Privacy Policy

Last updated: April 1, 2026

OCTANE HEALTH (“we”, “us”, or “our”) operates the OCTANE mobile application (the “App”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App.

1. Information We Collect

Personal Information

  • Name, email address, and password (hashed) when you create an account
  • Age or date of birth and body weight for fitness calculations

Health & Fitness Data

  • Workout logs including exercises, sets, reps, and weights
  • Meal logs including food descriptions, photos, and estimated macronutrients (calories, protein, carbs, fat)
  • Health metrics synced from Apple HealthKit or Google Health Connect (sleep, steps, active energy) — only with your explicit permission
  • Macro goals and dietary preferences

Voice & Chat Data

  • Text messages sent to the AI coaching chat
  • Voice audio sent during voice coaching sessions (processed in real time; raw audio is not stored)
  • AI-extracted personality facts and preferences derived from your conversations

Photos

  • Meal photos submitted for AI-powered nutritional analysis

Device & Usage Data

  • Device type, operating system, and app version
  • Push notification tokens for delivering notifications
  • General usage patterns (features used, API request counts) for rate limiting and service improvement

2. How We Use Your Information

  • Provide personalized AI coaching, workout recommendations, and meal analysis
  • Track your fitness progress over time and generate progressive overload suggestions
  • Analyze meal photos and text descriptions to estimate nutritional content
  • Build a personalized AI coaching personality based on your interactions
  • Send push notifications (workout reminders, weekly summaries) based on your preferences
  • Manage your subscription and enforce usage limits
  • Improve and maintain the App

3. AI Processing & Third-Party Services

We use the following third-party services to power the App’s features:

  • OpenAI — Your chat messages, meal descriptions, meal photos, and voice audio are sent to OpenAI’s API for AI processing. OpenAI processes this data according to their API data usage policy, which states that API inputs and outputs are not used to train their models.
  • RevenueCat — Manages in-app subscriptions and purchase receipts. RevenueCat receives your anonymous app user ID and purchase data.
  • Apple HealthKit / Google Health Connect — Health data (sleep, steps, active energy) is read from these platform services only with your explicit permission. If you enable auto-sync, we also write workout sessions and body weight back to HealthKit/Health Connect so your data stays consistent across apps. You can disable this at any time in Settings.
  • Expo Push Notifications — Push notification tokens are sent to Expo’s push notification service to deliver notifications to your device.
  • Vercel — Hosts our backend API and serves the App’s web pages. Vercel processes API requests and may log request metadata (IP addresses, timestamps) for security and performance.
  • Neon — Provides our PostgreSQL database hosting. All user data (account information, workouts, meals, chat history) is stored on Neon’s infrastructure.
  • Upstash — Provides Redis-based rate limiting and usage tracking. Stores anonymised usage counters (not personal content).

4. Legal Basis for Processing (GDPR)

If you are in the European Economic Area or United Kingdom, we process your data under the following legal bases:

  • Contract performance — Processing necessary to provide the App’s core features (account management, workout/meal tracking, AI coaching) as part of our service agreement with you.
  • Consent — Health data from HealthKit/Health Connect, push notifications, and optional AI personality features. You can withdraw consent at any time through the App or your device settings.
  • Legitimate interest — Security measures (rate limiting, fraud prevention), service improvement, and usage analytics. We balance our interests against your rights and do not use this basis for sensitive data.

5. Data Storage & Security

Your data is stored in a PostgreSQL database hosted on Neon (cloud PostgreSQL). Passwords are hashed using bcrypt and are never stored in plain text. Authentication uses signed JSON Web Tokens (JWT). All data is transmitted over HTTPS.

We implement rate limiting and access controls to protect against unauthorized access. Subscription-related database tables are protected by Postgres-level triggers that prevent unauthorized modifications.

6. International Data Transfers

OCTANE HEALTH is based in England. However, our infrastructure providers (Vercel, Neon, OpenAI, Upstash, RevenueCat, Expo) process data in the United States and other countries. When your data is transferred outside the UK or EEA, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreements (IDTAs) where applicable
  • Provider-specific data processing agreements that include appropriate safeguards

By using the App, you acknowledge that your data will be processed in these jurisdictions. You can contact us at contact@asyncstudios.co.uk for more information about specific safeguards.

7. Data Retention

We retain your data for as long as your account is active. You can delete individual workouts, meals, chat conversations, and personality facts at any time through the App.

If you delete your account, all associated data is permanently and irreversibly removed from our database. This is a hard deletion — we do not soft-delete or retain data after account deletion.

8. Your Rights

All Users

  • Access, update, or delete your personal data through the App
  • Delete your entire account and all associated data
  • Opt out of push notifications at any time
  • Revoke HealthKit/Health Connect permissions through your device settings

GDPR Rights (European Economic Area)

If you are located in the EEA, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Request erasure of your data
  • Restrict or object to processing
  • Obtain your data in a portable format (data portability)
  • Lodge a complaint with your local data protection authority

CCPA Rights (California)

If you are a California resident, you have the right to:

  • Know what personal information is collected and how it is used
  • Request deletion of your personal information
  • Opt out of the sale of personal information — we do not sell your personal information
  • Not be discriminated against for exercising your privacy rights

9. Children’s Privacy

The App is not intended for children under 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly. This age threshold applies globally and satisfies both the US Children’s Online Privacy Protection Act (COPPA) and the UK/EU General Data Protection Regulation requirements for health-related data.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy in the App and updating the “Last updated” date above.

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

contact@asyncstudios.co.uk