Privacy Policy
Last updated: [DATE]
This Privacy Policy explains how Ripple processes your personal data when you use the Ripple swim-planning web app (the “Service”), in accordance with the EU General Data Protection Regulation (GDPR). Please read it together with our Terms of Service.
1. Data controller
The controller responsible for your personal data is [LEGAL_ENTITY], [ADDRESS] (“Ripple”, “we”, “us”). For any privacy question or to exercise your rights, contact us at [CONTACT_EMAIL].
2. Data we process
Account data. Your email address and an authentication identifier. You sign in with email and password or with Google. Authentication is handled by our processor Supabase; we do not store your raw password.
Profile data. Your display name and, if you add one, an avatar image.
Training data. Swim sessions and their details (date, distance, duration, pace, stroke data, SWOLF, calories, GPS track, water temperature, location, conditions), your goals, generated training plans, and personal records.
Health data (special category). Wellness metrics such as heart rate, resting and maximum heart rate, heart-rate variability (HRV), estimated VO2max, and training readiness are data concerning your health and are a special category of data under Article 9 GDPR. We process them only with your explicit consent, which you give when you create your account or connect a data source, and which you can withdraw at any time.
Integration credentials. If you connect third-party services, the credentials needed to sync your data: your intervals.icu athlete ID and API key, and Garmin Connect authentication tokens. Sensitive credentials are encrypted at rest.
Technical data. Aggregate usage and performance data from our hosting/analytics provider (Vercel) to operate and improve the Service.
3. Why we process it and our legal basis
- To create and secure your account and provide the Service — performance of a contract (Art. 6(1)(b)).
- To process your health and wellness data so we can calculate metrics and generate plans — your explicit consent (Art. 9(2)(a)); you may withdraw it at any time.
- To sync data from intervals.icu and Garmin, and to generate plans using a cloud AI provider — your consent (Art. 6(1)(a)), given when you enable each feature.
- To keep the Service secure, prevent abuse, and understand aggregate usage — our legitimate interests (Art. 6(1)(f)) in running a reliable service.
- To comply with legal obligations — legal obligation (Art. 6(1)(c)).
Withdrawing consent does not affect processing carried out before withdrawal. If you withdraw consent for health-data processing, core features of the Service may no longer be available to you.
4. AI workout and plan generation
When you ask Ripple to generate a workout or plan, we send the inputs needed to produce it (such as session type, target duration or distance, focus, and summary training context) to an AI model provider. Depending on the configured provider this is either a local model (Ollama) on self-hosted infrastructure, or a cloud provider (OpenRouter). When the cloud provider is used, the prompt is transmitted to it and processed under its own terms. Plan generation is automated, but it produces suggestions that you remain free to accept, change, or ignore; it does not constitute a decision producing legal or similarly significant effects within the meaning of Article 22 GDPR.
5. Processors and recipients
We share data only as needed with the following processors:
- Supabase — authentication, database, and file storage.
- Vercel — hosting, and cookieless analytics/performance monitoring.
- intervals.icu and Garmin Connect — only if you connect them, to sync your data.
- OpenRouter — only when cloud AI generation is enabled, to generate workouts and plans.
We do not sell your personal data and do not use it for advertising.
6. International transfers
Some of our processors (including Supabase, Vercel, and OpenRouter) may process data on servers located outside the European Economic Area, including in the United States. Where data is transferred outside the EEA, we rely on appropriate safeguards under Chapter V GDPR, in particular the European Commission’s Standard Contractual Clauses, or an adequacy decision where one applies. You can request a copy of the relevant safeguards by emailing [CONTACT_EMAIL].
7. Cookies and analytics
Ripple uses only the storage strictly necessary to keep you signed in. Our analytics and performance tools (Vercel Analytics and Speed Insights) are configured to operate without cookies and without identifying you individually. We do not use advertising or third-party tracking cookies.
8. Retention
We keep your personal data while your account is active. If you delete your account or ask us to erase your data, we delete it within 30 days, except where we must retain specific data to comply with a legal obligation or to establish, exercise, or defend legal claims. Backups are purged on a rolling basis.
9. Your rights
Under the GDPR you have the right to: access your data; have it corrected; have it erased; restrict or object to processing; data portability; and withdraw consent at any time where processing is based on consent. To exercise any of these, email [CONTACT_EMAIL]. You also have the right to lodge a complaint with a supervisory authority, in particular [SUPERVISORY_AUTHORITY] or the authority in your country of residence.
10. Security
We use industry-standard measures including encryption in transit, encryption of sensitive credentials at rest, and access controls (row-level security) so that each user can access only their own data. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
11. Children
Ripple is not directed to children under 16, and we do not knowingly process their data. If you believe a child has provided us with data, contact us and we will delete it.
12. Changes
We may update this policy and will revise the “Last updated” date. We will notify you of material changes where appropriate.
13. Contact
[LEGAL_ENTITY], [ADDRESS] — [CONTACT_EMAIL].