ClariLung Privacy Policy
Effective date: 2026-03-16 · Last updated: 2026-06-02
ClariLung ("we", "our", "the app") is a wellness application for quitting vaping, smoking, weed, or cigars, built by Duskfield Studios LLC. We take your privacy seriously. This policy explains what data we collect, why we collect it, and your rights over it. By using ClariLung you agree to the practices described here.
1. Information we collect
Account information: Email address, name (optional), and an encrypted password. We never store your password in readable form — it is hashed with bcrypt before being written to disk.
Quit profile: Substance type (vape / cigarette / weed / cigar), device type, nicotine level, estimated puffs per day, craving triggers, and quit method (cold turkey or taper). This powers your personalised quit plan, health timeline, and AI Coach.
Usage data: Quit date, streak history, daily puff logs (taper mode), craving events (intensity, trigger category, tool used, whether you resisted), journal entries (mood and text), and health milestones you've reached.
AI Coach conversations: Messages you send to the AI Coach and the responses generated. Stored to maintain conversation context across sessions.
Social features: Buddy connections and encouragement messages — visible only to connected quit buddies.
Subscription metadata: The platform that handled your payment (Stripe / Apple / Google), your subscription status, plan, and billing period start/end. We never see or store your payment-instrument details (card numbers, Apple ID password, etc.).
Device information: Push notification tokens (if you enable notifications). We do not collect device identifiers, precise location data, or browsing history.
2. How we use your data
- To provide and personalise your quit plan, taper schedule, and health milestones
- To power the AI Coach with context about your journey (triggers, patterns, progress)
- To sync your streak and progress to iOS widgets, Apple Watch, and Wear OS
- To connect you with quit buddies and deliver encouragement messages
- To send push notifications about milestones and check-ins you opt into
- To send transactional email (signup verification, password reset)
- To process subscription payments through Stripe, Apple, and Google
- To enforce rate limits and protect the service from abuse
3. AI Coach & third-party processors
The AI Coach sends your messages, along with your anonymised quit profile (substance type, device type, nicotine level, triggers, craving patterns), to Anthropic for processing. Your email and name are not sent to Anthropic. Anthropic does not use your data for training. See Anthropic's privacy policy.
We use the following additional third-party services:
- Stripe (web payments) — handles credit-card data for web subscriptions. We never see or store card numbers; we keep only your Stripe customer ID. See Stripe's privacy policy.
- Apple App Store (iOS payments) — handles iOS subscriptions through StoreKit. We receive transaction identifiers but never your Apple ID password.
- Google Play (Android payments) — handles Android subscriptions through Play Billing. We receive purchase tokens but never your Google account credentials.
- Resend (transactional email) — sends signup verification and password-reset emails. Receives only the recipient address and the message content. See Resend's privacy policy.
- Railway (hosting) — runs our backend, PostgreSQL database, and Redis cache. Customer data lives on Railway's managed Postgres.
- Cloudflare Workers (web hosting) — serves the web app static assets. Does not receive your account data.
4. Data storage & security
- Passwords hashed with bcrypt (irreversible)
- JWT tokens stored in encrypted device storage (iOS Keychain / Android Keystore on mobile; browser localStorage on web)
- All API communication uses HTTPS / TLS encryption
- Rate limiting and account lockout against brute-force login attempts
- Parameterised database queries — no raw SQL with user input
- HTTP security headers (HSTS, X-Frame-Options, X-Content-Type-Options) prevent clickjacking, MIME sniffing, and XSS
- Audit logging on all sensitive operations
- SSL certificate pinning on the mobile app
- Non-root database role for the application — the backend cannot drop tables
5. Data sharing
We do not sell your data. We share data only with the third-party processors listed in section 3 (each for the limited purpose described there), with your connected quit buddies (streak length, name, and encouragement messages only), and with law enforcement only if required by valid legal process.
6. Your rights (CCPA / similar)
You have the right to:
- Know what personal data we collect (this policy)
- Access / export your data — use Settings → Your data → Export my data in the app, or email us and we'll send you a JSON file of everything in your account
- Delete your data — use Settings → Danger zone → Delete account in the app, or email us. Deletion is immediate and permanent (see section 8 for details)
- Opt out of sale — we do not sell personal data, so this is automatic
- Non-discrimination — we will not change the service you receive for exercising any of these rights
To exercise any of these rights, email ceo@duskfieldstudios.com. We respond within 45 days.
7. Data retention
We retain your account data while your account is active. When you delete your account, you are signed out immediately and all your data is permanently and irreversibly removed in the same operation — there is no grace window. See Account Deletion for the full list of what is removed. We retain transactional records (subscription / payment history) we are legally required to keep for tax or audit purposes, per applicable accounting rules.
Audit logs (IP addresses, timestamps, event types — no message content) are retained for 90 days for security investigation purposes.
8. Children's privacy
ClariLung is for users 13 and older. We do not knowingly collect data from children under 13. If you believe a child under 13 has created an account, contact us and we will delete it.
9. Wellness disclaimer
ClariLung is a wellness application and does not provide medical advice, diagnosis, or treatment. The AI Coach provides general wellness support and is not a substitute for professional medical or psychological care. If you experience severe withdrawal symptoms or mental health concerns, please consult a healthcare provider. In a mental health emergency, call 988 (Suicide & Crisis Lifeline) or 911.
10. Changes
We may update this policy. Material changes will be communicated via in-app notification or email at least 14 days before they take effect. The "Last updated" date at the top of this page is updated on every revision.
11. Contact
Privacy questions, data export or deletion requests, or other concerns: ceo@duskfieldstudios.com.