Privacy Policy
Last updated: April 3, 2026
This Privacy Policy explains how 9554-5133 Québec inc. (“we”, “us”, “our”) processes personal information when you use Smokoff—this site https://smokoff.app, the mobile apps (e.g. package app.smokoff on Android), and the application programming interface the apps call at https://api.smokoff.app (JSON API under /api/…).
1. What we may collect
The data categories below are aligned with what the Smokoff clients and server are designed to process (authentication, user profile and avatar, smoking profile, diary, custom quit reasons, breathing session records, chat and read state, friend relationships, public user profiles, encouragements, and push token registration with the backend and Firebase/FCM).
- Account and sign-in — e-mail, password (or one-time/reset links), and OAuth-related identifiers when you use Google or Facebook sign-in. Those companies’ policies apply to their part of the flow. Session/refresh handling may also occur as implemented in the app and API.
- Profile and quit journey — display name, optional avatar, fields of your “smoking profile,” and the personal reasons you list for quitting.
- Content you create or exchange — diary entries; chat messages; read state; data needed for friend requests, your friend list, and “encouragements” on public profiles.
- Breathing sessions — when you use the feature in a way that is stored and synced to the server.
- Push notification device token — registered with our API and, through the app, with Google Firebase (e.g. Firebase Cloud Messaging) so we can send pushes you allow. See Google’s documentation and privacy policy for how Firebase/FCM processes data as a processor or service provider to app developers.
- Device and service data — IP address, app version, language, and security or limited diagnostic data from operating the service.
- Optional phone health features — if a platform (Apple Health, Health Connect, etc.) offers integration, access is under your system permissions. The public mobile /api/… contract in the current app code does not expose a dedicated “health” REST resource; if that changes, we will update this Policy and the app to reflect it.
2. How we use information
We use this information to:
- Provide, operate, and improve Smokoff features;
- Authenticate you, sync data across your devices, and keep accounts secure;
- Send push notifications and emails when you enable them;
- Comply with law and respond to lawful requests; and
- Communicate with you about the Services or support.
3. Sharing
We do not sell your personal information. We may share or entrust data to sub-processors that help us run Smokoff—such as hosting/servers, e-mail, push delivery (e.g. Firebase/FCM), and security or error tools—under written terms where we require appropriate confidentiality and data protection. We may disclose information if the law compels us or to protect the rights, safety, or security of users and the public. Google and Facebook (Meta) also process some personal data for sign-in, under their own policies, when you choose those options.
4. International transfers
We or our subprocessors may process data in Canada, the United States, or other countries. Where we transfer personal data across borders, we use appropriate safeguards as required by applicable law.
5. Retention
We keep information for as long as needed to provide the Services and to meet legal, security, and business requirements, including reasonable backups.
6. Security
We use administrative, technical, and physical safeguards we consider appropriate. No method of transmission or storage is 100% secure. Use a strong, unique password and keep your device updated.
If you believe you have found a security vulnerability in Smokoff (the apps or our public sites or API), please report it responsibly to [email protected]. Do not use this address for general support requests.
7. Your rights
Depending on where you live, you may have the right to access, correct, delete, or port your data, and to object to or restrict certain processing (including, for residents of Québec, rights under applicable privacy legislation such as the Act respecting the protection of personal information in the private sector and related regulations, as updated). Contact us at the address or e-mail below to exercise your rights. We may need to confirm your identity first. For account deletion and step-by-step data deletion (including the app flow and e-mail options), see our Data deletion instructions.
8. Children
The Services are not directed to children under 13 (or the age required in your region), and we do not knowingly collect their data.
9. Changes
We will update the “Last updated” date when this Policy changes. If a change is material, we may provide additional notice, where required.
10. Contact
Data controller: 9554-5133 Québec inc. (NEQ 1181515835)
316-3625 rue Jean-Gascon, Montréal, Québec, H4R 0K6, Canada
E-mail (privacy, rights, and data questions): [email protected]
Public site: https://smokoff.app — API for the apps: https://api.smokoff.app
11. Facebook / Meta
If you use Facebook login or features that interface with Meta services, Meta’s Data Policy and other applicable Meta terms may apply in addition to this Policy for information Meta processes on its systems. Our Policy governs what we and our host/Firebase stack process for Smokoff.
When you choose Facebook sign-in, the Smokoff app sends a Facebook access token to our API for server-side validation. We then obtain from Meta (as permitted and shared by you) information such as:
- your Facebook user identifier (so we can link the correct account to your Smokoff profile);
- the e-mail address you granted to the app, if you approved the email permission;
- your public profile name, if available;
- a URL to your profile picture, if you granted access to public profile data we use to display an avatar.
We use this data only to authenticate you, connect or merge your account, and provide the in-app experience described in this Policy. We do not use it for sale or for purposes that fall outside the permissions you grant the app.