CtrlX – Privacy Policy
Effective Date: November, 2025. Company: Blinkpace Creative Solutions. Contact: blinkpacehq@gmail.com.
This Privacy Policy explains how we collect, use, and protect your personal information when you use CtrlX. It applies globally, including to users in the US, UK, and EU.
1. What Data We Collect
Account data such as username, display name, and email. Authentication and security data such as JWT access and refresh tokens, the quitx_session cookie, and a CSRF token. OTP codes for signup which expire in about fifteen minutes. Habit configuration data such as habit title, status, and action text. Activity and event data such as work completions and access purchases, with timestamps and light payloads. Wallet and virtual currency data such as xcoin credits and debits and transaction reasons with timestamps. Logs and technical data such as basic server and app logs and diagnostic errors. Email communications such as support, password reset, and OTP delivery. We do not collect payment card data and we do not support real‑money payments.
2. How We Use Your Data
We create and manage your account, authenticate and secure access, operate core app mechanics such as actions, xcoin wallet balances, and access windows, show dashboards and habit history, improve and troubleshoot the service, send operational emails such as OTP and password reset, and provide support when you contact us. We do not sell personal data.
3. Legal Bases for Processing
For users in the EU and UK, we rely on contract to provide the service, legitimate interests for security, fraud prevention, and product improvement, and consent for optional non‑operational communication. Where we rely on consent, you may withdraw it at any time.
4. Cookies, Sessions, and Caching
The quitx_session cookie is used for the login session and is set with Secure and HttpOnly flags and SameSite=Lax. JWT is stored server‑side and sent via the Authorization header. A service worker may cache static assets for performance and limited offline use. We do not use advertising or third‑party tracking cookies.
5. Data Sharing
We share data only with trusted providers that help us operate CtrlX, such as hosting providers, email providers for OTP and password‑reset emails, and any infrastructure or security tooling we use. We do not sell or share personal data for advertising and our subprocessors are required to protect data under appropriate safeguards.
6. International Data Transfers
Data may be processed or stored in countries outside your own. Where required, we use appropriate safeguards such as contractual protections to ensure your data remains protected.
7. Security
We use reasonable technical and organizational measures, including HTTPS, JWT with secure keys, Secure and HttpOnly cookies, access controls and user‑scoped data, and CSRF protection in the frontend API proxy. No system is completely secure and users should protect their accounts.
8. Retention
Account data is kept while your account is active. Habit, event, and wallet data is retained for history and functionality. OTP data is deleted after about fifteen minutes. Logs are retained for a reasonable period for security and diagnostics. If you request deletion, we may delete or pseudonymize historical data so it can no longer be tied to you.
9. Your Rights
Depending on your location, you may have rights to access your personal data, request correction or deletion, object to or restrict certain processing, obtain data portability, and withdraw consent for optional processing. California users under CCPA and CPRA have the right to know what data is collected, request deletion, correct inaccurate data, and opt out of sale or sharing. To exercise rights, email blinkpacehq@gmail.com. We may require verification of your identity before responding.
10. Children’s Privacy
CtrlX is not intended for children under sixteen. We do not knowingly collect personal data from children under thirteen. If we learn that we have done so, we will delete that data.
11. Changes
We may update this Policy occasionally. If we make material changes, we will provide notice. Continued use after an update means you accept the revised Policy.
12. Contact
Blinkpace Creative Solutions. Email: blinkpacehq@gmail.com.