Privacy Policy – SmokeOff
This is a translation provided for convenience. The Italian version is the legally binding one in case of discrepancies.
1. Data controller
SmokeOff — Brescia, Italy
The data controller details will be updated with the identifying information of the registered business.
2. Data collected
We may process, among other things:
- email address and username;
- data relating to your quit journey (e.g. quit date, cigarettes per day, pack cost);
- messages published in the community chat;
- navigation and app usage data (technical logs, IP address in abbreviated form where applicable).
SmokeOff uses internal analytics that collect aggregated, anonymous data on site visits (pages viewed, device, country of origin). We do not use tracking cookies or share data with third parties such as Google Analytics. The information is pseudonymised with daily hashes and does not identify individual visitors.
3. Legal basis
Processing is based on:
- your consent (Art. 6(1)(a) GDPR), where required (e.g. optional communications and non-essential cookies, if present);
- performance of a contract or steps prior to contracting (Art. 6(1)(b) GDPR) for providing the SmokeOff service.
4. Purposes
- provision and maintenance of the service (account, chat, personal statistics);
- aggregated anonymous statistics to improve the product;
- security, abuse prevention and legal compliance.
5. Retention
Data are kept only as long as necessary to provide the service. After account deletion, personal data will be anonymised within 30 days, except where longer retention is required by law.
6. Data subject rights
Under Articles 15–22 GDPR, you may exercise your rights of access, rectification, erasure, restriction, portability and objection through the Contact page on this website. You may also lodge a complaint with the competent supervisory authority (in Italy, the Garante per la protezione dei dati personali).
7. Cookies
We use technical session cookies essential for operating the app and for authentication. We do not use behavioural profiling cookies or third-party advertising tracking on the main service pages.
8. Transfer of data
Servers may be located in Germany (Hetzner), inside the European Union. Where you authenticate via Google OAuth, certain identifying data are processed by Google under its notices, according to your chosen sign-in method.
9. Security
We adopt appropriate measures: communications over HTTPS, hashed passwords (bcrypt) and best practices to protect sensitive data.
10. Changes
This policy may be updated. The date of the last update is shown at the bottom of the document.