Privacy Policy

How we handle your data.

Effective: May 24, 2026 · Last updated: May 24, 2026

Riven is a fitness app for Apple Watch and iPhone that detects exercise reps and estimates muscle failure during strength training. To do that, the app reads heart rate from Apple Health and motion data (accelerometer, gyroscope, gravity, rotation rate) from your watch's sensors. This document explains exactly what data we collect, why, where it goes, and how to delete it.

The short version. Riven does not collect your name, email address, phone number, location, contacts, or any advertising identifier. During onboarding we ask whether you want to help improve Riven by sharing your workout sensor data — including heart rate from Apple Health — with our servers. If you accept, completed workouts are uploaded under a randomly generated identifier that is never linked to your Apple ID. If you decline, nothing is uploaded and Riven still works fully. You can change your choice anytime in Settings → Cloud Data, and delete previously uploaded data from Settings → Cloud Data → Delete uploaded data or by emailing privacy@riven.fit.

1. Who we are

"Riven", "we", "us", or "our" refers to Baraa Bilal, the developer of the Riven iOS and watchOS app, contactable at privacy@riven.fit. We are the data controller for the personal data described in this Privacy Policy under the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA / CPRA) where those laws apply.

2. What data we collect, and why

2.1 Data that stays on your device

The following data is created and stored locally on your Apple Watch and iPhone. With the exception of completed-workout sensor data described in § 2.2 (and only if you have accepted the in-app data-sharing consent), none of it is transmitted to us.

DataSourcePurpose
Heart rate samples Apple HealthKit (Apple Watch sensor) Real-time muscle failure scoring during sets
Motion data (accelerometer, gyroscope, gravity, rotation rate, ~100 Hz) Apple Watch Core Motion (CMDeviceMotion) Rep detection, exercise classification, set-boundary detection
Step rate Apple Watch CMPedometer Set timing and pacing context
Exercise selections, set timings, rep counts You (taps and adjustments in the watch app) Your workout history
Subscription status Apple StoreKit Unlocking paid features
App preferences and settings You Remembering your choices between launches

2.2 Data we upload to our servers — only with your consent

During onboarding we show a dedicated screen — Help improve Riven — that asks whether you would like to share your workout sensor data with us. The screen has two equal options, Accept and Not Now, and you cannot move past it without choosing one. If you accept, the following is uploaded after each completed workout:

Uploads happen quietly in the background over Wi-Fi (or cellular if Wi-Fi is unavailable) so they never interrupt your workout. If you decline, nothing is uploaded and Riven's core features — rep detection, set tracking, failure scoring, workout history — all continue to work locally on your device. You can change your choice at any time in Settings → Cloud Data; switching the toggle off takes effect on the very next workout, with no app restart required.

The legal basis for this processing under the EU GDPR and UK GDPR is your consent (Article 6(1)(a) GDPR; for the heart-rate data, Article 9(2)(a) GDPR). Consent is granted via the in-app screen described above and can be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal.

2.3 Data we do NOT write to Apple Health

Riven does not save any workout sessions, calorie burn, or other entries back to the Apple Health app. We only read heart rate from HealthKit (with your permission), and only during an active workout. Nothing from Riven appears in your Health → Workouts list.

We do not upload, and the app does not collect:

2.4 Sign in with Apple (optional)

Sign in with Apple is optional. If you choose to sign in, Riven stores your Apple-supplied user identifier and (only if you elect to share it during the Apple flow) your display name, in the iOS Keychain on your device. This information is not uploaded to our servers and is not linked to the random identifier described in § 2.2. Signing out or deleting your local profile in Settings → Profile erases this information immediately.

2.5 AI workout planner (optional)

Riven includes an optional "Quick build" AI planner that turns a short text description of your training goals into a draft workout program. If you use it, the text you type, the number of days per week you select, and our built-in (non-personal) exercise catalog are sent to our AI provider, Anthropic, PBC, which generates the plan. We do not send your name, heart rate, Apple Health data, motion data, or the random identifier from § 2.2 to Anthropic — only your typed request and the day count. Please avoid typing personal or sensitive health information into the planner. Anthropic processes the request on our behalf and, under its commercial API terms, does not use API inputs to train its models. If the AI service is unavailable, Riven builds the plan on your device instead. The AI planner is entirely optional — Riven's core features never require it.

3. HealthKit (Apple Health) data

Riven uses Apple's HealthKit framework to read your heart rate during workouts. Riven does not write anything to Apple Health. We comply with Apple's HealthKit rules:

4. Where your data is stored and processed

Local data lives on your Apple Watch and iPhone. Uploaded data (§ 2.2) is processed and stored by Supabase Inc., our hosting provider, in their EU West (Ireland) region. Supabase processes the data on our instructions under a Data Processing Agreement. If you are based outside the EU, please note that your data is transferred to and stored in the European Economic Area; we rely on Supabase's standard contractual clauses for any onward transfers.

5. How long we keep your data

6. How we use this data

We do not use your data for advertising, profiling for marketing purposes, or any automated decision-making that produces legal effects concerning you.

7. Who we share data with

We share personal data only with the following categories of recipients, and only as needed to run Riven:

We do not sell, rent, or trade personal data, and we do not share it with advertisers, data brokers, or analytics companies. We do not use Google Analytics, Facebook Pixel, or any equivalent tracking in the app.

8. App Tracking Transparency

Riven does not track you across apps or websites owned by other companies. We do not request the App Tracking Transparency permission because we have no need for the IDFA or any cross-app identifier.

9. Your rights and privacy choices

The most direct controls are inside the app itself:

Depending on where you live, you also have some or all of the following statutory rights regarding the personal data we hold about you:

California residents have additional rights under the CCPA / CPRA, including the right to know what categories of personal information we collect and to opt out of any "sale" or "sharing" of personal information. We do not sell or share (in the CCPA sense) personal information.

For any right we cannot fulfill via an in-app action, email privacy@riven.fit. We respond within 30 days. Deleting the Riven app from your devices stops further uploads from those devices but does not by itself delete previously uploaded data — use the in-app delete action, or email us, for that.

10. Security

Local data is protected by iOS's standard data-protection class (encrypted at rest while the device is locked). Authentication tokens are stored in the iOS Keychain. Uploads to Supabase use TLS 1.2 or higher in transit. Server-side access is gated by Supabase Row-Level Security, scoped to the anonymous identifier on your device. No system is perfectly secure, but we follow current industry practice and Apple's platform security guidance.

11. Children

Riven is rated 17+ on the App Store and is intended for adults engaged in resistance training. We do not knowingly collect data from anyone under the age of 16 in the EU/UK, or under 13 in the United States. If you believe a minor has used Riven and provided us with data, please contact privacy@riven.fit and we will delete it.

12. Cookies and the website

The riven.fit website uses only the strictly necessary cookies set by our hosting provider (Cloudflare) to operate the site. We do not use marketing or analytics cookies. The mobile app does not use cookies.

13. Changes to this policy

If we change this Privacy Policy in a way that materially affects how we handle your data, we will update the "Last updated" date at the top of this document and, where required by law, ask for your renewed consent before the change takes effect.

14. Contact

Questions, requests, or complaints about your data can be sent to privacy@riven.fit. For general support, write to support@riven.fit.