1. Data controller
SMOXIT GmbH, Cologne, Germany — the operator of smoxit.app and my.smoxit.app — is the data controller under the General Data Protection Regulation (GDPR / DSGVO).
Contact our privacy team: privacy@smoxit.app
2. What we collect
- Account data — email, password (hashed), display name.
- Onboarding data — your smoking history, triggers, goals (the inputs that shape your quit plan).
- Usage data — coach conversations, check-ins, cravings logged, streak progress.
- Payment data — handled by our payment provider; we receive only a transaction reference, never your full card details.
- Technical data — IP address, browser type, device info, error logs.
3. Why we collect it
- To provide the Service and personalise your quit plan;
- To improve our AI coach (using anonymised, aggregated patterns — never raw conversations);
- To handle billing and prevent fraud;
- To send service-related emails (you can opt out of marketing anytime).
4. Legal basis (Art. 6 GDPR)
We process your data on the following legal bases:
- Performance of contract — to deliver the Service you signed up for;
- Consent — for optional marketing emails and analytics cookies;
- Legitimate interest — to keep the Service secure and to improve it;
- Legal obligation — for tax, accounting, and statutory record-keeping.
5. Sharing & processors
We use carefully selected processors under data-processing agreements. Currently:
- Cloud hosting (EU region)
- AI inference provider
- Payment processing
- Transactional email
- Privacy-friendly analytics
We never sell your data. We never share it for advertising.
6. How long we keep it
Account and onboarding data: as long as your account is active, plus 30 days after deletion.
Billing records: 10 years (statutory retention).
Coach conversations: deleted on request, otherwise retained while your account is active.
7. Your rights (Art. 15–22 GDPR)
You have the right to:
- Access the data we hold about you;
- Rectify inaccurate data;
- Erase your data ("right to be forgotten");
- Restrict or object to processing;
- Receive your data in a portable format;
- Lodge a complaint with a supervisory authority (e.g. LDI NRW).
To exercise any of these, email privacy@smoxit.app — we'll reply within 30 days.
8. Cookies
We use only essential cookies by default (session, security). Optional analytics and preference cookies are set only with your consent via the cookie banner. You can change your preferences anytime in your account settings.
9. Security
We protect your data with TLS encryption in transit, encrypted storage at rest, principle-of-least-privilege access, and regular security reviews. No system is 100% secure — but we take this very seriously.
10. Changes to this policy
We update this policy when we change how we handle data. Material changes are announced by email or in-app at least 14 days in advance.