This Privacy Policy describes how we process your personal data when you use the qüit mobile application and related services. The document complies with Regulation (EU) 2016/679 (GDPR) and the Polish Personal Data Protection Act of 10 May 2018.
1. Data Controller
The controller of your personal data is:
Halo Sp. z o.o.
ul. Warszawska 40, 40-008 Katowice, Poland
Tax ID (NIP): 9542880835
Contact e-mail: kontakt@halo.com.pl
2. Data Protection Officer
We have not appointed a Data Protection Officer (DPO) as it is not required under GDPR Art. 37(1). For all matters concerning the processing of personal data, please contact us at kontakt@halo.com.pl.
3. Categories of Data Collected
We collect the following categories of data:
- Account data: e-mail address, optional display name, Apple ID or Google identifier (when using social login), password hash (when registering with e-mail).
- Health data (special category - GDPR Art. 9): quiz answers - daily cigarette count, years of smoking, motivations and goals for quitting, declared quit date, symptoms experienced when trying to quit.
- Subscription data: Apple/Google transaction ID, product ID, expiration date. We do not process payment card data - payments are fully handled by Apple or Google.
- Technical data: device model, OS version, app version, time zone, anonymous session logs, crash reports.
- Communications: contents of e-mails if you contact us for support.
4. Purposes and Legal Bases
- Account creation and operation → Art. 6(1)(b) GDPR (performance of contract).
- Quiz answers (health data) → Art. 9(2)(a) GDPR (your explicit consent) combined with Art. 6(1)(a). Consent is voluntary; you may withdraw it at any time by deleting your account.
- Subscription handling and billing → Art. 6(1)(b) (contract) and Art. 6(1)(c) (tax and accounting obligations).
- Diagnostic logs and crash reports → Art. 6(1)(f) (legitimate interest - improving app stability and security).
- Marketing communications (if ever introduced) → Art. 6(1)(a) (consent - separately required).
5. Data Recipients (Processors)
Your data may be entrusted to the following trusted entities:
- Apple Inc. (Cupertino, USA) - in-app payments (StoreKit), Sign in with Apple, App Store distribution. Separate controller for payment data. Policy: apple.com/legal/privacy.
- Google LLC (Mountain View, USA) - Sign in with Google (OAuth login), Google Play Billing (Android subscriptions). Separate controller. Policy: policies.google.com/privacy.
- Render Services, Inc. (San Francisco, USA) - API server and database (PostgreSQL) hosting. Processor. Policy: render.com/privacy.
6. International Data Transfers
Some of our service providers (Apple, Google, Render) are located in the United States. Data transfers are made on the basis of:
- The EU-US Data Privacy Framework (GDPR Art. 45) - for partners certified under DPF.
- Standard Contractual Clauses approved by the European Commission (GDPR Art. 46(2)(c)) - as a fallback safeguard.
7. Data Retention
- Active account: data is retained for as long as your account exists.
- After account deletion: data is permanently deleted from the main database immediately. Backups are overwritten within a maximum of 30 days.
- Billing data (invoices, transactions): 5 years from the end of the fiscal year in which the invoice was issued - pursuant to Art. 74 of the Polish Accounting Act and tax regulations.
- Diagnostic logs: 90 days rolling.
8. Your Rights
Under GDPR, you have the following rights:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure ("right to be forgotten") (Art. 17) - in the app: Profile → Settings → Delete account. The operation is immediate and irreversible.
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20) - write to kontakt@halo.com.pl.
- Right to object to processing (Art. 21)
- Right to withdraw consent at any time - without affecting the lawfulness of processing carried out before withdrawal.
- Right to lodge a complaint with the supervisory authority: President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, uodo.gov.pl.
In-app account deletion: The qüit app allows you to delete your account along with all related data on your own. Go to Settings → Delete account. The operation is irreversible.
9. Children
The qüit app is not directed at persons under 16 years of age. We knowingly do not collect data from minors. The Polish digital consent threshold under GDPR Art. 8 and the 2018 Personal Data Protection Act is 16 years. If you are a parent or guardian and believe your child has provided us with their data, contact us immediately at kontakt@halo.com.pl - we will delete it right away.
10. Cookies and Tracking Technologies
The qüit app does not use cookies, advertising identifiers (IDFA), or technologies tracking users across apps under Apple's App Tracking Transparency (ATT) framework. We do not display targeted advertising. We do not integrate third-party analytics SDKs (Firebase Analytics, Mixpanel, etc.).
11. Data Security
We apply technical and organizational protection measures in accordance with GDPR Art. 32:
- Data transmission encryption (TLS 1.3)
- Password hashing with bcrypt (or equivalent)
- Short-lived JWT tokens + refresh-token rotation
- Principle of least privilege for database access
- Regular server security updates
12. Changes to this Policy
We may update this Privacy Policy in the future. We will notify you of material changes 30 days in advance via the app or e-mail (if the change requires renewed consent). The current version is always available at this URL with the last-updated date in the header.
13. Contact
For matters concerning the processing of personal data:
- E-mail: kontakt@halo.com.pl
- Mail: Halo Sp. z o.o., ul. Warszawska 40, 40-008 Katowice, Poland
- Tax ID (NIP): 9542880835