Privacy Policy

Last updated: April 2026

RYVVA ("we", "us", "our") operates ryvva.run, a fitness tracking and training application. We take your privacy seriously. This policy explains what data we collect, why we collect it, how we store it, and what rights you have. We have written this in plain English so you can actually understand it.

What Data We Collect

When you use RYVVA, we collect the following personal data:

  • Account information — your name, email address, and password (hashed; we never store plaintext passwords)
  • Body metrics — weight, height, date of birth, and gender, used to personalise your training and nutrition plans
  • GPS location data — collected during runs and outdoor workouts to track your route, distance, and pace
  • Food and nutrition logs — what you eat, calorie and macro tracking data entered in the diary
  • Mood and wellness data — mood ratings and notes you choose to log
  • Workout and exercise data — run history, strength sessions, exercise types, sets, reps, personal records
  • Training preferences — your goals, experience level, preferred distances, race targets
  • Payment information — processed securely by Stripe; we never see or store your full card details

Why We Collect It

Every piece of data we collect serves a clear purpose:

  • Personalise your training plans — your fitness data, goals, and history allow us to generate and adapt training plans that are specific to you
  • Track your progress — body metrics, workout history, and food logs let you see how far you have come
  • Generate nutrition advice — your weight, activity level, and food logs help us provide relevant nutritional guidance
  • AI coaching — your data is used to provide personalised coaching suggestions via our AI features
  • Process payments — to manage your subscription
  • Improve the app — aggregated, anonymised usage patterns help us make RYVVA better for everyone

We do not collect data for the sake of it. If a data point does not serve you, we do not ask for it.

How Your Data Is Stored

Your data is stored in a PostgreSQL database hosted by Supabase, a trusted infrastructure provider. All data is encrypted at rest using AES-256 encryption. Data in transit is protected using TLS 1.2+ encryption. Supabase infrastructure is hosted in AWS data centres and is SOC 2 Type II certified. Access to your data is managed through Supabase's authenticated dashboard with role-based access controls. We do not have direct access to the underlying servers — all administration goes through Supabase's secure management layer.

Third-Party Services

We use a small number of trusted third-party services to operate RYVVA:

  • Supabase — provides authentication and database hosting. Your account credentials and app data are stored here. Supabase is GDPR compliant and SOC 2 certified.
  • Stripe — processes subscription payments. Stripe handles all card details directly; we never see or store your full card number. Stripe is PCI DSS Level 1 certified.
  • Claude AI (Anthropic) — powers our AI coaching features. Relevant fitness data may be sent to generate personalised advice. Anthropic does not use your data to train their models.

We do not sell your data to anyone. Ever. No exceptions.

Your Rights

Under UK and EU GDPR, you have the following rights over your personal data:

  • Right of access — you can request a copy of all data we hold about you at any time
  • Right to deletion — you can request that we delete all your personal data. When you delete your account, all associated data is permanently removed from our systems
  • Right to data portability — you can request an export of your data in a machine-readable format
  • Right to rectification — if any data we hold about you is inaccurate, you can update it in your profile settings or request that we correct it
  • Right to restrict processing — you can ask us to limit how we use your data
  • Right to object — you can object to certain types of data processing

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

Data Retention

We retain your personal data for as long as your account is active. When you delete your account, all your personal data is permanently deleted from our systems within 30 days. We do not keep shadow copies or hidden backups of deleted accounts. Aggregated, anonymised data that cannot be linked back to you may be retained for analytical purposes.

Cookies

RYVVA uses session cookies only. These are essential for keeping you logged in and maintaining your session. We do not use tracking cookies, advertising cookies, or any third-party analytics cookies. No cookie consent banner is needed because we only use strictly necessary cookies.

Children

RYVVA is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete that data immediately. If you believe a child under 16 has provided us with personal data, please contact us at [email protected].

Legal Basis for Processing (GDPR)

Under UK and EU GDPR, we process your data on the following legal bases:

  • Contract — processing necessary to provide you with the RYVVA service you signed up for
  • Consent — where you have given explicit consent, such as enabling location tracking for runs
  • Legitimate interest — improving our service based on aggregated, anonymised usage data

International Data Transfers

Some of our third-party service providers operate outside the UK/EEA. Where data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission and UK addendums where required.

Changes to This Policy

We may update this privacy policy from time to time. If we make significant changes, we will notify you via email or an in-app notification. Your continued use of RYVVA after changes are posted constitutes your acceptance of the updated policy.

Contact Us

If you have any questions about this privacy policy or how we handle your data, contact us at: [email protected]

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.