SmokeFreeAI

SmokeFree AI Privacy Policy

Last Updated: July 6, 2026

This Privacy Policy explains how SmokeFree AI ("SmokeFree AI," "we," "us," or "our") collects, uses, discloses, stores, transfers, and protects personal information when you access or use the SmokeFree AI mobile application, website, AI coaching features, admin systems, communications, and related services (collectively, the "Service").

SmokeFree AI is a wellness and smoking-cessation support service. It is not a medical provider, healthcare provider, therapy service, crisis service, emergency service, or medical device.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, you must not use the Service.

1. Scope and controller

This Privacy Policy applies to personal information processed by SmokeFree AI in connection with the Service.

For purposes of applicable privacy laws, SmokeFree AI is generally the controller or business responsible for deciding how personal information is processed, unless a separate written agreement states otherwise. SmokeFree AI is operated by an independent individual developer trading under the name "SmokeFree AI." You can contact us about this Policy or your privacy rights at support@smokefreeai.com.

The Service is currently offered in the United States, the United Kingdom, Australia, and Canada. We may make it available in additional countries in the future.

2. Categories of information we collect

We may collect the categories of information described below, depending on how you use the Service.

Account and identity information

  • Email address.
  • First name, display name, or profile name.
  • Password hash if you use email and password login.
  • Social login identifiers if you use Google, Apple, or another supported login provider.
  • Email verification status, authentication status, account creation date, account status, role, subscription tier, and trial status.

Smoking-cessation and wellness information

  • Smoking status, smoking type, quit date, cigarettes per day, years smoking, price per pack, currency, and savings estimates.
  • Onboarding answers, motivation, triggers, coping strategies, personal mantra, high-risk situations, support system, coach preferences, and progress goals.
  • Craving logs, mood logs, slip or relapse logs, recommitment information, milestones, achievements, and progress statistics.
  • Optional physical profile fields, such as age, gender, height, and weight, if you choose to provide them.

Chat and AI coaching information

  • Messages, prompts, and questions you send to the AI coach.
  • AI-generated replies and related output.
  • Conversation summaries, coaching memories, behavioral patterns, weekly session notes, suggested homework, trajectory summaries, and other coaching context.
  • AI usage metadata, including feature name, model identifier, input token count, output token count, estimated AI cost, timestamp, request status, and related session metadata.

Safety, moderation, and support information

  • Safety events detected by automated systems, including potential self-harm, suicide, harm to others, severe distress, rage escalation, abuse, harassment, or other moderation signals.
  • Trigger statement excerpts, severity tier, resources offered, review status, resolution notes, timestamps, and administrative review notes.
  • Support requests, account support records, password reset support, subscription support, and communications with us.

Device, network, and technical information

  • IP address, approximate location derived from IP address, user agent, device type, operating system, app version, browser type, language settings, session timestamps, and active-session metadata.
  • Push notification token if you enable notifications.
  • Analytics events, feature usage, diagnostic data, crash reports, performance data, and security logs.
  • Local app storage values needed for authentication, preferences, cached data, and app functionality.

Payment and subscription information

  • Subscription plan, trial status, billing status, renewal status, cancellation status, payment processor identifiers, app-store purchase identifiers, and purchase metadata.
  • We do not intentionally store full payment card numbers. Payment details are processed by app stores, payment processors, or subscription platforms.

Administrative and audit information

  • Internal admin actions taken on accounts.
  • Audit logs showing who accessed or changed account, safety, billing, or operational records.
  • Role-based access information for team members and administrators.

3. Sources of information

We collect information:

  • Directly from you when you register, complete onboarding, chat with the coach, log cravings or mood, update settings, purchase a subscription, or contact support.
  • Automatically when you use the Service.
  • From service providers, including authentication providers, payment processors, app stores, email providers, analytics providers, crash-reporting tools, hosting providers, and AI infrastructure providers.
  • From internal systems, including admin dashboards, audit logs, safety-review tools, and account-management tools.

4. How we use information

We use personal information to:

  • Create, authenticate, secure, maintain, and manage accounts.
  • Provide AI coaching, progress tracking, craving tools, quit-date tracking, safety resources, reminders, and personalized support.
  • Maintain coaching continuity through summaries, memory, context, and progress history.
  • Calculate smoke-free days, cigarettes avoided, money saved, milestones, and other progress statistics.
  • Detect, prevent, investigate, and respond to abuse, fraud, security incidents, technical issues, unsafe activity, and policy violations.
  • Detect safety language and provide crisis-resource information or supportive safety responses.
  • Review safety events, support requests, account issues, subscriptions, and billing issues through authorized admin tools.
  • Process subscriptions, trials, billing status, cancellation status, refunds, entitlements, and related support.
  • Send verification messages, password reset messages, transactional emails, service notices, security alerts, and support responses.
  • Send push notifications if you enable them.
  • Debug, test, monitor, analyze, improve, and develop the Service.
  • Measure AI usage, token usage, system costs, feature usage, performance, and reliability.
  • Maintain audit logs, access logs, and records needed for accountability and security.
  • Comply with legal obligations, enforce agreements, respond to lawful requests, and protect rights, safety, and property.
  • Create aggregated, de-identified, or anonymized information that does not reasonably identify you.

5. AI processing

SmokeFree AI uses artificial intelligence systems to generate coaching replies, summaries, insights, suggested actions, memory, safety classification, and other Service features.

To provide these features, we may process or transmit your messages, onboarding information, progress data, safety context, and related metadata through AI infrastructure providers. These providers may process information on our behalf to generate AI Outputs and support the Service.

AI-generated content may be inaccurate, incomplete, inappropriate, or unsafe. The Service is not intended to provide medical advice, therapy, diagnosis, treatment, emergency response, or clinical monitoring.

We do not intend to use identifiable personal chat content to train public AI models operated by SmokeFree AI. Where provider settings and contracts allow, we aim to configure third-party AI providers to process data for service delivery and safety rather than for training their public models. Provider practices may depend on applicable terms, account settings, data-processing agreements, and technical configuration.

We may use aggregated, de-identified, anonymized, or statistical information to improve the Service, measure quality, debug systems, develop safety features, and understand product performance.

6. AI memory and personalization

The Service may create and store coaching memories, summaries, behavioral patterns, session notes, preferences, and context snapshots to personalize future interactions.

If memory controls are available, you can turn AI memory off or reset it. Turning memory off stops the Service from creating new coaching memories, but it does not delete coaching memories that were already stored: your existing history remains until you reset coaching memory or delete your account. Resetting coaching memory clears stored coaching memories from active systems, subject to the backup, legal, safety, and audit retention described in this Policy. Deleting your account removes your account and associated personal coaching data as described in the Account deletion section. Disabling or resetting memory may reduce personalization.

7. Safety review and admin dashboard

Authorized SmokeFree AI administrators, support personnel, or contractors may access limited user information through internal systems for:

  • Account support.
  • User management.
  • Safety event review.
  • Abuse prevention.
  • Subscription and billing support.
  • AI usage and cost monitoring.
  • Debugging and operational troubleshooting.
  • Audit logging, access control, and security.

Safety events may include message excerpts that triggered safety or moderation systems. Admin access is intended to be role-based, limited to authorized personnel, and logged.

SmokeFree AI does not monitor users in real time and does not guarantee that any safety event will be detected, reviewed, escalated, or resolved.

8. Legal bases for processing

Where the GDPR, UK GDPR, or similar laws apply, we process personal information based on one or more of the following legal bases:

  • Consent, such as AI processing consent, notification permission, or optional profile data.
  • Performance of a contract, such as providing the Service, account features, subscriptions, and support.
  • Legitimate interests, such as security, fraud prevention, service improvement, analytics, safety review, debugging, and operational administration.
  • Legal obligations, such as tax, billing, consumer protection, breach notification, sanctions, law enforcement, and regulatory compliance.
  • Vital interests, where processing may be necessary to provide urgent safety information or help protect a person's life or physical safety.

Where required, you may withdraw consent at any time. Withdrawal of consent does not affect processing that occurred before withdrawal and may limit or disable certain Service features.

9. How we disclose information

We may disclose personal information to the following categories of recipients:

  • AI infrastructure providers for AI coaching, summaries, safety classification, and related features.
  • Cloud hosting, database, infrastructure, storage, and security providers.
  • Authentication providers if you use social sign-in or third-party login.
  • Email and communication providers for verification, password reset, transactional messages, and support.
  • Payment processors, app stores, and subscription platforms for purchases, subscriptions, refunds, and entitlement management.
  • Push notification providers if you enable notifications.
  • Analytics, diagnostics, crash-reporting, monitoring, and performance providers.
  • Customer support and operational service providers.
  • Professional advisors, including lawyers, accountants, auditors, insurers, and consultants.
  • Government, regulatory, law enforcement, or legal authorities when required or permitted by law.
  • Other parties in connection with a merger, acquisition, financing, restructuring, bankruptcy, sale of assets, or similar transaction.

Key sub-processors we currently use

To be transparent about who processes your information, the main providers we rely on today are:

  • Google (Google Gemini API) — powers the AI coaching conversations, session summaries, and safety classification. When you send a message to the coach, its content is processed by this provider to generate a response. Where provider settings and contracts allow, we aim to configure this provider to process your data for service delivery and safety, not to train its public AI models.
  • Amazon Web Services (AWS) — cloud hosting, database, and storage for the Service, currently operated in the European Union (Frankfurt) region.

This list may change as the Service develops; we aim to keep an up-to-date list of sub-processors available on request at the contact address below. Sending a message to the coach means your message is processed by the AI provider above.

We do not sell personal information for money. We do not use third-party advertising trackers in the app unless this Privacy Policy is updated and any required consent or opt-out mechanism is provided.

10. Health, wellness, and sensitive information

Some information you provide may relate to smoking behavior, cravings, mood, relapse, emotional state, motivation, or other wellness information. This information may be considered sensitive personal information under certain laws.

SmokeFree AI is not intended to collect protected health information subject to HIPAA unless we expressly enter into a separate written agreement, such as a business associate agreement, stating otherwise.

Depending on the Service's data flows and applicable law, certain health privacy or breach-notification laws may apply, including the FTC Health Breach Notification Rule in the United States. If legally required, we will provide applicable notices regarding breaches of unsecured health-related personal information.

You should not submit information that you do not want processed by the Service or by the providers needed to operate the Service.

11. International transfers

The Service is currently hosted on cloud infrastructure located in the European Union (Frankfurt, Germany). If you use the Service from the United Kingdom, Australia, Canada, the United States, or elsewhere, your information is transferred to and processed in the European Union, and may also be processed in other countries where we or our providers operate, including Israel and the United States.

These jurisdictions may have privacy laws that differ from those in your location. Where required, we use appropriate safeguards for international transfers, such as contractual protections, Standard Contractual Clauses, the UK International Data Transfer Agreement or Addendum, adequacy decisions, consent, or other lawful transfer mechanisms.

12. Retention

We retain personal information for as long as reasonably necessary to provide the Service, operate our business, protect safety and security, comply with legal obligations, resolve disputes, enforce agreements, and maintain audit logs.

Retention periods vary based on the type of information, purpose of processing, legal requirements, security needs, and technical constraints. Typical retention practices may include:

  • Account information: retained while your account is active and for a reasonable period afterward as needed for legal, security, or operational purposes.
  • Coaching data and chat history: retained to provide continuity unless deleted, reset, or otherwise limited by available controls, subject to legal, safety, security, and backup requirements.
  • AI memory and summaries: retained while needed for personalization unless disabled, reset, or deleted, subject to operational and legal limitations.
  • Safety events: retained as needed for safety, auditability, legal compliance, abuse prevention, and operational accountability.
  • Audit logs and security logs: retained as needed for security, fraud prevention, legal compliance, and accountability.
  • Payment and subscription records: retained as required for tax, accounting, platform, dispute, refund, and legal obligations.
  • Support communications: retained as needed to provide support, resolve disputes, and improve operations.

Deleted information may remain for a limited time in backups, archives, logs, or disaster-recovery systems before being deleted, overwritten, anonymized, or isolated according to our backup cycles and legal obligations.

13. Your choices and rights

Depending on your location and applicable law, you may have rights to:

  • Access personal information we hold about you.
  • Receive a copy of certain personal information in a portable format.
  • Correct inaccurate personal information.
  • Delete personal information.
  • Restrict or object to certain processing.
  • Withdraw consent where processing is based on consent.
  • Opt out of certain sharing, sale, targeted advertising, or profiling, where applicable.
  • Limit the use or disclosure of sensitive personal information, where applicable.
  • Appeal certain privacy-rights decisions, where applicable.

You can exercise available rights through app settings or by contacting support@smokefreeai.com. We may need to verify your identity before fulfilling a request. Authorized agents may be required to provide proof of authority.

Some requests may be denied or limited where permitted by law, including where information is needed for legal compliance, billing records, fraud prevention, security, safety review, dispute resolution, audit logs, backups, or technical operation.

14. Account deletion

You may request deletion of your account through available in-app tools or by contacting us.

Deletion is intended to remove your account and associated personal coaching data from active systems. After deletion, you may lose access to your account, subscription-linked app features, chat history, progress history, coaching memory, and related data.

Certain information may be retained, anonymized, aggregated, or preserved where necessary or permitted for:

  • Legal compliance.
  • Tax, accounting, billing, refund, and payment-dispute records.
  • Security, fraud prevention, and abuse prevention.
  • Safety review and audit logs.
  • Enforcement of agreements.
  • Legal claims and dispute resolution.
  • Backups, archives, and disaster recovery.

15. Security

We use technical and organizational measures designed to protect personal information, which may include authentication, password hashing, token controls, encrypted connections, access controls, role-based admin permissions, audit logging, monitoring, rate limiting, backups, and security reviews.

No method of transmission or storage is completely secure. We cannot guarantee absolute security, continuous availability, immunity from cyberattacks, or prevention of unauthorized access.

If we determine that a security incident requires notice under applicable law, we will provide notice in the manner required by law.

16. Children

The Service is intended for adults only and is not directed to users under 18. We do not knowingly collect personal information from children or minors.

If we learn that a minor has used the Service, we may suspend or delete the account and associated information, subject to applicable law.

17. Push notifications

If you enable push notifications, we may use a device push token to send reminders, check-ins, craving support, milestone messages, subscription notices, safety notices, or service notifications.

You can disable push notifications through app settings or your device settings. Disabling notifications may limit reminder and check-in features.

18. Cookies, SDKs, and local storage

The mobile app may use local storage, secure storage, SDKs, device identifiers, and similar technologies for authentication, preferences, cached data, diagnostics, analytics, crash reporting, security, and app functionality.

The website may use cookies or similar technologies for security, analytics, performance, preferences, and session management. Where required by law, we will provide consent, notice, or opt-out controls.

19. California and U.S. state privacy rights

If the CCPA/CPRA or similar U.S. state privacy laws apply, residents of covered states may have rights to know, access, delete, correct, obtain a copy of, opt out of certain sale or sharing, opt out of targeted advertising or certain profiling, limit certain uses of sensitive personal information, and not be discriminated against for exercising privacy rights.

We do not sell personal information for money. If we engage in activities considered "sharing" for cross-context behavioral advertising or targeted advertising under applicable law, we will provide required notices and opt-out mechanisms.

We use sensitive personal information only as reasonably necessary to provide and secure the Service, comply with law, protect safety, and perform other purposes permitted by applicable law, unless we provide additional notice or obtain consent where required.

20. European, UK, and international users

If the GDPR, UK GDPR, or similar laws apply, you may have rights of access, rectification, erasure, restriction, objection, portability, and withdrawal of consent.

You may also have the right to lodge a complaint with a data protection authority. We encourage you to contact us first so we can try to resolve your concern.

If required by law, we may appoint an EU, UK, or other local representative or provide additional jurisdiction-specific notices.

21. Automated decision-making and AI transparency

The Service uses AI systems to interact with users and generate content. We aim to make clear when users are interacting with AI.

The Service is not intended to make solely automated decisions that produce legal or similarly significant effects concerning you. AI Outputs may be wrong or unsuitable and should not be treated as professional advice.

22. Data processing agreements and vendors

Where required, we seek to use appropriate contractual protections with service providers that process personal information on our behalf. These may include data-processing agreements, confidentiality obligations, security obligations, subprocessors terms, international-transfer safeguards, and breach-notification obligations.

Providers and subprocessors may change over time as the Service develops.

23. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we may provide notice through the Service, by email, by website posting, or by other reasonable means.

The updated Privacy Policy becomes effective on the date stated in the updated policy unless a different date is specified. Your continued use of the Service after an updated policy becomes effective means that you acknowledge the updated policy.

24. Contact

SmokeFree AI

Email: support@smokefreeai.com

Website: https://smokefreeai.com