How we handle your data.
Riven is a fitness app for Apple Watch and iPhone that detects exercise reps and estimates muscle failure during strength training. To do that, the app reads heart rate from Apple Health and motion data (accelerometer, gyroscope, gravity, rotation rate) from your watch's sensors. This document explains exactly what data we collect, why, where it goes, and how to delete it.
1. Who we are
"Riven", "we", "us", or "our" refers to Baraa Bilal, the developer of the Riven iOS and watchOS app, contactable at privacy@riven.fit. We are the data controller for the personal data described in this Privacy Policy under the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA / CPRA) where those laws apply.
2. What data we collect, and why
2.1 Data that stays on your device
The following data is created and stored locally on your Apple Watch and iPhone. With the exception of completed-workout sensor data described in § 2.3, none of it is transmitted to us.
| Data | Source | Purpose |
|---|---|---|
| Heart rate samples | Apple HealthKit (Apple Watch sensor) | Real-time muscle failure scoring during sets |
| Motion data (accelerometer, gyroscope, gravity, rotation rate, ~100 Hz) | Apple Watch Core Motion (CMDeviceMotion) | Rep detection, exercise classification, set-boundary detection |
| Workout activity (active energy, step rate) | Apple Watch sensors | Set timing and pacing context |
| Exercise selections, set timings, rep counts | You (taps and adjustments in the watch app) | Your workout history |
| Subscription status | Apple StoreKit | Unlocking paid features |
| App preferences and settings | You | Remembering your choices between launches |
2.2 Data we write back to Apple Health
If you grant permission, Riven saves completed workout sessions to the Apple Health app as HKWorkout records on your device. This is governed by Apple's HealthKit privacy rules — the data lives in your Health app and is controlled by you, not by us.
2.3 Data we upload to our servers
To keep improving the rep-detection and exercise-classification algorithms, Riven uploads the following after each completed workout:
- The raw motion-sensor CSV recorded during your workout (timestamps, accelerometer/gyroscope/gravity/rotation rate at ~100 Hz, heart rate samples, exercise selection, set boundaries, rep counts).
- A randomly generated anonymous identifier (not your Apple ID, name, email, or device identifier) created by our backend on first launch.
- Workout timestamps, durations, and the watch/iOS OS version reported by your device.
Uploads happen quietly in the background over Wi-Fi (or cellular if Wi-Fi is unavailable) so they never interrupt your workout. By installing and using Riven, you agree to this processing as a core part of the service; the legal basis under GDPR is the performance of our contract with you (the Service) and our legitimate interest in maintaining and improving it.
We do not upload, and the app does not collect:
- Your real name, email address, or phone number.
- Your Apple ID, Sign in with Apple identifier, or any device identifier (IDFA, IDFV, advertising ID).
- Your location.
- Contacts, photos, calendar, microphone, camera, or browsing data.
- Any third-party advertising or analytics identifier.
2.4 Sign in with Apple (optional)
Sign in with Apple is optional. If you choose to sign in, Riven stores your Apple-supplied user identifier and (only if you elect to share it during the Apple flow) your display name, in the iOS Keychain on your device. This information is not uploaded to our servers and is not linked to the anonymous Data Sharing identifier. Signing out or deleting your local profile in Settings → Profile erases this information immediately.
3. HealthKit (Apple Health) data
Riven uses Apple's HealthKit framework to read your heart rate during workouts and (with your permission) to write completed workout sessions back into Apple Health. We comply with Apple's HealthKit rules, which include:
- HealthKit data is never used for advertising or other data-mining purposes.
- HealthKit data is never sold to or shared with data brokers, marketers, or third-party advertisers.
- HealthKit data is never disclosed to any third party except as required by law.
- Heart-rate samples are included in the uploaded workout CSV (§ 2.3) solely to improve fatigue and rep-detection accuracy. They are stored under the anonymous identifier described above and remain governed by the HealthKit rules in this section.
- You can revoke Riven's access to HealthKit at any time in the iOS Settings app under Privacy & Security → Health → Riven. Revoking access stops Riven from reading new heart-rate samples; uploads continue for the motion data only.
4. Where your data is stored and processed
Local data lives on your Apple Watch and iPhone. Uploaded data (§ 2.3) is processed and stored by Supabase Inc., our hosting provider, in their EU West (Ireland) region. Supabase processes the data on our instructions under a Data Processing Agreement. If you are based outside the EU, please note that your data is transferred to and stored in the European Economic Area; we rely on Supabase's standard contractual clauses for any onward transfers.
5. How long we keep your data
- Local data: stays on your device until you delete the app.
- Uploaded data: retained indefinitely under the anonymous identifier so we can continue to train and validate the rep-detection model on a stable corpus. To request deletion of all workouts tied to your anonymous identifier, email privacy@riven.fit; we complete erasure within 30 days.
- Subscription receipts: handled by Apple under Apple's terms; we never see your payment information.
6. How we use this data
- To run the app's core features (rep counting, set detection, failure scoring, workout history).
- To improve the accuracy of the rep-detection and exercise-classification models, using only data that you have explicitly opted to share.
- To diagnose crashes and software issues you report to us.
- To enforce our Terms of Service and prevent abuse.
We do not use your data for advertising, profiling for marketing purposes, or any automated decision-making that produces legal effects concerning you.
7. Who we share data with
We share personal data only with the following categories of recipients, and only as needed to run Riven:
- Apple Inc. — App Store distribution, Sign in with Apple (if you use it), HealthKit, StoreKit. Governed by Apple's privacy policy.
- Supabase Inc. — hosting of opted-in workout data in the EU. Governed by Supabase's privacy policy and DPA.
- Cloudflare, Inc. — content delivery for this website (riven.fit). Governed by Cloudflare's privacy policy. The mobile app itself does not communicate with Cloudflare.
We do not sell, rent, or trade personal data, and we do not share it with advertisers, data brokers, or analytics companies. We do not use Google Analytics, Facebook Pixel, or any equivalent tracking in the app.
8. App Tracking Transparency
Riven does not track you across apps or websites owned by other companies. We do not request the App Tracking Transparency permission because we have no need for the IDFA or any cross-app identifier.
9. Your rights
Depending on where you live, you have some or all of the following rights regarding the personal data we hold about you:
- Access — request a copy of the data tied to your anonymous identifier.
- Rectification — ask us to correct inaccurate data.
- Erasure ("right to be forgotten") — ask us to delete all data tied to your anonymous identifier.
- Restriction and objection — ask us to stop processing your data. Where you object on legitimate-interest grounds we will stop unless we can show compelling overriding grounds.
- Portability — receive your uploaded workout CSVs in a machine-readable format.
- Complaint — lodge a complaint with your local data-protection supervisory authority. In Ireland (where our processor is located) that is the Data Protection Commission.
California residents have additional rights under the CCPA / CPRA, including the right to know what categories of personal information we collect and to opt out of any "sale" or "sharing" of personal information. We do not sell or share (in the CCPA sense) personal information.
To exercise any of these rights, email privacy@riven.fit. We will respond within 30 days. Deleting the Riven app from your devices also stops any further uploads from those devices, though it does not by itself delete previously uploaded data — for that, please email us.
10. Security
Local data is protected by iOS's standard data-protection class (encrypted at rest while the device is locked). Authentication tokens are stored in the iOS Keychain. Uploads to Supabase use TLS 1.2 or higher in transit. Server-side access is gated by Supabase Row-Level Security, scoped to the anonymous identifier on your device. No system is perfectly secure, but we follow current industry practice and Apple's platform security guidance.
11. Children
Riven is rated 17+ on the App Store and is intended for adults engaged in resistance training. We do not knowingly collect data from anyone under the age of 16 in the EU/UK, or under 13 in the United States. If you believe a minor has used Riven and provided us with data, please contact privacy@riven.fit and we will delete it.
12. Cookies and the website
The riven.fit website uses only the strictly necessary cookies set by our hosting provider (Cloudflare) to operate the site. We do not use marketing or analytics cookies. The mobile app does not use cookies.
13. Changes to this policy
If we change this Privacy Policy in a way that materially affects how we handle your data, we will update the "Last updated" date at the top of this document and, where required by law, ask for your renewed consent before the change takes effect.
14. Contact
Questions, requests, or complaints about your data can be sent to privacy@riven.fit. For general support, write to support@riven.fit.