Quit Nail Biting Get early access on Google Play
Short version

Here's where your data lives and who can see it.

Your photos, check-ins, and progress sync to a backend I run on Supabase so they survive a reinstall. I don't sell any of it, I don't share it with advertisers, and you can delete the whole lot anytime.

Last updated April 24, 2026

What I collect

When you open the app for the first time, it creates an anonymous account for you. A random ID, no email required. From there, here's what gets stored:

  • Lesson progress. Which day you're on, which sessions you've finished, and whether you've done the shame-acknowledgment step. This is required, because the 8-week program can't pick up where you left off without it.
  • Check-in photos. Optional. You can skip them on any day.
  • Check-in reflections, notes, and mood. Optional. Most fields can be left blank.
  • Your email address. Only if you choose to sign in. Sign-in is a magic-link flow, so you get a link emailed to you instead of setting a password.
  • A push notification token. Only if you turn on notifications.

All of this lives in a backend I run on Supabase. That's the auth system, the Postgres database, and the storage bucket your photos go in. It's set up this way so your progress survives reinstalling the app or moving to a new phone.

What leaves your phone

Here's what touches outside services, and when.

  • Every check-in. Any photos you take land in a Supabase storage bucket under your user ID ({userId}/{date}/{hand}.jpg). Reflection text, notes, and mood go into the Supabase checkins table.
  • Every lesson. Your progress through the 8-week program is written to the Supabase profiles table: day index, session completions, and the shame-acknowledgment flag.
  • When you subscribe. Google Play handles the payment. Your Supabase user ID is passed to RevenueCat so the app can tell whether your subscription is active, trialing, expired, or renewed. Google sees the transaction; I never see payment details.
  • When you sign in with email. The magic-link email goes out through Resend from noreply@quitnailbiting.app. Resend sees your email and the link at the moment of send.
  • When you turn on notifications. An Expo push token is saved on your profile so reminders can reach you.
  • When you request deletion on the web. Your email and any reason you add go into a server log and trigger a notification to me via Loops.

Third parties

Five services. Each one does a specific thing.

  • Supabase. The backend. Hosts authentication, the Postgres database (profiles, checkins), and the storage bucket for check-in photos. Every photo, reflection, and progress record lives here.
  • RevenueCat. The subscription platform. Receives your Supabase user ID as appUserID and the current state of your subscription. Nothing else from the app reaches them.
  • Google Play. Handles the payment itself. Google sees the purchase; I only see whether the subscription is active.
  • Resend. Sends the magic-link sign-in emails. It sees your email and the sign-in link at send time. Nothing else.
  • Loops. Transactional email only, on the web side. When someone submits the deletion form, Loops sends me a notification containing the email and the optional reason. There's no marketing signup form on this site, so Loops isn't holding any subscriber list for me.

What I never do

  • I don't sell your data.
  • I don't share it with advertisers or data brokers.
  • I don't run ad trackers or behavioral analytics SDKs.
  • I don't let anyone outside the five services above read your photos or check-in content. Nobody's training a model on them and nobody's selling them to a data partner.

How long data is kept

Everything stored in Supabase stays as long as your account exists. That covers your photos, your check-ins, your lesson progress, and your email if you signed in. When you delete the account, I wipe it.

RevenueCat and Google Play keep subscription records under their own retention rules. That's usually years, for tax and audit reasons, and it's out of my hands.

Resend and Loops keep transactional email logs under their defaults, which is enough to troubleshoot a failed send. Neither holds any kind of profile or marketing record for you.

Account deletion

Two ways.

In the app. Settings, then "Delete my account and data." This is an automated wipe. Your profile, check-ins, photos, and auth record are removed in one step.

On the web. If you can't get into the app, submit the form at quitnailbiting.app/delete-my-data. This is a deletion request, not an automated wipe. It lands in my inbox and I process it by hand, usually within a few days. I'll email you when it's done.

If you had an active paid subscription, cancel it in Google Play separately. The app can't cancel Google subscriptions on your behalf.

Contact

Questions or requests about this policy: daniel@quitnailbiting.app. It's one person on the other end, so give me a couple of days.