Stubbd

Last updated · Invalid Date

1. Who we are

Stubbd (“we”, “us”, “our”) is an iOS application operated by Anurag Agnihotri. For all privacy questions: privacy@stubbd.com.

2. What we collect

We collect only what we need to operate the app and personalize your experience.

2.1 Account identifiers

  • A Supabase user ID (UUID) tied to your anonymous account on first launch
  • An email address, but only if you choose to attach one to back up your account
  • A RevenueCat anonymous ID for managing your subscription
  • A PostHog distinct ID for product analytics (subject to your opt-out — see §5.3)

2.2 Health & wellness information (sensitive)

This is the category to read carefully. Smoking is a health behavior, and the data Stubbd collects to help you change it is health-adjacent.

  • Smoking history you provide during onboarding: years smoked, cigarettes per day, cost per pack, pack size
  • Your quit date, triggers, reasons for quitting, previous quit attempts, stage of change
  • Cravings you log (timestamp, intensity, trigger, strategy used, outcome)
  • Daily check-ins (mood, energy, sleep)
  • Milestones earned

We treat this category as special-category personal data under GDPR Art. 9 and as sensitive personal data under DPDP §2(36) and CCPA §1798.140.

2.3 Conversations with the AI coach

  • The text of messages you send to the in-app coach
  • The responses generated for you
  • Stored against your account so the coach can reference past conversations

2.4 Usage and diagnostics

  • Anonymized product analytics (which screens you visit, which features you use), via PostHog
  • Crash and error logs via Sentry, which may include anonymized device identifiers and stack traces
  • iOS device model and OS version, for debugging

2.5 What we do NOT collect

  • Your physical location
  • Your contacts, photos, calendar, or microphone
  • Biometric or health-kit data from outside the Stubbd app
  • Any data from advertising identifiers (we do not use IDFA)

3. How we use it

  • Operate the app — authentication, syncing your profile, scheduling local notifications
  • Personalize your recovery — render the brain-healing timeline, the savings counter, your milestones
  • Power the AI coach — your profile and recent cravings are sent to OpenAI (see §4) at the moment of each coach turn, to generate a contextually relevant response
  • Understand product usage in aggregate — using PostHog, we look at which features help and which don’t, to improve the app
  • Diagnose and fix bugs — using Sentry crash logs

We do not sell your personal information. We do not share it with advertisers. We do not use it for cross-context behavioral advertising. We do not use it to train any large language model.

The legal basis for our processing under GDPR is your consent (Art. 6(1)(a)) for analytics, and the performance of our contract with you (Art. 6(1)(b)) for everything else. Special-category processing is based on your explicit consent (Art. 9(2)(a)).

4. Sub-processors

We use the following providers to run Stubbd. Each is bound by their own privacy commitments and a Data Processing Agreement with us where applicable.

| Provider | Purpose | Region | Data handled |
|---|---|---|---|
| Supabase | Database, authentication, edge functions | US-East | Account, profile, cravings, AI conversations |
| OpenAI | AI coach inference, per-turn | US | The text of your coach message + relevant context. Per OpenAI’s API terms, your inputs are not used to train OpenAI’s models. |
| RevenueCat | Subscription state | US | Anonymous ID, purchase metadata |
| PostHog | Product analytics | EU | Anonymized usage events |
| Sentry | Crash and error monitoring | US | Anonymized crash diagnostics |
| Apple App Store | Billing and subscription delivery | Global | Apple ID, payment (handled entirely by Apple under Apple’s terms) |

5. Your rights

You can do all of the following from inside the app, in Settings → Account:

5.1 Export your data

A complete machine-readable JSON of everything we hold on you, delivered via the export-user-data edge function and emailed to your attached address. Typical turnaround under 24 hours.

5.2 Delete your account

Permanently erases your account and all associated data via the delete-account edge function. This is irreversible and cascades through all our systems within 30 days (see §7).

5.3 Opt out of analytics

A toggle that disables PostHog event collection on your device immediately. We never collect new analytics events for an opted-out account.

5.4 Jurisdiction-specific rights

  • EU/EEA (GDPR) — In addition to the above, you have rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and to object (Art. 21). You may also lodge a complaint with your local supervisory authority.
  • United Kingdom (UK GDPR) — Equivalent rights to the EU GDPR; you may lodge a complaint with the ICO.
  • India (DPDP Act 2023) — Rights of access, correction, completion, updating, and erasure (§11), grievance redressal (§13), and the right to nominate (§14).
  • California (CCPA / CPRA) — Right to know, right to delete, right to correct, right to opt out of sale or sharing (we do neither, but the right is yours), right to limit use of sensitive personal information, and right to non-discrimination for exercising any of these rights.
  • Other US states with comprehensive privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, etc.) — equivalent rights apply where the law extends to us.

To exercise any of these rights, email privacy@stubbd.com. We will respond within 30 days (45 days where an extension is permitted by law).

6. International transfers

Your data primarily lives in Supabase’s US-East region. If you are in the EU/EEA or UK, your data is transferred to the United States under the EU–US Data Privacy Framework adequacy decision and, where applicable, Standard Contractual Clauses. If you are in India, your data is transferred under the DPDP Act’s cross-border framework.

7. Retention

We keep your data for as long as your account exists. When you delete your account, your data is removed from our active systems immediately and from encrypted database backups within 30 days, after which the backups are rotated out.

Anonymized analytics events that no longer identify you may be retained longer, in aggregate form only.

8. Security

Your data is encrypted in transit (HTTPS/TLS 1.2+) and at rest (managed by Supabase / AWS). Row-level security policies on every database table ensure that you can only access your own rows. Authentication uses iOS Keychain for token storage. We follow modern best practices, but no system is perfectly secure — if you suspect a breach, please email security@stubbd.com.

9. Children

Stubbd is rated 17+ on the App Store. We do not knowingly collect data from anyone under 13 (or under 16 in the EU). If we learn we have, we will delete it. If you are a parent or guardian and believe your child has provided us data, email privacy@stubbd.com.

10. Cookies and similar technologies

Stubbd is a native iOS app and does not use cookies. Our marketing website (stubbd.com) uses only essential first-party storage; we do not run third-party advertising trackers.

11. Changes to this policy

We will update this policy as the product evolves. Material changes will be announced via in-app notification with at least 14 days’ notice before they take effect, and the “Last updated” stamp at the top of this page will be revised. Material changes that broaden the categories of data collected or our processing purposes will require fresh consent where the law requires it.

12. Contact

| Purpose | Address |
|---|---|
| Privacy questions and rights requests | privacy@stubbd.com |
| Suspected security incidents | security@stubbd.com |
| General support | hello@stubbd.com |