Privacy Policy
This Privacy Policy applies to the website hazeless.de and the Hazeless app for iOS and Android (collectively referred to as "Services").
1. Controller (Responsible Party)
Jannik Brose
Brose Media
Kasernengasse 32
88416 Ochsenhausen
Germany
Email: support@hazeless.de
2. Overview of Data Processing
Hazeless is a cannabis harm reduction app designed to support more mindful cannabis use. Protecting your personal data is our highest priority. The app is built on a local-first principle — all data is stored exclusively on your device. Your data is only transmitted to our servers if you explicitly enable Cloud Sync.
We use no analytics tools (no Google Analytics, no Firebase Analytics, no tracking), set no advertising cookies, and do not share your data with third parties for marketing purposes.
3. Legal Bases for Processing
Your data is processed on the following legal bases under the GDPR:
- Art. 6(1)(a) GDPR (Consent) – Cloud Sync, marketing emails
- Art. 6(1)(b) GDPR (Contract performance) – Providing app features, account management, subscriptions
- Art. 6(1)(f) GDPR (Legitimate interest) – Server log files on website visits, fraud prevention
- Art. 9(2)(a) GDPR (Consent for special categories) – Health-related data (consumption behaviour, mood, sleep) is only stored on our servers with your explicit consent
4. Data Processing on the Website
4.1 Hosting
The website is hosted by ALL-INKL.COM – Neue Medien Münnich (owner: René Münnich, Hauptstraße 68, 02742 Friedersdorf, Germany). When you visit the website, server log files are automatically recorded:
- IP address (anonymised)
- Date and time of access
- Page accessed and referrer URL
- Browser type and operating system
This data is not merged with other data sources and is deleted after a maximum of 7 days. Legal basis: Art. 6(1)(f) GDPR.
4.2 Fonts
The website uses exclusively self-hosted fonts (Inter). No external font services (such as Google Fonts) are used. No data is transferred to third parties.
4.3 Cookies
The website uses only technically necessary functions (localStorage) to store your cookie consent decision. No tracking cookies or third-party cookies are set.
4.4 Links to App Stores
The website contains links to the Apple App Store and Google Play Store. Clicking these links redirects you to the respective platforms, which have their own privacy policies.
5. Data Processing in the App – Local Storage
The following data is stored exclusively on your device and only leaves your device if you explicitly enable Cloud Sync.
5.1 Profile Data (Onboarding)
- Date of birth and gender
- Personal goal (pause, reduce, quit, track)
- Consumption methods (e.g. joints, vapes, edibles)
- Consumption frequency and quantity (times per week, grams per session)
- THC potency (optional)
- Weekly spending and currency
- Time of first daily consumption
- Main concerns about quitting (e.g. cravings, social pressure)
- Personal motivation
- Baseline values for sleep quality, mood and stress
Purpose: Personalising the app experience and calculating individual KPIs.
5.2 Daily Tracking Data
- Daily check-ins: consumed yes/no, quantity, method
- Mood, sleep quality, craving level (scales)
- Withdrawal symptoms (selection from predefined categories)
- Money spent
- Free-text notes (optional)
Purpose: Progress tracking, statistics and pattern analysis.
5.3 Cognitive Test Data
- Reaction times (milliseconds)
- Memory test results
- Stroop test accuracy and interference scores
- Test timestamps
Purpose: Cognitive progress measurement and self-reflection.
5.4 Pause and Streak Data
- Start and end dates of consumption pauses
- Pause status (active, completed, abandoned)
- Calculated statistics (days, savings)
5.5 Gamification Data
- Experience points (XP) and levels
- Completed tasks and milestones
- XP event history (last 40 entries)
Purpose: Motivation and engagement.
5.6 App Settings
- Language, notification preferences, haptic settings
- Reminder times and intensity
- Consent status (Cloud Sync, marketing)
6. Cloud Sync (Optional Data Transfer)
If you enable Cloud Sync, the data described in Section 5 will additionally be stored on our servers. This is entirely optional and requires your explicit consent (Art. 6(1)(a), Art. 9(2)(a) GDPR).
6.1 Service Provider
We use Supabase for cloud storage (Supabase Inc., 970 Toa Payoh North, #07-04, Singapore 318992). The database servers are located in the European Union. Supabase processes data on our behalf under a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR.
6.2 Data Transferred
When Cloud Sync is enabled, the following data is synchronised:
- Profile data and onboarding information
- Daily tracking data and check-ins
- Cognitive test results
- Pause data
- Consent logs
6.3 Encryption
All data is encrypted in transit via TLS/HTTPS. Data stored on servers uses server-side encryption.
6.4 Withdrawal of Consent
You can disable Cloud Sync at any time in the app settings. Upon deactivation, all your data is automatically deleted from our servers. Your local data on the device remains unaffected. Legal basis: Art. 7(3) GDPR.
7. Account and Authentication
7.1 Account Creation (Required)
An account is required to use Hazeless. The app cannot be used without registration. During registration and use, we process:
- Email address
- User ID (automatically generated)
- Name (optional)
- Registration timestamp
Purpose: Account management, cross-device synchronisation, data recovery when switching devices. Legal basis: Art. 6(1)(b) GDPR.
7.2 Authentication Methods
Authentication is handled via Supabase Auth. Session tokens are stored securely on your device (Expo Secure Store). We do not store passwords in plain text.
Hazeless also supports Sign in with Apple and Sign in with Google. When using these methods, only authentication tokens (and optionally email address and name, as provided by Apple/Google) are transmitted. No additional personal data from Apple or Google is accessed.
8. In-App Purchases and Subscriptions
We use RevenueCat (RevenueCat Inc., 633 Tarava St Ste 101, San Francisco, CA 94116, USA) for managing premium subscriptions.
8.1 Data Processed
- Anonymised user ID
- Subscription status (active/inactive)
- Purchase history and transaction data
- Entitlements (unlocked premium features)
Purpose: Subscription management, providing premium features, purchase restoration. Legal basis: Art. 6(1)(b) GDPR.
8.2 Payment Processing
Actual payment processing is handled exclusively by the Apple App Store or Google Play Store. We have no access to your payment data (credit card numbers, bank details, etc.).
8.3 Data Transfer to the USA
RevenueCat is based in the USA. Data is transferred on the basis of the EU-US Data Privacy Framework and Standard Contractual Clauses (Art. 46(2)(c) GDPR).
9. Push Notifications
Hazeless uses exclusively local notifications (Expo Notifications). Reminders are scheduled and triggered directly on your device — no push tokens are transmitted to external servers. There is no communication with Firebase Cloud Messaging or other push services.
You can disable notifications at any time in the app settings or in your device's system settings.
10. Device Permissions
Hazeless requests only the following permissions:
| Permission | Purpose |
|---|---|
| Notifications | Reminders for daily tracking |
| Internet access | Cloud Sync (optional), authentication, subscription management |
Hazeless does not access your camera, location, contacts, calendar, microphone, photos or other sensitive device data.
11. Analytics and Tracking
Hazeless uses no analytics tools and no tracking. In particular, the following services are not used:
- Google Analytics / Firebase Analytics
- Facebook/Meta Pixel
- Mixpanel, Amplitude, Segment
- Crash reporting services (Sentry, Crashlytics)
- Advertising networks or retargeting services
12. Overview of Third-Party Services
| Service | Purpose | Server location | Legal basis |
|---|---|---|---|
| Supabase | Auth, Cloud Sync | EU | Art. 6(1) a/b |
| RevenueCat | Subscription management | USA (DPF) | Art. 6(1) b |
| Apple App Store | Distribution, payment | USA (DPF) | Art. 6(1) b |
| Google Play Store | Distribution, payment | USA (DPF) | Art. 6(1) b |
| All-Inkl | Website hosting | Germany | Art. 6(1) f |
| Apple Sign-In | Authentication | USA (DPF) | Art. 6(1) b |
| Google Sign-In | Authentication | USA (DPF) | Art. 6(1) b |
13. Special Categories of Personal Data
Hazeless processes health-related data within the meaning of Art. 9 GDPR, including information about consumption behaviour, mood, sleep quality, craving level and withdrawal symptoms.
This data is processed and stored locally on your device by default. Transfer to our servers only occurs with your explicit consent (Cloud Sync activation). Legal basis: Art. 9(2)(a) GDPR.
Hazeless does not access Apple Health (HealthKit) or Google Fit and does not read or write data from or to these services.
14. Data Retention
| Data | Retention period |
|---|---|
| Local app data | Until app is uninstalled or manually deleted |
| Cloud Sync data | Until consent is withdrawn or account deleted |
| Account data | Until account deleted |
| Purchase data (RevenueCat) | As required by law (up to 10 years) |
| Server log files (website) | Maximum 7 days |
| Consent logs | 3 years (evidence under GDPR) |
15. Data Deletion and Account Deletion
15.1 Account Deletion
You can delete your account at any time directly in the app under Settings → Delete Account. Upon deletion, all data stored on our servers is irrevocably deleted:
- Profile and onboarding data
- All tracking data and check-ins
- Pause data
- Account information and authentication data
Deletion is protected by double confirmation and executed immediately.
15.2 Disabling Cloud Sync
When you disable Cloud Sync, all data stored on our servers is automatically deleted. Your local data on the device is retained.
15.3 Deleting Local Data
Local data is reset when you sign out of the app. Alternatively, you can uninstall the app to remove all local data.
16. Data Security
- All data transmission via encrypted connections (TLS/HTTPS) only
- Authentication tokens stored securely in the device keychain (Expo Secure Store)
- Server-side encryption of cloud data
- Row-Level Security (RLS) in the database — each user can only access their own data
- No passwords stored in plain text
17. Use by Minors
Hazeless is intended exclusively for persons who are at least 18 years old. Age confirmation is obtained during onboarding. We do not knowingly collect data from minors. If we discover that data has been collected from a minor, we will delete it immediately.
18. Contact by Email
When you contact us by email (support@hazeless.de), your information, including the contact details you provide, will be stored for the purpose of processing the enquiry and for any follow-up questions. We will not share this data without your consent. Legal basis: Art. 6(1)(b) GDPR.
19. Your Rights (Art. 15–21 GDPR)
You have the following rights regarding your personal data at any time:
- Access (Art. 15 GDPR) – What data we have stored about you
- Rectification (Art. 16 GDPR) – Correction of inaccurate data
- Erasure (Art. 17 GDPR) – Deletion of your data ("right to be forgotten")
- Restriction (Art. 18 GDPR) – Restriction of processing
- Data portability (Art. 20 GDPR) – Receiving your data in a machine-readable format
- Objection (Art. 21 GDPR) – Objecting to processing
- Withdrawal of consent (Art. 7(3) GDPR) – At any time with effect for the future
To exercise your rights, contact us at: support@hazeless.de
You can also delete your cloud data and account directly in the app (Settings → Delete Account).
20. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data. The supervisory authority responsible for us is:
Der Landesbeauftragte für den Datenschutz Baden-Württemberg
Lautenschlagerstraße 20, 70173 Stuttgart, Germany
An overview of all authorities can be found at:
www.bfdi.bund.de
21. Changes to this Privacy Policy
We reserve the right to update this Privacy Policy as necessary to reflect changes in law or in the Services. The current version is always available on this page and in the app. We will notify you of material changes within the app.
Last updated: March 2026