Privacy Policy
Effective date: 21 May 2026 · Last updated: 21 May 2026
1. Overview
Aroh Labs (“we”, “us”, “our”) operates the RYVEfitness application (the “App”). We are committed to protecting the privacy and security of our users. This Privacy Policy explains in detail what information we collect, why we collect it, how we use and protect it, and the rights available to you.
By creating an account or using RYVE, you agree to the practices described in this policy. If you do not agree, please do not use the App.
RYVE is a personal fitness operating system designed to help you log workouts, track nutrition, monitor daily wellness, and receive AI-powered coaching. To deliver these features, we necessarily process certain personal and health-related data. We handle all such data with care, and we never sell your personal information.
2. Information We Collect
We collect information you provide directly, information generated through your use of the App, and limited technical information from your device.
2.1 Account & Identity
- Full name
- Email address
- Password (hashed; never stored or transmitted in plain text)
- Google account details if you sign in with Google (name, email, profile picture — provided by Google OAuth)
- Account creation date and authentication session tokens
2.2 Profile & Body Metrics
- Date of birth (used to calculate age for fitness calculations)
- Gender / biological sex (used for caloric and metabolic calculations)
- Height (centimetres)
- Current weight and target weight (kilograms)
- Fitness level (beginner, intermediate, advanced)
- Primary fitness goal (e.g., build muscle, lose weight, improve performance)
- Preferred activity type (gym, running, home, yoga, classes, mixed)
- Weekly training commitment (days per week)
- Activity level (sedentary to very active)
2.3 Nutrition Profile
- Dietary preference (e.g., vegetarian, vegan, keto, standard)
- Food allergies and intolerances (e.g., dairy, gluten, nuts)
- Declared health conditions relevant to nutrition (e.g., diabetes, thyroid conditions) — provided voluntarily
- Meals per day preference
- Eating window / intermittent fasting pattern
- Protein source preference
- Meal timing schedule (breakfast, lunch, dinner, snack, training windows)
2.4 Food & Nutrition Logs
- Food name and description
- Meal type (breakfast, lunch, dinner, snack)
- Portion size (grams)
- Macronutrient values: calories, protein, carbohydrates, fat
- Data source for each entry: AI estimate, USDA database, Open Food Facts, our food catalogue, or manually entered
- Date and time of each log entry
2.5 Supplement Tracking
- Supplement name and brand
- Macronutrient content per serving
- Daily serving logs including quantity and timing
2.6 Workout Data
- Workout session name, date, type (strength, cardio, mobility, recovery)
- Duration (minutes)
- Exercises performed (name, order)
- Sets, reps, and weight (kg) for each exercise
- Personal records (PRs) automatically detected per exercise
- Optional notes per session
2.7 Daily Check-In Data
- Sleep duration (hours) and derived sleep quality rating
- Energy level (scale of 1–5)
- Hydration status (boolean: stayed hydrated / did not)
- Whether you trained that day, and at what time
2.8 Weight Logs & Progress Photos
- Logged body weight entries with timestamps
- Progress photos (stored securely in cloud storage; accessible only to you)
2.9 App Usage & Preferences
- App settings (colour theme, notification preferences)
- Streak counts (consecutive check-in / workout days)
- In-app event activity (e.g., workout completed, food logged) — used only for your personal stats dashboard, not shared externally
2.10 Subscription & Purchase Data
- Subscription status (free or RYVE Premium) and entitlement information
- Purchase history (subscription tier, billing period, date of purchase) — managed by RevenueCat
- Store-assigned purchase identifiers (from Google Play or the App Store) — we do not receive or store your payment card details
- Whether a free trial was used and its expiry date
2.11 Technical & Device Information
- Device operating system and version
- App version
- Push notification tokens (used to deliver reminders)
- No IP address logging or precise geolocation is performed at the application level
3. How We Use Your Information
We use the data we collect exclusively to operate and improve RYVE. Specifically:
Providing Core Features
To deliver your personalised fitness dashboard, workout logger, nutrition tracker, weight trends, daily check-ins, and progress photo gallery.
AI-Powered Coaching
To power Coach Ryve — your in-app AI coach. Your profile, workout history, nutrition logs, and daily wellness data are used to generate personalised insights, meal suggestions, training feedback, and conversational coaching. See Section 4 for full details.
Calculations & Personalisation
To calculate your caloric targets, macronutrient goals, RYVE Index score, readiness score, and other personalised metrics based on your body data and activity.
Reminders & Notifications
To send check-in reminders, workout reminders, and streak milestone notifications based on your preferences and schedule.
Authentication & Security
To verify your identity, manage your session, and protect your account from unauthorised access.
Product Improvement
Aggregated, anonymised usage patterns may be used to improve App features, fix bugs, and enhance the user experience. Individual personal data is not used for this purpose without your consent.
We do not use your data for advertising. We do not build advertising profiles, sell your data to data brokers, or share your information with advertisers.
4. AI Coach (Coach Ryve) & Data Processing
RYVEfeatures “Coach Ryve,” an AI-powered fitness coach that provides personalised insights, recommendations, and conversational support. Understanding how Coach Ryve works is important for your privacy.
What data Coach Ryve receives
When you interact with Coach Ryve or when the App generates an automated brief, a contextual snapshot of your data is assembled and sent for processing. This snapshot may include:
- Your name, fitness goal, activity type, and fitness level
- Height, weight, age, gender, and activity level
- Recent workout sessions (last 30 days): exercise names, sets, reps, weights
- Today’s food log and macro totals
- Nutrition targets and meal schedule
- Supplement log
- Diet type, allergies, and declared health conditions
- Today’s check-in data: sleep, energy, hydration, planned workout
- Your RYVE Index, recent streaks, and personal records
How it is processed
All AI requests are routed through a secure server-side proxy (a Supabase Edge Function hosted on our infrastructure). Your data is never sent directly from your device to OpenAI. The proxy adds no logging of its own and acts as a secure intermediary. OpenAI processes the request and returns a response that is streamed back to your device.
We use OpenAI’s GPT-4o and GPT-4o-mini models. Per OpenAI’s API usage policies, data submitted via the API is not used to train their models, and API interactions are not retained by OpenAI beyond the processing of each individual request (subject to their Data Processing Agreement). See OpenAI’s Privacy Policy for full details.
AI Limitations
Coach Ryve is an AI assistant, not a licensed medical professional, registered dietitian, or certified personal trainer. Responses are generated by a large language model and may contain errors or omissions. Always consult a qualified professional before making significant changes to your diet, exercise regimen, or health management.
6. Third-Party Services
The following third-party services are integrated into RYVE. Each acts as a data processor under agreement with Aroh Labs.
Supabase
Purpose: Backend database, authentication, file storage, and Edge Functions (AI proxy).
Data stored: All user accounts, profiles, workout logs, nutrition logs, health metrics, weight logs, progress photos, and app activity.
Privacy: supabase.com/privacy
OpenAI
Purpose: Powers Coach Ryve — AI coaching, food recognition, nutritional estimation, and conversational responses.
Data sent: Contextual user snapshots (profile, logs, check-ins) routed via our secure server proxy. Data is not used to train OpenAI models per their API data policy.
Privacy: openai.com/policies/privacy-policy
Google (OAuth)
Purpose: Optional “Sign in with Google” authentication.
Data received: Name and email address from your Google account when you choose to sign in with Google.
Privacy: policies.google.com/privacy
USDA FoodData Central
Purpose: Nutritional database for food search and macro lookup.
Data sent: Food search query strings only. No personal data is transmitted.
Source: U.S. Department of Agriculture public API (no personal data shared).
Open Food Facts
Purpose: Barcode scanning and product nutrition data lookup.
Data sent: Product barcodes only. No personal data is transmitted.
Privacy: Open Food Facts is an open-source, non-profit food database.
RevenueCat
Purpose: Subscription and in-app purchase management. RevenueCat handles purchase verification, entitlement tracking (RYVE Premium), and subscription lifecycle events across Android (Google Play) and iOS (App Store).
Data shared: Your app user ID, subscription status, purchase history, and store-issued transaction identifiers. No payment card information is ever shared with RevenueCat or Aroh Labs — all card processing is handled exclusively by Google Play or the App Store.
Privacy: revenuecat.com/privacy
Expo (Push Notifications)
Purpose: Delivering push notifications (check-in reminders, workout reminders, streak milestones).
Data used: Device push notification tokens. Notification content contains no sensitive personal data.
Privacy: expo.dev/privacy
7. Data Retention
We retain your personal data for as long as your account is active. When you delete your account, we initiate a full data deletion process:
- All progress photos are permanently deleted from cloud storage.
- Your profile, body metrics, workout history, nutrition logs, weight logs, supplement data, check-in data, personal records, and all associated account data are permanently deleted from our database.
- Local app data (settings, preferences stored on your device) is cleared.
- Account deletion is completed within 30 days of the request.
Some data may be retained for a limited additional period where required by applicable law. In particular, purchase and subscription transaction records (managed via RevenueCat) may be retained for up to 7 years to comply with financial and tax record-keeping obligations under applicable law, after which they will be permanently deleted. These records contain only transaction identifiers and subscription status — never your payment card details.
Note: Supabase and OpenAI have their own data handling and retention policies for data processed through their infrastructure. Please refer to their respective privacy policies for details on their retention practices.
8. Security
We implement industry-standard security measures to protect your data:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using HTTPS/TLS.
- Encryption at rest: Data stored in Supabase is encrypted at rest using AES-256 encryption.
- Password security: Passwords are hashed using bcrypt by Supabase Auth and are never stored or transmitted in plain text.
- Authentication tokens: JSON Web Tokens (JWT) with RS256 signing are used for session management and auto-refreshed securely.
- AI proxy: OpenAI API keys are stored server-side only and never exposed to the client application.
- OAuth security: Google Sign-In uses PKCE (Proof Key for Code Exchange) flow to prevent interception attacks.
- Row-level security: Database access is enforced at the row level — you can only access your own data.
No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a data breach that affects your rights and freedoms, we will notify affected users and relevant authorities as required by applicable law.
9. Your Rights & Choices
You have the following rights with respect to your personal data:
Access
Request a copy of the personal data we hold about you.
Correction
Update or correct inaccurate or incomplete data at any time through the App's profile settings.
Deletion
Request the permanent deletion of your account and all associated data. You can initiate this from within the App under account settings. Deletion is completed within 30 days.
Restriction
Request that we restrict processing of your data in certain circumstances.
Portability
Request a machine-readable export of your personal data. Contact us at privacy@thearohlabs.com to request a data export.
Withdraw Consent
Where processing is based on your consent (e.g., progress photos), you may withdraw that consent at any time without affecting the lawfulness of prior processing.
Notification Opt-Out
Manage or disable push notifications at any time from within the App's settings or your device's notification settings.
To exercise any of these rights, contact us at privacy@thearohlabs.com. We will respond within 30 days. We may require identity verification before processing sensitive requests.
10. Notifications & Device Permissions
Push Notifications
RYVE may send push notifications for check-in reminders, workout reminders, and streak milestone alerts. Notification content does not include sensitive health or personal data. You can enable or disable notification types individually within the App, or disable all App notifications from your device settings.
Camera Access
Camera access is requested for two features: (a) barcode scanning to identify packaged food products for nutritional data, and (b) food photo recognition, where an image is processed by Coach Ryve to estimate nutritional content. Photos are processed for immediate recognition and are not stored unless you explicitly save the result as a food log entry. Progress photos you choose to save are stored securely in your personal storage bucket.
Photo Library
Access to your photo library is requested only when you choose to upload a progress photo from your gallery. We access only the specific photo you select and do not browse or access any other photos.
11. Progress Photos
Progress photos are stored in a private, per-user cloud storage bucket on Supabase infrastructure. They are accessible only to you and are never shared with other users, third parties, or used for any purpose other than displaying them to you in the App.
Photos are end-to-end protected by database row-level security and Supabase Storage access policies. Only authenticated requests from your own account can read or delete your photos.
When you delete a progress photo or delete your account, the photo file is permanently removed from storage and cannot be recovered.
12. Children’s Privacy
RYVE is intended for users who are 17 years of age or older. The App is not directed at, marketed to, or designed for children under 17. We do not knowingly collect personal data from users under 17.
If you are a parent or guardian and believe your child under 17 has created an account or provided us with personal information, please contact us immediately at privacy@thearohlabs.com. We will promptly delete the account and all associated data upon verification.
13. Health Information Disclaimer
RYVE collects and processes health-related information — including body metrics, nutrition data, sleep data, and energy levels — for the purpose of providing a personalised fitness experience. This information is not shared with healthcare providers, insurers, employers, or any third party (except as described in this Policy).
RYVE is a consumer wellness application. It is not a medical device, and the information and AI-generated coaching within the App does not constitute medical advice, diagnosis, or treatment. It is your responsibility to ensure that any fitness or dietary programme you follow is appropriate for your health status.
If you choose to enter health conditions (e.g., diabetes, thyroid conditions) to personalise your experience, this information is used solely to contextualise AI coaching responses and nutritional guidance. It is never shared, sold, or used for insurance or employment purposes.
14. Regional Privacy Rights
European Union (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) or equivalent legislation, including the right to object to processing, the right to lodge a complaint with your local supervisory authority, and the rights described in Section 9.
Our legal bases for processing personal data include: performance of a contract (providing the App features you signed up for), legitimate interests (improving the App, security), and consent (for optional features such as progress photos and optional health condition data).
California (CCPA / CPRA)
If you are a California resident, you have rights under the California Consumer Privacy Act, including the right to know what personal information we collect and how it is used, the right to delete your personal information, the right to opt out of the “sale” of personal information (we do not sell personal information), and the right to non-discrimination for exercising your privacy rights.
To exercise these rights, contact privacy@thearohlabs.com.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes to our practices, technologies, legal requirements, or for other operational reasons. When we make material changes, we will notify you by:
- Displaying a notice within the App
- Sending an email notification to the address associated with your account
- Updating the “Effective date” at the top of this page
Your continued use of RYVE after notification of changes constitutes your acceptance of the updated Privacy Policy. If you do not agree to the updated policy, you should delete your account and discontinue use of the App.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please contact us:
We will respond to all privacy inquiries within 30 days.