
Privacy Policy

Last updated: March 2026

This privacy policy was auto-generated and is for informational purposes. We recommend consulting a lawyer before final adoption.

1. Data controller

The data controller is an individual developer based in Poland, operating the XP Life service available at xp-life-kappa.vercel.app.

For data protection inquiries, contact: [email to be provided]

2. Data we collect

We collect the following categories of data:

  • Account data — email address, encrypted password
  • Habit data — habit names, type (positive/negative), point values, completion data, streaks
  • Task data — task content, due dates, priorities, point values
  • Reward data — reward names, point costs
  • Point transactions — history of earning and spending XP points
  • User statistics — current point balance, streaks
  • Push notification subscriptions — subscription tokens for sending browser notifications
  • Session data — authentication tokens for maintaining login sessions

3. Purpose of data processing

  • Service delivery — account management, habit and task tracking, point calculation
  • Authentication and security — login, account protection
  • AI features (Pro plan) — generating suggestions and analytics based on user data
  • Push notifications — habit and task reminders
  • Billing — processing Pro plan payments

4. Legal basis for processing (GDPR)

  • Art. 6(1)(b) — processing necessary for contract performance (service delivery)
  • Art. 6(1)(a) — user consent (push notifications, AI features)
  • Art. 6(1)(f) — legitimate interest of the controller (service security, abuse prevention)

5. AI data processing (Google Gemini)

Under the Pro plan, selected user data (habit names, task descriptions, statistics) is sent to the Google Gemini API to generate AI-powered suggestions and analytics.

Data is sent in anonymized form (without email address) and used solely to fulfill the request. The administrator has no control over how Google processes data after transmission.

Using AI features is voluntary and requires an active Pro plan subscription. You can cancel Pro at any time, which stops data transmission to Google Gemini.

6. Cookies and local storage

The service uses cookies solely for technical purposes:

  • Session cookies — maintaining login sessions (Better Auth)
  • Local Storage — storing user interface preferences

The service does not use marketing or third-party analytics cookies.

7. Your rights

Under GDPR, you have the following rights:

  • Right of access — you can request information about your processed data
  • Right to rectification — you can correct inaccurate data
  • Right to erasure — you can request deletion of your data (account deletion)
  • Right to data portability — you can request your data in a machine-readable format
  • Right to restriction of processing — you can request restriction of data processing
  • Right to object — you can object to processing based on legitimate interest
  • Right to withdraw consent — you can withdraw consent at any time

To exercise your rights, contact the administrator via email. You also have the right to lodge a complaint with the Polish Data Protection Authority (UODO).

8. Data storage

Personal data is stored in a PostgreSQL database hosted on the Neon platform.

Data is retained for the duration of account usage. Upon account deletion, all user data is permanently removed from the database.

Payment-related transaction data may be retained longer if required by tax regulations.

9. Data security

We implement appropriate technical and organizational measures to protect personal data, including password encryption, HTTPS communication, and database access controls. Passwords are stored exclusively in hashed form and are never accessible in plain text.

10. Changes to this policy

The administrator reserves the right to update this privacy policy. Users will be notified of significant changes via email or in-app notification.

11. Contact

For data protection inquiries, please contact us at: [email to be provided]