Privacy Policy
Last updated: March 15, 2026
1. Introduction
NoPuff (“we,” “our,” or “us”) operates the NoPuff mobile application (the “App”) and the website located at nopuff.app (the “Website”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App and Website (collectively, the “Service”).
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect information necessary to provide the Service, including:
- Your Apple ID identifier (when you sign in with Apple) — we do not receive or store your Apple ID password
- Display name (optional, may be a pseudonym)
- Email address (if provided through Sign in with Apple)
- Timezone setting for accurate streak calculations
2.2 Health and Vaping Data
To provide our core quit-vaping features, we collect information you voluntarily provide, including:
- Quit date and vaping history
- Vaping habits (device type, nicotine strength, frequency, daily spend)
- Quit motivation and reason for quitting
- Daily check-in data (mood, craving intensity, triggers)
- Streak information (start date, current streak length)
- AI coaching conversation history (messages exchanged with the AI Coach)
- SOS/panic button usage
Apple HealthKit Data Disclosure: NoPuff does not currently read from or write to Apple HealthKit. If we integrate HealthKit in the future, we will update this Privacy Policy accordingly. We will never sell HealthKit data to third parties, use it for advertising, or share it with data brokers, in compliance with Apple's HealthKit guidelines.
2.3 Usage Data
We automatically collect certain information about how you use the App, including:
- App opens and session duration
- Features accessed and actions taken
- Crash reports and performance data
- Subscription status and type
2.4 Device Information
We may collect information about the device you use to access the App, including:
- Device model and operating system version
- Unique device identifiers (for push notifications)
- Language and locale settings
- App version
3. How We Use Your Information
We use the information we collect to:
- Provide the Service: Calculate your streak, track health milestones, compute money saved, display your progress dashboard, and enable community milestone features.
- AI Coaching: Your vaping history, check-in data, and conversation history are sent to our AI coaching system to provide personalized, contextual support. See Section 5 for details on our AI provider.
- Push Notifications: Send you daily check-in reminders, streak milestone celebrations, motivational messages, and craving support notifications (with your permission).
- Analytics: Understand how the App is used so we can improve features and user experience. Analytics data is aggregated and not linked to individual accounts.
- Customer Support: Respond to your requests, troubleshoot issues, and provide technical assistance.
- Legal Compliance: Comply with applicable laws, regulations, and legal processes.
4. Data Storage and Security
Your data is stored on Supabase (self-hosted PostgreSQL database) hosted on Railway infrastructure. We implement the following security measures:
- All data is encrypted at rest using AES-256 encryption
- All data in transit is encrypted using TLS 1.2 or higher
- Row-Level Security (RLS) is enforced on all database tables, ensuring users can only access their own data
- Authentication is handled through Sign in with Apple, using industry-standard OAuth 2.0
- Database backups are performed regularly and stored securely
- Access to production infrastructure is restricted to authorized personnel with multi-factor authentication
While we implement commercially reasonable security measures, no method of electronic storage or transmission over the Internet is 100% secure. We cannot guarantee absolute security of your data.
5. Third-Party Services
We use the following third-party services to operate the App. Each service has its own privacy policy governing the use of your information:
5.1 Anthropic (AI Coaching)
Our AI Craving Coach is powered by Anthropic's Claude AI. When you use the AI Coach, your conversation messages and relevant context (such as your streak length, recent check-in data, and vaping history) are sent to Anthropic's API to generate responses. Anthropic processes this data according to their Privacy Policy. Anthropic does not use API inputs to train their models.
5.2 RevenueCat (Subscriptions)
We use RevenueCat to manage in-app subscriptions. RevenueCat receives your anonymous app user ID and subscription purchase information from Apple. RevenueCat does not receive your name, email, or health data. See RevenueCat's Privacy Policy.
5.3 Apple (Authentication and App Store)
We use Sign in with Apple for account authentication. Apple provides us with a unique user identifier and, at your option, your email address (which may be a private relay address). Subscription payments are processed entirely by Apple through the App Store. We do not receive or store your payment card information. See Apple's Privacy Policy.
5.4 Apple Push Notification Service (APNs)
We use APNs to deliver push notifications. Your device token is stored securely on our servers for the sole purpose of sending you notifications you have opted in to receive. You can disable notifications at any time in your device settings.
6. Your Rights Under GDPR (European Economic Area)
If you are a resident of the European Economic Area (EEA), you have certain data protection rights under the General Data Protection Regulation (GDPR). We process your personal data based on the following legal bases:
- Contract: Processing necessary to provide the Service you have subscribed to.
- Consent: Processing based on your explicit consent (e.g., push notifications, optional data sharing).
- Legitimate Interest: Processing necessary for our legitimate interests (e.g., analytics, fraud prevention), provided these do not override your rights.
You have the right to:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate personal data.
- Erasure: Request deletion of your personal data (“right to be forgotten”).
- Restriction: Request restriction of processing of your personal data.
- Portability: Request transfer of your personal data in a structured, machine-readable format.
- Objection: Object to processing of your personal data.
To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days.
7. Your Rights Under CCPA (California)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Opt-Out: We do not sell your personal information to third parties. Therefore, there is no need to opt out of the sale of personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
We do not sell personal information. We do not share personal information with third parties for their direct marketing purposes.
To exercise your rights, contact us at [email protected]. We will verify your identity before fulfilling your request.
8. Data Retention and Deletion
We retain your personal data only for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy. Specifically:
- Account data: Retained while your account is active. Deleted within 30 days of an account deletion request.
- Health and vaping data: Retained while your account is active. Permanently deleted when you delete your account.
- AI coaching conversations: Retained while your account is active. Permanently deleted when you delete your account.
- Usage analytics: Aggregated analytics data (which cannot identify individual users) may be retained indefinitely.
- Backup data: May persist in encrypted backups for up to 90 days after deletion from live systems.
How to Delete Your Account and Data
You can request deletion of your account and all associated data by:
- Opening the NoPuff app, navigating to Settings, and tapping “Delete Account”
- Emailing [email protected] with the subject line “Account Deletion Request”
Upon receiving your request, we will delete your account and all associated personal data within 30 days, except where we are required by law to retain certain information.
9. Children's Privacy
NoPuff is intended for users aged 13 and older. We do not knowingly collect personal information from children under the age of 13. If you are a parent or guardian and believe that your child under 13 has provided us with personal information, please contact us at [email protected], and we will promptly delete such information.
We do not collect data covered under the Children's Online Privacy Protection Act (COPPA). Our Service does not target children under 13, and we do not knowingly allow children under 13 to create accounts or use the Service.
For users between 13 and 17 years of age, we encourage parents or guardians to monitor their teen's use of the App and to contact us with any concerns.
10. Cookies and Tracking Technologies
Our Website may use cookies and similar tracking technologies for analytics purposes. The App itself does not use cookies. You can control cookie preferences through your browser settings.
We do not use tracking technologies for targeted advertising. We do not participate in cross-app or cross-site tracking.
11. International Data Transfers
Your data may be transferred to and processed in countries other than the country in which you reside. Our servers are located in the United States. If you are accessing the Service from outside the United States, please be aware that your data may be transferred to, stored, and processed in the United States and other jurisdictions where our service providers operate.
We apply appropriate safeguards to ensure that your personal data remains protected in accordance with this Privacy Policy, including the use of Standard Contractual Clauses approved by the European Commission where applicable.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the “Last updated” date. For material changes, we will also provide notice through the App (e.g., an in-app notification or email).
We encourage you to review this Privacy Policy periodically for any changes. Your continued use of the Service after changes are posted constitutes acceptance of the updated Privacy Policy.
13. Contact Us
If you have questions or concerns about this Privacy Policy, your personal data, or our privacy practices, please contact us:
- Email: [email protected]
- Support: [email protected]
- Website: https://nopuff.app
For GDPR-related inquiries, you may also lodge a complaint with your local data protection authority.