OATH

Privacy Policy

Last updated: 13 April 2026

Contents

  1. Introduction
  2. Information We Collect
  3. How We Use Your Information
  4. Legal Basis for Processing (GDPR)
  5. Third-Party Services
  6. Camera, Photos & AI Validation
  7. Data Storage & Retention
  8. Your Rights
  9. Push Notifications
  10. Children's Privacy
  11. International Data Transfers
  12. Security
  13. Changes to This Policy
  14. Contact Us

1. Introduction

Welcome to Oath ("we", "us", "our"). We operate the Oath mobile application (the "App") available on iOS. This Privacy Policy explains what personal data we collect, why we collect it, how we use and store it, and your rights regarding that data.

We are committed to protecting your privacy and handling your data transparently and responsibly. By downloading, installing, or using the App, you agree to the practices described in this Policy.

If you have questions about this Policy or your data, please contact us at hello@oath-app.com.

2. Information We Collect

We collect the following categories of data:

Each category below lists the data collected and the purpose for which we use it.

  • Account data
    Data: Apple ID profile information (your email address and name, as shared by Sign in with Apple), a username you choose, and an optional display name. We do not collect or store passwords; authentication is handled entirely by Apple.
    Purpose: Creating and authenticating your account

  • App content
    Data: Habits and todos you create (title, emoji, description, schedule, priority, validation type, reminder time, weekly target, daily reps), completion records, streak counts, and rep progress.
    Purpose: Delivering the core functionality of the App

  • Camera & photos
    Data: Photos captured in-app via the camera or selected from your photo library for habit proof verification. See Section 6 for full details on how photos are handled, stored, and retained.
    Purpose: AI verification of habit/todo completion, the habit memory archive, and optional sharing with friends

  • Social data
    Data: Friend connections (mutual), daily completion summaries visible to friends (completed count, total count, streak), activity feed events, leaderboard positions (streak length), and optionally shared proof photos.
    Purpose: Social accountability features

  • Device & technical data
    Data: Push notification token (Expo push token), a locally generated device identifier (used solely for rate limiting AI validation requests), and device platform information.
    Purpose: Sending notifications and preventing abuse of the AI validation service

  • Notification preferences
    Data: Your choices for daily reminders, friend request alerts, streak milestone celebrations, and friend activity notifications.
    Purpose: Sending only the notifications you have opted into

  • Payment & subscription data
    Data: Subscription status (active, inactive, or trial), plan type (monthly or yearly), and transaction identifiers provided by RevenueCat. We never receive or store your payment card details; billing is handled entirely by Apple.
    Purpose: Managing your Oath+ subscription, which is required to use the App after the free trial period

Data we do NOT collect

We want to be explicit about what we do not collect:

  • We do not collect your precise location or GPS data.
  • We do not access your contacts, calendar, or health data.
  • We do not collect advertising identifiers (IDFA) or build advertising profiles.
  • We do not use third-party analytics SDKs or track screen views, taps, or behavioural events.
  • We do not sell your personal data to third parties.

3. How We Use Your Information

We use the information we collect to:

  • Create and maintain your account and authenticate you securely via Apple Sign In.
  • Store and sync your habits, todos, completions, streaks, and progress across sessions.
  • Process photo proof submissions through AI validation (see Section 6).
  • Store habit memory photos as a permanent personal archive of your progress.
  • Optionally share activity photos with your accepted friends for 48 hours.
  • Enable social features including friend connections, the activity feed, and the leaderboard.
  • Send push notifications such as daily habit reminders, friend request alerts, and streak milestone celebrations (based on your preferences).
  • Manage your subscription to Oath+ via RevenueCat.
  • Enforce rate limits on AI validation to prevent abuse (using your device identifier).
  • Comply with our legal obligations.

We do not sell your personal data to third parties. We do not use your data to build advertising profiles or serve third-party advertisements.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, we rely on the following legal bases:

  • Contractual necessity — Processing your account data, habit/todo content, completion records, and subscription data is necessary to perform the contract between you and us (i.e. providing the App).
  • Legitimate interests — We process device identifiers for rate limiting to protect the integrity of the AI validation service, where this does not override your fundamental rights and freedoms.
  • Consent — We request your explicit consent before accessing your camera, before accessing your photo library, and before sending push notifications. You may withdraw consent at any time through your device settings.
  • Legal obligation — We may process data as required by applicable law.

5. Third-Party Services

We share data with the following trusted third-party service providers. Each is bound by their own privacy policies and, where applicable, data processing agreements with us.

Supabase (supabase.com)

Supabase provides our database (PostgreSQL), authentication layer, cloud storage, and serverless edge functions. Your account data, habits, todos, completion records, streak data, friend connections, proof photos, and habit memory photos are stored on Supabase infrastructure. All data in transit is encrypted via HTTPS, and data at rest is encrypted by Supabase. Row-Level Security (RLS) policies ensure users can only access their own data and the data of accepted friends. See the Supabase Privacy Policy.

OpenAI (openai.com)

When you submit a photo for AI proof validation, the image is sent securely via HTTPS to our backend (hosted on Supabase Edge Functions), which transmits it to OpenAI's API for analysis. The following data is sent to OpenAI:

  • The photo, compressed to approximately 200 KB and then base64-encoded (base64 encoding adds roughly a third to the transmitted size)
  • The title and description of the habit or todo being validated

OpenAI returns a pass/fail determination with a confidence score and reasoning. Under our API agreement, OpenAI does not use data submitted via the API to train their models. See the OpenAI Privacy Policy.

RevenueCat (revenuecat.com)

RevenueCat manages our in-app subscription billing in partnership with Apple. RevenueCat receives your subscription status, transaction identifiers, and your Supabase user ID (used as the app user ID) for the purpose of validating and managing your subscription. RevenueCat does not process or store raw payment card data — that is handled exclusively by Apple. See the RevenueCat Privacy Policy.

Expo (expo.dev)

Expo provides our push notification delivery infrastructure. When you grant notification permission, your device's push token is sent to Expo's push service to deliver notifications. Expo also provides over-the-air app updates. See the Expo Privacy Policy.

Apple (apple.com)

Apple provides App Store distribution, Apple Sign In authentication, in-app purchase processing, and the Apple Push Notification Service (APNs). When you sign in with Apple, we receive only the information you choose to share (name and email). Billing and payment card data are handled entirely by Apple. See Apple's Privacy Policy.

6. Camera, Photos & AI Validation

Oath uses your device camera and, optionally, your photo library to capture proof of habit and todo completion. Here is exactly what happens with your photos:

Photo capture

  • The App requests permission to access your camera to capture live proof photos.
  • The App may also request access to your photo library (via the system image picker) if you choose to select an existing photo instead of taking a new one.
  • You can revoke either permission at any time in your device's Settings app.

AI validation photos

  • When you submit a photo for AI validation, it is compressed (to approximately 200 KB) and transmitted over an encrypted HTTPS connection to our Supabase Edge Function.
  • Our edge function forwards the image to OpenAI's API, which analyses it and returns a validation result (pass/fail, confidence score, and reasoning).
  • The photo transmitted for AI validation is not retained on our servers once validation completes; we store only the validation result. OpenAI's own handling of API inputs is governed by its API data usage policy.
  • Your photos are not used to train AI models by us or by OpenAI (per their API data usage policy).

Habit memory photos (permanent)

  • When you successfully validate a habit, the proof photo may be saved as a habit memory — a personal archive of your progress.
  • Habit memory photos are stored in a private Supabase Storage bucket. Only you can access your own habit memories; they are not visible to friends or other users.
  • Habit memory photos are also cached locally on your device's filesystem (in the app's private document directory) for offline access.
  • There is a limit of one memory photo per habit per day.
  • Habit memory photos are retained for the lifetime of your account and are deleted when you delete your account.

Friend activity photos (temporary)

  • After completing a task, you may optionally choose to share a proof photo with your accepted friends.
  • Shared photos are stored in a separate Supabase Storage bucket and are visible only to your accepted friends.
  • Friend activity photos are automatically deleted after 48 hours. A scheduled cleanup function removes both the files and database records.

Revoking camera permission

If you revoke camera permission, you will not be able to use AI photo verification, but manual verification (self-attestation) remains available as an alternative.

7. Data Storage & Retention

Where your data is stored

  • Cloud storage: Your account data, habits, todos, completions, social connections, and photos are stored on Supabase infrastructure. Data in transit is encrypted via TLS/HTTPS, and data at rest is encrypted by Supabase.
  • Local storage: Your habits, todos, completions, and preferences are also stored locally on your device using AsyncStorage (a key-value store) for offline access. Habit memory photos are cached in the app's private document directory on your device.

Retention periods

  • Account & profile data: Retained for as long as your account is active. Deleted upon account deletion.
  • Habits, todos, & completions: Retained for as long as your account is active. Deleted upon account deletion.
  • Habit memory photos: Retained for the lifetime of your account. Deleted upon account deletion.
  • Friend activity photos: Automatically deleted after 48 hours.
  • AI validation photos: Not retained after validation is complete. Only the result (pass/fail) is stored.
  • Validation attempt records: Daily rate-limit counters are stored per item per day. Historical records may accumulate but contain no personal content, only counters.
  • Push notification tokens: Retained for as long as your account is active. Deleted upon account deletion.
  • Subscription records: Transaction IDs and subscription history are retained by RevenueCat per their policy for the period required for financial and legal compliance.
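The validation attempt counters described above, together with the device identifier in Section 2 and the rate limiting in Section 12, suggest a small, content-free table keyed by device, item and day. The following is an added illustration of how such a counter can be enforced atomically in PostgreSQL so that concurrent requests cannot both slip under the limit; it is not Oath's own schema or code, and the table name, function name and the limit of 5 attempts per day are assumptions.

```sql
-- Added example (not Oath's own schema or code): an atomic per-device,
-- per-item, per-day attempt counter, called by the backend before it
-- forwards a photo to OpenAI. Names and the limit of 5 are assumptions.

create table if not exists validation_attempts (
  device_id text not null,   -- client-generated identifier (Section 2)
  item_id   uuid not null,   -- the habit or todo being validated
  day       date not null,
  attempts  int  not null default 0,
  primary key (device_id, item_id, day)
);

-- Rows hold only counters: no photo, no result text, no personal content.
-- RLS on with no policies means clients cannot read or write the table
-- directly; only the SECURITY DEFINER function below touches it.
alter table validation_attempts enable row level security;

create or replace function consume_validation_attempt(
  p_device_id text, p_item_id uuid, p_limit int default 5)
returns boolean
language plpgsql security definer set search_path = public as $$
declare
  v_attempts int;
begin
  -- Reject obviously bogus input before doing any work.
  if p_device_id is null or length(p_device_id) not between 8 and 128 then
    raise exception 'invalid device id';
  end if;

  -- Upsert-and-increment in one statement: the row lock taken by the
  -- UPDATE serialises concurrent calls for the same key, so two requests
  -- racing at attempt 5 cannot both read 4 and both succeed.
  insert into validation_attempts (device_id, item_id, day, attempts)
  values (p_device_id, p_item_id, current_date, 1)
  on conflict (device_id, item_id, day)
    do update set attempts = validation_attempts.attempts + 1
  returning attempts into v_attempts;

  -- The caller forwards the photo only when this returns true.
  return v_attempts <= p_limit;
end;
$$;

-- Functions are executable by PUBLIC by default; restrict this one to the
-- backend role that the edge function authenticates as.
revoke execute on function consume_validation_attempt(text, uuid, int)
  from public, anon, authenticated;
grant execute on function consume_validation_attempt(text, uuid, int)
  to service_role;

-- Retention (Section 7): old counters carry no content but can be pruned
-- on a schedule, for example nightly:
-- delete from validation_attempts where day < current_date - 30;
```

Because the device identifier is generated on the client, a counter keyed on it alone bounds accidental overuse rather than a determined user who regenerates the identifier; combining it with the authenticated user id from the request JWT (the "per user" key Section 12 mentions) makes the limit harder to evade.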

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

For EEA / UK residents (GDPR / UK GDPR)

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data. You can update your display name directly in the App.
  • Right to erasure ("right to be forgotten"): Request deletion of your personal data. You can delete your account directly in the App (Profile → Delete Account), which triggers cascading deletion of all your data from our systems.
  • Right to data portability: Request an export of your data in a machine-readable format. Contact us at hello@oath-app.com.
  • Right to restrict processing: Request that we limit how we process your data in certain circumstances.
  • Right to object: Object to processing based on legitimate interests.
  • Rights related to automated decision-making: Our AI photo verification makes automated pass/fail decisions about whether you have completed a habit or todo. You have the right to request human review of a disputed result. Within the App, you can also use manual validation (self-attestation) to override an incorrect AI decision.
  • Right to lodge a complaint: If you are in the UK, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk. EEA residents may contact their local supervisory authority.

For California residents (CCPA)

  • Right to know: You may request information about what personal data we have collected, used, and disclosed about you in the past 12 months.
  • Right to delete: You may request deletion of your personal data, subject to certain exceptions.
  • Right to opt-out of sale: We do not sell your personal information to third parties. No opt-out is needed.
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise any of these rights, contact us at hello@oath-app.com. We will fulfil verified requests within 30 days.

Account deletion

You can delete your account at any time from within the App (Profile → Delete Account). Account deletion requires a two-step confirmation (typing your username and a final confirmation prompt). Upon deletion, the following data is permanently removed:

  • Your profile, username, and display name
  • All habits, todos, and completion records
  • All friend connections and pending friend requests
  • All habit memory photos and friend activity photos
  • Your push notification token and notification preferences
  • Your daily completion summaries
  • Your Supabase authentication account

Deletion is permanent and cannot be undone. We do not currently offer a data export feature prior to deletion — if you would like an export, please contact us before deleting your account.

9. Push Notifications

With your consent, we send push notifications to your device. These may include:

  • Daily habit reminders — sent at a default time of 5:00 PM, or at a per-habit reminder time you configure. Automatically cancelled if all your tasks for the day are already complete.
  • Streak milestone celebrations — sent when you reach 3, 7, 14, 30, 60, 100, or 365 consecutive days.
  • Friend request alerts — sent when someone sends you a friend request or accepts yours.
  • Friend activity updates — sent when friends complete habits or reach milestones.

You can manage or disable each notification type individually through:

  • The in-app Profile screen → Notification Preferences
  • Your device's Settings app → Notifications → Oath (to disable all notifications)

Disabling notifications will not affect your ability to use any other feature of the App.

10. Children's Privacy

Oath is not directed at children under the age of 13 (or 16 in the EEA where applicable). We do not knowingly collect personal data from children. If we become aware that a user is under the applicable minimum age, we will promptly delete their account and associated data. If you believe a child has provided us with personal data, please contact us at hello@oath-app.com.

11. International Data Transfers

Your data is stored on Supabase infrastructure. Where data is transferred outside the EEA or UK (for example, to OpenAI in the United States for photo analysis, or to Expo's push notification service), such transfers are subject to appropriate safeguards including Standard Contractual Clauses (SCCs) or equivalent mechanisms under applicable data protection law.

12. Security

We take the security of your data seriously and implement appropriate technical and organisational measures, including:

  • Encryption in transit: All data transmitted between the App and our servers is encrypted using TLS/HTTPS.
  • Encryption at rest: Data stored on Supabase infrastructure is encrypted at rest.
  • Row-Level Security: Database access is controlled by PostgreSQL Row-Level Security (RLS) policies, ensuring users can only access their own data and the data of accepted friends.
  • Authentication: Account authentication is delegated to Sign in with Apple, which requires two-factor authentication to be enabled on the Apple ID used. We never see or store a password.
  • Separated sensitive data: Push notification tokens are stored in a separate, access-controlled table with strict RLS policies.
  • Rate limiting: AI validation requests are rate-limited per device, per item, per day (see Sections 2 and 7) to prevent abuse of the AI validation service.
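The access model stated in Sections 5 and 12 (each user sees only their own data, plus the daily summaries of accepted friends, with photo buckets private to their owner) is the kind of rule PostgreSQL Row-Level Security expresses directly. The following is an added example of how such policies can be written on Supabase; it is not Oath's own schema or policies, and the table, column, bucket and function names are assumptions. `auth.uid()` is Supabase's helper that returns the caller's user id from the request JWT, and `storage.foldername()` splits an object path into its folder segments.

```sql
-- Added example (not Oath's own schema or policies): RLS of the kind
-- Sections 5 and 12 describe. All table, column and bucket names are
-- assumptions; auth.uid() and storage.foldername() are Supabase helpers.

-- One row per friend pair; 'accepted' once the addressee agrees.
create table if not exists friendships (
  requester_id uuid not null references auth.users(id) on delete cascade,
  addressee_id uuid not null references auth.users(id) on delete cascade,
  status text not null check (status in ('pending', 'accepted')),
  primary key (requester_id, addressee_id)
);

create table if not exists habit_memories (
  id uuid primary key default gen_random_uuid(),
  user_id uuid not null references auth.users(id) on delete cascade,
  habit_id uuid not null,
  taken_on date not null default current_date,
  storage_path text not null,
  unique (habit_id, taken_on)   -- one memory photo per habit per day
);

create table if not exists daily_summaries (
  user_id uuid not null references auth.users(id) on delete cascade,
  day date not null,
  completed_count int not null default 0,
  total_count int not null default 0,
  streak int not null default 0,
  primary key (user_id, day)
);

-- True if the caller and `other` are accepted friends in either direction.
-- SECURITY DEFINER so the lookup is not itself filtered by friendships RLS.
create or replace function is_accepted_friend(other uuid)
returns boolean language sql stable security definer
set search_path = public as $$
  select exists (
    select 1 from friendships f
    where f.status = 'accepted'
      and ((f.requester_id = auth.uid() and f.addressee_id = other)
        or (f.addressee_id = auth.uid() and f.requester_id = other))
  );
$$;

-- Deny by default: with RLS enabled and no matching policy, a query
-- through the API returns no rows and writes no rows.
alter table habit_memories enable row level security;
alter table daily_summaries enable row level security;
alter table friendships     enable row level security;

-- Habit memories: owner only, every operation. WITH CHECK blocks inserting
-- or updating a row so that it belongs to someone else.
create policy memories_owner on habit_memories
  for all to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

-- Daily summaries: owner may do anything; accepted friends may only read.
create policy summaries_owner on daily_summaries
  for all to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy summaries_friends_read on daily_summaries
  for select to authenticated
  using (is_accepted_friend(user_id));

-- Friendships: both parties can see the row, only the requester can create
-- a pending request, only the addressee can accept it, either can remove it.
create policy friendships_parties on friendships
  for select to authenticated
  using (auth.uid() in (requester_id, addressee_id));

create policy friendships_request on friendships
  for insert to authenticated
  with check (requester_id = auth.uid() and status = 'pending');

create policy friendships_accept on friendships
  for update to authenticated
  using (addressee_id = auth.uid())
  with check (addressee_id = auth.uid() and status = 'accepted');

create policy friendships_remove on friendships
  for delete to authenticated
  using (auth.uid() in (requester_id, addressee_id));

-- Private photo bucket: objects live under <user_id>/... and the first
-- path segment must equal the caller's id, for reads and writes alike.
create policy memory_objects_owner on storage.objects
  for all to authenticated
  using (bucket_id = 'habit-memories'
         and (storage.foldername(name))[1] = auth.uid()::text)
  with check (bucket_id = 'habit-memories'
         and (storage.foldername(name))[1] = auth.uid()::text);
```

Two points worth checking in any such setup: policies must exist for writes (`with check`) as well as reads, or a user could insert rows attributed to another user while still being unable to read them back; and storage buckets need their own policies on `storage.objects`, since table RLS does not cover the files themselves.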

No system is 100% secure. If you discover a security vulnerability, please report it responsibly to hello@oath-app.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where appropriate, by sending a notification via the App or email. Your continued use of the App after any changes constitutes acceptance of the updated Policy.

We encourage you to review this Policy periodically.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

  • Email: hello@oath-app.com

We aim to respond to all enquiries within 5 business days and will fulfil all verified data rights requests within 30 days.

© 2026 Oath. All rights reserved.