Privacy Policy
Comeback is a product operated by Superneural Technologies Private Limited ("Comeback," "Superneural," "we," "our," or "us"). This Privacy Policy describes how we collect, use, disclose, and safeguard information about individuals who use our mobile applications, APIs, and related services (collectively, the "Services"). It also explains the rights and choices available to individuals in connection with their information.
We created this Privacy Policy to be comprehensive and transparent. Please read it carefully. If you do not agree with the practices described here, do not use the Services. By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy.
This Privacy Policy is not a contract and does not create any legal rights or obligations in addition to those described under applicable law and in our Terms of Service. If you have questions, contact us at privacy@superneural.co.
1. Scope and Applicability
This Privacy Policy applies to personal data (as defined below) processed by Superneural Technologies Private Limited in connection with the Services. It covers information we collect from:
- Individuals who install or use the Comeback iOS application;
- Individuals who visit our websites, join waiting lists, or interact with marketing pages;
- Individuals who participate in squads, chat, or other social features within the Services;
- Individuals who engage with our customer support, participate in surveys, or otherwise communicate with us;
- Individuals who complete purchases through our web checkout or through externally hosted payment flows.
This Privacy Policy does not apply to:
- Third-party websites, services, or apps that integrate with or link to our Services. Those services are governed by their own privacy policies.
- Employee or contractor data collected in the context of employment with Superneural Technologies Private Limited.
2. Key Definitions
- Personal Data means any information relating to an identified or identifiable natural person and includes "personal information" as defined under US state privacy laws and "personal data" under the EU/UK GDPR.
- Services means the Comeback application, websites, APIs, customer support, and associated offerings described in this Privacy Policy.
- Health Data means information related to an individual's physical or mental health status, including data obtained from Apple HealthKit (or similar sources) such as steps, workouts, sleep duration, active calories, and weight measurements.
- Sensitive Data means categories of data given heightened protection under law, such as Health Data, biometric identifiers, precise geolocation, and racial or ethnic origin. This Privacy Policy primarily addresses health-related sensitive data.
- You means the individual using the Services or otherwise interacting with Superneural Technologies Private Limited.
3. Information We Collect
We collect the categories of information described below. The specific data elements we process depend on how you use the Services, the features you enable, and the choices you make.
3.1 Account and Identity Information
- Email address and, where provided, display name.
- Apple ID or Google account identifiers if you sign in through those providers.
- Password hash if you create an email/password login (passwords are hashed using bcrypt and are never stored in plain text).
- Region or locale data inferred from your device settings to tailor onboarding, pricing disclosures, and legal notices.
3.2 Authentication and Security Data
- JSON Web Tokens (JWTs) and refresh tokens we generate to authenticate requests.
- Device identifiers used to register for push notifications (Apple Push Notification Service tokens).
- Logs related to authentication, sign-in attempts, and account status.
3.3 Habit, Progress, and Usage Data
- Habit selections, streaks, completion status, "arc" configurations, and custom goals.
- Daily completion records (including whether a completion was manual, auto-verified, rescued, or graced).
- Analytics about feature usage (e.g., which screens are accessed, proof submissions, squad participation) collected through our backend logs. We do not use third-party advertising SDKs or behavioral tracking services.
3.4 Health and Wellness Data (Optional)
If you grant permission, we read limited data from Apple HealthKit to auto-verify certain habits. The iOS application processes HealthKit data on-device and shares only the minimum necessary aggregates with our servers, such as:
- Date-specific summaries of steps, workout minutes, active energy burned, and sleep duration;
- Wake time (to confirm wake-up goals) and optional weight entries;
- User-defined preferences for movement goals or wake times.
We do not collect raw HealthKit samples or store sensitive identifiers from HealthKit. Health Data is only processed when you opt in and can be disabled at any time in iOS Settings.
3.5 Photos, Media, and AI Validation Data
- Photos or short videos you capture to prove habit completion ("Proofs"). These are uploaded to encrypted object storage (DigitalOcean Spaces) using presigned URLs.
- Metadata about each proof, such as upload date, file size, original filename, and optional EXIF timestamps if provided by your device.
- AI validation outputs when you choose to run automated checks on proofs. Proof media may be temporarily shared with Microsoft Azure OpenAI for image analysis. Outputs include validation scores, reasoning, and any flagged concerns.
3.6 Squad and Community Content
- Messages, reactions, and attachments shared in squad chats.
- Squad membership records, roles, invite codes, and activity feeds.
3.7 Payment and Commerce Information
- Stripe Checkout session identifiers, subscription IDs, and plan selections.
- Transaction status, trial eligibility, and promotional code usage.
- We do not store full payment card numbers. Payment credentials are handled by Stripe or other payment processors you choose (e.g., Apple Pay).
3.8 Communications and Support
- Email messages, support tickets, bug reports, and feedback submissions.
- Content of surveys, beta feedback, or feature requests.
3.9 Technical and Log Information (Automatically Collected)
- IP address, device type, operating system version, app version, and user-agent string.
- Crash logs and server-side error logs (without capturing Health Data or proof contents).
- Security logs relating to suspicious activity, rate limits, or abuse prevention.
3.10 Information from Third Parties
- Identity information from Apple or Google when you sign in through those services.
- External checkout state from Stripe (e.g., whether a payment succeeded) via webhooks.
- Device tokens relayed by Apple Push Notification Service (APNs).
- Regulatory reporting tokens (EU acquisition/services tokens) when provided in connection with external payment flows.
3.11 Aggregated, Anonymized, and De-identified Data
We may create aggregated or de-identified datasets by removing personal identifiers. We use these datasets for analytics, product development, and benchmarking. We do not attempt to re-identify de-identified data.
4. How We Use Information
We use the information described above for the following purposes:
4.1 Provide and Maintain the Services
- Authenticate users and manage accounts.
- Deliver habit tracking, streak calculations, squad features, analytics dashboards, and notifications.
- Store and display proof media, squad messages, and habit progress.
4.2 HealthKit Integration and Auto-Verification (with your consent)
- Process aggregated Health Data to auto-complete applicable habits (e.g., movement and wake-time goals).
- Update your progress dashboards with Health Data summaries.
4.3 AI Validation and Content Moderation (with your instruction)
- Analyze proof media via Azure OpenAI to assist with fraud detection and habit verification.
- Flag content that may violate community guidelines or appear inconsistent with the claimed habit.
4.4 Communications
- Send transactional emails or push notifications (e.g., habit reminders, payment confirmations, squad activity alerts).
- Respond to support requests and resolve issues.
4.5 Payments and Subscriptions
- Facilitate purchases via Stripe or other authorized payment processors.
- Manage trial eligibility, subscription status, renewals, and access to premium features.
4.6 Research, Analytics, and Product Improvement
- Aggregate usage metrics to measure feature adoption and performance.
- Conduct A/B testing and feature experiments (without exposing personal Health Data outside authorized teams).
4.7 Security, Fraud Prevention, and Enforcement
- Monitor for suspicious activity, abuse, or violations of our Terms of Service.
- Protect the integrity of squads, chat, and proof sharing features.
4.8 Legal and Compliance Obligations
- Comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
- Enforce our Terms of Service or other agreements, including investigating potential violations.
We will not use personal data for purposes inconsistent with this Privacy Policy without seeking additional consent or providing required notice.
5. Legal Bases for Processing (EEA/UK/Switzerland)
For individuals in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases:
- Performance of a Contract: To provide the Services, manage your account, process payments, and deliver features you request.
- Consent: For processing Health Data via HealthKit, sending certain push notifications, and any optional marketing communications. You may withdraw consent at any time via device settings or by contacting us.
- Legitimate Interests: To secure the Services, prevent fraud, understand usage trends, and improve user experience (balanced against your rights and expectations).
- Legal Obligations: To comply with tax, accounting, reporting, and regulatory requirements.
6. How We Share Information
We do not sell personal data and we do not share personal data with third parties for their direct marketing purposes. We share information only as described below and with appropriate safeguards.
6.1 Service Providers and Subprocessors
We engage carefully selected third parties to help us deliver the Services. These providers are contractually restricted from using personal data for purposes other than providing services to us. Key categories include:
- Infrastructure & Storage: DigitalOcean (app hosting, databases, object storage), Amazon Web Services (via S3-compatible SDKs when interacting with DigitalOcean Spaces).
- AI and Machine Learning: Microsoft Azure OpenAI for automated proof validation (only when you initiate validation).
- Identity & Authentication: Apple (Sign in with Apple, Apple Push Notification Service), Google (Google Sign-In).
- Payments: Stripe, Inc., Apple Pay, and other payment networks involved in web checkout.
- Communications: Email delivery providers (if used for transactional support), push notification services (APNs).
- Analytics & Logging: Internal logging services; we currently do not employ third-party analytics SDKs in the mobile application.
We maintain a list of current subprocessors that is available upon request at privacy@superneural.co.
6.2 Other Users
Content you choose to share within squads (including proof media, messages, and profile details) is visible to your squad members. Squad activity such as completion streaks may also be visible to other members.
6.3 Compliance with Law and Enforcement Requests
We may disclose information to a government authority or regulator, in response to a lawful request, or in response to legal process when required or permitted by law. We may also disclose information to protect our rights, privacy, safety, or property, and/or that of our users or the public.
6.4 Business Transfers
If we undergo a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal data may be transferred as part of that transaction, subject to appropriate confidentiality protections. We will notify you of any material change in ownership or control of your personal data.
6.5 Aggregated or De-identified Information
We may share with partners or the public aggregated or de-identified data that cannot reasonably be used to identify you (e.g., overall habit completion trends) for research or informational purposes.
7. International Data Transfers
Superneural Technologies Private Limited is based in India, and some of our infrastructure is hosted in US data centers. When we transfer personal data from the EEA, UK, or Switzerland to India, the United States, or other countries that may not provide equivalent data protection, we rely on appropriate safeguards, such as:
- Contractual protections, including the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum;
- Supplemental security measures such as encryption in transit and at rest, strict access controls, and data minimization;
- Ongoing assessment of legal and regulatory developments.
By using the Services, you acknowledge that your personal data may be transferred to, stored in, and processed in India, the United States, or other jurisdictions where we or our service providers operate.
8. Health Data and Sensitive Information
8.1 HealthKit Commitments
- HealthKit access is optional and requires your explicit consent via iOS.
- We only request read permissions necessary to verify relevant habits (sleep analysis, step count, workouts, active energy, body weight).
- HealthKit data is processed locally on your device when possible. We only transmit aggregate metrics necessary to record habit completion.
- We do not use HealthKit data for advertising, marketing, or data brokerage.
- You can revoke HealthKit permissions at any time in iOS Settings → Health → Data Access & Devices.
8.2 AI Validation of Proofs
- Proof media may be analyzed by Microsoft Azure OpenAI to generate validation scores and quality checks.
- Proofs are transmitted to Azure over encrypted connections and are not added to Azure training datasets.
- You can skip AI validation and rely on manual review at any time.
8.3 Sensitive Data Handling
We treat Health Data, proof media, and squad communications as sensitive. Access is restricted to personnel with a legitimate need-to-know. We log administrative access to production systems and employ role-based access controls.
9. Data Retention
We retain personal data for as long as necessary to fulfill the purposes described in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce agreements. Our retention practices include:
- Active Accounts: Core account data, habit history, proofs, squad messages, and subscriptions are retained while your account remains active.
- Deleted Accounts: When you delete your account, we queue your data for deletion and permanently remove or anonymize personal data within 30 days, unless we are legally required to retain it longer (e.g., for tax or fraud-prevention reasons).
- Proof Media: Stored in DigitalOcean Spaces and deleted when you remove a proof or delete your account. We may retain derivative metadata (e.g., validation results) in backups for up to 30 days.
- Health Data Summaries: Retained with your daily completion records and deleted upon account deletion.
- Payment Records: Retained for at least seven (7) years to satisfy tax, accounting, and regulatory requirements.
- Backups: Encrypted backups may persist for up to thirty (30) days before being overwritten. When restoring from backups, we reapply deletion requests.
We may retain aggregated or de-identified information indefinitely for legitimate business purposes.
10. Your Rights and Choices
10.1 Account Controls
- Update your display name and preferences in-app.
- Enable or disable HealthKit integration and push notifications through iOS settings.
- Manage squad memberships, proof visibility, and sharing options inside the app.
10.2 Data Export and Deletion
- Export your data via the in-app export feature (Settings → Account → Export), which generates a downloadable archive of your account data.
- Delete your account via Settings → Account → Delete. Deletion removes your personal data as described in Section 9.
10.3 Access, Correction, and Restriction
- Request access to or correction of your personal data by contacting privacy@superneural.co.
- Request restriction of processing where applicable (e.g., while we verify accuracy or handle an objection).
10.4 Communications Preferences
- Opt out of non-essential emails by using the unsubscribe link or contacting support.
- Disable push notifications through your iOS device settings.
10.5 GDPR-Specific Rights
Individuals in the EEA/UK/Switzerland have additional rights, subject to legal limitations:
- Right to access your personal data and receive a copy.
- Right to rectify inaccurate or incomplete data.
- Right to erasure ("right to be forgotten").
- Right to restrict processing in certain circumstances.
- Right to data portability for information you provided to us.
- Right to object to processing based on legitimate interests or direct marketing.
- Right to withdraw consent at any time (without affecting the lawfulness of prior processing).
To exercise these rights, contact privacy@superneural.co. We may request additional information to verify your identity. We will respond within one month (or as required by law). You also have the right to lodge a complaint with your local data protection authority.
10.6 California Privacy Rights (CCPA/CPRA)
California residents have the right to:
- Know the categories and specific pieces of personal information we collect, use, and disclose;
- Request deletion of personal information, subject to legal exceptions;
- Request correction of inaccurate personal information;
- Receive information about personal information disclosed for a business purpose;
- Opt out of "selling" or "sharing" personal information (we do not sell or share personal information as those terms are defined under the CCPA/CPRA);
- Not be discriminated against for exercising these rights.
Submit requests at privacy@superneural.co. If you are an authorized agent making a request on behalf of a California resident, attach proof of authorization. We will verify requests via the account email address or other reasonable means.
10.7 Nevada Residents
We do not sell covered information as defined under Nevada law. Nevada residents may submit opt-out requests to privacy@superneural.co.
11. Security
We employ administrative, technical, and physical safeguards designed to protect personal data. These measures include encryption in transit and at rest, hardened infrastructure, least-privilege access controls, rate limiting, secure software development practices, and monitoring for unusual activity.
No system is perfectly secure. We cannot guarantee absolute security of personal data transmitted to or stored within the Services. If you believe your account has been compromised, contact support immediately at support@superneural.co.
In the event of a data breach affecting your personal data, we will notify you and relevant authorities in accordance with applicable laws.
12. Children's Privacy
The Services are not directed to children under 13. We do not knowingly collect personal data from children under 13 without verifiable parental consent. If we learn that a child under 13 has provided personal data, we will delete that information. Parents or guardians who believe their child has provided personal data should contact privacy@superneural.co.
For users in the EU/UK, we do not knowingly collect personal data from individuals under 16 without appropriate consent.
13. Third-Party Services and Links
The Services may link to or integrate with third-party websites, apps, or services. We are not responsible for the privacy practices of those third parties. Review their privacy policies before providing personal data. Key third parties include Apple, Google, Stripe, DigitalOcean, and Microsoft Azure OpenAI.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via the app, email, or other reasonable means, and update the "Effective Date" above. Your continued use of the Services after the revised Privacy Policy becomes effective constitutes acceptance of the changes.
15. Contact Us
For questions, concerns, or to exercise your privacy rights, contact us at:
- Email: privacy@superneural.co
- Subject Line: Privacy Inquiry
- Mail: Superneural Technologies Private Limited, Attn: Privacy, Ahmedabad, Gujarat, India
If you are in the EEA/UK and remain unsatisfied after contacting us, you may lodge a complaint with your local supervisory authority. Contact details are available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
16. Additional Disclosures for EEA/UK Users
- Controller: Superneural Technologies Private Limited is the controller of your personal data. If we appoint an EU/UK representative or Data Protection Officer (DPO), we will update this section.
- Automated Decision-Making: We do not engage in automated decision-making that produces legal or similarly significant effects. AI validation provides recommendations but requires human review for consequential decisions.
- Data Protection Authority Contact: You may contact your national authority (for example, the Irish Data Protection Commission or the UK Information Commissioner's Office) if you wish to lodge a complaint.
17. Additional Disclosures for California Residents
The following table summarizes our data practices over the past twelve (12) months (as required by CCPA/CPRA). "Collected" indicates whether we collected the category; "Shared for Business Purpose" indicates disclosures to service providers or other permitted third parties.
| Category of Personal Information | Collected | Source | Business Purpose(s) | Shared for Business Purpose? |
|---|---|---|---|---|
| Identifiers (name, email, Apple/Google ID, IP address) | Yes | Directly from users; auth providers | Account management, authentication, security | Yes (infrastructure, auth providers) |
| Customer records (habit configurations, subscription status) | Yes | Directly from users | Provide Services, analytics | Yes (infrastructure, payments) |
| Commercial information (purchase history) | Yes | Payments via Stripe | Billing, fraud prevention | Yes (payments, accounting) |
| Internet/Technical activity (device info, logs) | Yes | Automatic collection | Security, troubleshooting | Yes (infrastructure, logging) |
| Geolocation (coarse region) | Yes (approximate) | Derived from device locale/IP | Region-specific pricing/compliance | Yes (infrastructure) |
| Audio/Visual (proof media, chat attachments) | Yes | Directly from users | Service functionality, squad sharing | Yes (storage, AI validation when requested) |
| Professional or education information | No | — | — | — |
| Inferences (habit insights, streaks) | Yes | Derived internally | Analytics, habit insights | No (only aggregated) |
| Sensitive data (Health Data) | Yes (optional) | HealthKit (with consent) | Auto-verification | Yes (infrastructure; not sold or shared) |
We do not knowingly sell or share (for cross-context behavioral advertising) the personal information of California residents, including those under 16.
18. Definitions (Glossary)
- "Arc" refers to a structured habit commitment period (typically 90 days) tracked within the Services.
- "Proof" means user-generated photo or media evidence of habit completion.
- "Squad" refers to an accountability group of users who can view certain activity, share messages, and collaborate.
- "Auto-verify" means marking a habit as completed based on Health Data or other automated checks rather than manual confirmation.
Last reviewed September 17, 2025.
