Privacy Policy

Last updated: December 20, 2025

1. Introduction

This Privacy Policy explains how Ryun ("Ryun", "we", "our", "the Service") collects, processes, stores, and protects personal data when you use our web application, platform, APIs, and AI features.

Ryun is operated by Rafael Klug, Eckernförder Str. 16, 60435 Frankfurt am Main, Germany. For privacy inquiries, contact us at privacy@ryun.app.

Ryun is designed to provide training insights, activity analysis and AI-powered coaching. We respect your privacy and process personal data in compliance with the EU GDPR, UK GDPR, and other applicable data protection laws.

2. Categories of Personal Data We Process

2.1. Account & Identity Data

  • Email address
  • Password (hashed & salted)
  • Authentication tokens
  • Session identifiers (NextAuth cookies)

2.2. Device & Technical Data

Automatically collected when accessing the Service:

  • IP address
  • Browser type & version
  • Operating system
  • Referrer URL
  • Access timestamps
  • Error logs
  • Region of request (server logs)

This processing is required for system security, debugging and ensuring service availability.

2.3. Analytics Data

Through Vercel Analytics, we process:

  • Page views
  • Performance metrics
  • Minimal anonymized telemetry

Vercel Analytics does not use cross-site tracking or advertising cookies.

2.4. Training & Activity Data

Processed through API push from devices or manually entered:

  • Pace / speed
  • Distance
  • Duration
  • Workout types
  • Calories (manual)
  • Heart rate (manual input; not medical)
  • Subjective fatigue / sleep rating
  • RPE (rate of perceived exertion)
  • Notes
  • Training logs and trends

While Ryun is not a medical service, certain activity, sleep, heart rate, and physiological metrics may qualify as health data under Art. 9 GDPR. Such data is processed exclusively upon explicit user consent and solely to provide requested training insights.

2.5. AI-Related Data

Processed when interacting with Ryun's AI features:

  • Chat messages
  • Model inputs
  • Model outputs
  • User prompts
  • Temporary embeddings and vectorized data
  • AI preferences & configurations

Important: These data are transmitted to OpenAI and Anthropic for inference only, never for model training.

2.6. Third-Party Fitness Platform Integrations

Ryun currently supports optional integration with Garmin Connect. Future integrations may include Strava, Polar, Wahoo, or Apple Health.

When you explicitly connect your Garmin account via OAuth authorization, Ryun may receive and process training and health-related data such as activities, daily summaries, sleep data, and related metrics, as authorized by you.

  • No data is accessed, imported, or processed without explicit user consent
  • Consent is obtained via an explicit OAuth authorization flow provided by Garmin Connect
  • Garmin acts as an independent data controller; processing by Garmin is governed by Garmin's own privacy policy
  • Ryun processes Garmin-provided data exclusively to deliver user-requested training insights and coaching features in accordance with Art. 6(1)(a) and Art. 9(2)(a) GDPR
  • Garmin-provided End User Data is never used to train, fine-tune, or improve artificial intelligence models

Users control their integrations and may disconnect at any time.

2.7. Cookies

We use essential authentication cookies:

  • next-auth.session-token
  • next-auth.csrf-token
  • next-auth.callback-url

These are strictly necessary for contract performance (Art. 6(1)(b) GDPR).

3. Legal Basis for Processing

We process personal data on the following legal grounds:

3.1. Art. 6(1)(b) GDPR – Contract performance

To operate the platform, authenticate users, store workouts, generate insights and provide AI-based responses.

3.2. Art. 6(1)(a) GDPR – Consent

For AI processing (chat messages, analysis) and optional analytics.

3.3. Art. 6(1)(f) GDPR – Legitimate interest

For security logging, fraud prevention, debugging, abuse prevention and analytics essential for service stability.

3.4. Art. 9(2)(a) GDPR – Health Data

Certain activity, sleep, heart rate, and physiological metrics may qualify as health data under Art. 9 GDPR. Such data is processed exclusively upon explicit user consent (Art. 9(2)(a) GDPR) and solely to provide requested training insights and coaching features. Ryun does not provide medical diagnosis or medical treatment.

4. Purposes of Processing

We use personal data to:

  • Provide core functionality of Ryun
  • Store and display training history
  • Generate AI insights and recommendations
  • Improve model accuracy and training logic
  • Provide customer support
  • Monitor platform stability and performance
  • Prevent fraud, abuse, and security incidents

5. AI Processing and Transparency

Ryun uses external AI providers exclusively for inference:

  • OpenAI (OpenAI Ireland / OpenAI LLC)
  • Anthropic PBC

We ensure:

  • No data is used to train foundation models
  • No persistent identifiers are shared
  • No model fine-tuning occurs on user data
  • Data is transmitted securely using TLS
  • Only necessary inputs are sent
  • Garmin-provided End User Data is never used to train, fine-tune, or improve artificial intelligence models

Users are informed whenever AI is involved in generating content.

No automated decision-making: Ryun does not perform automated decision-making or profiling producing legal effects or similarly significant impact on users within the meaning of Art. 22 GDPR. AI-generated outputs are non-binding, informational, and advisory in nature. They do not replace professional medical or training advice.

Legal basis: Art. 6(1)(b) + (a) GDPR (Contract + consent to use AI features)

6. Data Storage and Hosting

We use the following processors:

6.1. Vercel (Hosting + Analytics)

Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA

  • Hosts the Ryun frontend
  • Processes IPs and analytics events
  • SCCs in place
  • DPA accepted

6.2. Railway (Backend)

Railway.app, Inc. (USA)

  • Executes backend processes
  • API server hosting
  • Secure encrypted networking
  • SCCs in place

6.3. Supabase (Auth + Database)

Supabase Europe (Supabase B.V. / Ireland)

  • Authentication
  • Postgres database
  • Storage of user data
  • Edge functions

Where applicable, we rely on DPAs and Standard Contractual Clauses offered by these providers.

7. International Data Transfers

When data is transferred outside the EU or UK, this occurs via:

  • EU Standard Contractual Clauses (SCCs)
  • UK Addendum (if applicable)
  • Binding corporate rules (where offered)
  • Encryption in transit & at rest

We ensure adequate safeguards are in place for all third-country transfers.

8. Data Retention

We retain personal data only as long as necessary:

  • Account data: until deletion of account
  • Session tokens: according to cookie lifetime
  • Training data: until user deletes
  • AI logs: short-term for debugging; then erased
  • Server logs: 30–90 days (security)

Users may request deletion at any time.

9. Sharing of Personal Data

We do not sell personal data.

We share data only with:

  • Hosting providers (Vercel, Railway, Supabase)
  • AI inference providers (OpenAI, Anthropic)
  • Tools necessary to provide the Service
  • Legal authorities only if required by law

We never grant direct system access to third parties.

10. Data Subject Rights (GDPR)

You may exercise the following rights:

  • Access (Art. 15)
  • Rectification (Art. 16)
  • Erasure / Right to be forgotten (Art. 17)
  • Restriction (Art. 18)
  • Portability (Art. 20)
  • Objection (Art. 21)
  • Withdrawal of consent (Art. 7(3))

You also have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR).

Contact: privacy@ryun.app

We respond within 30 days.

11. Security Measures

We apply:

  • TLS encryption
  • Encrypted databases
  • Strict access control
  • Role-based permissions
  • Regular security reviews
  • Anomaly detection
  • No plaintext passwords

No system is perfectly secure, but we follow industry standards.

12. Children's Privacy

Ryun is not intended for users under the age of 16. We do not knowingly process children's data.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in:

  • Legal requirements
  • Technologies
  • Platform functionality

Updates will be published on this page with a new "Last Updated" date.

14. Third-Party Developer Program Compliance

Ryun participates in third-party developer programs, including the Garmin Developer Program, to enable fitness platform integrations. When you authorize a connection to Garmin Connect, Ryun receives and processes training and health-related data in accordance with Section 2.6 of this policy.

Data is shared with Garmin only when you explicitly authorize the connection via OAuth. All data processing complies with GDPR, applicable SCCs, and the provider's own policies. See Section 2.6 for details on Garmin-specific data handling.

15. Contact

For privacy concerns, contact Rafael Klug at privacy@ryun.app or by mail at Eckernförder Str. 16, 60435 Frankfurt am Main, Germany.