Habit Dragons

Privacy Policy for Habit Dragons mobile App

Privacy Policy
Last updated: October 19, 2025

Introduction

Welcome to Habit Dragons. Your privacy is important to us. This Privacy Policy explains how beemytask Ltd ("we", "us", "our", "Company") collects, uses, stores, and protects your personal information when you use the Habit Dragons mobile application ("the App"). By using Habit Dragons, you agree to the collection and use of information in accordance with this Privacy Policy.

Data Controller

The Data Controller responsible for your personal data is:
beemytask Ltd
Registration Number: 16529696
Registered Address: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
Contact Email: support@beemytask.com

The Data Controller determines the purposes and means of processing your personal data. If you have any questions about how your data is processed, please contact us at the email address above.

1. Information We Collect

We collect and store limited personal and usage data to provide and improve the App’s features.

a. Account Information

  • Google Account data (if you sign in with Google): name, email, and profile ID (handled securely by Google Sign-In).
  • Anonymous login: we store only a unique Firebase user ID, without personal details.

b. Habit and Gameplay Data

We store:

  • Dragon names, happiness, and progress,
  • Habit titles and reminders,
  • Achievement status,
  • Cosmetic items or themes you own or equip.

This data is used solely to operate your in-app experience and sync your progress across sessions.

c. Device and Technical Data

Automatically collected by Firebase:

  • App version, device type, OS version,
  • Crash reports and basic diagnostics.

This helps us fix bugs and improve performance.

d. In-App Purchase Data

When you buy premium features or cosmetic items, Google Play provides us with purchase tokens and product IDs (not your payment information). All transactions are processed securely by Google Play Billing.

e. Notifications

If you allow notifications, we store your reminder times and use Firebase Cloud Messaging (FCM) to deliver habit reminders, motivational messages, and marketing messages. Marketing notifications are sent only with your explicit consent, and you can withdraw your consent at any time by disabling notifications in your device settings.

2. How We Use Your Data

We use collected data to:

  • Maintain and sync your dragons, habits, and achievements,
  • Send optional habit reminders,
  • Restore in-app purchases and subscriptions,
  • Provide app analytics, crash reporting, and updates,
  • Improve user experience and add new features,
  • Send in-app messages about new features or updates,
  • Send service-related announcements.

We do not sell, rent, or trade your data to any third parties.

2.1 Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

  • Consent: When you create an account and accept this Privacy Policy, you consent to our processing of your personal data as described herein.
  • Contract Performance: Processing is necessary to provide the app service you requested, including maintaining your account, syncing your data, and processing in-app purchases.
  • Legitimate Interests: We process certain data based on our legitimate interests in improving the app, preventing fraud, ensuring security, and analyzing usage patterns to enhance user experience. Your rights and freedoms are not overridden by these interests.
  • Legal Obligation: We process and retain certain data where required by law, such as transaction records for tax and accounting purposes.

3. Third-Party Services

Habit Dragons relies on trusted third-party services to operate:

Google Firebase Analytics and Crashlytics:

  • Purpose: Anonymous usage analytics, crash reporting, and performance monitoring.
  • Data Shared: Non-personal identifiers, app events, and crash logs.
  • Privacy Policy: https://policies.google.com/privacy

Firebase (Google Cloud Platform):

Google Play Services:

3.1 Legal Requirements

We may disclose your information if required by law or in response to:

  • Legal processes (court orders, subpoenas)
  • Government requests
  • Protection of our rights, privacy, safety, or property
  • Prevention of fraud or abuse

3.2 Contract data processing

(1) It may happen that contracted service providers are used for individual functions of our App. As with any large company, we also use external domestic and foreign service providers to handle our business transactions (e.g., in the areas of IT, logistics, telecommunications, sales, and marketing). These service providers only act on our instructions and are contractually obliged to comply with data protection regulations in accordance with Art. 28 GDPR.

(2) The following categories of recipients may have access to your personal data:

  • Service providers for the operation of our App and the processing of data stored or transmitted by the systems (e.g., for data center services, IT security). The legal basis for the transfer is then Art. 28 GDPR unless they are processors;
  • Government agencies/authorities, insofar as this is necessary to fulfill a legal obligation. The legal basis for the transfer is then Art. 6(1)(c) GDPR;
  • Persons employed to carry out our business operations (e.g., auditors, banks, insurance companies, legal advisors, supervisory authorities, parties involved in company acquisitions or the establishment of joint ventures). The legal basis for the transfer is then Art. 6(1)(b) or (f) GDPR.

(3) Furthermore, we only disclose your personal data to third parties if you have given your express consent in accordance with Art. 6(1)(a) GDPR.

(4) If we pass on your personal data to our subsidiaries or if our subsidiaries pass on your personal data to us (e.g. for advertising purposes), this is done based on existing data processing agreements.

4. Data Storage and Security

All user data is stored on Google Firebase (Google Cloud) servers. We use encryption, authentication, and secure connections (HTTPS) to protect your data. Although we take all reasonable measures, no system is 100% secure. Use of the App is at your own risk.

4.1 International Data Transfers and Data Location

Data Location:
Your personal data is stored on Firebase (Google Cloud) servers located in the European Union (EU).

UK to EU Transfers:
As your data is stored within the EU, transfers from the UK to the EU are covered by the UK's adequacy decision, which recognizes the EU as providing an adequate level of data protection equivalent to UK GDPR.

Other Transfers:
In limited circumstances, your data may be accessed by Google's support or technical teams located outside the UK/EU (e.g., in the United States) for service maintenance and support purposes. When this occurs, appropriate safeguards are in place, including:

  • Google's compliance with the EU-U.S. Data Privacy Framework
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Appropriate technical and organizational security measures

5. Data Retention and Account Deletion

Retention Period:
We retain your personal information only for as long as necessary to fulfill the purpose for which it was collected, as required by law, or to address any legal disputes. As a rule, we store your personal data for the duration of the user or contractual relationship via the App.

Account Deletion:
You can permanently delete your account and all associated personal data directly from within the Habit Dragons app by selecting Settings → Delete My Account.

Deletion Timeline:
(1) We will delete your personal data within 30 days of account deletion, except where we are legally required to retain certain information (e.g., transaction records for tax purposes must be retained for 7 years under UK law).

(2) However, data may be stored beyond this period in the event of a (threatened) legal dispute with you or other legal proceedings.

(3) Your data is generally only stored on our servers in the EU/EEA and the UK, subject to any international transfers as described in Section 4.1.

Third-Party Storage:
Third parties employed by us (see Section 3.2) will store your data for as long as necessary in connection with providing services to us.

Anonymized Data:
Data may be anonymized or aggregated for analytics after deletion to maintain service quality. This data cannot be used to identify you personally.

Legal Requirements:
Legal requirements for the storage and deletion of personal data remain unaffected by the above. When the storage period prescribed by law expires, the personal data will be blocked or deleted, unless further storage by us is necessary and there is a legal basis for this.

For more information about Firebase's data protection: https://firebase.google.com/support/privacy

6. Children's Privacy

The App is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children without parental consent. If we become aware that we have unintentionally collected information from a child, we will take appropriate steps to delete it.

7. Your Rights

You have certain rights regarding your personal information under applicable data protection laws. You may have the right to:

  1. Right of access
    You have the right to obtain information from us about the personal data concerning you within the scope of Art. 15 GDPR.
  2. Right to object to data processing and revoke consent
    (1) In accordance with Art. 21 GDPR, you have the right to object to the processing of personal data concerning you at any time. We will stop processing your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if the processing serves to assert, exercise, or defend legal claims.
    (2) In accordance with Art. 7(3) GDPR, you have the right to withdraw your consent once given (even before the GDPR came into force, i.e., before May 25, 2018) – i.e., your voluntary, informed and unambiguous declaration of intent, made clear by a statement or other unequivocal affirmative action, that you consent to the processing of the personal data concerned for one or more specific purposes – at any time, if you have given such consent. As a result, we will no longer be permitted to continue processing the data based on this consent in the future.
  3. Right to rectification and erasure
    (1) If personal data concerning you is inaccurate, you have the right to request that we rectify it without delay in accordance with Art. 16 GDPR.
    (2) Under the conditions specified in Art. 17 GDPR, you have the right to request the erasure of personal data concerning you. You have the right to erasure in particular if the data in question is no longer necessary for the purposes of collection or processing, if the data storage period (see Section 5) has expired, if there is an objection (see Section 7.2), or if there is unlawful processing.
  4. Right to restriction of processing
    (1) In accordance with Art. 18 GDPR, you have the right to request that we restrict the processing of your personal data.
    (2) You are particularly entitled to the right to restriction of processing if the accuracy of the personal data is disputed between you and us; in this case, you are entitled to this right for a period of time required to verify the accuracy. The same applies if the successful exercise of a right to object (see Section 7.2.) is still disputed between you and us. You also have this right in particular if you have a right to erasure (see Section 7.3) and you request restricted processing instead of erasure.
  5. Right to data portability
    In accordance with Art. 20 GDPR, you have the right to receive from us the personal data concerning you that you have provided to us in a structured, commonly used, machine-readable format.
  6. Right to lodge a complaint with the supervisory authority
    (1) Pursuant to Art. 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority regarding the collection and processing of your personal data.
    (2) EU residents have the right to contact the data protection authority of any EU member state of their choice to exercise their data protection rights. An overview of all data protection authorities in the EU, along with contact details, can be found at the following link: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en
    (3) UK residents can contact the UK Information Commissioner's Office: https://ico.org.uk/make-a-complaint/data-protection-complaints/

To exercise your rights, please contact us at support@beemytask.com

Subject Line: Data Rights Request - [Your Name]

Please include:

  • Your name
  • Email address associated with your account
  • The specific right you wish to exercise
  • Any relevant details to help us verify your identity and process your request

We will respond to verified requests within 30 days (1 month) as required by GDPR. In complex cases, we may extend this by an additional 2 months and will inform you of the delay and reasons.

8. No automated decision-making (including profiling)

We do not intend to use personal data collected from you for automated decision-making (including profiling).

9. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. Any significant changes will be communicated to you via prominent notice on the Website or through other communication channels. We encourage you to review this Privacy Policy regularly to stay informed about how we are protecting your data.

10. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

beemytask Ltd
Email: support@beemytask.com
Address: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
Registration Number: 16529696

For Data Protection Inquiries: Please use the subject line "Privacy Inquiry - Habit Dragons"

Response Time: We aim to respond to all inquiries within 5 business days, and to data rights requests within 30 days as required by GDPR.