Privacy Policy
Last updated: March 2026
1. Who We Are
GroupHabits ("we", "our", or "us") operates the habit-tracking application at grouphabits.com. We are the data controller for the personal data described in this policy.
Contact for privacy matters: grouphabitmvp@gmail.com
2. Data We Collect
Account Information
Your email address, display name (optional), and password (stored as a one-way bcrypt hash — we cannot read it). We also store an email verification token and, when requested, a password-reset token (both expire within 24 hours).
Habit & Activity Data
Habit names, daily completion logs, streak counts, numeric or boolean values you enter, journal entries, daily reflections (1–5 score), group check-in text, public commitments, and challenge participation records. This is the core content of your account.
Group & Social Data
Group membership records (which groups you belong to and when you joined), shared-habit progress visible within each group, emoji reactions, comments on feed posts, and cached performance statistics (completion rates, current streaks). These statistics are also accessible to the owner of any group you are a member of — see Section 5 for details.
Notification Preferences
Whether you have opted in to group-activity notifications, reaction alerts, reminders, and any quiet-hours window you configure. If you grant push-notification permission in your browser, we store a Web Push subscription record containing your browser's push endpoint URL and the encryption keys needed to send you notifications. This record is tied to your account and deleted when you revoke permission or delete your account.
Payment Information
Subscription tier and billing status. Card details are collected and stored exclusively by Stripe — we never see or store full card numbers. We store the Stripe Customer ID and subscription ID so we can manage your plan.
Usage & Technical Data
Product analytics events (such as pages visited, features used, and errors encountered) are sent to PostHog, a product-analytics service. Error reports including stack traces and browser information are sent to Sentry. IP addresses are processed transiently by our hosting infrastructure (Vercel) for routing and rate-limiting; they are not persistently stored by us in your profile. We also use browser localStorage to cache up to 100 analytics events before they are sent, to remember whether you have seen onboarding prompts, and to cache session metadata. This local data never leaves your device except as described above.
3. Lawful Basis for Processing
Under UK GDPR and EU GDPR, we rely on the following lawful bases:
Contract performance (Article 6(1)(b))
Processing your account information, habit data, group data, notification preferences, and payment records is necessary to provide the service you signed up for. Without this processing, we cannot operate your account.
Legitimate interests (Article 6(1)(f))
We use PostHog analytics and Sentry error tracking to understand how the product is used and to diagnose technical problems. This enables us to improve the service. We have assessed that these interests do not override your rights: analytics are pseudonymous, error reports do not include habit content, and you can object at any time (see Section 8). We also process your data to prevent fraud and abuse, and to enforce our Terms of Service, under the same basis.
Legal obligation (Article 6(1)(c))
We may retain certain records (such as billing records) where required by applicable law, including UK tax law.
4. How We Use Your Data
- To create and maintain your account and provide access to the service
- To display your habit progress to you and, for shared habits, to your group members
- To send transactional emails (email verification, password reset, notifications you have opted into)
- To process subscription payments via Stripe
- To generate group performance reports for group owners (see Section 5)
- To analyse product usage and improve the service (PostHog)
- To detect, investigate, and fix bugs and errors (Sentry)
- To enforce our Terms of Service and prevent abuse
- To comply with legal obligations
5. Group Owner Access to Member Data
When you join a group on GroupHabits, the owner of that group has access to certain analytics about your activity within the group. This is a core feature of the platform — it enables group owners to support their members and manage accountability effectively. Specifically, a group owner can:
- View your completion rate (percentage of shared habits completed) for any date range
- View your current and longest streak on shared group habits
- See whether you are flagged as "at risk" (a threshold based on recent inactivity relative to your personal baseline)
- View your total completed days and last active date within the group
- Export a CSV file of the above statistics, covering all members of the group
Group owners cannot see the content of your private habits, journal entries, private reflections, or any activity outside the shared habits of the group.
When a group owner exports member data as a CSV, they become an independent data controller for that exported file. GroupHabits is not responsible for how group owners store, use, or share exported data after it leaves our platform. If you have concerns about how a group owner is using your data, please contact us at the address in Section 14.
By joining a group you acknowledge that the group owner has the access described above. If you do not wish the group owner to have visibility into your performance statistics, you should leave the group (which removes you from future reports) or contact us to exercise your rights under Section 8.
6. Third-Party Services & Processors
We share data with the following sub-processors and service providers, each of which processes data only as necessary to perform the described function:
Neon (database hosting)
Hosts the PostgreSQL database that stores all application data. Servers are located in the EU (AWS eu-west-1 / eu-central-1 region). Privacy policy
Vercel (application hosting & CDN)
Hosts and serves the web application. Processes transient request data (IP addresses, request logs) for routing and security. Privacy policy
Stripe (payment processing)
Processes all payment card data. We pass your email and subscription metadata to Stripe. Stripe is an independent data controller for payment data. Privacy policy
PostHog (product analytics)
Receives pseudonymous usage events (pages visited, features used, errors). Events include a PostHog-generated device ID and may include your GroupHabits user ID. PostHog may be hosted in the US or EU depending on configuration. Privacy policy
Sentry (error monitoring)
Receives error reports including browser/OS details, stack traces, and the URL at which an error occurred. We configure Sentry to scrub sensitive form values. Sentry is US-based. Privacy policy
Resend (transactional email)
Sends verification, password-reset, and notification emails on our behalf. Processes your email address and the content of the email. Privacy policy
Upstash (Redis caching)
Used for rate-limiting (processing your IP address transiently) and short-lived caching of aggregated statistics. Data is not persisted beyond the cache TTL. Privacy policy
7. International Data Transfers
Some of our sub-processors (including Stripe, PostHog, Sentry, and Resend) are based in the United States. When personal data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place. These include:
- UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs) with relevant processors
- Reliance on adequacy decisions where applicable
- Processor-side certifications (e.g. EU-US Data Privacy Framework participation where relevant)
You may request details of the safeguards in place for any specific transfer by contacting us at the address in Section 14.
8. Your Rights
Under UK GDPR (and EU GDPR where applicable) you have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your data. You can trigger full account deletion directly in your profile settings, which permanently removes all your data. For partial erasures (e.g. removing data from group owner reports while keeping your account), contact us.
- Portability: Request an export of your habit data in machine-readable format. A CSV export is available directly in your account settings.
- Restriction: Request that we restrict processing of your data (for example, while a dispute is resolved).
- Objection: Object to processing carried out under our legitimate interests (Section 3). We will stop unless we have compelling legitimate grounds that override your interests.
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at grouphabitmvp@gmail.com. We will respond within one calendar month.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, or with your national data protection authority if you are in the EU.
9. Data Retention
We retain data for as long as your account is active. Specific periods:
- Account and habit data: Retained until you delete your account. Deletion is permanent and immediate.
- Email verification and password-reset tokens: Expire within 24 hours and are cleared on use.
- Push notification subscriptions: Deleted when you revoke browser permission, when the subscription expires, or when you delete your account.
- Billing records: Stripe retains payment records per their own retention policy. We retain subscription status metadata for up to 7 years for financial compliance purposes.
- Analytics and error logs: PostHog and Sentry retain data per their own policies (typically 1–2 years for PostHog; configurable for Sentry). Pseudonymous analytics events are not deleted on account deletion unless you submit a specific request.
- Redis cache entries: Expire automatically, typically within minutes to hours.
When you delete your account, we run an atomic deletion transaction that removes: your user record, all habit logs, habits, journal entries, reflections, group memberships, and — if you are a group owner — your group and all associated data including other members' participation records within that group.
10. Cookies & Local Storage
Cookies
We set one first-party session cookie: __Secure-next-auth.session-token (in production) or next-auth.session-token (in development). This cookie is HttpOnly, Secure, and SameSite=lax. It contains your encrypted session identifier and is strictly necessary to keep you signed in. It expires after 30 days of inactivity.
We do not set advertising, tracking, or third-party cookies. PostHog may set its own cookies or use localStorage for device identification under its own policy.
Browser Local Storage
We use browser localStorage for: caching up to 100 queued analytics events before transmission; recording onboarding prompt dismissal; and caching session metadata for performance. This data remains on your device and is not transmitted except as part of the analytics pipeline described in Section 6.
11. Data Security
We implement appropriate technical and organisational measures, including:
- HTTPS encryption in transit for all communications
- Passwords stored as bcrypt hashes (we cannot reverse them)
- HTTP security headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Camera, microphone, and geolocation access blocked via Permissions-Policy header
- Rate limiting on authentication and sensitive endpoints
- Database hosted on Neon with encryption at rest
12. Children's Privacy
The Service is not directed to children under 13 (or under 16 in jurisdictions where a higher age threshold applies). We do not knowingly collect personal data from children below these ages. If you believe a child has provided us with data without appropriate consent, contact us immediately and we will delete it.
13. Changes to This Policy
We may update this Privacy Policy. We will notify you of material changes by email (to the address on your account) at least 14 days before the change takes effect, and by updating the "Last updated" date above. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
14. Contact
For any questions about this Privacy Policy, or to exercise your rights, please contact us:
grouphabitmvp@gmail.com
To complain to the UK supervisory authority: ico.org.uk/make-a-complaint