Privacy Policy

Last updated: November 28, 2025

1. Introduction

This Privacy Policy explains how Ryun ("Ryun", "we", "our", "the Service") collects, processes, stores, and protects personal data when you use our web application, platform, APIs, and AI features.

Ryun is operated by Rafael Klug, Eckernförder Str. 16, 60435 Frankfurt am Main, Germany. For privacy inquiries, contact us at privacy@ryun.app.

Ryun is designed to provide training insights, activity analysis and AI-powered coaching. We respect your privacy and process personal data in compliance with the EU GDPR, UK GDPR, and other applicable data protection laws.

2. Categories of Personal Data We Process

2.1. Account & Identity Data

  • Email address
  • Password (hashed & salted)
  • Authentication tokens
  • Session identifiers (NextAuth cookies)

2.2. Device & Technical Data

Automatically collected when accessing the Service:

  • IP address
  • Browser type & version
  • Operating system
  • Referrer URL
  • Access timestamps
  • Error logs
  • Region of request (server logs)

This processing is required for system security, debugging and ensuring service availability.

2.3. Analytics Data

Through Vercel Analytics, we process:

  • Page views
  • Performance metrics
  • Minimal anonymized telemetry

Vercel Analytics does not use cross-site tracking or advertising cookies.

2.4. Training & Activity Data

Received via API push from devices or entered manually:

  • Pace / speed
  • Distance
  • Duration
  • Workout types
  • Calories (manual)
  • Heart rate (manual input; not medical)
  • Subjective fatigue / sleep rating
  • RPE (rate of perceived exertion)
  • Notes
  • Training logs and trends

We primarily process general fitness and training metrics. While we do not intend to process sensitive health data in the sense of Art. 9 GDPR, some activity and heart rate metrics may be considered health-related. We therefore apply a high level of technical and organizational protection to all training and activity data.

2.5. AI-Related Data

Processed when interacting with Ryun's AI features:

  • Chat messages
  • Model inputs
  • Model outputs
  • User prompts
  • Temporary embeddings and vectorized data
  • AI preferences & configurations

Important: These data are transmitted to OpenAI and Anthropic for inference only, never for model training.

2.6. Future Integrations With Third-Party Platforms

Ryun may offer optional integrations with third-party fitness and activity platforms, including but not limited to Garmin Connect, Strava, Polar, Wahoo, or Apple Health, in the future. At the present time, Ryun does not import, collect, store, or transmit any data to or from these platforms.

If such integrations become available:

  • No data will be exchanged without explicit user action (e.g., manual connection or authorization)
  • Users will be informed of the exact categories of data involved
  • The legal basis for any data exchange will be Art. 6(1)(a) GDPR (consent) or Art. 6(1)(b) GDPR (requested functionality)
  • Third parties like Garmin act as independent data controllers, and their processing is governed by their respective privacy policies

This ensures full transparency before any third-party data flow is activated.

2.7. Cookies

We use essential authentication cookies:

  • next-auth.session-token
  • next-auth.csrf-token
  • next-auth.callback-url

These are strictly necessary (Art. 6(1)(f) GDPR).

3. Legal Basis for Processing

We process personal data on the following legal grounds:

3.1. Art. 6(1)(b) GDPR – Contract performance

To operate the platform, authenticate users, store workouts, generate insights and provide AI-based responses.

3.2. Art. 6(1)(a) GDPR – Consent

For AI processing (chat messages, analysis) and optional analytics.

3.3. Art. 6(1)(f) GDPR – Legitimate interest

For security logging, fraud prevention, debugging, abuse prevention and analytics essential for service stability.

3.4. No Art. 9 special categories

We do not process health data requiring Art. 9 GDPR conditions.

4. Purposes of Processing

We use personal data to:

  • Provide core functionality of Ryun
  • Store and display training history
  • Generate AI insights and recommendations
  • Improve model accuracy and training logic
  • Provide customer support
  • Monitor platform stability and performance
  • Prevent fraud, abuse, and security incidents

5. AI Processing and Transparency

Ryun uses external AI providers exclusively for inference:

  • OpenAI (OpenAI Ireland / OpenAI LLC)
  • Anthropic PBC

We ensure:

  • No data is used to train foundation models
  • No persistent identifiers are shared
  • No model fine-tuning occurs on user data
  • Data is transmitted securely using TLS
  • Only necessary inputs are sent

Users are informed whenever AI is involved in generating content.

No automated decision-making: Ryun does not perform automated decision-making or profiling producing legal effects or similarly significant impact on users within the meaning of Art. 22 GDPR. AI-generated recommendations are advisory only and do not replace professional medical or training advice.

Legal basis: Art. 6(1)(b) and (a) GDPR (contract and consent to use AI features).

6. Data Storage and Hosting

We use the following processors:

6.1. Vercel (Hosting + Analytics)

Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA

  • Hosts the Ryun frontend
  • Processes IPs and analytics events
  • SCCs in place
  • DPA accepted

6.2. Railway (Backend)

Railway.app, Inc. (USA)

  • Executes backend processes
  • API server hosting
  • Secure encrypted networking
  • SCCs in place

6.3. Supabase (Auth + Database)

Supabase Europe (Supabase B.V. / Ireland)

  • Authentication
  • Postgres database
  • Storage of user data
  • Edge functions

Where applicable, we rely on DPAs and Standard Contractual Clauses offered by these providers.

7. International Data Transfers

When data is transferred outside the EU or UK, this occurs via:

  • EU Standard Contractual Clauses (SCCs)
  • UK Addendum (if applicable)
  • Binding corporate rules (where offered)
  • Encryption in transit & at rest

We ensure adequate safeguards are in place for all third-country transfers.

8. Data Retention

We retain personal data only as long as necessary:

  • Account data: until deletion of account
  • Session tokens: according to cookie lifetime
  • Training data: until deleted by the user
  • AI logs: short-term for debugging; then erased
  • Server logs: 30–90 days (security)

Users may request deletion at any time.

9. Sharing of Personal Data

We do not sell personal data.

We share data only with:

  • Hosting providers (Vercel, Railway, Supabase)
  • AI inference providers (OpenAI, Anthropic)
  • Tools necessary to provide the Service
  • Legal authorities only if required by law

We never grant direct system access to third parties.

10. Data Subject Rights (GDPR)

You may exercise the following rights:

  • Access (Art. 15)
  • Rectification (Art. 16)
  • Erasure / Right to be forgotten (Art. 17)
  • Restriction (Art. 18)
  • Portability (Art. 20)
  • Objection (Art. 21)
  • Withdrawal of consent (Art. 7(3))

You also have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR).

Contact: privacy@ryun.app

We respond within 30 days.

11. Security Measures

We apply:

  • TLS encryption
  • Encrypted databases
  • Strict access control
  • Role-based permissions
  • Regular security reviews
  • Anomaly detection
  • No plaintext passwords

No system is perfectly secure, but we follow industry standards.

12. Children's Privacy

Ryun is not intended for users under the age of 16. We do not knowingly process children's data.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in:

  • Legal requirements
  • Technologies
  • Platform functionality

Updates will be published on this page with a new "Last updated" date.

14. Third-Party Developer Program Compliance

To obtain developer access for potential future integrations, Ryun may participate in third-party developer programs such as the Garmin Developer Program. Participation in such programs may require us to provide documentation (e.g., privacy policy, terms of service), but we do not provide these third parties with personal data unless users intentionally enable a future integration.

At this time, no personal data is shared with Garmin or any other external fitness provider. Any future integration will occur only after user authorization, clear disclosure of data categories, and compliance with GDPR, SCCs, and the provider's own policies.

15. Contact

For privacy concerns, contact Rafael Klug at privacy@ryun.app or by mail at Eckernförder Str. 16, 60435 Frankfurt am Main, Germany.