[SYSTEM FILE]

PRIVACY POLICY

Last updated: March 2026

> DATA CONTROLLER

The data controller for NoBuy Streak is Äctvli Responsible Consulting. Contact us at any time: reachout@actvli.com

> WHAT WE COLLECT

[ACCOUNT] — Email address, authentication tokens (Google/GitHub OAuth if used), and your timezone.

[APP DATA] — No Buy rules you create, daily check-in records (held/slipped), and temptation log entries.

[PAYMENT] — If you upgrade to Pro, Stripe processes your payment. We store your Stripe Customer ID and subscription ID only. We never see or store your card details.

[OPTIONAL] — Display name and preferred currency, only if you set them in Settings.

> LAWFUL BASIS

CONTRACT — We process your data to deliver the service you signed up for (streaks, check-ins, lookback emails).

LEGITIMATE INTERESTS — Account security, fraud prevention, and service stability.

CONSENT — We send you optional reminder and lookback emails. You can unsubscribe at any time.

> HOW WE USE IT

> Calculate and display your No Buy streaks correctly in your timezone.

> Send the 30-day temptation lookback email (Pro subscribers).

> Generate your shareable streak card (Pro subscribers).

> Process and manage your subscription via Stripe.

> Display your handle and streak on the public leaderboard (only if you set a public display name).

WE DO NOT sell your data, use it for advertising, or share it with third parties except the sub-processors below.

> SUB-PROCESSORS

SUPABASE — Database and authentication. Data stored in EU region (Frankfurt).

STRIPE — Payment processing. Subject to Stripe's own privacy policy and PCI-DSS compliance.

RESEND — Transactional email delivery.

VERCEL — Hosting and edge network.

> INTERNATIONAL TRANSFERS

Some sub-processors (Stripe, Resend, Vercel) operate in the United States. Transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or by adequacy decisions where applicable.

> COOKIES

We use session cookies only — set by Supabase Auth to keep you logged in. We do not use tracking cookies, analytics cookies, advertising cookies, or third-party pixel trackers.

> DATA RETENTION

> Account data is retained until you delete your account.

> Check-in and temptation log data: retained while your account is active.

> Stripe billing data: retained as required by financial regulations (typically 7 years).

> On account deletion, all your personal data is permanently and irreversibly erased from our systems.

> YOUR RIGHTS (GDPR)

ACCESS — Request a copy of all data we hold about you.

RECTIFICATION — Correct inaccurate personal data.

ERASURE — "Right to be forgotten" — delete your account and all data from Settings.

PORTABILITY — Request your data in a machine-readable format.

RESTRICTION — Request we limit processing of your data.

OBJECTION — Object to processing based on legitimate interests.

WITHDRAW CONSENT — Unsubscribe from emails at any time.

To exercise any of these rights, email reachout@actvli.com. We will respond within 30 days.

> AUTOMATED DECISIONS

We do not make any automated decisions that produce legal or similarly significant effects about you.

> SUPERVISORY AUTHORITY

If you believe we are processing your data unlawfully, you have the right to lodge a complaint with your national data protection authority. In the EU, you can find your local DPA at edpb.europa.eu.

> CONTACT

reachout@actvli.com · Äctvli Responsible Consulting