Quit Nail Biting Get it on Google Play
Short version

Privacy Policy

Here's where your data lives and who can see it.

Your photos, check-ins, and progress sync to a backend I run on Supabase so they survive a reinstall. I don't sell any of it, I don't share it with advertisers, and you can delete your data anytime.

Last updated June 8, 2026

What I collect

When you open the app for the first time, it creates an anonymous account for you. A random ID, no email required. From there, here's what gets stored:

  • Lesson progress. Which day you're on, which sessions you've finished, and whether you've done the shame-acknowledgment step. This is required, because the 12-week program can't pick up where you left off without it.
  • Check-in photos. Optional. You can skip them on any day.
  • Check-in reflections, notes, and mood. Optional. Most fields can be left blank.
  • Your email address. Only if you choose to sign in. Sign-in is a magic-link flow, so you get a link emailed to you instead of setting a password.
  • A push notification token. Only if you turn on notifications.
  • Your email address, if you submit the waitlist form on the website. This is separate from the in-app sign-in flow and completely optional. If you submit it, your email is stored in Loops so I can send launch or update notifications. Loops handles unsubscribe.

All of this lives in a backend I run on Supabase. That's the auth system, the Postgres database, and the storage bucket your photos go in. It's set up this way so your progress survives reinstalling the app or moving to a new phone.

What leaves your phone

Here's what touches outside services, and when.

  • Every check-in. Photos and reflection notes go to my backend on Supabase, tied to your account. That's how your before/after journal stays with you across a reinstall.
  • Every lesson. Your progress through the 12-week program is saved on the backend so it picks up where you left off when you reopen the app or switch phones.
  • When you subscribe. Google Play handles the payment itself. RevenueCat receives a reference to your account and the current state of your subscription (active, trialing, expired, renewed). I never see payment details.
  • When you sign in with email. The magic-link email goes out through Resend from noreply@quitnailbiting.app. Resend sees your email and the link at the moment of send.
  • When you turn on notifications. A notification token is stored on your account so reminders can reach you.
  • When you request deletion on the web. Your email and any reason you add are logged on the server, and Loops sends me a notification so I can process the request.
  • When you submit the waitlist form on the website. Your email address goes to Loops as a contact, tagged as a website waitlist signup (general or iOS variant), so I can send you launch updates. Loops handles unsubscribe and CAN-SPAM compliance.

Third parties

Five services. Each one does a specific thing.

  • Supabase. The backend. Your account, check-ins, lesson progress, and photos all live here.
  • RevenueCat. The subscription platform. It knows which account a subscription belongs to and whether it's active, trialing, expired, or renewed. Nothing else from the app reaches them.
  • Google Play. Handles the payment itself. Google sees the purchase. I only see whether your subscription is active.
  • Resend. Sends the magic-link sign-in emails. It sees your email and the sign-in link at send time. Nothing else.
  • Loops. Two uses, both on the web side. When someone submits the deletion form, Loops sends me a notification with their email and any reason given. When someone submits the email waitlist form, Loops creates a contact record for that email, tagged as a website waitlist signup, so I can send launch updates. Loops handles unsubscribe and compliance for the waitlist list.

What I never do

  • I don't sell your data.
  • I don't share it with advertisers or data brokers.
  • I don't run ad trackers or behavioral analytics SDKs.

How long data is kept

Everything stored in Supabase stays as long as your account exists. That covers your photos, your check-ins, your lesson progress, and your email if you signed in. When you delete the account, I wipe it.

RevenueCat and Google Play keep subscription records under their own retention rules. That's usually years, for tax and audit reasons, and it's out of my hands.

Resend keeps transactional email logs under its defaults, enough to troubleshoot a failed send. If you submitted the waitlist form, Loops holds your email as a contact until you unsubscribe or I delete the list.

Account deletion

Two ways.

In the app. Settings, then "Delete my account and data." This is an automated wipe. Your profile, check-ins, photos, and auth record are removed in one step.

On the web. If you can't get into the app, submit the form at quitnailbiting.app/delete-my-data. This is a deletion request, not an automated wipe. It lands in my inbox and I process it by hand, usually within a few days. I'll email you when it's done.

If you had an active paid subscription, cancel it in Google Play separately. The app can't cancel Google subscriptions on your behalf.

Contact

Questions or requests about this policy: daniel@quitnailbiting.app. It's one person on the other end, so give me a couple of days.