How URGE Handles Your Data

Account Information:

• Email address (required for account creation and authentication)
• Username (unique identifier you choose)
• Account creation and last update timestamps
• Authentication credentials (hashed passwords managed by Supabase Auth)

Habit Tracking Data:

• Streak data: current streak count, longest streak, start dates, reset timestamps
• Urge events: when you resist or give in, with optional notes
• Relapse records: streak length at time of relapse, triggers, feelings, and optional notes
• Journal entries: up to 3 entries per day, each limited to 500 characters

Subscription & Payment Data:

• Subscription status (active, cancelled, expired, etc.)
• Payment provider customer ID (linked to your account)
• Subscription ID and end dates
• Payment processing is handled entirely by our payment provider—we never see or store your payment card details

Technical Data:

• Browser and device information (for compatibility and support)
• Session data (to keep you logged in)

Core Service Delivery:

• Authenticate your account and maintain your login session
• Calculate and display your current streak and longest streak
• Log and track your urges (resisted or gave in) with timestamps
• Record relapses with associated context (triggers, feelings, notes)
• Store and display your journal entries (up to 3 per day)
• Send you 3 automated accountability emails per day (The Sentinel)
• Manage your subscription status and billing

Service Improvement:

• Aggregate anonymized usage patterns to understand how the service is used
• Identify bugs and technical issues
• Improve features and user experience
• No personal identifiers are included in aggregated analytics

Security & Legal:

• Prevent fraud, abuse, and unauthorized access
• Comply with legal obligations and respond to valid legal requests
• Enforce our Terms of Service

Supabase (Database & Authentication):

• Stores all your account data, streaks, relapses, journals, and urges
• Handles user authentication and session management
• Hosts our PostgreSQL database
• Subject to Supabase's privacy policy and security standards

Payment Provider (Dodo Payments):

• Processes subscription payments
• Stores payment method information (we never see your card details)
• Manages subscription lifecycle (active, cancelled, etc.)
• Subject to the payment provider's privacy policy

Email Service Provider:

• Sends automated accountability emails (The Sentinel)
• Receives your email address and email preferences
• May track email opens and clicks for delivery confirmation

Hosting Provider (Vercel):

• Hosts the URGE application
• May log IP addresses and request metadata for security and performance
• Subject to Vercel's privacy policy

Authentication Cookies:

Required to keep you logged in. These are session-based and expire when you log out or after a period of inactivity.

No Third-Party Cookies:

We don't set third-party cookies or allow third parties to set cookies on our site.

While Your Account Exists:

We retain all your data (account information, streaks, relapses, journals, urges) for as long as your account is active. This allows you to access your complete history and track your progress over time.

Account Deletion:

When you delete your account, we immediately and permanently delete all of your data:

• Your user account and profile information
• All streak data (current streak, longest streak, timestamps)
• All relapse records (including notes, triggers, feelings)
• All journal entries
• All urge events (resisted and gave in)
• Subscription information (after any required billing period)

This deletion is permanent and cannot be undone. Due to database cascade relationships, when your user account is deleted, all related records (streaks, relapses, journals, urges) are automatically deleted as well.

Backup Retention:

Database backups may retain your data for up to 30 days after account deletion. These backups are encrypted and are only used for disaster recovery. After 30 days, backups containing your data are permanently purged.

Payment Records:

We may be required by law to retain certain payment transaction records for a period (typically 7 years for tax and accounting purposes). These records contain minimal information (transaction ID, amount, date) and do not include your personal habit tracking data.

Right to Access:

You can request a copy of all personal data we hold about you, including your account information, streaks, relapses, journals, and urge events. You can access much of this data directly through your dashboard.

Right to Correction:

You can update your account information (email, username) at any time through your settings. You can edit or delete your journal entries and notes.

Right to Deletion:

You can delete your account at any time through your settings. This immediately and permanently deletes all your data as described in Section 6.

Right to Data Portability:

You can request an export of your data in a machine-readable format (typically JSON). Contact us to request a data export.

Right to Object:

You can object to certain processing of your data. For example, you can unsubscribe from accountability emails, though this may limit core functionality.

Right to Withdraw Consent:

Where we rely on your consent for data processing, you can withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.

Encryption:

• All data in transit is encrypted using TLS/SSL
• Passwords are hashed using industry-standard algorithms (never stored in plain text)
• Database backups are encrypted at rest

Access Controls:

• Database access is restricted to authorized personnel only
• Multi-factor authentication required for administrative access
• Regular security audits and access reviews

Infrastructure Security:

• Hosting on secure, SOC 2 compliant infrastructure (Vercel, Supabase)
• Regular security updates and patches
• Firewall protection and intrusion detection

Incident Response:

• We monitor for security breaches and unauthorized access
• If a breach occurs, we will notify affected users within 72 hours as required by law
• We maintain an incident response plan