Epia

Last Updated: April 30, 2026

Effective Date: April 30, 2026

Epia, Inc. ("Epia," "Company," "we," "us," or "our") is committed to protecting your privacy and safeguarding your personal information. This Privacy Policy describes how we collect, use, store, share, protect, and delete your information when you use the Epia mobile application ("App"). This Privacy Policy also explains your rights and choices regarding your information, and how to contact us if you have questions or concerns.

This Privacy Policy is incorporated into and forms part of our Terms of Service (available at https://www.epia.app/terms). By creating an account, downloading, installing, accessing, or otherwise using the App, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and sharing of your information as described herein.

If you do not agree with this Privacy Policy, please do not use the App.

1. Who We Are

Epia, Inc. is a Delaware corporation with its principal place of business at:

Epia, Inc.
2261 Market Street, STE 89375
San Francisco, California 94114
United States

Email: support@epia.app
Website: https://www.epia.app

For purposes of applicable data protection laws, Epia, Inc. is the data controller responsible for processing your personal information in connection with the App.

2. Information We Collect

We collect information in three categories: information you provide directly, information generated through your use of the App, and information from third-party services.

2.1 Information You Provide Directly

When you create an account and use the App, you may provide the following information:

Account information. Your email address and authentication credentials (such as through Google Sign-In). This is required to create and maintain your account.
Profile information. Information you share during onboarding, such as why you are seeking wellness support, your personal goals, preferred communication style, notification preferences, and session schedule with a wellness professional.
Conversation content. Messages, reflections, and other text you enter during conversations with Epia's AI companion. This includes responses to check-ins, session preparation reflections, and any other content you share in the conversational interface.
Mood and wellness data. Mood ratings, emotional check-in responses, and any context or notes you provide about how you are feeling.
Goals and homework. Personal goals you set, homework or skill practice assignments you log, and progress updates you provide.
Feedback. Thumbs-up/thumbs-down ratings on AI responses, free-text feedback comments, and any other input you provide through the App's feedback mechanisms.
Support communications. Any information you provide when you contact us for support, including the content of your emails and any attachments.

2.2 Information Generated Through Your Use of the App

When you use the App, we automatically collect certain technical and usage information:

Usage data. How you interact with the App, including features used, frequency of use, session duration, time of day, number of conversations, and interaction patterns.
Device information. Device type, operating system version, app version, device identifiers, and language settings.
Performance data. Crash logs, error reports, and diagnostic information used to maintain and improve the App's functionality.
AI-generated content. Responses, summaries, insights, and other content generated by the AI based on your interactions. While you did not directly author this content, it is associated with your account and treated with the same privacy protections as Your Content.

2.3 Information from Third-Party Services

Authentication providers. If you sign in using Google Sign-In or another third-party authentication service, we receive your email address and basic profile information as authorized by you through that service. We do not receive your password from these services.
Therapist invitation. If a licensed therapist invited you to use the App, we receive the email address your therapist used to send the invitation. This is used solely to deliver and manage that invitation and to help connect the invite when you choose to use the therapist's code or invite link.

3. How We Use Your Information

We use your information for the following purposes:

3.1 Operating the App

To create and maintain your account
To authenticate your identity and secure your account
To process your conversations through AI services and generate personalized responses
To provide mood tracking, goal tracking, homework tracking, and other wellness features
To generate pre-session and post-session check-ins and summaries
To power the App's crisis detection and safety features
To send you notifications (check-ins, reminders, session prep prompts) based on your preferences
To provide customer support when you contact us

3.2 Sharing with Your Therapist (At Your Direction)

To facilitate the sharing of information you choose to share with your connected therapist, such as pre-session summaries, mood trends, and goal progress
To notify your therapist of potential safety concerns detected by the crisis detection system, if you have opted into therapist sharing

All therapist sharing is voluntary, controlled by you, and subject to the provisions described in Section 5 below.

3.3 Product Improvement (De-Identified Only)

To analyze de-identified usage patterns and identify areas for improvement
To evaluate the quality, accuracy, and safety of AI-generated responses
To monitor the effectiveness of the crisis detection and safety systems
To conduct automated evaluations where AI systems review de-identified conversations to detect issues such as inaccurate responses, missed safety signals, or patterns that indicate the experience could be improved

All product improvement activities are conducted on de-identified data only, as described in Section 6 below.

3.4 Communication

To send you transactional communications related to your account (such as password resets, security alerts, and account changes)
To notify you of material changes to these Terms or the App
To respond to your support inquiries and feedback

We do not send marketing or promotional emails. We do not use your information for advertising purposes.

4. Data Visibility Model: "Controlled" vs. "Therapist Access"

Epia uses a clear, two-tier data visibility model. Every piece of information in the App falls into one of two categories: data that only you can see ("Controlled"), and data that your therapist can also see if you choose to share it ("Therapist Access"). This section describes exactly what falls into each category and how the boundaries work.

4.1 Controlled Data (Visible Only to You)

The following information is visible only to you. No one else – including your therapist, the Epia team, or any third party – can see this information in its identifiable form, unless you take an explicit action to share it (such as opting into therapist sharing) or unless required by law.

Data Type	Description
Conversation content	All messages you exchange with Epia's AI companion. Your therapist cannot see your conversations unless you choose to share a pre-session summary (which you review and approve before sending). The Epia team cannot see your conversations in identifiable form.
Mood entries (raw)	Individual mood ratings, emotional check-in responses, and context notes. Your therapist sees only aggregated mood trends if you opt into sharing – not individual entries.
Goals and homework (details)	The specific goals you set, homework assignments you log, and progress notes you write. Your therapist sees only high-level completion status if you opt into sharing – not the full detail of your entries.
Feedback and ratings	Your thumbs-up/thumbs-down ratings and free-text feedback comments. These are never shared with your therapist.
Account and profile data	Your email address, authentication credentials, onboarding responses, notification preferences, and session schedule.
App usage patterns	How often you use the App, when you use it, which features you use, and how long your sessions are. Your therapist sees only summary engagement metrics (e.g., "active 5 days this week") if you opt into sharing – not detailed usage logs.

Important:Even when data is classified as "Controlled," it may still be used in de-identified form for product improvement, as described in Section 6 below. "Controlled" means no one can see your data in a way that identifies you – it does not mean the data is excluded from de-identified, aggregated analysis.

4.2 Therapist Access Data (Shared at Your Direction)

The following information may be shared with your connected therapist, but only if you opt into therapist sharing, and only after you review and approve the specific content being shared. You can opt into or out of therapist sharing at any time through the App's settings.

Data Type	What Your Therapist Sees	What Your Therapist Does NOT See
Pre-session summaries	A summary of your week generated by the App: top discussion topics, mood highlights, homework status, and key moments you flagged. You review and approve (or edit/redact) before it is sent.	Your raw conversations, individual messages, specific mood entry details, or anything you chose to redact from the summary.
Mood trends	Aggregated mood trajectory over the past 1, 2, or 4 weeks (e.g., "mood declined mid-week, improved over the weekend").	Individual mood entries, timestamps of specific entries, or the context notes you wrote alongside each entry.
Goal progress	High-level status of your goals (e.g., "completed 3 of 5 homework items this week").	The detailed text of your goals, your specific progress notes, or the content of your homework reflections.
Engagement summary	General activity level (e.g., "active 5 days this week, 12 conversations").	Specific timestamps, session durations, which features you used, or the content of any interaction.
Crisis detection alerts	If the App's crisis detection system is triggered, your therapist may be notified that a potential safety concern was detected.	The content of the conversation that triggered the alert. The therapist is notified that a concern was flagged, not shown the transcript.

4.3 How Sharing Works

When you opt into therapist sharing, the App generates a pre-session summary before your scheduled appointment. The process works as follows:

The App generates a draft summary based on your conversations, mood data, goals, and homework from the relevant period.
You review the summary within the App before anything is shared. You can see exactly what will be sent.
You can edit or redact any item in the summary. If there is a topic, mood entry, or moment you do not want your therapist to see, you remove it before sharing.
You approve the summary and it is transmitted to your therapist's dashboard.
Your therapist receives the summary and may use it to prepare for your session.

If you do not approve the summary, nothing is sent. If you do not opt into therapist sharing at all, your therapist receives nothing from the App. Your conversations, mood entries, goals, and all other data remain Controlled and visible only to you.

4.4 Revoking Therapist Access

You may revoke therapist sharing at any time through the App's settings. Revocation takes effect immediately for all future sharing. Please note that summaries and data that were previously shared with your therapist prior to revocation may still be accessible to your therapist through their own records, notes, or systems, which are outside of Epia's control. We cannot retroactively remove information from your therapist's records.

5. Data Sharing with Third Parties

5.1 We Do NOT Share Your Data With

Advertisers or ad networks. We do not display ads in the App, and we do not share your data with any advertising platform, ad network, or data broker.
Data brokers. We do not sell, license, rent, or otherwise provide your personal data to data brokers or data aggregators.
Employers, insurers, or institutions. We do not share your data with your employer, your insurance company, your school, or any other institution, unless you explicitly direct us to do so or unless required by law.
Other users. Your data is not visible to any other user of the App.

5.2 We May Share Your Data With

AI service providers. We use third-party AI services (such as the Anthropic Claude API) to process your conversations and generate AI responses. Your conversation content is transmitted to these services for processing, subject to our data processing agreements with these providers. These providers are contractually prohibited from using your data for their own purposes, including training their AI models on your conversations.
Infrastructure and hosting providers. We use third-party cloud infrastructure providers to host the App, store your data, and operate our services. These providers are bound by data processing agreements and are required to implement appropriate security measures.
Authentication providers. If you sign in using Google Sign-In or another third-party authentication service, limited information (such as your email address) is exchanged with that provider solely for authentication purposes.
Your therapist (at your direction). As described in Section 4 above, if you opt into therapist sharing, certain information is shared with your connected therapist. This sharing occurs solely at your direction and subject to your review and approval.
Legal compliance. We may disclose your information if required to do so by law, regulation, legal process (such as a subpoena or court order), or governmental request. We may also disclose information if we believe in good faith that disclosure is necessary to protect the safety of any person, to investigate or prevent fraud or illegal activity, to protect our rights or property, or to respond to an emergency.
Business transfers. In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred to the acquiring entity. We will notify you of any such transfer and any choices you may have regarding your information.

6. De-Identification and Product Improvement

6.1 What De-Identification Means

When we refer to "de-identified data," we mean data from which your name, email address, and other personally identifying information have been removed through automated processes consistent with the HIPAA Safe Harbor method. This method requires the removal of 18 specific categories of identifiers, including names, geographic data smaller than a state, dates (other than year), phone numbers, email addresses, Social Security numbers, medical record numbers, and other unique identifiers.

After de-identification, the resulting data cannot reasonably be used to identify you as an individual. De-identified data is not subject to the same restrictions as personally identifiable information because it can no longer be linked back to you.

6.2 How We Use De-Identified Data

We may use de-identified data for the following purposes:

Pattern analysis. Identifying trends, common user experiences, and areas where users frequently encounter issues, in order to prioritize product improvements and new features.
Quality evaluation. Assessing the accuracy, helpfulness, appropriateness, and safety of AI-generated responses across the user base.
Safety monitoring. Detecting potential gaps or failures in the App's crisis detection, content safety, or other protective features.
Automated evaluations. Using AI systems and automated tools to review de-identified conversations at scale to detect issues such as inaccurate responses, missed safety signals, or areas where the user experience could be improved.

We do not use your raw, identifiable conversations for product development, research, or any purpose other than delivering the App's features directly to you.

6.3 Feedback-Triggered Review

If you flag an AI response as unhelpful (e.g., by using the thumbs-down feedback feature), we may review a de-identified version of the flagged message, the current conversation, and up to five (5) of your most recent prior conversations. This review is conducted solely to understand what went wrong and improve the App's quality. Your name, email address, and other identifying information are removed through our automated de-identification pipeline before any member of our team sees the content. You are informed of this process the first time you use the feedback feature.

6.4 Opt-Out

You may opt out of product improvement data use at any time by contacting us at support@epia.app. We will process your request within thirty (30) days. Opting out will not affect your ability to use the App or any of its features. If you opt out, your data will continue to be used solely for operating the App and delivering its features to you, but will no longer be included in de-identified datasets used for product improvement or automated analysis.

Please note that data that was de-identified and included in aggregate analyses prior to your opt-out cannot be retroactively removed from those analyses, as it can no longer be linked to you.

7. Data Security

7.1 Encryption

We implement industry-standard encryption to protect your data:

Encryption at rest. All conversations, personal data, and sensitive information stored in our databases are encrypted using AES-256-GCM encryption. Sensitive fields are encrypted using user-specific encryption keys derived through PBKDF2 (Password-Based Key Derivation Function 2), meaning that each user's data is encrypted with a unique key.
Encryption in transit. All data transmitted between the App, our servers, and third-party services is protected by TLS (Transport Layer Security) encryption. This includes your conversations, authentication credentials, and any data shared with your therapist.

7.2 Access Controls

Access to user data within our systems is restricted based on the principle of least privilege. Only authorized personnel with a legitimate business need can access user data, and such access is logged and auditable. Administrative access requires multi-factor authentication.

7.3 Infrastructure Security

Our infrastructure is hosted by cloud providers that maintain SOC 2 Type II compliance, physical security controls, and regular third-party security audits. We maintain data processing agreements with all infrastructure providers that handle user data.

7.4 Incident Response

In the event of a data breach or security incident that affects your personal information, we will: (a) investigate the incident promptly; (b) take steps to contain and remediate the breach; (c) notify affected individuals as required by applicable law (including within 60 days as required by HIPAA, if applicable); and (d) notify relevant regulatory authorities as required.

7.5 Limitations

While we implement robust security measures, no system is completely secure. We cannot guarantee the absolute security of your information. You are responsible for maintaining the security of your account credentials and your devices.

8. Data Retention

8.1 Active Accounts

While your account is active, we retain all information associated with your account, including conversation content, mood data, goals, homework, and usage data. This information is necessary to provide the App's features, including longitudinal mood tracking, goal progress, and AI conversation continuity.

8.2 Account Deletion

When you delete your account (through the App's settings or by contacting support@epia.app), we will:

Delete your identifiable personal data from our active systems within thirty (30) days of your request.
Remove your data from backup systems within ninety (90) days, consistent with our backup retention cycles.
Retain certain information only as required by law, to resolve pending disputes, to prevent fraud, or to enforce our agreements. Such retained data will be stored securely and accessed only for the specific permitted purpose.

8.3 De-Identified Data

De-identified or aggregated data that can no longer be linked to you may be retained indefinitely for product improvement purposes, as described in Section 6 above. Because this data cannot be used to identify you, it is not subject to deletion requests.

8.4 Audit Logs

Security and access audit logs may be retained for up to six (6) years as required for compliance purposes. These logs record who accessed data, when, and for what purpose, but do not contain the content of your conversations.

9. Your Rights and Choices

9.1 Access and Portability

You have the right to access your personal information. You can view your conversation history, mood entries, goals, and other data within the App at any time. If you would like a copy of your data in a portable format, please contact us at support@epia.app and we will provide your data in a commonly used electronic format within thirty (30) days.

9.2 Correction

If any of your personal information is inaccurate or incomplete, you can update it through the App's settings or by contacting us at support@epia.app.

9.3 Deletion

You can delete your account and request deletion of your personal data at any time through the App's settings or by contacting us at support@epia.app. We will process your request as described in Section 8.2 above.

9.4 Opt-Out of Product Improvement

You can opt out of having your de-identified data used for product improvement at any time by contacting us at support@epia.app, as described in Section 6.4 above.

9.5 Therapist Sharing Controls

You can enable, disable, or modify your therapist sharing preferences at any time through the App's settings. You can review and approve (or reject) any information before it is shared with your therapist, as described in Section 4.3 above.

9.6 Notification Preferences

You can control which notifications you receive (mood check-ins, session reminders, homework prompts) and how frequently you receive them through the App's settings.

9.7 California Privacy Rights

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to request deletion, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising your privacy rights. To exercise these rights, contact us at support@epia.app.

9.8 Other Jurisdictions

If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction with applicable data protection laws, you may have additional rights, including the right to lodge a complaint with your local data protection authority. While the App is currently available only in the United States, if you access the App from another jurisdiction, please contact us at support@epia.app with any questions about your rights.

10. Children's Privacy

The App is not intended for, directed at, or designed to be used by individuals under the age of eighteen (18). We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take prompt steps to delete that information and terminate the associated account.

If you believe that a child under 18 has provided personal information to us, please contact us immediately at support@epia.app.

11. Third-Party Services and Links

The App may contain references to or integrations with third-party services (such as authentication providers). This Privacy Policy applies only to the Epia App and does not govern the practices of third-party services. We encourage you to review the privacy policies of any third-party services you interact with in connection with the App.

The App may display crisis resources (such as the 988 Suicide & Crisis Lifeline) that link to external websites or services. We do not control and are not responsible for the privacy practices of these external resources.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the App's features, applicable law, or other factors. If we make material changes to this Privacy Policy, we will notify you through one or more of the following methods: (a) a prominent notice within the App; (b) an email to the address associated with your account; or (c) by updating the "Last Updated" date at the top of this page.

We encourage you to review this Privacy Policy periodically. Your continued use of the App after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with any updated Privacy Policy, you should stop using the App and delete your account.

13. Contact Us

If you have any questions, concerns, or requests related to this Privacy Policy or our privacy practices, please contact us:

Email: support@epia.app
Website: https://www.epia.app
Mailing Address: Epia, Inc., 2261 Market Street, STE 89375, San Francisco, California 94114, United States

We will respond to all privacy-related inquiries within thirty (30) days.

This Privacy Policy is effective as of April 30, 2026.

Epia, Inc. – Your wellness companion.

IMPORTANT REMINDER: Epia is a wellness support tool, not a replacement for professional care. If you are in crisis, call 988 (Suicide & Crisis Lifeline), text HOME to 741741 (Crisis Text Line), or call 911 for emergency services.