Privacy Policy
Last Updated: February 1, 2026
Effective Date: February 1, 2026
1. Introduction and Acceptance
This Privacy Policy ("Policy") governs the collection, use, storage, processing, disclosure, and protection of information obtained through:
(a) The Habit Loops mobile application available on iOS and Android ("App" or "Application");
(b) The Frictionwell marketing website located at https://frictionwell.com and any subdomains thereof ("Website" or "Marketing Site");
(c) Any related websites, landing pages, microsites, or web properties operated by or on behalf of Frictionwell;
(d) Any related services, features, content, APIs, or applications offered by Frictionwell;
(collectively referred to as the "Services" or "Platforms").
This Policy is issued by Frictionwell, a sole proprietorship registered in Bengaluru, Karnataka, India ("Company," "we," "us," or "our").
Registered Address:
Frictionwell
Bengaluru, Karnataka, India
Email: reachus@frictionwell.com
BY DOWNLOADING, INSTALLING, ACCESSING, OR USING THE APP; BY VISITING, BROWSING, OR INTERACTING WITH OUR WEBSITE OR ANY OF OUR WEB PROPERTIES; OR BY USING ANY OF OUR SERVICES IN ANY CAPACITY, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THIS PRIVACY POLICY IN ITS ENTIRETY. If you do not agree with any provision of this Policy, you must immediately cease all use of the App, leave our Website, and discontinue use of all Services.
This Policy applies to all users of our Services, including but not limited to:
- Mobile app users (free and premium)
- Website visitors and browsers
- Newsletter subscribers
- Blog readers and commenters
- Beta testers and trial users
- Users who contact us through any channel
- Any other individuals who access or interact with our Services in any capacity
We reserve the right to modify this Privacy Policy at any time. Changes will be made in accordance with Section 15 of this Policy. We encourage you to review this Policy periodically.
2. Definitions
For the purposes of this Privacy Policy, the following definitions apply:
- "Personal Information" or "Personal Data" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
- "Device" means any mobile phone, tablet, computer, or other electronic device used to access the App.
- "Usage Data" means data collected automatically, either generated by the use of the App or from the App infrastructure itself (e.g., duration of page visits, interaction patterns).
- "Cookies" means small data files stored on your Device.
- "Data Controller" means the entity that determines the purposes and means of processing Personal Data.
- "Data Processor" means the entity that processes data on behalf of the Data Controller.
- "User", "You", or "Your" means any individual accessing or using the App.
- "Third-Party Services" means any services, platforms, or applications not operated by the Company but integrated with or accessed through the App.
3. Information We Collect
3.1 Information You Provide Directly
When you use Habit Loops, you may voluntarily provide the following information:
Account Information:
- Email address (for account creation and authentication)
- Display name or username (optional)
- Profile photograph (optional)
- Password (only if you register via email/password; stored in encrypted/hashed form by our authentication provider — we never have access to your plaintext password. If you sign in via Apple or Google, no password is collected by us.)
Habit Data:
- Habit names, descriptions, and categories you create
- Habit completion records and check-ins
- Streak data and completion history
- Notes or annotations you add to habits
- Custom templates you create
- Habit frequency and scheduling preferences
- Habit type (build or quit)
- Target completion counts
- Reminder settings and preferences
User-Generated Content:
- Any text, notes, or descriptions you enter into the App
- Custom categories or tags you create
- Feedback, suggestions, or communications you send to us
Payment and Subscription Information:
- Subscription tier selection (free, monthly, yearly, lifetime)
- Transaction identifiers provided by Apple App Store or Google Play Store
- Subscription status and renewal dates
Note: We do not directly collect, process, or store credit card numbers, bank account details, or other financial payment instruments. All payment processing is handled exclusively by Apple (App Store) or Google (Play Store) through their respective in-app purchase systems, or by RevenueCat as our subscription management provider. We only receive transaction confirmation data and subscription status information.
3.2 Information Collected Automatically
When you use the App, certain information is collected automatically:
Device Information:
- Device type, model, and manufacturer
- Operating system type and version
- Unique device identifiers (where permitted by law)
- Device language and regional settings
- Screen resolution and display characteristics
- Available storage space (for backup functionality)
App Usage Data:
- App version installed
- Features accessed and frequency of use
- Session duration and timing
- Screens viewed and navigation patterns
- Interaction events (taps, swipes, gestures)
- Error logs and crash reports
- Performance metrics and diagnostics
Technical Data:
- IP address (may be anonymized or truncated)
- Time zone setting
- Internet connection type (WiFi, cellular)
- Referring source (how you found the App)
3.3 Information from Third-Party Services
If you choose to use certain features, we may receive information from third-party services:
Authentication Providers: If you sign in using Apple Sign-In, Google Sign-In, or other social authentication:
- Email address associated with your account
- Display name (if provided)
- Profile photograph URL (if provided)
- Unique identifier from the authentication provider
Cloud Storage Providers: If you enable cloud backup functionality:
- iCloud (iOS): Backup data is stored in your personal iCloud account
- Google Drive (Android): Backup data is stored in your personal Google Drive account
- We do not have access to your cloud storage credentials or other files in your cloud accounts
Analytics and Crash Reporting Services: We may use third-party analytics and crash reporting services that collect aggregated, anonymized, or pseudonymized data about App usage and performance.
3.4 Information Collected Through the Website
When you visit our Website or Marketing Site, we may additionally collect:
Browser and Access Data:
- Browser type, version, and language
- Operating system
- Referring URL (the page that led you to our site)
- Pages visited, time spent on pages, and navigation path
- Date and time of access
- Screen resolution and viewport size
Cookies and Similar Technologies:
- Essential cookies required for website functionality
- Analytics cookies to understand site usage and improve user experience
- Preference cookies to remember your settings
- Marketing cookies to measure advertising effectiveness (only with your consent)
See Section 24 (Cookie Policy) for detailed information on cookie usage.
Newsletter and Marketing Data: If you subscribe to our newsletter or marketing communications:
- Email address
- Name (if provided)
- Subscription preferences
- Email open rates and click-through data
- Date and time of subscription
Contact and Support Data: If you contact us through the Website:
- Name and email address
- Subject and content of your message
- Any attachments you provide
Blog Interaction Data: If you interact with our blog:
- Comments you post (if commenting is enabled)
- Pages and articles viewed
3.5 Information We Do NOT Collect
To be clear, Habit Loops does NOT collect:
- Precise geolocation data or GPS coordinates
- Contact lists or address books
- Call logs or SMS/text messages
- Photographs, videos, or media files (except profile photos you explicitly upload)
- Microphone or camera data
- Browsing history outside the App
- Data from other applications on your device
- Biometric data (fingerprints, facial recognition data)
- Genetic or health data from health platforms
- Information about children under 13 (see Section 12)
4. How We Use Your Information
We use the information we collect for the following purposes:
4.1 Service Provision and Core Functionality
- To create and manage your user account
- To enable habit tracking, completion logging, and streak calculation
- To provide analytics, statistics, and progress visualization
- To deliver personalized insights and recommendations (premium feature)
- To generate gamification elements (badges, levels, achievements)
- To enable data export functionality
- To process and manage your subscription
- To enable backup and restore functionality
- To synchronize data across your devices (where applicable)
- To display the Habi mascot companion and related features
4.2 Communication
- To send transactional emails (account verification, password resets)
- To respond to your inquiries, feedback, or support requests
- To send service-related announcements and updates
- To send promotional communications (only with your explicit consent)
- To deliver push notifications and reminders (only if enabled by you)
4.3 Improvement and Development
- To understand how users interact with the App
- To identify and fix bugs, errors, and technical issues
- To improve App performance and user experience
- To develop new features and functionality
- To conduct research and analysis on usage patterns
- To test new versions and features
4.4 Safety and Security
- To detect, prevent, and address fraud, abuse, or security threats
- To enforce our Terms of Service and other policies
- To protect our rights, property, and safety
- To protect the rights, property, and safety of our users
- To comply with legal obligations
4.5 Legal and Compliance
- To comply with applicable laws, regulations, and legal processes
- To respond to lawful requests from public authorities
- To protect against legal liability
- To establish, exercise, or defend legal claims
4.6 AI-Powered Features (Premium)
If you subscribe to premium features that include AI-powered insights:
- We may process your habit data to generate personalized recommendations
- AI analysis may include pattern recognition, trend identification, and behavioral insights
- AI processing may occur on-device or via secure cloud-based services
- You maintain full control over AI feature usage through App settings
5. Legal Bases for Processing (GDPR Compliance)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your Personal Data based on the following legal grounds:
5.1 Contractual Necessity
Processing necessary to perform our contract with you, including:
- Account creation and management
- Service delivery and core functionality
- Subscription processing and management
- Customer support
5.2 Legitimate Interests
Processing based on our legitimate business interests, including:
- Improving and optimizing our Services
- Ensuring security and preventing fraud
- Analytics and research
- Marketing our Services to existing customers
5.3 Consent
Processing based on your explicit consent, including:
- Marketing communications
- Optional analytics and tracking
- AI-powered personalized features
- Push notifications
You may withdraw consent at any time through the App settings or by contacting us.
5.4 Legal Obligation
Processing necessary to comply with legal requirements, including:
- Tax and accounting obligations
- Responding to legal requests
- Regulatory compliance
6. Data Sharing and Disclosure
6.1 We Do NOT Sell Your Personal Data
Habit Loops does not sell, rent, lease, or trade your Personal Data to third parties for their marketing purposes or any other commercial purpose.
6.2 Service Providers and Partners
We may share information with trusted third-party service providers who assist us in operating the App, conducting our business, or serving our users, subject to confidentiality obligations:
Cloud Infrastructure:
- Supabase (database hosting, authentication services)
- Hosting and content delivery providers
Payment Processing:
- RevenueCat (subscription management)
- Apple Inc. (App Store payments)
- Google LLC (Play Store payments)
Analytics and Performance:
- PostHog (privacy-focused analytics)
- Sentry (error tracking and crash reporting)
Communication:
- Email service providers (transactional emails only)
These providers are contractually obligated to:
- Use your information only for the specific services they provide to us
- Maintain appropriate security measures
- Not disclose your information to other parties
- Delete or return data upon termination of services
6.3 Legal Requirements
We may disclose your information if required to do so by law or in response to valid requests by public authorities, including:
- Court orders, subpoenas, or legal process
- Government or regulatory agency requests
- Law enforcement requests
- National security or intelligence requests
We will attempt to notify you of such requests unless prohibited by law or court order.
6.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our App of any change in ownership or uses of your Personal Data.
6.5 Protection of Rights
We may disclose information when we believe in good faith that disclosure is necessary to:
- Protect our rights, property, or safety
- Protect the rights, property, or safety of our users or others
- Investigate fraud or respond to government requests
- Enforce our Terms of Service
6.6 Aggregated or De-Identified Data
We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you for any purpose, including research, analytics, and marketing.
7. Data Storage and Security
7.1 Data Storage Locations
Local Storage: Your habit data is primarily stored locally on your device using SQLite database technology. This means:
- Your data remains on your device under your control
- The App functions offline without internet connectivity
- Local data is subject to your device's security measures
Cloud Storage (Optional): If you enable cloud backup:
- iOS users: Data is stored in your personal iCloud account
- Android users: Data is stored in your personal Google Drive account
- We do not host or control this cloud-stored data
Server-Side Storage: Certain data may be stored on our servers or third-party infrastructure:
- Account credentials (encrypted)
- Subscription status
- Anonymized analytics data
- Error logs and crash reports
7.2 Data Retention
We retain your Personal Data only for as long as necessary to:
- Provide our Services to you
- Comply with legal obligations
- Resolve disputes
- Enforce our agreements
Specific retention periods:
- Account data: Retained while your account is active, plus 30 days after deletion request
- Habit data: Retained locally on your device; server copies (if any) deleted within 30 days of account deletion
- Analytics data: Retained in anonymized form indefinitely; identifiable data retained for up to 24 months
- Transaction records: Retained for 7 years for tax and legal compliance
- Support communications: Retained for up to 3 years after resolution
7.3 Security Measures
We implement appropriate technical and organizational security measures to protect your information, including:
Technical Measures:
- Encryption of data in transit using TLS/SSL
- Encryption of sensitive data at rest
- Secure password hashing using industry-standard algorithms
- Regular security assessments and vulnerability testing
- Access controls and authentication requirements
- Secure development practices
Organizational Measures:
- Limited access to Personal Data on a need-to-know basis
- Employee confidentiality obligations
- Incident response procedures
- Regular security training
7.4 Security Limitations
IMPORTANT DISCLAIMER: While we implement commercially reasonable security measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of your data. You acknowledge and accept that:
- Any transmission of information is at your own risk
- We are not responsible for circumvention of any privacy settings or security measures
- You are responsible for maintaining the security of your device and account credentials
- We are not liable for unauthorized access resulting from your failure to safeguard your credentials
8. Your Rights and Choices
8.1 Account and Data Management
You have the following controls within the App:
- Access: View your habit data and account information
- Correction: Edit or update your personal information
- Export: Download your data in multiple formats (CSV, JSON, PDF)
- Deletion: Delete individual habits, categories, or your entire account
- Backup: Create and restore backups of your data
8.2 Communication Preferences
You can control communications by:
- Disabling push notifications in App settings or device settings
- Unsubscribing from marketing emails via the link in each email
- Adjusting reminder settings within the App
8.3 Analytics and Tracking Opt-Out
You can opt out of analytics collection:
- Within the App's Data & Privacy settings
- By disabling "Allow Tracking" in your device's privacy settings
- By contacting us to request exclusion
8.4 Rights Under GDPR (EEA, UK, Switzerland)
If you are located in the EEA, UK, or Switzerland, you have the following rights:
- Right of Access: Obtain confirmation of whether we process your data and access to that data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restriction: Restrict processing of your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time
- Right to Lodge a Complaint: File a complaint with a supervisory authority
8.5 Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CPRA):
- Right to Know: Request information about data we collect, use, and disclose
- Right to Delete: Request deletion of your Personal Information
- Right to Correct: Request correction of inaccurate Personal Information
- Right to Opt-Out: Opt out of the sale or sharing of Personal Information (Note: We do not sell or share Personal Information for cross-context behavioral advertising)
- Right to Limit: Limit the use and disclosure of sensitive Personal Information
- Right to Non-Discrimination: Not be discriminated against for exercising your rights
California residents may designate an authorized agent to make requests on their behalf.
8.6 Rights Under Other Jurisdictions
We comply with applicable privacy laws in other jurisdictions. If you have specific rights under your local law, please contact us.
8.7 Exercising Your Rights
To exercise any of these rights, you may:
- Use the in-App settings and controls
- Email us at: reachus@frictionwell.com
- Submit a request through our website contact form
We will respond to verifiable requests within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.
9. International Data Transfers
9.1 Transfer Mechanisms
If you are located outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.
For transfers from various jurisdictions, we rely on appropriate legal mechanisms:
From the EEA, UK, or Switzerland:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions by the European Commission
- Other lawful transfer mechanisms under GDPR
From Australia:
- Reasonable steps to ensure overseas recipients comply with Australian Privacy Principles
- Contractual obligations on data recipients
From Singapore:
- Compliance with PDPA requirements for overseas transfers
- Contractual protections ensuring comparable data protection
From India:
- Compliance with DPDPA cross-border transfer provisions
- Adequate safeguards as required by Indian law
From Japan:
- Compliance with APPI requirements for cross-border transfers
- Ensuring recipient countries have equivalent data protection standards or contractual safeguards
From South Korea:
- Compliance with PIPA requirements including notice and consent for overseas transfers
- Contractual safeguards ensuring data protection
From Canada:
- Compliance with PIPEDA requirements
- Contractual clauses ensuring comparable protection
From Brazil:
- Compliance with LGPD international transfer requirements
- Standard contractual clauses or other recognized mechanisms
From Other Jurisdictions:
- Compliance with applicable local data transfer requirements
- Appropriate contractual or other safeguards
9.2 Countries Where Data May Be Processed
Your data may be processed in the following countries:
- United States (primary data processing)
- Countries where our cloud service providers operate (including but not limited to the US, EU, and Singapore)
9.3 Your Consent to Transfer
By using the App, you acknowledge and consent to the transfer, storage, and processing of your information in countries outside your country of residence, which may have different data protection laws. We take appropriate steps to ensure your data remains protected in accordance with this Privacy Policy regardless of where it is processed.
10. Third-Party Links and Services
10.1 External Links
The App may contain links to third-party websites, services, or applications that are not operated by us. We are not responsible for the content, privacy policies, or practices of any third-party sites or services.
10.2 Third-Party Integrations
If you connect the App to third-party services (e.g., sign-in with Google/Apple), those services have their own privacy policies. We encourage you to review them.
10.3 Social Sharing
If you share content from the App to social media platforms, your activity is governed by those platforms' privacy policies.
11. Push Notifications and Local Notifications
11.1 Notification Types
The App may send:
- Habit reminders: Notifications to remind you to complete habits
- Streak alerts: Notifications about streaks at risk
- Achievement notifications: Celebrations for badges and milestones
- Service announcements: Important updates about the App
11.2 Consent and Control
- Push notifications require your explicit permission
- You can disable notifications at any time in App settings or device settings
- Local notifications (on-device only) may be sent even without push notification permission
12. Children's Privacy
12.1 Age Restrictions
Habit Loops is not intended for children under the applicable age of digital consent in their jurisdiction.
The minimum age requirements vary by jurisdiction:
- United States: 13 years (COPPA)
- European Union/UK: 16 years (or lower if member state has set a lower age, minimum 13)
- Australia: 13 years
- Singapore: 13 years
- India: 18 years (users under 18 require verifiable parental consent under DPDPA)
- Japan: 13 years
- South Korea: 14 years (users under 14 require parental consent; users under 19 need guardian consent for subscriptions)
- Canada: 13 years (may vary by province)
- Brazil: 13 years (users under 18 may require parental consent for certain processing)
- Other jurisdictions: The higher of 13 years or the local age of digital consent
We do not knowingly collect Personal Information from children below the applicable age without verifiable parental consent.
12.2 Parental Consent
Where required by law, we will obtain verifiable parental consent before collecting Personal Information from minors. Parents or guardians may:
- Review their child's Personal Information
- Request deletion of their child's Personal Information
- Refuse to permit further collection or use
- Withdraw consent previously provided
12.3 Parental Rights
If you are a parent or guardian and believe your child has provided us with Personal Information without proper consent, please contact us immediately at reachus@frictionwell.com. We will take steps to delete such information from our systems.
12.4 COPPA Compliance (United States)
We comply with the Children's Online Privacy Protection Act (COPPA). If we discover we have collected information from a child under 13 without verifiable parental consent, we will delete it promptly.
12.5 Jurisdiction-Specific Requirements
We comply with all applicable laws regarding children's privacy in the jurisdictions where we operate, including but not limited to:
- COPPA (United States)
- GDPR Article 8 (EU/UK)
- DPDPA provisions on children (India)
- PIPA provisions on minors (South Korea)
- APPI provisions on minors (Japan)
- Privacy Act provisions (Australia)
- PDPA provisions (Singapore)
- PIPEDA and provincial laws (Canada)
- LGPD provisions on minors (Brazil)
13. Do Not Track and Global Privacy Control Signals
13.1 Do Not Track
Some browsers have a "Do Not Track" (DNT) feature that sends a signal to websites you visit indicating you do not wish to be tracked. As there is no industry standard for DNT, our Services do not currently respond to DNT signals.
13.2 Global Privacy Control (GPC)
We recognize and honor Global Privacy Control (GPC) signals as a valid opt-out mechanism where required by applicable law, including under the California Consumer Privacy Act (CCPA/CPRA). If our systems detect a GPC signal from your browser, we will treat it as a request to opt out of the sale or sharing of your Personal Information.
14. Data Processing Addendum
For users subject to GDPR or similar regulations requiring a Data Processing Agreement (DPA), our standard DPA is available upon request by contacting reachus@frictionwell.com.
15. Changes to This Privacy Policy
15.1 Right to Modify
We reserve the right to modify, amend, or replace this Privacy Policy at any time, at our sole discretion, to reflect changes in our data practices, legal requirements, or business operations.
15.2 Classification of Changes
We classify changes into two categories:
Material Changes — Changes that significantly affect your rights, the categories of data we collect, how we use or share your data, or that reduce the protections afforded to you. Examples include:
- Introducing new categories of Personal Data collection
- Sharing data with new categories of third parties
- Changing the legal basis for processing
- Reducing your data subject rights
- Changing data retention periods significantly
- Transferring data to new jurisdictions
Non-Material Changes — Minor updates such as formatting corrections, clarifications of existing practices, updated contact information, or changes required by law that do not reduce your protections.
15.3 Notification of Material Changes
For Material Changes, we will provide notice through at least two of the following methods:
- Prominent banner or notice on our Website for at least 30 days
- In-App notification or pop-up
- Email notification to the address associated with your account
- Push notification (if you have notifications enabled)
- Blog post or announcement on our Website
Material Changes will not take effect until 30 days after the date of notification ("Notice Period"), unless:
(a) The change is required by law, regulation, or court order, in which case it takes effect as required;
(b) The change is necessary to address an immediate security threat;
(c) A longer notice period is required by applicable local law.
15.4 Notification of Non-Material Changes
For Non-Material Changes, we will:
- Update the "Last Updated" date at the top of this Policy
- Post the revised Policy on our Website and make it available in the App
Non-Material Changes take effect immediately upon posting.
15.5 Your Options Upon Material Changes
Upon receiving notice of a Material Change, you may:
(a) Accept the changes by continuing to use our Services after the Notice Period;
(b) Reject the changes by:
- Deleting your account and ceasing all use of our Services before the end of the Notice Period;
- Contacting us at reachus@frictionwell.com to discuss the changes;
- Exercising any opt-out rights provided in the notification.
15.6 Deemed Acceptance
YOUR CONTINUED USE OF ANY OF OUR SERVICES (INCLUDING THE APP, WEBSITE, OR ANY WEB PROPERTY) AFTER THE NOTICE PERIOD CONSTITUTES YOUR BINDING ACCEPTANCE OF THE REVISED PRIVACY POLICY. If you do not agree to the revised Privacy Policy, your sole remedy is to cease using our Services and delete your account.
15.7 Version History
We maintain an archive of prior versions of this Privacy Policy, available upon request at reachus@frictionwell.com.
15.8 Jurisdictional Notice Requirements
In jurisdictions where specific notice periods or methods are required by law (such as GDPR, DPDPA, or PIPA), we will comply with the longer or more stringent requirement.
16. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices — including GDPR, CCPA, DPDPA, or any other jurisdiction-specific inquiries — please contact us:
Frictionwell
Email: reachus@frictionwell.com
Website: https://frictionwell.com
17. Governing Law
This Privacy Policy shall be governed by and construed in accordance with the laws of India, with specific reference to the laws applicable in the State of Karnataka, without regard to conflict of law provisions, except where applicable local privacy laws (such as GDPR, CCPA, PDPA, DPDPA, APPI, PIPA, PIPEDA, or LGPD) require otherwise. Any disputes arising from this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Bengaluru, Karnataka, India, except where mandatory local law grants you the right to bring proceedings in your country of residence.
18. Limitation of Liability for Privacy Matters
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER FRICTIONWELL NOR ITS PROPRIETOR, EMPLOYEES, AGENTS, CONTRACTORS, OR AFFILIATES SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES ARISING OUT OF OR RELATED TO THIS PRIVACY POLICY OR OUR DATA PRACTICES.
YOUR TOTAL RECOVERY FOR ANY PRIVACY-RELATED CLAIMS SHALL BE LIMITED TO THE LIABILITY CAP SET FORTH IN OUR TERMS AND CONDITIONS. SEE OUR TERMS AND CONDITIONS FOR ADDITIONAL LIMITATIONS ON RECOURSE.
19. Severability
If any provision of this Privacy Policy is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect.
20. Entire Agreement
This Privacy Policy, together with our Terms and Conditions, constitutes the entire agreement between you and Frictionwell regarding the collection and use of your information through the Services.
21. Language
This Privacy Policy is provided in English. If translated into other languages, the English version shall prevail in case of any discrepancy, except where prohibited by local law.
22. US State Privacy Rights
22.1 California
Shine the Light (Civil Code §1798.83): California residents may request information regarding our disclosure of Personal Information to third parties for their direct marketing purposes. As stated in this Policy, we do not share your Personal Information with third parties for their direct marketing purposes.
CCPA/CPRA Rights: See Section 8.5 for your detailed rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act, including rights to know, delete, correct, opt-out, and limit use of sensitive data.
22.2 Other US States
Residents of other US states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, and Nevada, among others) may have additional rights under their respective state privacy laws, such as rights to access, correct, delete, and obtain a copy of personal data, and to opt out of targeted advertising, sale of personal data, and profiling. We do not sell your Personal Information. To exercise any applicable state privacy rights, contact us at reachus@frictionwell.com.
23. Privacy Contact
For all privacy-related concerns, data protection inquiries, or to exercise any rights under applicable privacy laws, contact us at:
Email: reachus@frictionwell.com
24. Cookie Policy
24.1 Mobile App
The App does not use cookies in the traditional web browser sense. However, the App may use local storage mechanisms on your device (such as AsyncStorage or SQLite) to store preferences, settings, and App data. This local storage is essential for the App's functionality and cannot be disabled while using the App.
24.2 Website and Marketing Site
When you visit our Website, we may use cookies and similar tracking technologies. These are categorized as follows:
Strictly Necessary Cookies: Required for the Website to function. These cannot be disabled. They include cookies for security, load balancing, and session management.
Analytics Cookies: Help us understand how visitors interact with our Website by collecting anonymous usage data. We use privacy-focused analytics tools. You may opt out of analytics cookies through your browser settings or our cookie consent mechanism.
Functional Cookies: Remember your preferences and settings (e.g., language, region) to enhance your experience. Disabling these may result in reduced functionality.
Marketing/Advertising Cookies: Used to track visitors across websites to display relevant advertisements. We will only set these cookies with your explicit consent.
24.3 Managing Cookies
You can manage cookies through:
- Our cookie consent banner displayed on the Website
- Your browser settings (blocking or deleting cookies)
- Browser extensions designed to manage cookies
Note: Disabling certain cookies may affect your ability to use some features of our Website.
24.4 Third-Party Cookies
Our Website may include content or services from third parties (e.g., analytics providers, embedded content) that may set their own cookies. We do not control these third-party cookies and recommend reviewing their respective privacy policies.
25. Algorithmic Analysis
The App uses algorithmic features to provide you with useful insights and statistics, including:
- Calculating streaks, completion rates, and progress analytics
- Determining badge achievements and gamification rewards
- Generating personalized habit insights and recommendations (premium feature, where available)
These features use deterministic calculations and, where applicable, AI-based analysis. None of these processes produce legal effects or similarly significant effects on you. Where AI-powered personalization features are available, you can manage them through the App settings.
26. Data Breach Notification
In the event of a data breach that affects your Personal Information, we will:
(a) Assess the scope and severity of the breach without unreasonable delay;
(b) Notify affected users and applicable regulatory authorities in accordance with the following timelines:
- GDPR (EU/UK): Supervisory authority within 72 hours of becoming aware; affected individuals without undue delay where the breach is likely to result in high risk;
- India (DPDPA): Data Protection Board of India without unreasonable delay;
- Australia: OAIC and affected individuals as soon as practicable if the breach is likely to result in serious harm;
- Singapore (PDPA): PDPC within 3 calendar days of assessment; affected individuals as soon as practicable;
- South Korea (PIPA): Affected individuals within 72 hours; PIPC without delay;
- USA (State Laws): In accordance with the applicable state breach notification statute (e.g., California requires notification without unreasonable delay);
- All Other Jurisdictions: In accordance with applicable local law, and in no event later than 30 days after becoming aware of the breach;
(c) Provide notification via email, in-App notification, or prominent posting on our Website, depending on the circumstances and legal requirements;
(d) Include in any notification: the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed to address the breach.
27. International Jurisdiction-Specific Privacy Rights
The following provisions apply to users in specific jurisdictions. Where local law provides greater protection than this Privacy Policy, local law shall prevail.
27.1 Australia (Privacy Act 1988 and Australian Privacy Principles)
If you are located in Australia, the following additional rights and disclosures apply:
Your Rights Under the Privacy Act:
- Right to access your Personal Information held by us
- Right to request correction of inaccurate Personal Information
- Right to complain about a breach of the Australian Privacy Principles (APPs)
- Right to request anonymity or use of a pseudonym where practicable
Disclosure: We may disclose your Personal Information to overseas recipients, including service providers in the United States. By using the App, you consent to such overseas disclosure. We take reasonable steps to ensure overseas recipients comply with the APPs.
Complaints: If you have a complaint about our handling of your Personal Information, please contact us first at reachus@frictionwell.com. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
27.2 Singapore (Personal Data Protection Act 2012 - PDPA)
If you are located in Singapore, the following additional rights and disclosures apply:
Your Rights Under the PDPA:
- Right to access your Personal Data
- Right to correct errors or omissions in your Personal Data
- Right to withdraw consent for collection, use, or disclosure of Personal Data
- Right to request information about how your Personal Data has been used or disclosed in the past year
Designated Privacy Contact: For Singapore-specific inquiries, contact us at reachus@frictionwell.com.
Do Not Call Registry: We do not engage in telemarketing. If you receive unwanted communications, please contact us immediately.
Consent Withdrawal: You may withdraw consent at any time by contacting us. Withdrawal of consent may affect our ability to provide certain services to you.
27.3 India (Digital Personal Data Protection Act 2023 - DPDPA)
If you are located in India, the following additional rights and disclosures apply:
Your Rights Under the DPDPA:
- Right to access information about your Personal Data being processed
- Right to correction and erasure of inaccurate Personal Data
- Right to grievance redressal
- Right to nominate another person to exercise rights in case of death or incapacity
Data Fiduciary Obligations: In our capacity as a Data Fiduciary under the DPDPA (to the extent applicable based on our processing activities and classification by the Data Protection Board), we:
- Process your Personal Data only for lawful purposes
- Implement appropriate security safeguards
- Ensure accuracy and completeness of Personal Data
- Delete Personal Data when no longer necessary
Compliance with IT Act 2000: We comply with the Information Technology Act 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
Grievance Officer: In accordance with Rule 3(11) of the IT (Intermediary Guidelines) Rules, 2021:
Name: Shashank M (Proprietor, Frictionwell)
Email: reachus@frictionwell.com
Response time: Acknowledgment within 24 hours; resolution within 15 days of receipt
Parental Consent: For users under 18 years of age in India, verifiable parental consent is required before processing Personal Data, as mandated by the DPDPA.
Cross-Border Transfer: Your data may be transferred to countries outside India. We ensure adequate safeguards are in place for such transfers as required under the DPDPA. Data will not be transferred to countries restricted by the Central Government under the DPDPA.
Governing Law: Privacy matters for Indian users are governed by the laws of India, with the courts of Bengaluru, Karnataka having jurisdiction, subject to your statutory rights under Indian law.
27.4 Japan (Act on Protection of Personal Information - APPI)
If you are located in Japan, the following additional rights and disclosures apply:
Your Rights Under the APPI:
- Right to request disclosure of your Personal Information
- Right to request correction, addition, or deletion of inaccurate data
- Right to request cessation of use or erasure of Personal Information
- Right to request cessation of provision of Personal Information to third parties
Purpose of Use: We use your Personal Information for the purposes described in Section 4 of this Privacy Policy. We will not use your Personal Information beyond these purposes without your consent.
Third-Party Provision: We may provide your Personal Information to third parties as described in Section 6. You may opt out of certain third-party disclosures by contacting us.
Joint Use: Where we jointly use Personal Information with affiliates or partners, we will disclose the categories of data, purposes, and parties involved.
Inquiries: For APPI-related inquiries, contact: reachus@frictionwell.com
27.5 South Korea (Personal Information Protection Act - PIPA)
If you are located in South Korea, the following additional rights and disclosures apply:
Your Rights Under PIPA:
- Right to be informed about the processing of your Personal Information
- Right to consent or refuse consent to Personal Information processing
- Right to access your Personal Information
- Right to request suspension of processing
- Right to request correction or deletion
- Right to request destruction of Personal Information
Data Processing Principles: We adhere to PIPA's principles including:
- Purpose limitation
- Minimum collection
- Transparency
- Security safeguards
- Data subject participation
Retention and Destruction: We retain your Personal Information only as long as necessary. Upon expiration of the retention period, we destroy Personal Information within 5 days.
Cross-Border Transfer: Your Personal Information may be transferred overseas. We provide information about the recipient, purpose, and items transferred as required by PIPA.
Privacy Officer: For PIPA-related inquiries, contact: reachus@frictionwell.com
27.6 Bangladesh
If you are located in Bangladesh, the following applies:
We comply with applicable laws of Bangladesh, including the Digital Security Act 2018 and any data protection regulations in effect. While Bangladesh does not currently have comprehensive data protection legislation equivalent to GDPR, we extend the core privacy protections in this Policy to all Bangladesh users, including:
- Transparency about data collection and use
- Security measures to protect your data
- Your ability to access, correct, and delete your data
- Response to your privacy inquiries
For Bangladesh-specific inquiries, contact: reachus@frictionwell.com
27.7 Sri Lanka
If you are located in Sri Lanka, the following applies:
We comply with applicable laws of Sri Lanka, including the Computer Crimes Act and any data protection regulations in effect. We extend the core privacy protections in this Policy to all Sri Lanka users, including:
- Clear disclosure of data practices
- Implementation of reasonable security measures
- Respect for your data rights
- Prompt response to privacy concerns
For Sri Lanka-specific inquiries, contact: reachus@frictionwell.com
27.8 Canada (PIPEDA and Provincial Privacy Laws)
If you are located in Canada, the following additional rights and disclosures apply:
Your Rights Under PIPEDA:
- Right to access your Personal Information
- Right to challenge the accuracy and completeness of your data
- Right to know how your Personal Information is being used
- Right to withdraw consent (subject to legal or contractual restrictions)
Meaningful Consent: We obtain your meaningful consent for the collection, use, and disclosure of your Personal Information. You may withdraw consent at any time, subject to legal restrictions.
Provincial Laws: If you are located in Quebec, Alberta, or British Columbia, additional provincial privacy laws may apply. We comply with all applicable provincial privacy legislation.
Office of the Privacy Commissioner: You may file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.
27.9 Brazil (Lei Geral de Proteção de Dados - LGPD)
If you are located in Brazil, the following additional rights and disclosures apply:
Your Rights Under the LGPD:
- Right to confirmation of the existence of processing
- Right to access your data
- Right to correct incomplete, inaccurate, or outdated data
- Right to anonymization, blocking, or deletion of unnecessary data
- Right to data portability
- Right to delete Personal Data processed with your consent
- Right to information about sharing with third parties
- Right to information about the possibility of denying consent
- Right to revoke consent
Legal Basis: We process your Personal Data based on: (a) your consent; (b) legitimate interests; (c) contract performance; or (d) legal compliance.
International Transfer: Your data may be transferred to countries outside Brazil. We ensure adequate protection through contractual clauses or other mechanisms recognized by Brazilian law.
Data Protection Authority: You may file complaints with the Autoridade Nacional de Proteção de Dados (ANPD).
27.10 Mexico (Ley Federal de Protección de Datos Personales)
If you are located in Mexico, the following additional rights and disclosures apply:
Your ARCO Rights:
- Access: Right to access your Personal Data
- Rectification: Right to correct inaccurate data
- Cancellation: Right to request deletion of data
- Opposition: Right to oppose certain processing activities
Privacy Notice: This Privacy Policy serves as our Aviso de Privacidad as required by Mexican law.
Sensitive Data: We do not intentionally collect sensitive Personal Data (datos personales sensibles) as defined under Mexican law.
INAI: You may file complaints with the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI).
27.11 Other Americas (Argentina, Chile, Colombia, Peru, etc.)
If you are located in other countries in the Americas, we comply with applicable local data protection laws and extend the core protections of this Privacy Policy to you. Contact us for jurisdiction-specific information.
28. Jurisdiction-Specific Contact Information
For all jurisdiction-specific privacy inquiries, including but not limited to GDPR, CCPA, DPDPA, PDPA, APPI, PIPA, PIPEDA, LGPD, and all other data protection regulations, contact us at:
Email: reachus@frictionwell.com
We will route your inquiry to the appropriate team based on your jurisdiction and the nature of your request.
Relevant Regulatory Authorities:
| Region | Regulatory Authority |
|---|---|
| Australia | OAIC (oaic.gov.au) |
| Singapore | PDPC (pdpc.gov.sg) |
| India | Data Protection Board of India |
| Japan | PPC (ppc.go.jp) |
| South Korea | PIPC (pipc.go.kr) |
| Canada | OPC (priv.gc.ca) |
| Brazil | ANPD (gov.br/anpd) |
| USA (California) | CA Attorney General |
| EU/UK | Local Data Protection Authority |
By using any of our Services (including the Habit Loops mobile application or the Frictionwell website), you acknowledge that you have read, understood, and agree to the terms of this Privacy Policy.
© 2026 Frictionwell. All rights reserved.