Privacy Policy

Effective Date: April 22, 2026 · Last Updated: April 22, 2026

1. Introduction

SnusStop ("we," "us," or "our") is operated by Felix Moser, an individual based in Austria, European Union. This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use the SnusStop mobile application (the "App") and related services (collectively, the "Service").

We take your privacy seriously — especially because our App handles sensitive health-related data. We do not sell your personal information. We do not share your information for cross-context behavioral advertising.

By using the Service, you agree to the collection and use of information as described in this Privacy Policy. If you do not agree, please do not use the Service.

2. Data Controller

Felix Moser
Softwarepark 35, Top 1/3
4232 Hagenberg im Mühlkreis
Austria, European Union
Email: privacy@snusstop.at

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

  • Email address
  • Name (if provided via Apple or Google Sign-In)
  • Authentication identifiers (user ID)

CCPA Category A (Identifiers), Category B (Customer Records).

3.2 Health and Wellness Data

This data is classified as Sensitive Personal Information under California law (CCPA/CPRA) and as Consumer Health Data under the Washington My Health My Data Act.

We collect the following health-related data that you provide through your use of the App:

  • Nicotine pouch consumption logs (quantity, timing, context tags such as "stress," "social," "boredom")
  • Quit date and streak duration
  • Daily nicotine pouch limit settings
  • Mood and emotion check-in data
  • Craving logs and craving management session data
  • Program progress (21-day program completion, daily missions)
  • Personal notes and reflections you enter

CCPA Category H (Sensitive Personal Information — health data).

3.3 Usage and Analytics Data

We automatically collect:

  • App usage patterns (pages visited, features used)
  • Error and crash reports (via Sentry — anonymized by default)
  • Device type, operating system version, app version

CCPA Category F (Internet or other electronic network activity information).

3.4 Device Information

  • Push notification device tokens (if you enable push notifications)
  • Device identifiers for authentication

3.5 Payment Information

We do not directly collect or store payment card details. All subscription payments are processed by Apple (via Apple In-App Purchase) and managed through RevenueCat. We receive only: subscription status, purchase date, expiration date, and transaction identifiers.

CCPA Category D (Commercial information — purchase history).

3.6 Information We Do NOT Collect

  • Location data (GPS, IP-based geolocation)
  • Contacts or address book
  • Photos, camera, or microphone data
  • Biometric data (fingerprints, face scans)
  • Financial account numbers or payment card details
  • Social Security numbers or government identifiers
  • Advertising identifiers (IDFA)

4. How We Collect Information

  • Directly from you: When you create an account, log consumption, record moods, or enter personal notes.
  • From authentication providers: Apple Sign-In or Google Sign-In provide your email and name (if you grant permission).
  • Automatically: Error tracking (Sentry) collects anonymized crash data and device information.
  • From payment processors: RevenueCat provides subscription status and purchase records from Apple In-App Purchase.

5. How We Use Your Information

We use your information for the following purposes:

Purpose | Data Used
Provide core app functionality | Account, health/wellness, usage data
Track and display your progress | Health/wellness data
Send push notifications (if enabled) | Device tokens, health data (for personalization)
Manage your subscription | Account info, payment data
Diagnose and fix errors | Crash reports, device info
Improve the Service | Aggregated, anonymized usage data
Communicate about your account | Email address
Communicate about your accountEmail address

We do NOT use your personal information for advertising, marketing to third parties, profiling for purposes unrelated to the Service, or any purpose not disclosed here.

6. Consumer Health Data Notice

This section applies to residents of Washington, Nevada, Connecticut, and any other jurisdiction with consumer health data protection laws.

Under the Washington My Health My Data Act (RCW 19.373) and similar state laws, the health and wellness data described in Section 3.2 qualifies as "consumer health data." We provide the following additional disclosures:

Categories of Consumer Health Data Collected

  • Nicotine consumption and usage patterns
  • Cessation progress (quit dates, streaks, milestones)
  • Mental and emotional health indicators (mood check-ins, craving intensity)
  • Behavioral patterns (consumption triggers, context data)

Purpose of Collection

Consumer health data is collected solely to provide you with the core functionality of the App — tracking your nicotine use, displaying your progress, providing personalized support content, and sending relevant notifications.

Consent

We obtain your affirmative consent before collecting consumer health data. You provide this consent by creating an account and actively logging your data in the App. You may withdraw your consent at any time by deleting your account in the App settings.

Sharing

We do not sell consumer health data. We share consumer health data only with the service providers listed in Section 7 (Supabase for storage, Sentry for error tracking) as necessary to operate the Service. We obtain separate consent before sharing consumer health data with any new category of third party.

Your Rights

You have the right to: (a) confirm whether we are collecting or sharing your consumer health data; (b) access your consumer health data; (c) delete your consumer health data; and (d) withdraw your consent to the collection or sharing of your consumer health data. To exercise these rights, contact us at privacy@snusstop.at or delete your account in the App settings.

7. Third-Party Service Providers

We use the following third-party service providers to operate the Service. Each acts as a data processor on our behalf and is contractually obligated to protect your data:

Supabase (Supabase Inc., USA)

Purpose: Authentication, database storage, real-time services

Data processed: Account information, all app data including health data

Data location: European Union (Frankfurt, Germany — AWS eu-central-1)

Privacy: supabase.com/privacy

RevenueCat (RevenueCat Inc., USA)

Purpose: Subscription and in-app purchase management

Data processed: User ID, purchase history, subscription status

Data NOT processed: Health data, personal notes, consumption logs

Privacy: revenuecat.com/privacy

Sentry (Functional Software Inc., USA)

Purpose: Error tracking, crash reporting, and session replay

Data processed: Anonymized crash data, device type, OS version, app version. Session replay may record a small percentage of sessions to diagnose errors — all text, inputs, and media are masked.

Data NOT processed: Health data, personal notes, email (email addresses are automatically redacted), name

Privacy: sentry.io/privacy

Vercel (Vercel Inc., USA)

Purpose: Web application hosting and content delivery

Data processed: Server logs (IP addresses, request data)

Data NOT processed: Health data, personal notes, account information

Privacy: vercel.com/legal/privacy-policy

Apple Inc. / Google LLC

Purpose: Authentication (Sign-In with Apple / Google Sign-In), payment processing (Apple In-App Purchase)

Data received by us: Email address, name (if permitted by you), user identifier

Note: Apple's relay email service may hide your actual email address. Payment card details are never shared with us.

Cloudflare (Cloudflare Inc., USA)

Purpose: Bot detection and abuse prevention (Cloudflare Turnstile)

Data processed: Challenge tokens, browser interaction data for bot verification

Data NOT processed: Health data, personal notes, account information

Privacy: cloudflare.com/privacypolicy

8. Data Sharing and Sale

We do NOT sell your personal information.

We do NOT share your personal information for cross-context behavioral advertising.

We do NOT use your health data for advertising, marketing, or data mining purposes.

In the preceding 12 months, we have not sold or shared (as defined by the CCPA/CPRA) any personal information, including sensitive personal information, to any third party.

We disclose personal information only to the service providers listed in Section 7, solely as necessary to provide the Service. We may also disclose information:

  • To comply with applicable laws, regulations, or legal processes
  • To protect the rights, privacy, safety, or property of SnusStop, you, or others
  • In connection with a merger, acquisition, or sale of assets (with notice to you)

9. Data Retention

We retain your data for the following periods:

Data Type | Retention Period
Account data (email, name) | Until account deletion + 30 days
Health/wellness data | Until account deletion
Push notification tokens | Until permission revoked or account deleted
Purchase/subscription data | Until account deletion + 2 years (tax compliance)
Error logs (Sentry) | 90 days
Server logs (Vercel) | 30 days

When you delete your account, we delete your personal information from our active databases and instruct our service providers to do the same. Backup copies may persist for up to 30 additional days before automatic purging. We may retain anonymized, aggregated data that can no longer identify you.

10. Your Privacy Rights

10.1 All US Residents

Regardless of your state of residence, you have the right to:

  • Access the personal information we hold about you
  • Delete your personal information (via in-app account deletion or by contacting us)
  • Portability — receive your data in a commonly used, machine-readable format
  • Non-discrimination — we will not deny you service or charge different prices for exercising your privacy rights

10.2 California Residents (CCPA/CPRA)

If you are a California resident, you additionally have the right to:

  • Know what personal information we collect, use, disclose, and sell
  • Correct inaccurate personal information
  • Opt out of the sale or sharing of personal information (we do not sell or share, so this right is already satisfied)
  • Limit the use of sensitive personal information to purposes necessary for the Service

We honor Global Privacy Control (GPC) browser signals as a valid opt-out request.

10.3 Virginia, Colorado, Connecticut, Texas, Oregon, and Other States

Residents of states with comprehensive privacy laws (including but not limited to Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Delaware, Nebraska, New Hampshire, New Jersey, Iowa, Maryland, Minnesota, Rhode Island, Tennessee, and Indiana) have similar rights to access, delete, correct, and port their data.

Where required by your state's law, we obtain opt-in consent before processing your sensitive personal information (including health data). If you have questions about your specific state's rights, contact us at privacy@snusstop.at.

10.4 Washington Residents (My Health My Data Act)

Washington residents have additional rights under the My Health My Data Act (RCW 19.373). See Section 6 for your specific rights regarding consumer health data, including the right to consent, access, delete, and withdraw consent.

10.5 How to Exercise Your Rights

You can exercise your privacy rights by:

  • Deleting your account in the App (Settings → Delete Account)
  • Emailing us at privacy@snusstop.at with the subject "Privacy Rights Request"

We will verify your identity before processing your request. We will respond within 45 days (or 30 days where required by state law). If we need additional time, we will notify you.

10.6 Right to Appeal

If we deny your privacy rights request, you have the right to appeal by contacting us at privacy@snusstop.at with the subject "Privacy Appeal." We will respond to your appeal within 60 days.

11. Do Not Sell or Share My Personal Information

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Because we do not engage in these practices, there is no need for you to submit an opt-out request. However, if you wish to confirm this or have concerns, contact us at privacy@snusstop.at.

We honor Global Privacy Control (GPC) signals received from your browser.

12. Children's Privacy

SnusStop is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. The App requires users to be at least 18 years old.

If we become aware that we have collected personal information from a child under 13, we will promptly delete it. If you believe a child under 13 has provided us with personal information, please contact us at privacy@snusstop.at.

13. International Data Transfers

SnusStop is operated from Austria (European Union). Your primary data (profile, health data) is stored in the EU (Frankfurt, Germany) through Supabase. Some service providers (Vercel, Sentry, RevenueCat) process data in the United States.

For transfers from the EU/EEA to the United States, we rely on the EU-US Data Privacy Framework where our service providers are certified, and Standard Contractual Clauses (SCCs) approved by the European Commission as additional safeguards.

By using the Service from outside the United States, you consent to the transfer of your information to the United States, which may have different data protection laws than your country of residence.

14. Data Security

We implement reasonable technical and organizational measures to protect your personal information, including:

  • Encryption in transit (TLS/HTTPS for all data transmissions)
  • Encryption at rest (database encryption via Supabase)
  • Secure authentication token storage (iOS Keychain)
  • Row-level security policies on database tables
  • No plaintext password storage (hashed with secure algorithms)
  • Regular security updates and dependency monitoring

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

15. Health Breach Notification

In compliance with the FTC Health Breach Notification Rule (16 CFR Part 318), if we experience a breach of security involving your individually identifiable health information, we will notify you without unreasonable delay and in no case later than 60 calendar days after discovery. We will also notify the Federal Trade Commission as required.

16. Additional Information for EU/EEA Residents

If you are located in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) applies to our processing of your personal data.

Legal basis for processing:

  • Contract performance (Art. 6(1)(b) GDPR) — for providing the Service
  • Consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR) — for health data processing
  • Legitimate interest (Art. 6(1)(f) GDPR) — for error tracking and service improvement

Your GDPR rights: access, rectification, erasure, restriction, portability, objection, and withdrawal of consent.

You have the right to lodge a complaint with a supervisory authority. The Austrian Data Protection Authority (Datenschutzbehörde): www.dsb.gv.at

For the full German-language GDPR privacy policy, see: /legal/de/datenschutz

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy in the App and updating the "Last Updated" date above. For material changes affecting health data processing, we will provide notice via email or in-app notification at least 30 days before the changes take effect.

Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.

18. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us:

Felix Moser
Softwarepark 35, Top 1/3
4232 Hagenberg im Mühlkreis
Austria, European Union

Privacy inquiries: privacy@snusstop.at
General support: support@snusstop.at

We will respond to privacy rights requests within 45 days (or sooner where required by applicable state law).