Privacy Policy

Last updated: May 4, 2026

1. Introduction

This Privacy Policy explains how Ryun ("Ryun", "we", "our", "the Service") collects, processes, stores, and protects personal data when you use our web application, platform, APIs, and AI features.

Ryun is operated by Rafael Klug, Eckernförder Str. 16, 60435 Frankfurt am Main, Germany. For privacy inquiries, contact us at privacy@ryun.app.

Ryun is designed to provide training insights, activity analysis and AI-powered coaching. We respect your privacy and process personal data in compliance with the EU GDPR, UK GDPR, and other applicable data protection laws.

2. Categories of Personal Data We Process

2.1. Account & Identity Data

  • Email address
  • Password (hashed & salted)
  • Authentication tokens
  • Session identifiers (NextAuth cookies)

2.2. Device & Technical Data

Automatically collected when accessing the Service:

  • IP address
  • Browser type & version
  • Operating system
  • Referrer URL
  • Access timestamps
  • Error logs
  • Region of request (server logs)

This processing is required for system security, debugging and ensuring service availability.

2.3. Analytics Data

Through Vercel Analytics, we process:

  • Page views
  • Performance metrics
  • Minimal anonymized telemetry

Vercel Analytics does not use cross-site tracking or advertising cookies.

2.4. Training & Activity Data

Processed through API push from devices or manually entered:

  • Pace / speed
  • Distance
  • Duration
  • Workout types
  • Calories (manual)
  • Heart rate (manual input; not medical)
  • Subjective fatigue / sleep rating
  • RPE (rate of perceived exertion)
  • Notes
  • Training logs and trends

While Ryun is not a medical service, certain activity, sleep, heart rate, and physiological metrics may qualify as health data under Art. 9 GDPR. Such data is processed exclusively upon explicit user consent and solely to provide requested training insights.

2.5. AI-Related Data

Processed when interacting with Ryun's AI features:

  • Chat messages
  • Model inputs
  • Model outputs
  • User prompts
  • Temporary embeddings and vectorized data
  • AI preferences & configurations

Important: These data are transmitted to Anthropic, Nebius, and OpenAI for inference only, never for model training.

2.6. Third-Party Fitness Platform Integrations (Garmin Data)

Ryun offers optional integrations with third-party fitness and activity platforms, including Garmin Connect, with Wahoo, Suunto, and others planned. Data exchange with these platforms only occurs when explicitly authorized by the user via an OAuth authorization flow provided by Garmin Connect.

Data collected from Garmin Connect

When you authorize the Garmin Connect integration, Ryun receives the following categories of data via the Garmin Health API (Push and Ping services):

  • Activity Summaries: activity type, name, start time, duration, distance, average/max heart rate, pace, cadence, elevation, calories, device name
  • Activity Detail Samples: per-second heart rate, speed, GPS coordinates, elevation, cadence, power (where available)
  • Activity FIT Files: raw device files including beat-to-beat RR intervals (used for DFA alpha1 heart rate variability analysis), per-second sensor data, and lap/interval markers
  • Daily Health Stats: steps, resting heart rate, stress levels, Body Battery, heart rate samples throughout the day
  • Sleep Data: sleep stages (deep, light, REM, awake), sleep duration, overnight HRV (RMSSD), respiration rate
  • HRV Data: nightly heart rate variability summaries (last night average, 7-day baseline)
  • Device Information: device model name (e.g. "Garmin tactix Delta"), used for data source attribution
  • User Identifiers: Garmin user ID (opaque identifier for webhook correlation; not your Garmin Connect username or email)

How Garmin data is processed

Garmin-provided data is processed exclusively to deliver training analysis and AI coaching features:

  • Deterministic analysis (server-side): training load (TSS/CTL/ATL/TSB), heart rate zones, aerobic decoupling, DFA alpha1 threshold detection, session structure classification, readiness scoring — all computed on our backend without transmitting data to third parties
  • AI coaching (with explicit consent): when you enable AI Health Consent, aggregated training context (activity summaries, fitness metrics, sleep/HRV trends) may be transmitted to AI providers for generating personalized coaching responses. Raw sensor data (per-second samples, RR intervals) is not sent to AI providers — only computed summaries and metrics

Third-party AI providers processing Garmin-derived data

When AI coaching features are enabled, the following providers may process Garmin-derived training context:

  • Anthropic (Claude) — primary chat-based coaching and activity insight generation
  • Nebius — secondary/fallback language model for coaching responses
  • Voyage AI — vector embeddings for semantic retrieval of training history

All AI providers process data under data processing agreements. No AI provider uses Garmin-provided data for model training. Transmission of Garmin-derived data to AI providers requires your explicit AI Health Consent, which you can grant or revoke at any time in the app settings. See Section 5 and our AI Product Terms for full provider details.

Data storage and retention

  • Storage location: Garmin-provided data is stored in a PostgreSQL database hosted on Railway (US region), encrypted at rest
  • Retention: data is retained for the duration of your account and active Garmin connection. When you disconnect Garmin or delete your account, all Garmin-sourced data is permanently deleted
  • No data sharing: Garmin-provided data is never sold, licensed, or shared with third parties beyond the AI providers listed above (and only with your explicit consent)

Legal basis and user rights

  • Consent is obtained via an explicit OAuth authorization flow provided by Garmin Connect
  • Garmin acts as an independent data controller; processing by Garmin is governed by Garmin's own privacy policy
  • Ryun processes Garmin-provided data in accordance with Art. 6(1)(a) and Art. 9(2)(a) GDPR
  • Garmin-provided End User Data is never used to train, fine-tune, or improve artificial intelligence models
  • You may disconnect Garmin at any time via Settings → Connections in the Ryun app. Upon disconnection, Garmin stops sending data and you may request deletion of all previously received Garmin data

For Garmin's own privacy practices, see the Garmin Connect Privacy Notice.

2.7. Cookies

We use essential authentication cookies:

  • next-auth.session-token
  • next-auth.csrf-token
  • next-auth.callback-url

These are strictly necessary for contract performance (Art. 6(1)(b) GDPR).

3. Legal Basis for Processing

We process personal data on the following legal grounds:

3.1. Art. 6(1)(b) GDPR – Contract performance

To operate the platform, authenticate users, store workouts, generate insights and provide AI-based responses.

3.2. Art. 6(1)(a) GDPR – Consent

For AI processing (chat messages, analysis) and optional analytics.

3.3. Art. 6(1)(f) GDPR – Legitimate interest

For security logging, fraud prevention, debugging, abuse prevention and analytics essential for service stability.

3.4. Art. 9(2)(a) GDPR – Health Data

Certain activity, sleep, heart rate, and physiological metrics may qualify as health data under Art. 9 GDPR. Such data is processed exclusively upon explicit user consent (Art. 9(2)(a) GDPR) and solely to provide requested training insights and coaching features. Ryun does not provide medical diagnosis or medical treatment.

4. Purposes of Processing

We use personal data to:

  • Provide core functionality of Ryun
  • Store and display training history
  • Generate AI insights and recommendations
  • Improve model accuracy and training logic
  • Provide customer support
  • Monitor platform stability and performance
  • Prevent fraud, abuse, and security incidents

5. AI Processing and Transparency

Ryun uses external AI providers exclusively for inference. For full details on providers, data retention, and the no-training commitment, see the AI Product Terms.

  • Anthropic PBC (San Francisco, USA) — chat, coaching (primary)
  • Nebius B.V. (Amsterdam, Netherlands) — chat, coaching (secondary); data processed in the EU (Finland)
  • OpenAI (OpenAI Ireland / OpenAI LLC) — memory extraction
  • Voyage AI, Inc. — embeddings

We ensure:

  • No data is used to train foundation models
  • No persistent identifiers are shared
  • No model fine-tuning occurs on user data
  • Data is transmitted securely using TLS
  • Only necessary inputs are sent
  • Garmin-provided End User Data is never used to train, fine-tune, or improve artificial intelligence models

Users are informed whenever AI is involved in generating content.

No automated decision-making: Ryun does not perform automated decision-making or profiling producing legal effects or similarly significant impact on users within the meaning of Art. 22 GDPR. AI-generated outputs are non-binding, informational, and advisory in nature. They do not replace professional medical or training advice.

Legal basis: Art. 6(1)(b) + (a) GDPR (Contract + consent to use AI features)

6. Data Storage and Hosting

We use the following processors:

6.1. Vercel (Hosting + Analytics)

Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA

  • Hosts the Ryun frontend
  • Processes IPs and analytics events
  • SCCs in place
  • DPA accepted

6.2. Railway (Backend)

Railway.app, Inc. (USA)

  • Executes backend processes
  • API server hosting
  • Secure encrypted networking
  • SCCs in place

6.3. Supabase (Auth + Database)

Supabase Europe (Supabase B.V. / Ireland)

  • Authentication
  • Postgres database
  • Storage of user data
  • Edge functions

Where applicable, we rely on DPAs and Standard Contractual Clauses offered by these providers.

7. International Data Transfers

When data is transferred outside the EU or UK, this occurs via:

  • EU Standard Contractual Clauses (SCCs)
  • UK Addendum (if applicable)
  • Binding corporate rules (where offered)
  • Encryption in transit & at rest

We ensure adequate safeguards are in place for all third-country transfers.

8. Data Retention

We retain personal data only as long as necessary:

  • Account data: until deletion of account
  • Session tokens: according to cookie lifetime
  • Training data: until user deletes
  • AI logs: short-term for debugging; then erased
  • Server logs: 30–90 days (security)

Users may request deletion at any time.

9. Sharing of Personal Data

We do not sell personal data.

We share data only with:

  • Hosting providers (Vercel, Railway, Supabase)
  • AI inference providers (Anthropic, Nebius, OpenAI)
  • Tools necessary to provide the Service
  • Legal authorities only if required by law

We never grant direct system access to third parties.

10. Data Subject Rights (GDPR)

You may exercise the following rights:

  • Access (Art. 15)
  • Rectification (Art. 16)
  • Erasure / Right to be forgotten (Art. 17)
  • Restriction (Art. 18)
  • Portability (Art. 20)
  • Objection (Art. 21)
  • Withdrawal of consent (Art. 7(3))

You also have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR).

Contact: privacy@ryun.app

We respond within 30 days.

11. Security Measures

We apply:

  • TLS encryption
  • Encrypted databases
  • Strict access control
  • Role-based permissions
  • Regular security reviews
  • Anomaly detection
  • No plaintext passwords

No system is perfectly secure, but we follow industry standards.

12. Children's Privacy

Ryun is not intended for users under the age of 16. We do not knowingly process children's data.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in:

  • Legal requirements
  • Technologies
  • Platform functionality

Updates will be published on this page with a new "Last Updated" date.

14. Third-Party Developer Program Compliance

Ryun participates in third-party developer programs, including the Garmin Developer Program, to enable fitness platform integrations. When you authorize a connection to Garmin Connect, Ryun receives and processes training and health-related data in accordance with Section 2.6 of this policy.

Data is shared with Garmin only when you explicitly authorize the connection via OAuth. All data processing complies with GDPR, applicable SCCs, and the provider's own policies. See Section 2.6 for details on Garmin-specific data handling.

15. Contact

For privacy concerns, contact Rafael Klug at privacy@ryun.app or by mail at Eckernförder Str. 16, 60435 Frankfurt am Main, Germany.