Privacy Policy
Last updated: 28 March 2026
1. Introduction
Welcome to Oath ("we", "us", "our"). We operate the Oath mobile application (the "App") available on iOS and Android. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights regarding that data.
We are committed to protecting your privacy and handling your data transparently and responsibly. By downloading, installing, or using the App, you agree to the practices described in this Policy.
If you have questions about this Policy or your data, please contact us at hello@oath-app.com.
2. Information We Collect
We collect the following categories of data:
| Category | Data | Purpose |
|---|---|---|
| Account data | Email address, username, password (stored as a cryptographic hash — we never see your plain-text password) | Creating and authenticating your account |
| App content | Habits and todos you create (title, description, schedule, priority, validation type), completion records, streak counts, oath card content | Delivering the core functionality of the App |
| Camera & photos | Live photos captured in-app for habit proof verification. Gallery access is not requested or used. | AI verification of habit completion (see Section 6) |
| Social data | Friend relationships (mutual connections), activity feed events, leaderboard positions (streak length only) | Social accountability features (Oath+ subscribers only) |
| Device & technical data | Device type, operating system version, push notification token, crash logs | Sending notifications, diagnosing errors, improving stability |
| Analytics data | Anonymised in-app events (e.g. screen views, feature usage frequency). No personally identifiable information is included. | Understanding how the App is used to improve it |
| Payment & subscription data | Subscription status (active/inactive/trial), plan type, transaction IDs provided by RevenueCat. We never receive or store your raw payment card details. | Managing your Oath+ subscription |
3. How We Use Your Information
We use the information we collect to:
- Create and maintain your account and authenticate you securely.
- Store and sync your habits, todos, streaks, and progress across your devices.
- Process and respond to photo proof submissions via AI validation.
- Enable social features including friend connections, the activity feed, and leaderboards.
- Send push notifications such as daily habit reminders, friend request alerts, and streak milestone celebrations.
- Manage your subscription to Oath+ via RevenueCat.
- Diagnose technical issues and improve the stability, performance, and features of the App.
- Comply with our legal obligations.
We do not sell your personal data to third parties. We do not use your data to build advertising profiles or serve third-party advertisements.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, we rely on the following legal bases:
- Contractual necessity — Processing your account data, habit/todo content, and subscription data is necessary to perform the contract between you and us (i.e. providing the App).
- Legitimate interests — We process anonymised analytics and crash data to improve the App, where this does not override your fundamental rights and freedoms.
- Consent — We request your explicit consent before accessing your camera and before sending push notifications. You may withdraw consent at any time.
- Legal obligation — We may process data as required by applicable law.
5. Third-Party Services
We share data with the following trusted third-party service providers. Each is bound by their own privacy policies and, where applicable, data processing agreements with us.
Supabase (supabase.com)
Supabase provides our database, authentication, and serverless edge functions. Your account credentials, habits, todos, streak data, and social connections are stored in Supabase. Data is hosted in EU data centres. Supabase is GDPR-compliant and we have a Data Processing Agreement in place. For more information, see the Supabase Privacy Policy.
RevenueCat (revenuecat.com)
RevenueCat manages our in-app subscription billing in partnership with Apple. RevenueCat receives your subscription status, transaction IDs, and device identifiers for the purpose of validating and managing your subscription. RevenueCat does not process or store raw payment card data — that is handled exclusively by Apple. See the RevenueCat Privacy Policy.
OpenAI (openai.com)
When you submit a photo as habit proof, that image is sent securely via HTTPS to our backend (hosted on Supabase Edge Functions), which then transmits it to OpenAI's Vision API for analysis. The AI returns a pass/fail determination.
Critically: under our API agreement, OpenAI does not use images submitted via the API to train their models. The original photo is deleted from our servers immediately after the AI analysis is complete — we store only the outcome (pass/fail), not the image itself.
See the OpenAI Privacy Policy.
Apple (apple.com)
Apple provides the App Store distribution, in-app purchase processing, and the Apple Push Notification Service (APNS) for delivering notifications to your device. Billing and payment card data are handled entirely by Apple. See Apple's Privacy Policy.
6. Camera & Photo Data
Oath's AI proof verification requires access to your device camera. Here is exactly what we do with that access:
- Live capture only. The App only captures photos in the moment using your device camera. We do not request access to your photo library or camera roll.
- Secure transmission. Photos are transmitted over an encrypted HTTPS connection to our Supabase Edge Function backend.
- AI analysis. The photo is forwarded to OpenAI's Vision API, which analyses it and returns a validation result.
- Immediate deletion. The original photo is deleted from our servers immediately after the AI response is received. We retain only the result (pass or fail) and the timestamp.
- No training use. Your photos are not used to train AI models by us or by OpenAI (per their API usage policy).
- Local caching. Depending on your device OS, a brief local cache of the photo may exist temporarily before being cleared.
You can revoke camera permission at any time in your device's Settings app. Revoking camera permission means you will not be able to use AI photo verification, but manual verification remains available.
7. Data Retention
- Account & app content data: Retained for as long as your account is active. Upon account deletion, your personal data is removed from our systems within 30 days, except where retention is required by law.
- Photos: Deleted from our servers immediately upon completion of AI validation. We do not archive or retain photos.
- Anonymised analytics: Retained and used in aggregated, non-identifiable form indefinitely for product improvement.
- Crash logs: Retained for up to 90 days.
- Subscription records: Transaction IDs and subscription history are retained by RevenueCat per their policy for the period required for financial and legal compliance.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
For EEA / UK residents (GDPR / UK GDPR)
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): Request deletion of your personal data. You can delete your account directly in the App (Profile → Delete Account), which triggers deletion of your data within 30 days.
- Right to data portability: Request an export of your data in a machine-readable format. Contact us at hello@oath-app.com.
- Right to restrict processing: Request that we limit how we process your data in certain circumstances.
- Right to object: Object to processing based on legitimate interests.
- Rights related to automated decision-making: Our AI photo verification makes automated pass/fail decisions. You have the right to request human review of a disputed result by contacting us.
- Right to lodge a complaint: If you are in the UK, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk. EEA residents may contact their local supervisory authority.
For California residents (CCPA)
- Right to know: You may request information about what personal data we have collected, used, and disclosed about you in the past 12 months.
- Right to delete: You may request deletion of your personal data, subject to certain exceptions.
- Right to opt-out of sale: We do not sell your personal information to third parties. No opt-out is needed.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise any of these rights, contact us at hello@oath-app.com. We will respond within 30 days.
9. Push Notifications
With your consent, we send push notifications to your device. These may include:
- Daily habit reminders (sent at a time you choose, cancelled automatically if all your tasks for the day are already complete)
- Streak milestone celebrations
- Friend request alerts and friend activity updates (Oath+ only)
You can manage or disable notifications at any time through:
- Your device's Settings app → Notifications → Oath
- The in-app Profile screen → Notifications
Disabling notifications will not affect your ability to use any other feature of the App.
10. Children's Privacy
Oath is not directed at children under the age of 13 (or 16 in the EEA where applicable). We do not knowingly collect personal data from children. If we become aware that a user is under the applicable minimum age, we will promptly delete their account and associated data. If you believe a child has provided us with personal data, please contact us at hello@oath-app.com.
11. International Data Transfers
Your data is primarily stored in EU data centres via Supabase. Where data is transferred outside the EEA or UK (for example, to OpenAI in the United States for photo analysis), such transfers are subject to appropriate safeguards including Standard Contractual Clauses (SCCs) or equivalent mechanisms under applicable data protection law.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where appropriate, by sending a notification via the App or email. Your continued use of the App after any changes constitutes acceptance of the updated Policy.
We encourage you to review this Policy periodically.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
- Email: hello@oath-app.com
We aim to respond to all enquiries within 5 business days and will fulfil all verified data rights requests within 30 days.