Privacy Policy
Last Updated: June 6, 2026
This Privacy Policy describes how Epsu ("we", "us", "our") collects, uses, shares, and protects your personal data when you use our mobile application, website (https://epsu.site), and related services (collectively, the "Service"). It is intended to describe the Service's current data handling at a practical level.
1. Introduction
Epsu is a mobile-first local community platform where users interact via place-based (regional) and institution-based (school) communities called "Epsus". Posts are hidden from ordinary users' identity view, while backend records are retained for moderation, safety, and account management.
This policy applies to personal data processed through our Expo/React Native mobile app, our static website at epsu.site, and backend services operated through third-party infrastructure providers used by the Service. By using the Service, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller
The data controller for your personal data is:
Epsu Tehnoloogiad OÜ
Email: epsu.site@protonmail.com
Registered office: Lääne maakond, Haapsalu linn, Estonia
For EU/EEA users, the data controller is responsible for ensuring compliance with GDPR and DSA requirements.
3. Personal Data We Collect
We collect the following categories of personal data, as permitted by applicable law:
3.1 Account Data
Collected during signup via our mobile app:
- Email address: Used for authentication, password reset, and account notifications.
- Username: Unique identifier stored in your profile, not displayed on anonymous posts.
- Date of birth: Used to verify that you are at least 18 years old and eligible to use the Service.
- Country of residence: Used to assign regional Epsu memberships and comply with local laws.
- Password: Stored as a bcrypt hash via Supabase Auth, never stored in plaintext.
- Policy acceptance timestamps: Records of when you accept our Terms of Service, Privacy Policy, and Community Guidelines.
- Notification preferences: Boolean flag for optional push notifications, stored in your profile.
3.2 Community and Content Data
- Post content: Titles, bodies, and reply content you submit. Posts are anonymous to other users, but author_id is stored in our database for moderation, safety, and deletion purposes. Under the current delete_own_account RPC, account deletion removes the auth user, profile-linked records, and posts authored by that account.
- Post metadata: Epsu ID, post number, reply-to-post ID, like/dislike counts, post status (active/deleted_by_threshold/deleted_by_mod), creation/update timestamps.
- Membership data: Epsu IDs you join/apply to, membership role (member/moderator/host), membership status (active/invited/muted/left), join timestamps.
- Reaction data: Posts you like/dislike, stored to hide reacted posts from your feed and calculate auto-deletion thresholds.
- Block author relationships: Records of anonymous authors you block, stored to hide their future posts/replies from your feed.
3.3 Safety and Moderation Data
- Report data: Posts you report, report reason, report status (open/resolved/rejected), timestamp.
- Moderation action data: Records of actions taken against your content or account (post removal, mute, etc.), including actor profile ID, target profile ID, Epsu ID, post ID, action type, timestamp.
- Keyword-flagged post data: If your post triggers our automated keyword safety filters, we store the flag reason and review status before release from the hourly queue.
3.4 Support and Account Assistance Data
- Support correspondence: If you email us for deletion help, privacy questions, moderation-related questions, or similar support needs, your message content and contact details may be processed in the ordinary course of handling that request.
- School application data: For school Epsus, your short answer application content, application status, review timestamps.
3.5 Device and Usage Data
- Push tokens: Unique device tokens for Expo push notifications, stored per profile with platform (iOS/Android), enabled flag, creation/last seen timestamps.
- Local storage data: Auth session tokens, cached app data, post drafts, notification soft-prompt state, last push token, pending moderator invite tokens, runtime copies of posts/memberships/reports/block lists. Stored via AsyncStorage on your device.
- Log data: Supabase Auth login/logout events, database query logs, Edge Function (push delivery) error logs. Stored securely in Supabase.
4. How We Collect Data
We collect data through three primary methods:
- Directly from you: When you sign up, create posts, submit reports, apply to school Epsus, update settings, or contact support via email.
- Automatically via the Service: When you use the app/website, we collect device-related and local app data needed for app functionality via Expo APIs, the Supabase client SDK, and AsyncStorage.
- From third-party service providers: Infrastructure providers may process technical logs or service-delivery data in the course of operating the Service.
We do not use third-party analytics SDKs (e.g., Google Analytics, Mixpanel) or advertising SDKs. We do not track you across third-party websites or apps.
5. Legal Basis for Processing
We process your personal data under the following legal bases per GDPR Article 6:
| Data Category |
Legal Basis |
| Account Data |
Performance of a contract (GDPR Art. 6(1)(b)): To provide the Service you signed up for. |
| Community/Content Data |
Performance of a contract (Art. 6(1)(b)) and Legitimate Interest (Art. 6(1)(f)): To operate the Service and maintain community safety. |
| Safety/Moderation Data |
Legitimate Interest (Art. 6(1)(f)): To prevent harm, comply with legal obligations, and enforce our Terms. |
| Support Request Data |
Performance of a contract (Art. 6(1)(b)) and Legal Obligation (Art. 6(1)(c)): To resolve your requests and comply with data protection laws. |
| Device/Usage Data |
Consent (Art. 6(1)(a)): For optional push notifications; Legitimate Interest (Art. 6(1)(f)): To support Service functionality and reliability. |
| Cookie Data |
Legitimate Interest (Art. 6(1)(f)) or technical necessity, depending on the specific web flow. |
For date of birth used for age verification, we process that information as part of providing and enforcing eligibility for the Service under GDPR Art. 6(1)(b) and, where applicable, our legitimate interests in safety and compliance under Art. 6(1)(f).
6. Purposes of Processing
We use your personal data for the following purposes:
- Account management: Create/delete accounts, authenticate users, reset passwords, update profile data.
- Service operation: Process posts/replies/reactions, manage Epsu memberships, release hourly queued posts, apply auto-deletion thresholds.
- Moderation and safety: Review reports, flag keyword-violating posts, block authors, mute users, remove content, maintain moderation records.
- Notifications: Send optional push notifications for supported Service events, including moderation-related actions, hourly post-drop updates, and invite or community activity.
- Support: Respond to support emails, deletion issues, privacy questions, and moderation-related questions submitted through the available channels.
- Legal compliance: Respond to valid legal requests and operate the Service in light of applicable laws.
7. Sharing of Personal Data
We share your personal data only in the following limited circumstances:
7.1 Service Providers
We share data with trusted third-party service providers who process data on our behalf:
- Supabase: Processes Auth, database, storage, and push-delivery function data used by the Service.
- Expo (Expo Application Services): Processes push notification tokens and delivery-related data used by the app's notification flows.
- Render: Hosts our static website (epsu.site).
All service providers are contractually obligated to protect your data and only use it for the purposes we specify.
7.2 Legal Requirements
We may disclose your personal data if required to do so by law or in response to valid requests by public authorities (e.g., court orders, government investigations).
7.3 Business Transfers
If Epsu is involved in a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you via email or in-app message before any such transfer.
7.4 With Your Consent
We may share data with third parties when you explicitly consent to such sharing (e.g., if we add optional third-party integrations in the future).
We do not sell your personal data to third parties for commercial purposes. We do not share data with advertisers, as we do not display third-party ads.
8. International Data Transfers
Your personal data may be processed through third-party infrastructure providers that operate in multiple jurisdictions. The exact storage and transfer path can depend on the provider and service flow in use at the time.
If you have questions about cross-border processing of your data, contact us at epsu.site@protonmail.com.
9. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required by law:
| Data Type |
Retention Period |
| Account Data |
Until account deletion, plus 30 days for backup recovery. |
| Post Content |
Until the end of the post's lifecycle (temporary content model), then permanently deleted. If deleted by moderation, retained for 24 hours (mute duration) for processing. |
| Membership Data |
Until you leave an Epsu or delete your account, plus 30 days for backup recovery. |
| Report/Moderation Data |
Retained for as long as reasonably needed for safety, moderation, audit, or compliance purposes. |
| Push Tokens |
Until you disable notifications, uninstall the app, or the token is marked invalid by Expo. |
| Local Storage Data |
Stored on your device until you log out, delete the app, or clear AsyncStorage. |
Deletion note: Under the current backend, account deletion removes the auth user, authored posts, and profile-linked records, including moderation actions where the deleted account was the actor or target.
10. Your Data Protection Rights
Under GDPR and other applicable laws, you have the following rights regarding your personal data:
- Right of access (Art. 15): Request a copy of the personal data we hold about you, including how it is processed.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
- Right to restriction of processing (Art. 18): Request that we restrict processing of your data in certain circumstances (e.g., if you contest accuracy).
- Right to data portability (Art. 20): Request a machine-readable copy of your personal data to transfer to another service provider.
- Right to object (Art. 21): Object to processing based on legitimate interest, including for direct marketing purposes.
- Right to withdraw consent (Art. 7(3)): Withdraw your consent at any time, without affecting the lawfulness of processing before withdrawal.
- Right not to be subject to automated decision-making (Art. 22): We do not use fully automated decision-making with legal or similarly significant effects (e.g., fully automated account termination). Moderation decisions include human review.
For EU users, you also have the right to lodge a complaint with your local data protection authority if you believe our processing violates GDPR.
11. Exercising Your Rights
To exercise any of your data protection rights:
- Use the in-app Account History feature to view your posts, reactions, reports, memberships, and requests.
- Use the in-app Delete Account feature (password confirmation required) to request erasure.
- Email us at epsu.site@protonmail.com with your request, including your email address and a description of the right you wish to exercise.
- For data portability, the app currently provides an account-history export in JSON format through the in-app export flow.
We will respond to your request within 30 days (or 60 days for complex requests, with notice). If we deny your request, we will provide a written explanation of the reason.
12. Cookies and Similar Technologies
Our static website (epsu.site) does not intentionally use analytics or advertising cookies. Some auth-related web flows may rely on browser storage, temporary session state, or cookie-like mechanisms to function:
- Password reset and email confirmation flows may depend on browser state or redirect handling.
- No tracking cookies, analytics cookies, or advertising cookies are intentionally deployed by the static site itself.
- Disabling browser storage or cookies may break some auth-related web flows.
Our mobile app does not use cookies. Local storage (AsyncStorage) is used only for app functionality, not tracking.
13. Security of Personal Data
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
- Encryption: Supabase Auth uses bcrypt for password hashing; all data in transit is encrypted via TLS 1.2+; Supabase database data is encrypted at rest.
- Access controls: Backend authority is enforced via Supabase Row Level Security (RLS) policies, RPC functions, and Edge Function secret checks. Only authorized personnel have access to raw data.
- Anonymity protections: Author IDs are never exposed to ordinary users; moderation data is scoped to assigned Epsus only.
- Incident response: Access to backend data is intended to be limited to authorized operators, and service issues or security concerns may be investigated using available logs, access controls, and provider tooling.
No method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously update our safeguards to meet industry standards.
14. Children's Privacy
The Service is not intended for anyone under 18 years old, and you must be at least 18 to create an account, access, or use the Service.
If we learn that a person under 18 has provided personal data to us or created an account, we may delete the data and terminate the account. If you believe someone under 18 has used the Service, contact us at epsu.site@protonmail.com.
15. Third-Party Services
The Service integrates with third-party services as described in Section 7.1. We are not responsible for the privacy practices of these providers. We encourage you to review their privacy policies:
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law (e.g., GDPR/DSA updates), or Service features. We will notify you of material changes by:
- Posting the updated policy on epsu.site with a new "Last Updated" date.
- Sending an in-app notification or email to your registered address.
Your continued use of the Service after the effective date of the updated policy constitutes your acceptance of the changes. If you do not agree, you must delete your account and stop using the Service.
18. Supplementary Terms for EU/EEA Users
If you are a resident of the EU/EEA, the following additional terms apply in a general sense:
- We provide a reporting mechanism for potentially illegal content in the app and on epsu.site.
- We prioritize human review for moderation actions that materially affect user content or account access.
- Users may contact us by email regarding moderation-related questions or privacy/support matters.
19. Data Protection Officer
Epsu does not currently present a separate publicly identified Data Protection Officer.
Privacy contact: epsu.site@protonmail.com