Privacy Policy
Last updated: December 1, 2025
INTRODUCTION
Supernova ("we," "our," or "us") operates a fitness accountability platform that helps users build consistent workout habits through financial commitments and social support. This Privacy Policy explains how we collect, use, store, and share your personal information when you use our mobile application and services (collectively, the "Service").
We are committed to transparency and user control. This policy describes our actual data practices in plain language.
By using Supernova, you agree to the collection and use of information in accordance with this policy.
1. INFORMATION WE COLLECT
1.1 Account Information
When you create an account, we collect:
- Email address
- Profile photo (if you choose to upload one)
- User biography (up to 150 characters, optional)
- Timezone (auto-detected from your device)
Purpose: Account creation, authentication, profile display, and communication.
1.2 Photos and Camera Data
What We Collect:
- Front camera photos (selfies taken during check-in)
- Back camera photos (images of your workout environment)
- EXIF metadata embedded in photos (may include GPS coordinates, timestamp, device type)
How We Collect It: Direct camera capture within the app using your device's camera. You initiate all photo captures.
Purpose: To prevent fraudulent check-ins. Photos are analyzed to confirm you are in an appropriate workout environment (such as a gym, studio, or outdoor fitness area).
Important: Before your first camera use, you will see a consent popup explaining our automated verification process. You must grant consent to use camera features.
See Section 3 for detailed information about automated photo analysis.
1.3 Location Data
What We Collect:
- GPS coordinates (latitude and longitude) when you submit check-in photos
- GPS accuracy measurement (in meters)
- Home gym location (if you configure one in settings)
How We Collect It: CoreLocation API when you submit a check-in proof. Optional geofencing around your configured gym location (with your permission).
Purpose: Provide arrival notifications when you enter your gym's geofence (optional feature), and associate check-ins with specific gym locations.
User Control: You can disable location services entirely through iOS Settings → Privacy & Security → Location Services → Supernova. Disabling location will prevent check-in submissions since location is required for accountability.
1.4 Payment Information
What We Collect:
- Stripe Customer ID (a reference token, not your actual payment details)
- Stripe Payment Method ID (a tokenized reference to your Apple Pay or card)
- Transaction history (amounts, dates, statuses)
How We Collect It: Through Stripe's secure payment APIs when you authorize Apple Pay or add a payment method. Stripe hosts the Apple Pay authorization sheet; we never see your full card number, CVV, or billing address.
Purpose: Process charges for missed workouts.
Important Security Note: Supernova does NOT store your actual credit card numbers, CVV codes, expiration dates, or billing addresses. We only store tokenized references provided by Stripe. All sensitive payment data is held exclusively by Stripe, a PCI-DSS compliant payment processor.
1.5 Financial Commitment Data
What We Collect:
- Daily commitment amounts
- Contract start and end dates
- Weekly workout schedule (which days you commit to working out)
- Number of skip days allowed and used
- Current streak and longest streak
Purpose: Enforce accountability contracts, display progress statistics.
1.6 Device and Technical Information
What We Collect:
- APNs device token (for push notifications)
- Device timezone
- App version and iOS version (for debugging purposes, logged locally only)
What We DO NOT Collect: IDFA (Identifier for Advertisers), device fingerprints for cross-app tracking, or advertising identifiers.
Purpose: Send timely reminders (7 AM workout reminders, 10 PM deadline warnings), provide local-time notifications, ensure app compatibility.
2. HOW WE USE YOUR INFORMATION
We use your information for the following purposes:
2.1 Core Service Functionality
- Enforce accountability contracts and financial commitments
- Calculate and process charges for missed workouts
- Provide real-time check-in feedback
2.2 Communication
Send push notifications for:
- Daily workout reminders (7 AM on scheduled days)
- Proof deadline warnings (10 PM on scheduled days)
- Friend activity updates
- Streak milestones
- Friend requests and group invitations
All notifications are timezone-aware (sent at your local time).
2.3 Safety and Security
- Detect and prevent fraudulent check-ins (duplicate photos, inappropriate content)
- Moderate user-generated content per Apple App Store guidelines
- Respond to user reports of harassment or inappropriate behavior
3. AUTOMATED PHOTO VERIFICATION AND AI PROCESSING
3.1 How Verification Works
When you submit a check-in photo, your images undergo automated analysis. This analysis occurs in two stages:
Stage 1: On-Device Analysis (Your iPhone)
- Uses Apple's Vision Framework APIs built into iOS
- Detects presence of fitness equipment, indoor/outdoor scenes
- Counts faces in selfie (to confirm at least one person is present)
- Assesses image quality (brightness, sharpness)
- Provides real-time preview feedback before you submit
Stage 2: Cloud-Based Verification (After Submission)
- Your front and back camera photos are uploaded to our secure cloud storage (Supabase)
- Photos are sent to our AI verification service hosted on Render.com
- The AI service calls the OpenAI GPT-4o Vision API
- AI analyzes image content to detect gym equipment and fitness environments
- A confidence score (0-100%) determines whether verification passes
3.2 What the AI Does
The automated system analyzes your photos to answer:
- Is this image taken in a fitness facility or appropriate workout environment?
- Does the image contain gym equipment or fitness-related objects?
- Is this a credible check-in (not a screenshot, duplicate, or fraudulent submission)?
3.3 What the AI Does NOT Do
We do NOT perform facial recognition or biometric identification.
Specifically:
- We do NOT identify who you are based on facial features
- We do NOT extract or store biometric templates from your face
- We do NOT create identity profiles or facial signatures
- We do NOT match your face against databases
- We do NOT use facial data for any purpose other than counting the number of faces present
Our system uses face detection (counting faces), NOT facial recognition (identifying individuals). This is analogous to a camera's autofocus detecting a face to focus properly—it knows a face is present but does not know whose face it is.
3.4 AI Service Providers
Your photos are processed by third-party AI services:
Render.com (hosting infrastructure)
- Hosts our AI verification engine
- Temporarily processes images during analysis
- Located in United States data centers
OpenAI
- Processes images via GPT-4o Vision API
- Subject to OpenAI's data retention and usage policies
- OpenAI states they do not use API data to train models (as of their current policy)
- Privacy Policy: https://openai.com/privacy
3.5 Data Retention by AI Provider
Photos sent to the OpenAI API are subject to OpenAI's data retention policy:
- OpenAI: Retains API data for 30 days for abuse monitoring, then deletes (per their current API policy)
Your Control: If you delete your Supernova account, your photos are removed from our storage. However, we cannot delete data from the AI provider's cache during their retention window.
4. HOW WE SHARE YOUR INFORMATION
4.1 Service Providers
We share data with third-party service providers who process information on our behalf:
| Service Provider | Data Shared | Purpose |
|---|---|---|
| Supabase | All user account data, photos, financial records, app data | Database hosting, file storage, authentication backend |
| Stripe | Name, email, tokenized payment methods, transaction amounts | Payment processing, Apple Pay authorization |
| Render.com | Photos, GPS coordinates | AI verification infrastructure hosting |
| OpenAI | Photos, GPS coordinates, verification prompts | Automated gym verification via GPT-4o Vision |
4.2 What We DO NOT Share
We DO NOT:
- Sell your personal information to third parties
- Share your data with advertisers or data brokers
- Use your photos to train AI models without your consent
- Share your location data with third parties except as described in Section 4.1
5. DATA RETENTION
5.1 How Long We Keep Your Data
While Your Account is Active:
- All data is retained to provide continuous Service functionality
- Financial records are maintained for transaction history
- Photos are stored to maintain proof-of-attendance audit trails
After Account Deletion:
- Most data is permanently deleted within 30 days
- Financial records may be retained for up to 7 years for legal compliance
- Anonymized, aggregated data (with no personal identifiers) may be retained indefinitely
Special Case - Active Contracts:
If you request account deletion while you have an active accountability contract or challenge:
- Your subscription is immediately canceled (no further charges)
- Your account data is anonymized (name changed to "Deleted User", email randomized)
- You remain able to log in and submit proofs until your contract end date
- This prevents users from escaping contract obligations by deleting their account mid-challenge
- Full data deletion occurs automatically after your contract or challenge ends
6. YOUR RIGHTS AND CHOICES
6.1 Access and Portability
Right to Access: You can view all your personal data in the app through Settings.
Right to Data Portability: You can request a machine-readable export of your data by contacting support@supernovahq.com
6.2 Privacy Controls
- Location Services: iOS Settings → Privacy & Security → Location Services → Supernova
- Camera Access: iOS Settings → Privacy & Security → Camera → Supernova
- Notifications: iOS Settings → Notifications → Supernova
- Social Visibility: App Settings → Privacy → Show Proofs to Friends
6.3 Do Not Sell My Personal Information (CCPA)
We do NOT sell your personal information. This right is automatically honored—no action required on your part.
7. DATA SECURITY
We implement industry-standard security practices:
Data Protection Measures:
- Data in Transit: TLS 1.3 encryption for all API communications
- Data at Rest: Supabase database encryption, encrypted file storage for photos
- Access Controls: Row-Level Security (RLS) policies; users can only access their own data
- Application Security: Regular security audits, dependency vulnerability scanning
8. CHILDREN'S PRIVACY
Supernova is not intended for children under 9 years of age. We do not knowingly collect personal information from children under 9. By creating an account, you represent that you are at least 9 years old (or 16 in the European Union).
9. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.
Your Acceptance: Continued use of the Service after changes constitutes acceptance of the updated policy.
10. CONTACT INFORMATION
For Privacy Questions or Requests:
Email: privacy@supernovahq.com
For General Support:
Email: support@supernovahq.com
Response Time: We aim to respond within 5 business days.
This Privacy Policy is compliant with Apple App Store Review Guidelines, GDPR, and CCPA.