Privacy Policy

This Privacy Policy explains how we collect, use, share, and protect personal data when you use the XDAYS website, application, and related services (the “Service”). The controller of your personal data within the meaning of the EU General Data Protection Regulation (“GDPR”) is:

This Policy applies to all users of the Service worldwide. Where local data protection laws grant you additional rights, those rights remain unaffected.

2.1 Data You Provide

• Account data: email address and authentication credentials (processed via Google Firebase Authentication; if you sign in with Google, we receive your email address from Google).
• Profile data (optional): username and profile image. If you set these, they are publicly visible — see Section 6.
• Habit data: habit names, descriptions, icons, schedules, goals, and completion records.
• AI prompts: goal text you enter when using the AI habit generation feature.
• Settings: your timezone, used to display habit data correctly.
• Communications: the content of emails or support requests you send us.

2.2 Data Collected Automatically

• Usage and analytics data: we use Google Analytics for Firebase to record basic usage events (such as page views) together with device and browser information and approximate location derived from your IP address.
• Technical data: log data, IP address, and identifiers necessary to operate, secure, and debug the Service.

2.3 Payment Data

Payments are processed by Stripe. Your full card details are provided directly to Stripe and are never stored on our servers. We receive limited payment information from Stripe, such as your subscription status, plan, and transaction history, which we need to provide the paid Service and to comply with tax and accounting obligations.

We process personal data for the following purposes and on the following legal bases under Article 6(1) GDPR:

• Providing the Service (account creation, habit tracking, sync, public profiles you enable, AI features) — performance of a contract (Art. 6(1)(b)).
• Processing payments and managing subscriptions — performance of a contract (Art. 6(1)(b)) and compliance with legal obligations such as tax and accounting laws (Art. 6(1)(c)).
• Securing the Service (fraud prevention, abuse detection, debugging) — our legitimate interest in keeping the Service safe and operational (Art. 6(1)(f)).
• Analytics (understanding how the Service is used so we can improve it) — our legitimate interest (Art. 6(1)(f)) and, where required by law, your consent (Art. 6(1)(a)).
• Communicating with you (service announcements, responses to support requests, notices required by law) — performance of a contract (Art. 6(1)(b)) and our legitimate interest (Art. 6(1)(f)).
• Establishing, exercising, or defending legal claims — our legitimate interest (Art. 6(1)(f)).

Providing account data is necessary to use the Service; without it we cannot create your Account. Profile data is optional.

We do not sell your personal data. We share data only with service providers (processors) who help us operate the Service, and only to the extent necessary:

• Google (Firebase / Google Cloud): authentication, database hosting, file storage (including profile images), and analytics. Google processes this data in accordance with its data processing terms.
• Stripe: payment processing and subscription billing.
• OpenAI: when you use the AI habit generation feature, the goal text you enter is sent to OpenAI for processing. We do not send your name, email address, or other account identifiers to OpenAI — only the text you submit. Do not include personal or sensitive information in AI prompts.

We may also disclose personal data where required by law, to comply with legal process, to enforce our Terms and Conditions, to protect the rights, property, or safety of XDAYS, our users, or others, or in connection with a merger, acquisition, or sale of assets (in which case we will notify you where required by law).

Our service providers listed above are headquartered in the United States and may process data outside the European Economic Area. Where personal data is transferred outside the EEA, we rely on appropriate safeguards under Chapter V GDPR, including the European Commission's adequacy decision for the EU–U.S. Data Privacy Framework (where the provider is certified) and/or Standard Contractual Clauses concluded with the provider. You may contact us for further information about these safeguards.

• If you set a username or upload a profile image, that information becomes publicly accessible on the internet, including to people who do not use XDAYS and to search engines.
• Profile images are stored on Google Cloud servers at publicly accessible URLs.
• If you share your public profile, the habit and streak information displayed on it is visible to anyone with the link.
• You can remove your profile image and username at any time in Settings, after which they will no longer be served by the Service; cached copies held by search engines or third parties may persist for some time outside our control.

• Account and habit data: kept for as long as your Account exists. When you delete your Account, your data is deleted from our production systems without undue delay, and from backups within a reasonable period thereafter.
• Payment and transaction records: retained for as long as required by applicable tax, accounting, and financial regulations (in Poland, generally 5 years from the end of the relevant tax year).
• Support communications: retained for as long as necessary to handle your request and for the limitation period of potential legal claims.
• Analytics data: retained in accordance with the retention settings of Google Analytics for Firebase.

Subject to the conditions set out in the GDPR and other applicable laws, you have the right to:

• Access your personal data and receive a copy of it;
• Rectify inaccurate or incomplete data;
• Erase your data (“right to be forgotten”), including by deleting your Account in Settings;
• Restrict processing in certain circumstances;
• Data portability — receive data you provided in a structured, commonly used, machine-readable format;
• Object to processing based on our legitimate interests;
• Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, contact us at aximer.business@gmail.com. We will respond within one month, extendable by two further months for complex requests, as permitted by the GDPR.

You also have the right to lodge a complaint with a supervisory authority. In Poland, this is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl). You may also complain to the supervisory authority in your country of residence.

The Service uses cookies and similar technologies (such as browser local storage) for:

• Essential purposes: keeping you signed in and securing your session (Firebase Authentication). These are necessary for the Service to function.
• Analytics: Google Analytics for Firebase uses identifiers to measure usage of the Service.

You can control or delete cookies through your browser settings. Disabling essential cookies may prevent the Service from functioning correctly.

We implement appropriate technical and organizational measures to protect personal data, including encryption in transit, access controls, and reliance on the certified infrastructure of our cloud providers. No method of transmission or storage is completely secure; we cannot guarantee absolute security, but we will notify you and the competent supervisory authority of personal data breaches where required by law.

The Service is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a person under 18 has provided us with personal data, contact us and we will delete it.

We do not use your personal data for automated decision-making that produces legal effects concerning you or similarly significantly affects you. AI-generated habit suggestions are informational only and have no such effects.

We may update this Privacy Policy from time to time, for example to reflect changes in the Service, our providers, or applicable law. We will post the updated Policy on this page and update the “Last Updated” date. For material changes, we will provide additional notice (such as by email or a prominent notice in the Service) before the changes take effect.

For any questions or requests concerning this Privacy Policy or your personal data, contact us: