ebbwave Blog Get the app

Privacy Policy

Effective date: 6 July 2026

This is also our Consumer Health Data Privacy Policy under the Washington My Health My Data Act.

Who we are

ebbwave is operated by VIBOA UG (haftungsbeschränkt), Kopernikusstr. 14, 30167 Hannover, Germany. We are the data controller. Questions or requests: privacy@ebbwave.com.

The short version

ebbwave helps you change a habit — smoking, drinking, your phone, and others. That means the app knows something genuinely private about you: that you’re working on an addiction or compulsive habit, and how it’s going. Under the law, that’s health data. So we hold ourselves to three rules:

  • Nothing leaves your phone without your explicit OK. By default, ebbwave runs entirely on your device. Cloud sync and analytics are separate, off-by-default choices.
  • We never sell your data, never show ads, and never use it to track you across other apps or websites. There are no advertising SDKs or data brokers anywhere in ebbwave.
  • You can delete everything, in the app, in under a minute — Settings → Delete account.

What we collect, and why

If you stay in local-only mode, your data — habit, clean days, lapses, notes, everything — is stored only on your device. We can’t see it. It disappears when you delete the app. The only data that exists off-device is what Apple processes for your purchase, if you subscribe.

If you turn on cloud sync (explicit opt-in), we store on our servers:

  • Email, name (optional), sign-in credentials — your account, for sign-in and recovery.
  • Your chosen habit, goal, quit date, clean-day progress, points — your recovery state, synced and restorable.
  • Lapses you log (time, optional trigger tag, optional note) — your own history and the honest recovery curve.
  • Craving-wave sessions and daily check-ins (craving level, mood) — your progress stats.
  • Your “why”, identity statement, values, custom affirmations, custom habit name — shown back to you by Beacons at hard moments, in your own words.
  • A one-question self-check answer from onboarding — to suggest whether an app is the right tool for you, or whether professional care fits better. It’s an educational self-assessment, not a diagnosis.
  • Beacon (reminder) schedule and preferences — so your reminders survive reinstalls.
  • Support-buddy names and numbers you add — so the SOS screen can offer one-tap text/call. We never contact your buddies ourselves; calls and texts go straight from your phone. Please add people who are okay with it.
  • Circle posts (initials, a “Day N · habit” label, your words) — the anonymous community feed. Other members see your initials and post, never your name, email, or account.
  • Purchase / subscription status — to unlock Plus features you paid for.

If you also turn on analytics (a separate explicit opt-in), we record product events like “onboarding completed” or “screen viewed” to understand what helps people and what doesn’t. Analytics events never include your habit identity, lapse details, trigger tags, craving scores, or anything you typed.

Because using ebbwave reveals information about your health, we ask for explicit consent before any of it is stored off your device (GDPR Art. 9(2)(a); Washington MHMDA). Consent is:

  • Separate — its own screen, never buried in terms of service.
  • Granular — cloud sync and analytics are independent switches.
  • Optional — declining keeps you in local-only mode with the full app working.
  • Revocable — flip the switches off anytime in Settings.

We never require your consent as a condition for using the app’s safety features. SOS, the craving-wave tool, and crisis resources are always available, free, without an account.

What we never do

  • No selling or renting your data — to anyone, ever.
  • No advertising, ad networks, or data brokers.
  • No cross-app or cross-website tracking.
  • No location collection and no geofencing — ebbwave doesn’t know or use where you are.
  • No reading your health records, HealthKit, contacts, photos, or messages.
  • No AI training on your personal data.

Who processes data for us

When cloud features are on, these providers process data under contract with us (data-processing agreements in place):

  • Supabase (database and sign-in; hosted on AWS in the European Union) — the synced data listed above, encrypted in transit and at rest.
  • RevenueCat (subscription management) — an anonymous-to-them user ID and purchase state, never your habit or recovery data.
  • Apple (App Store, payments, Sign in with Apple) — your purchase; your Apple ID email (or its private relay) if you sign in with Apple.

How long we keep data

  • Local-only mode: we keep nothing; your device does, until you delete the app.
  • Account data (cloud sync on): kept while your account exists; deleted when you delete your account.
  • Analytics events: deleted after 24 months.
  • Backups: deleted data can persist in encrypted backups for a short period (no longer than 6 months) before those backups age out.

Deleting your data

Settings → Delete account permanently deletes your account and all synced data — profile, history, check-ins, analytics events, and your community posts — immediately. Backup copies age out per the schedule above. You can also email privacy@ebbwave.com; we act within 30 days (GDPR) / 45 days (Washington and California law).

Your rights

Depending on where you live, you have the right to know / access your data, correct it (most data is editable in the app), delete it, withdraw consent anytime with no penalty and no loss of the free app, receive a portable copy (email us and we’ll provide one), and not be discriminated against for exercising any of these rights.

You may also appeal a refused request by contacting us. Washington residents may contact the Washington Attorney General; EU/UK users may complain to their supervisory authority.

These rights derive from the EU/UK GDPR, the California Consumer Privacy Act (as amended by the CPRA), the Washington My Health My Data Act, and similar laws. We apply the same rights to everyone regardless of residence.

Children

ebbwave is rated 18+ on the App Store. It deals with addiction — including alcohol, nicotine, cannabis, gambling, and sexual behavior — and is not designed for, directed at, or knowingly used to collect data from anyone under 18. If you believe a minor has created an account, contact us and we will delete it.

Security

Row-level access controls (each account can only ever read its own rows), encryption in transit and at rest, no secret keys in the app, and independent SOC 2 Type 2 audited infrastructure. No system is perfectly secure; if a breach ever affects your data, we will notify you and the relevant authorities as the law requires (within 72 hours to EU authorities).

Changes to this policy

We’ll post changes here with a new effective date, and — for anything that expands what we collect or share — ask for your consent again before it applies to you.

Contact

VIBOA UG (haftungsbeschränkt) Kopernikusstr. 14, 30167 Hannover, Germany privacy@ebbwave.com