Privacy Policy
Last updated: April 16, 2026
The Ritual ("we", "us", "the app") is a habit tracking app. This policy explains what data we collect, why, and how you can control it. We try to collect as little as possible.
Who we are
The Ritual is operated by Subash Luitel Sharma, an independent developer. If you have questions, contact us at contactsubaz@gmail.com.
The short version
- We store your account, habits, completions, XP, streaks, badges, and time capsules on Supabase so they sync between your devices.
- We don't sell your data. We don't run ads. We don't use third-party analytics.
- Camera and location access are only used when you explicitly add photo or location proof to a habit.
- You can export or delete all of your data from the app, at any time.
What we collect and why
Account data
- Email address and password — to sign you in. Authentication is handled by Supabase Auth; we never see your raw password.
- Display name (optional) — shown in your own profile.
Habit data
- Habits you create (name, icon, schedule, XP value, target location if you set one)
- Daily completion logs — which habits you completed on which day
- XP events and streak history — to power the dashboard
- Badges you earn
- Time capsules you write (title, message, optional photos, delivery date)
All of the above is stored in your own private, row-level-secured record on Supabase. Other users cannot read it.
Device data
- Photos you attach as habit proof or to a time capsule — uploaded to a private Supabase Storage bucket scoped to your user folder. Signed URLs expire after one hour.
- Location coordinates — only sampled when you complete a habit that has a location requirement. We store only the lat/lng of the check-in.
- Face ID / Touch ID / biometric — handled entirely by your device's secure enclave. We never receive biometric data.
What we do NOT collect
- No advertising identifiers
- No contact book / address book
- No browsing history
- No microphone access
- No health/fitness data beyond the habits you type in yourself
- No third-party analytics SDKs
- No crash reporters with PII
How your data is used
- To operate the app — sync your habits, calculate XP, show your dashboard, deliver your time capsules on their unlock date.
- To authenticate you when you sign in.
- To let you recover your account via Supabase's password reset flow.
We do not use your data for advertising, for profiling, or for training machine-learning models.
Sharing
We do not sell or rent your personal data to anyone. We share data only with:
- Supabase — our database, auth, and storage provider.
- Apple App Store / Google Play — for app distribution and crash reporting you opt into at the OS level.
- Law enforcement — only if required by a valid legal request.
Your rights and controls
Inside the app, you can at any time:
- Edit or delete individual habits, logs, and time capsules from their detail screens
- Reset all app data from Profile → Advanced → Reset data (keeps your account)
- Delete your account from Profile → Advanced → Delete account (wipes all data immediately)
Email contactsubaz@gmail.com and we'll respond within 30 days.
Children
The Ritual is not directed at children under 13. We do not knowingly collect data from them. If you believe a child has created an account, email us and we will delete it.
Security
- All traffic is encrypted via HTTPS/TLS.
- Row Level Security on every table restricts reads/writes to the owning user.
- Photos are stored in private buckets with short-lived signed URLs.
- Biometric lock blocks access to the app after it has been backgrounded until you unlock it with Face ID / Touch ID.
If you discover a vulnerability, email contactsubaz@gmail.com and we will acknowledge within 72 hours.
Changes to this policy
If we change this policy, we'll update the "Last updated" date and, for material changes, show an in-app notice.