Habisun Privacy Policy
Effective Date: May 20, 2026
Last Updated: May 20, 2026
This Privacy Policy explains how Habisun collects, uses, shares, protects, and retains personal information when you use the Habisun mobile application, websites, backend APIs, and related services (collectively, the “Services”).
1. Scope
Habisun is a family task, habit, reward, and parent-child collaboration service. The Services are intended to be managed by parents or legal guardians. Child profiles and child-facing experiences are controlled by a parent or guardian account.
This Policy applies to users in the countries and regions where we make the Services available. It is designed for international markets and should be read together with our Terms of Service. If you do not agree with this Policy, please do not use the Services.
2. Information We Collect
We collect only information that is reasonably necessary to provide, secure, maintain, and improve the Services.
2.1 Account and Authentication Information
When you create or access an account, we may collect:
- email address;
- display name;
- authentication provider identifiers, such as Firebase Auth user ID, Google sign-in ID, or Apple sign-in ID;
- login status, account creation time, account update time, and locale;
- parent PIN status and related security metadata, such as failed attempt count and lockout time. We store PIN verification data in protected form and do not store your plain-text PIN.
2.2 Family, Parent, and Child Profile Information
Parents or guardians may create and manage family data, including:
- family membership, parent/guardian role, and child role;
- child nickname or display name;
- child avatar, profile image, icon choice, birthday or age group, and preferred form of address;
- family invitations, invitee email address, invitation status, and family membership status;
- preferences such as language, theme, notification settings, and app mode.
Please do not add sensitive information about a child unless it is necessary for your family’s use of the Services.
2.3 Task, Habit, Reward, Wish, and Activity Data
To operate the core product, we process data such as:
- task definitions, schedules, recurrence rules, reminders, task categories, and task assignments;
- task completion records, review status, proof notes, reviewer notes, and optional proof images;
- reward templates, reward inventory, reward redemption history, coin balances, and coin ledger records;
- wish requests, wish descriptions, parent review messages, and related reward conversion records;
- focus sessions, growth reports, messages, in-app event notifications, and read status.
2.4 Images and Uploaded Files
If you choose to upload or capture images, we may process:
- profile avatars for parents or children;
- task proof images;
- reward images or other family content images;
- image metadata required to store, compress, deliver, or delete the file.
We use these files only for the purposes selected in the App and related family features.
2.5 Device, App, and Technical Information
We may automatically collect or receive:
- device model, operating system, app version, platform, language, and region settings;
- device notification token, such as a Firebase Cloud Messaging token, when notifications are enabled;
- device name or similar diagnostic device information where available;
- IP address, request metadata, server logs, API route, timestamps, and error logs;
- crash, performance, and diagnostic information;
- analytics events about product usage, such as feature usage, screen flows, subscription events, and app stability signals.
2.6 Purchase and Subscription Information
Habisun may offer paid subscription plans through Apple App Store, Google Play, and RevenueCat. We may process:
- product ID, entitlement ID, billing cycle, subscription status, purchase time, expiration time, renewal status, and refund or revocation status;
- RevenueCat customer identifiers and app user identifiers;
- app store transaction metadata needed to verify and maintain paid access.
We do not collect or store full payment card numbers. Payment processing is handled by the applicable app store or payment platform.
2.7 Website Cookies and Similar Technologies
Our website may use cookies or similar technologies to keep the website functional, understand visits, improve performance, and prevent abuse. You can manage cookies through your browser settings.
3. App Permissions We Request
Habisun requests device permissions only when needed for a feature. You can grant or deny permissions through your device settings. If you deny a permission, the related feature may not work, but the rest of the Services may remain available.
| Permission | Platform | Purpose | When Used |
|---|---|---|---|
| Internet / network access | Android, iOS | Connect to our APIs, Firebase, Supabase, Cloudflare, RevenueCat, Sentry, and app store services; sync family data; load images; send diagnostics. | Required for cloud sync, login, subscriptions, notifications, and online features. |
| Camera | Android, iOS | Let you take a profile photo, reward image, or task proof image. | Only after you choose a camera-based feature. |
| Photo library / media picker | iOS and supported Android versions through the system picker | Let you select an existing image for avatars, rewards, or task proof. | Only after you choose an image selection feature. |
| Notifications | Android 13+, iOS | Send task reminders, family updates, review results, subscription or service messages, and other app notifications. | Only after permission is granted or notifications are enabled. |
| Background remote notifications | iOS | Support delivery and handling of remote notifications. | Used for notification-related service behavior. |
| Local storage / secure storage | Android, iOS | Store app preferences, local cache, authentication/session material, and encrypted local data. | Used to keep the App functional and support offline or faster access. |
| Device information | Android, iOS | Improve compatibility, support troubleshooting, detect platform-specific issues, and manage notification delivery. | Collected as part of diagnostics, support, and notification features. |
Habisun does not request precise location, contacts, microphone, calendar, SMS, phone call, health data, or advertising identifier permissions in the current version.
4. How We Use Information
We use personal information for the following purposes:
- create, authenticate, secure, and maintain accounts;
- provide family management, child profiles, tasks, habits, rewards, wishes, reports, and notifications;
- sync data across devices and family members;
- process subscriptions, entitlements, renewals, cancellations, refunds, and app store events;
- store and deliver user-selected images and other in-app content;
- provide customer support and respond to privacy requests;
- improve app reliability, performance, safety, usability, and product quality;
- detect, prevent, and investigate fraud, abuse, security incidents, policy violations, and technical issues;
- comply with law, enforce our Terms, and protect our rights, users, and Services.
5. Legal Bases for Processing
Depending on your location, we rely on one or more legal bases:
- Contract necessity: to provide the Services you request.
- Consent: for optional permissions, notifications, certain analytics choices, and child-related processing where consent is required.
- Legitimate interests: to secure, debug, improve, and protect the Services, provided those interests are not overridden by your rights.
- Legal obligations: to comply with applicable laws, tax, accounting, consumer protection, app store, and safety requirements.
- Parental authorization: for child profile and child-related family data managed by a parent or legal guardian.
6. Children and Family Privacy
Habisun is designed for families and is intended to be controlled by parents or legal guardians. Children should use the Services only under the supervision and authorization of a parent or legal guardian.
We do not knowingly allow children to create independent parent accounts. Child profiles are created and managed by a parent or legal guardian. We do not knowingly collect personal information directly from children under 13 in the United States, or under the age at which parental authorization is required in the EEA, United Kingdom, Japan, Korea, or other applicable jurisdictions, without appropriate parent or guardian authorization.
Where laws such as COPPA, GDPR/UK GDPR child consent rules, the UK Age Appropriate Design Code, Japan’s APPI, Korea’s PIPA, or comparable children’s privacy rules apply, we aim to provide age-appropriate protections, minimize child data collection, avoid targeted advertising to children, and rely on a parent or guardian for child profile creation and management.
Parents or legal guardians may request access, correction, deletion, or restriction of child profile information by using in-app controls or contacting us at support@habisun.com. If we learn that we collected child personal information without required authorization, we will take reasonable steps to delete or de-identify it.
7. Sharing and Disclosure
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use children’s personal information for targeted advertising. We share information only as reasonably necessary for the Services, legal compliance, security, or business operations.
7.1 Service Providers and SDKs
The App and backend may use the following third-party service providers or SDKs. Their processing may involve data transfer to their infrastructure.
| Provider / SDK | Purpose | Data That May Be Processed |
|---|---|---|
| Firebase / Google Cloud | Authentication, Firebase Cloud Messaging, analytics, crash reporting, token verification, and cloud service support. | Account identifiers, email, provider ID, app instance data, notification tokens, crash logs, device/app information, analytics events. |
| Google Sign-In | Optional account sign-in. | Google account identifier, email, display name, authentication tokens or assertions. |
| Sign in with Apple | Optional account sign-in. | Apple user identifier, relay email where selected, authentication tokens or assertions. |
| Supabase | Database and backend data storage. | Account, family, profile, task, reward, wish, subscription, and operational data. |
| Cloudflare Workers | API hosting, routing, security, request handling, and logs. | API requests, IP address, headers, timestamps, authentication verification data, operational logs. |
| Cloudflare R2 | Image and file storage. | Avatars, proof images, reward images, file keys, metadata needed to serve and delete files. |
| RevenueCat | Subscription entitlement management and app store purchase validation. | App user ID, product ID, entitlement ID, purchase and renewal status, transaction metadata from app stores. |
| Apple App Store / Google Play | In-app purchase processing, subscription management, distribution, and app review compliance. | App store account/payment information handled by the app store, transaction identifiers, subscription status. |
| Sentry | Error monitoring, crash diagnostics, performance monitoring. | Crash traces, error logs, device/app information, diagnostic breadcrumbs, network error metadata. |
| Flutter and Flutter plugins listed in the App | Core app framework and device features such as image picking, secure storage, device info, local notifications, sharing, networking, local database, and image caching. | Data depends on the feature used, such as selected images, device info, local preferences, or local cached content. |
We require service providers to process personal information only for authorized purposes and to use appropriate confidentiality, security, and data protection safeguards.
7.2 Legal, Safety, and Business Disclosures
We may disclose information:
- to comply with law, court orders, subpoenas, government requests, or app store compliance requirements;
- to protect users, children, families, our Services, and the public from fraud, abuse, security threats, or harm;
- to enforce our Terms and other agreements;
- in connection with a merger, acquisition, financing, reorganization, asset sale, or similar business transaction, subject to appropriate protections.
8. International Transfers
The Services use global cloud providers and app platforms. Your information may be processed in countries or regions outside where you live, including the United States, the European Economic Area, the United Kingdom, Japan, Singapore, and other locations where our service providers operate.
Where cross-border transfer rules apply, we use appropriate safeguards such as contractual protections, data processing agreements, standard contractual clauses, adequacy mechanisms, transfer impact assessments where required, and technical and organizational security measures.
9. Data Retention
We retain personal information only for as long as reasonably necessary for the purposes described in this Policy, including providing the Services, maintaining account records, resolving disputes, enforcing agreements, meeting legal obligations, preventing abuse, and preserving security. When personal information is no longer necessary, we delete, de-identify, or anonymize it according to our technical and legal retention practices.
Typical retention practices include:
- account and family data: retained while your account or family workspace is active;
- child profile, task, reward, wish, and activity data: retained while needed for family use and sync unless deleted by a parent or through account deletion;
- uploaded images: retained while linked to active family content or until deleted, subject to backups and technical deletion cycles;
- subscription records: retained as needed for entitlement verification, accounting, dispute handling, and legal compliance;
- crash, analytics, and server logs: retained for a limited period reasonably necessary for security, diagnostics, and service improvement;
- deleted account data: deleted, anonymized, or isolated according to our account deletion workflow, except where retention is legally required or necessary for security, fraud prevention, or dispute resolution.
10. Security
We use reasonable administrative, technical, and organizational safeguards designed to protect personal information, including:
- encrypted transport where supported;
- protected local storage and encrypted local database techniques where implemented;
- access controls for backend systems;
- authentication token verification;
- service provider controls and secret management;
- monitoring, logging, and incident response procedures;
- deletion and de-identification workflows where appropriate.
No system is completely secure. If you believe your account or family data has been compromised, contact us immediately.
11. Your Choices and Rights
Depending on your location, you may have rights to:
- access personal information we hold about you;
- correct inaccurate information;
- delete personal information;
- restrict or object to certain processing;
- withdraw consent where processing is based on consent;
- receive a copy of certain information in a portable format;
- opt out of sale, sharing, or targeted advertising where applicable. We do not sell personal information or share it for cross-context behavioral advertising;
- appeal a privacy request decision where applicable;
- lodge a complaint with a privacy or data protection authority.
You may exercise rights through in-app settings where available or by contacting support@habisun.com. We may need to verify your identity and authority, especially for family or child data requests.
12. Managing Permissions, Notifications, and Account Deletion
You can manage app permissions in your device settings. You can manage push notifications in the App or operating system settings. You can manage subscriptions through Apple App Store or Google Play account settings.
You can request account deletion in the App where available or by contacting us. Account deletion may remove or anonymize account, family, and child profile data, subject to legal, security, backup, and technical limitations. If a family has multiple parents or guardians, deletion may affect family access and shared content.
13. Regional Privacy Notices
13.1 EEA, United Kingdom, and Switzerland
If GDPR, UK GDPR, or Swiss data protection law applies, you may have rights of access, rectification, erasure, restriction, objection, portability, withdrawal of consent, and complaint to a supervisory authority.
Where we rely on legitimate interests, those interests include service security, debugging, fraud prevention, product improvement, and operating a family productivity service. Where we process child-related information, we rely on parent or guardian authorization and other applicable legal bases. Where legally required, we will maintain an EU, UK, or local representative or provide other required local contact details.
13.2 United States State Privacy Laws
If a state privacy law such as the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), applies to you, the categories of personal information we may collect include identifiers, customer records, commercial information, internet or electronic network activity, coarse location inferred from network metadata where applicable, audio/visual information you upload such as images, inferences related to preferences, and sensitive personal information such as account login credentials or child data where provided.
We use and disclose these categories for the purposes described in this Policy. We do not sell personal information or share it for cross-context behavioral advertising. We do not knowingly sell or share personal information of consumers under 16.
13.3 Canada, Japan, Korea, Australia, and Other Regions
Where privacy laws such as Canada’s PIPEDA, Japan’s APPI, Korea’s PIPA, Australia’s Privacy Act, or similar laws apply, we handle personal information according to the transparency, purpose limitation, access, correction, security, retention, cross-border transfer, and complaint-handling requirements that apply to the Services.
14. App Store and Google Play Disclosures
Apple App Store privacy labels and Google Play Data Safety disclosures are intended to summarize data practices. This Policy provides a fuller explanation. We aim to keep store disclosures, in-app notices, SDK behavior, and this Policy consistent. If you notice an inconsistency, please contact us at support@habisun.com.
15. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will provide notice through the App, website, app store listing, email, or other reasonable means, and update the “Last Updated” date. Your continued use of the Services after the effective date means you acknowledge the updated Policy.
16. Contact Us and Data Controller
The legal entity responsible for the Services is Voxria Tech. Voxria Tech is the data controller of your personal information unless a different role is stated for a specific feature or region.
For privacy questions, rights requests, support, or formal legal notices, contact us:
Habisun Privacy Team
Legal entity: Voxria Tech
Email: support@habisun.com
Website: www.habisun.com
Formal notice details: available upon verified request where required by law.