Privacy Policy.
1. Who we are
This Privacy Policy explains how HephaTech ("we", "us", "our"), through its product GrowBit, collects, uses, stores, and protects personal data of visitors and users of the GrowBit website at growbit.hephatech.in and the GrowBit mobile app (the "App").
HephaTech is the Data Fiduciary under India's Digital Personal Data Protection Act, 2023 ("DPDP Act") for personal data collected through the website and the App. By using the App you agree to the practices described in this policy.
Registered office: [Registered address], India.
2. Scope & legal basis
This policy is issued in compliance with:
- The Digital Personal Data Protection Act, 2023 (DPDP Act) and any rules notified under it
- The Information Technology Act, 2000 ("IT Act") and the SPDI Rules, 2011
- The Consumer Protection Act, 2019 and the Consumer Protection (E-Commerce) Rules, 2020
- For premium subscriptions: the rules of the Google Play Billing system
We process your personal data on the lawful basis of your consent (DPDP §6 — given when you create an account and at relevant in-App prompts) and on the basis of legitimate uses (DPDP §7) for security, abuse prevention, and operational logging.
3. What the website collects
The marketing website at growbit.hephatech.in collects very little:
- Server logs via our hosting provider (Vercel): IP address, user-agent, requested URL, referrer, and timestamp — used for delivery, security, and abuse prevention
- Service-worker cache: the website registers a service worker (`/sw.js`) so it works offline. The cache lives entirely in your browser and contains the website's own static files only
- Local storage: a single key (`growbit-theme`) stores your light/dark theme preference. Never transmitted to us.
The website has no contact form, no analytics, and no cookies.
4. What the GrowBit app collects
4.1 Account data
- Email address (required for sign-up; verified via OTP)
- Password stored as a bcrypt hash — we never see your plaintext password
- First and last name (required during onboarding)
- Optional: avatar URL, username, timezone
- Identity archetype (Warrior / Scholar / Builder / Monk / CEO) — chosen during onboarding
- FCM token for Android push notifications
- Premium status and the date you became premium
4.2 Habit & routine data
- Habit name, optional description, type (yes/no, measurable, timed), frequency, difficulty, target value & unit, reminder time, category, and archived/deleted state
- Habit logs: completion status, value, duration, optional note, date
- Streaks: current and longest per habit
- Mood and energy entries: 1–5 scale, optional note, date
4.3 Gamification data
- Achievements unlocked and the date of unlock
- XP transactions: reason, amount, description
- Identity stat tree: integer values for FOCUS, STRENGTH, INTELLIGENCE, DISCIPLINE, CALM
4.4 Notification preferences
- Per-habit reminders: enabled / time / sound
- Account-level toggles: streak-risk nudges, daily reminders, weekly motivation, inactivity warnings
4.5 Local-only data (on-device)
- The App keeps an offline-first SQLite mirror of your habits, logs, streaks, and mood entries on your device, so the App works without internet
- Notification cursor and dismissed-suggestion state stay on-device only
4.6 What the App does not collect
- No location, GPS, or geofencing data
- No camera, microphone, or contacts access
- No advertising ID or hardware identifier
- No access to your photos, files, calendar, or call/SMS data
- No browsing history outside the App
- No biometric or sensitive personal data
4.7 Android permissions actually requested
Per the App's AndroidManifest.xml, the only permissions GrowBit requests are:
- `INTERNET` — talking to our backend
- `RECEIVE_BOOT_COMPLETED` — rescheduling habit reminders after a device reboot
- `POST_NOTIFICATIONS` — Android 13+ requires this to display reminders
- `VIBRATE` — gentle haptic feedback when you complete a habit
- `BILLING` — Google Play Billing for the optional premium upgrade
5. Why we collect it
| Category | Purpose | Lawful basis |
|---|---|---|
| Email, password hash, name | Authenticating you and enabling password recovery | Consent (DPDP §6) |
| Habit and mood data | Delivering the core habit-tracking service you signed up for | Consent (DPDP §6) |
| Streaks, XP, achievements, archetype, stats | Gamification mechanics that motivate retention | Consent (DPDP §6) |
| FCM token, notification preferences | Sending the reminders you opted into | Consent (DPDP §6) |
| Premium subscription data | Granting and revoking premium features; tax compliance | Performance of contract; legal obligation |
| Server logs | Operational delivery, security, abuse prevention, rate-limiting | Legitimate use (DPDP §7) |
6. Sharing & disclosure
We share data only with the following Data Processors, each bound to use it strictly per our instructions:
- The GrowBit backend server — operated by HephaTech, hosted on PostgreSQL via Prisma. All account, habit, mood, and gamification data live here
- Google Gemini API — receives aggregated, de-identified habit metrics (habit names you create, streak counts, completion rates, mood data) for AI-coach generation. We do not send your email, name, password, or user ID with these prompts. See §7
- Google Play Billing — verifies premium-subscription receipts. Receives the purchase token, order ID, product ID, and your Google Play account identifier. Governed by Google's policies
- Google Sign-In (only if you opt in to Drive backup) — used purely to obtain a token scoped to your Drive `appDataFolder`. We do not use Google Sign-In for authentication
- Notifee + FCM — Firebase Cloud Messaging delivers our push notifications. FCM receives the notification payload and your FCM token
- Sentry (only if `SENTRY_DSN` is configured — currently disabled) — would receive crash stack traces and an opaque user identifier for debugging
- Vercel — hosts the marketing website (logs only)
We do not sell, rent, or share data with advertisers, data brokers, or any third party for commercial gain. We have no advertising SDKs of any kind.
We may disclose data if required to do so by law, by court order, or by a competent authority issuing a lawful direction under the IT Act, the DPDP Act, or the Code of Criminal Procedure.
7. AI Coach & Gemini
The optional AI Coach (a premium feature) generates daily and weekly summaries, focus-habit recommendations, and burnout-risk assessments. To produce them, the GrowBit server sends a prompt to Google Gemini via the @google/generative-ai SDK.
The prompt includes:
- The names of your habits and their categories (so the model can suggest relevant nudges)
- Aggregated counts: streak length, completion rate over the last 7 days, count of mood entries
- Mood and energy averages over the relevant period
The prompt does not include: your email address, name, password, user ID, FCM token, payment information, or any free-text notes you entered on individual habits or mood entries. The Gemini response is cached server-side in our database; we do not feed your data to model training.
If you want to opt out of AI features, do not enable AI Coach in Settings; the rest of the App works exactly the same without it.
8. Premium & payments
GrowBit is free; an optional Premium tier unlocks AI Coach, Identity, Activity Feed, and a few other features. Premium is sold via Google Play Billing. We do not see, receive, or store your card number, CVV, UPI PIN, or any other payment credential. What our backend receives from Google Play is:
- Your purchase token and Google order ID
- Product ID and base plan ID
- Subscription status (PENDING / ACTIVE / CANCELED)
- Started, expiry, and cancel dates
- The raw receipt JSON returned by Google for verification
Cancellations and refunds are handled by Google Play under its policies. Your statutory rights under the Consumer Protection Act, 2019 are preserved.
9. Social features
GrowBit's social features (Circles, Pacts, Accountability Twin, Leaderboard, Activity Feed) make some of your information visible to other users you have a relationship with:
- Followers, leaderboard members, and circle members can see your username, first/last name (if you set them), avatar, archetype, and premium status badge
- Pact members and accountability twins can see whether you completed your shared habit on a given day, but not the value, duration, or note
- Activity-feed events visible to followers include: achievement unlocks, level-ups, pact milestones, boss-battle defeats. They never include the names or content of individual habits
What is never shared: your email, password, mood/energy entries, notes, individual habit details outside the pact context, or your subscription details.
You can leave a circle, end a pact, or unfollow at any time from in-App settings.
10. Cross-border transfers
The Data Processors listed above may host or process your personal data on servers outside India. Specifically: Google Gemini, Google Play Billing, FCM, and our hosting may operate primarily from the United States or other Google-region datacentres. Such transfers are necessary for the service and are protected by the contractual obligations those vendors are subject to. The Indian government may, by notification under DPDP §16, restrict transfers to specified countries; we will comply with any such notification.
11. How long we keep data
- Account data (email, name, archetype, etc.): retained as long as your account is active
- Habit logs, mood entries, achievements: retained as long as your account is active
- Premium / subscription records and invoices: retained for at least eight (8) years as required under §36 of the CGST Act, 2017 and the Income Tax Act, 1961
- Server logs: up to 90 days at the hosting layer
- AI Coach responses: cached for the day or week to which they apply, then archived as anonymous aggregates
- Local SQLite mirror: lives on your device until you uninstall
12. Account deletion & export
You have two in-App actions available at any time:
- Export all your data via `GET /user/export` — returns a JSON of your user record, habits, habit logs, categories, streaks, XP, achievements, mood entries, and notification preferences (paginated for large logs)
- Delete account via `DELETE /me` — performs a cascade delete of your user record. All linked records (habits, logs, mood, achievements, subscriptions, owned circles) are permanently deleted. Rate-limited to 5 attempts per hour to prevent abuse
Subscription records and invoices are retained for the statutory period above even after account deletion, in compliance with Indian tax law; they are stored separately and are not used for any other purpose.
13. How we secure data
- HTTPS / TLS 1.2+ for all transit
- Passwords stored only as bcrypt hashes
- JWT-based sessions with device binding; refresh tokens revoked on password change
- Refresh tokens stored in the device's secure keychain (`react-native-keychain`)
- Rate-limiting on sensitive endpoints (login, OTP, account deletion)
- Server-side input validation and parameterised queries via Prisma
- Optional device-integrity attestation via Google Play Integrity API (disabled by default)
- Periodic dependency updates and least-privilege access controls
14. Your rights as a Data Principal
Under the DPDP Act, you have the right to:
- Access a summary of personal data we hold about you (`GET /user/export`, or write to us)
- Correct inaccurate or incomplete data — most fields (name, username, archetype, notification preferences) are user-editable in Settings
- Erase your data via the in-App "Delete Account" flow
- Withdraw consent for AI Coach, push notifications, or social features individually in Settings
- Grievance redressal — see §17
- Nominate another individual to exercise your rights on your behalf in the event of your death or incapacity (DPDP §14)
For requests beyond in-App self-service, email hello@hephatech.in with the subject "DPDP Request — GrowBit"; we respond within 30 days.
15. Children
GrowBit is not directed at children under 13 years of age, and we do not knowingly collect personal data from anyone we know to be under 13. The App is most useful for users 18 and over; users between 13 and 18 should use it under the supervision of a parent or legal guardian.
Where we do process the personal data of any individual under 18, we obtain verifiable parental consent in the manner prescribed under §9 of the DPDP Act.
16. Data breach handling
In the event of a personal-data breach, we will notify the Data Protection Board of India and each affected Data Principal as required under §8(6) of the DPDP Act, with sufficient detail and within the timelines prescribed by the Rules.
17. Grievance redressal
For any complaint about how your personal data has been handled, you may contact our Grievance Officer:
- Name: [Grievance Officer name]
- Email: [Grievance Officer email]
- Phone: [Grievance Officer phone]
- Address: [Registered address]
The Grievance Officer will acknowledge your complaint within 72 hours and resolve it within 30 days. If you remain dissatisfied, you may escalate to the Data Protection Board of India.
18. Changes
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be flagged in-App and on the marketing site for 30 days; for substantive changes that affect your rights, we will require you to re-consent on next launch.
19. Contact
For any privacy-related question, email hello@hephatech.in or write to the Grievance Officer above.
This document is a good-faith draft prepared in line with the Digital Personal Data Protection Act, 2023 and the Information Technology Act, 2000. We recommend obtaining independent legal advice before relying on it for production.