Privacy Policy
Last updated: June 22, 2026
Epoch AI ("we", "us", or "our") operates the Epoch mobile application. This Privacy Policy explains how we collect, use, and protect your information when you use our app.
1. Information We Collect
We collect information you provide directly:
- Account information: email address and password (or OAuth credentials via Apple/Google)
- Profile data: display name, profile photo, bio, height, weight, fitness goals, and activity level
- Fitness data: workout logs, nutrition logs, body measurements, progress photos, and water intake
- User content: posts, comments, and messages you share within the app
We also collect limited data automatically:
- Crash reports and error logs (via Sentry) to improve app stability
- Basic usage data to understand how features are used
- Device push notification tokens (stored to deliver notifications; deleted when you sign out or disable notifications)
2. How We Use Your Information
- To provide, operate, and improve the Epoch app
- To personalise your experience and calculate fitness metrics (TDEE, macros, etc.)
- To power the AI coach feature — your fitness data is sent to OpenAI's API to generate responses
- To process Pro subscription purchases via RevenueCat and Apple/Google billing
- To send transactional emails (account confirmation, password reset) via Supabase and Resend
- To send push notifications for activity such as likes, comments, new followers, and messages (you can disable these in Settings)
- To respond to support requests submitted through the in-app support chat or by email
- To detect and fix crashes and performance issues
3. Third-Party Services
We use the following third-party services, each governed by their own privacy policies:
- Supabase — database, authentication, and file storage
- OpenAI — powers the AI coach (your messages and fitness data are processed by OpenAI's API)
- RevenueCat — subscription management and billing lifecycle
- Sentry — crash reporting and error monitoring
- Expo / EAS — app delivery and over-the-air updates
- Resend — transactional email delivery (password resets, account confirmation)
- USDA FoodData Central — food nutrition database (queries are proxied through our server)
4. Direct Messages & End-to-End Encryption
Direct messages (DMs) between users are end-to-end encrypted using ECDH P-256 key exchange and AES-GCM 256-bit encryption. This means only you and the person you are messaging can read your messages — we cannot decrypt them. Your private encryption key is stored only on your device and is never transmitted to our servers. Group chat messages use the same encryption protocol with a shared group key wrapped per member.
Messages are stored encrypted on our servers solely to enable delivery to other devices. You can delete individual messages or clear a conversation at any time.
5. In-App Support Chat
The app includes a support chat feature that lets you send messages directly to the Epoch support team. Messages sent through support chat are not end-to-end encrypted and may be read by Epoch staff for the purpose of resolving your support request. We do not share these messages with third parties. You can also reach us by email at [email protected].
6. Data Storage & Security
Your data is stored on Supabase infrastructure. All data is encrypted in transit (HTTPS/TLS). Sensitive data such as session tokens are stored in encrypted storage on your device. We implement row-level security so users can only access their own data. Encryption keys for E2E messages never leave your device.
7. User Content & Community
Posts, workout shares, and meal shares you publish to the Community feed are visible to other Epoch users. You can delete your own posts at any time. Profile privacy settings allow you to control what information is visible to others. You may block other users, which prevents them from viewing your profile or contacting you. You may report content or users that violate our Terms of Service; reports are reviewed by our team.
8. Data Retention & Deletion
You can delete your account at any time from the Settings screen in the app. Account deletion permanently removes your profile, fitness data, and user content from our systems within 30 days.
To delete your account: open the Epoch app → Settings → scroll to the bottom → tap "Delete Account" → confirm. All personal data including your profile, workout logs, nutrition logs, progress photos, and community posts will be permanently erased within 30 days. Some anonymised, aggregated data may be retained for service improvement.
9. Children's Privacy
Epoch is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us at [email protected].
10. Your Rights
Depending on your location, you may have rights to access, correct, or delete your personal data, or to object to certain processing. To exercise these rights, contact us at [email protected].
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes through the app or by email. Continued use of Epoch after changes constitutes acceptance of the updated policy.
12. Contact
For privacy-related questions, contact us at [email protected].
© 2026 Epoch AI · Terms of Service