Privacy Policy

Your data and your privacy

Riina is a fantasy health league. To make it work we process activity and health data that you choose to connect, sync, or share. This policy explains what we collect, why, the legal bases we rely on, who we share it with, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR) and the UK GDPR.

Effective date: May 28, 2026Applies to the Riina app and riina.io

Who we are

The data controller for your personal data is Riina Labs, Inc., 131 Continental Dr, Suite 305, Newark, DE 19713, USA.

For any privacy question or to exercise your rights, email privacy@riina.io. Our Data Protection Officer is Michael Cahill, reachable at the same address. For security concerns, email security@riina.io.

EU representative

Under Article 27 of the EU GDPR, our representative in the Union is Volker Leukhardt, Rua Heróis de França 906, 5Tras, 4450-156 Matosinhos, Portugal, reachable at privacy@riina.io.

UK representative

Under Article 27 of the UK GDPR, our UK representative is Rickert Services Ltd UK — Riina Labs, Inc, PO Box 1487, Peterborough, PE1 9XX, United Kingdom, reachable at art-27-rep-RiinaLabs@rickert-services.uk.

Health data and your consent

Heart rate, heart-rate variability, resting and max heart rate, ventilatory thresholds, weight, and similar metrics are special category (health) data under Article 9 GDPR. We only process this data with your explicit consent, which you give in the app when you connect a health source (Apple Health or Android Health Connect) and enable scoring.

You can withdraw consent at any time by disconnecting the health source in the app or deleting your account. Withdrawal does not affect processing that already took place, and some derived game results may remain in league history.

What data we collect

  • Account & profile: username, email, profile picture, sign-in and biometric-login preferences, referral relationships.
  • Workout & activity data imported from Apple HealthKit and Android Health Connect: heart-rate samples, start/end times, calories, activity type, distance, speed, steps, elevation gain, and extended workout metrics.
  • Health-profile values: resting heart rate, max heart rate, ventilatory thresholds, weight, height, age, and gender.
  • Location: GPS route points, only when route data is included with a workout.
  • Content & social: workout photos and videos, post content, comments, reactions, team and direct chat messages, and timestamps.
  • Usage & device: app session and screen-view events (analytics), and a push-notification token if you enable notifications.

Why we use your data and our legal bases

  • Run the app and your account, sync and store workouts, calculate scores, leagues, drafts, and leaderboards — performance of our contract with you (Art. 6(1)(b)).
  • Process health metrics for heart-rate zones and scoring — your explicit consent (Art. 9(2)(a)), with contract as the Art. 6 basis.
  • Social and game features you choose to use (posts, comments, live game views) — contract, and your consent for any optional sharing.
  • Analytics and product improvement — our legitimate interests in improving the app (Art. 6(1)(f)); you can opt out in settings, and where required we will ask for consent.
  • Security, abuse prevention, and keeping the service reliable — legitimate interests (Art. 6(1)(f)).
  • Meeting legal obligations (e.g. responding to lawful requests) — legal obligation (Art. 6(1)(c)).

Machine learning and AI processing

  • Workout classification and effort scoring run on Riina’s own self-hosted machine-learning service — not a third-party AI provider. Heart-rate samples, resting and max heart rate, and activity type are processed there to classify workouts and estimate effort. This service runs on our own infrastructure in the EU.
  • Game commentary is generated using Anthropic’s Claude API. The prompt we send contains only game-summary context — usernames, team rosters, standings, MVP/LVP and top-scorer information, and workout-based point totals. It does not include raw health data such as heart rate, GPS routes, or body metrics.
  • These processes do not make decisions that produce legal or similarly significant effects about you within the meaning of Art. 22 GDPR.

Who we share data with

We do not sell your personal data and do not use it for third-party advertising. We share it only with service providers (processors) acting on our instructions under data-processing agreements:

  • Fly.io — application hosting, database, and object storage, in the EU (Amsterdam).
  • Anthropic (USA) — game-commentary generation, aggregated game context only (see above).
  • Expo — delivery of push notifications, if you enable them.
  • Apple Health / Google Health Connect — the on-device sources you authorize Riina to read activity data from.

We may also disclose data where required by law, or to protect the rights, safety, and security of users and the service.

International data transfers

Your data is stored in the European Union (Amsterdam). Some providers, such as Anthropic, are based in the United States. Where data is transferred outside the EU/EEA or the UK, we rely on the European Commission’s Standard Contractual Clauses (and the UK Addendum) together with additional safeguards. You can contact us for more information about these transfers.

How long we keep your data

  • We keep your personal data while your account is active and as needed to provide the service.
  • When you request deletion, we delete or anonymize your personal data without undue delay and within one month, except where the law requires us to retain certain information.
  • Some derived, non-identifying league and game results may be retained as part of competition history.
  • Backups are rotated on a routine schedule and purged in the ordinary course.

Your rights

Under the GDPR / UK GDPR you have the right to:

  • Access a copy of the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your data (“right to be forgotten”) — see the account deletion page.
  • Restrict or object to processing, including processing based on legitimate interests.
  • Data portability — receive your data in a structured, commonly used, machine-readable format.
  • Withdraw consent at any time, including for health-data processing, without affecting prior processing.
  • Lodge a complaint with your local data protection supervisory authority.

To exercise any of these rights, email privacy@riina.io or use the in-app controls. We respond within one month. You can also complain to your local EU member-state supervisory authority, or, in the UK, to the Information Commissioner’s Office (ICO).

Sharing and visibility to other users

  • Workout posts support public, friends, and private visibility. If you share a workout, other users may see its details, media, comments, reactions, and game performance.
  • GPS routes can be included with shared workouts. You can turn off route sharing for future posts and hide route data on a post; routes already shared remain visible until changed.
  • For league scoring, certain heart-rate-zone profile fields (resting heart rate, max heart rate, thresholds) may be visible to other authenticated users; age, height, and weight are not exposed.

Analytics and tracking

The app records app-session and screen-view events through an internal analytics system. Your user ID is hashed with SHA-256 and only a shortened hash is stored. You can disable analytics in the app settings. We do not run third-party advertising or advertising trackers.

Children

Riina is not intended for children. You must be at least 16 years old to use Riina. We do not knowingly collect data from children under 16. If you believe a child has provided us data, contact privacy@riina.io and we will delete it.

Security

We store application data in PostgreSQL and media (photos and videos) in object storage, hosted in the EU. Uploads use signed URLs. We apply technical and organizational measures appropriate to the sensitivity of health data. If a personal-data breach is likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours and affected users where required.

Changes to this policy

We will update this policy when our data practices change — for example around media access, route visibility, analytics, AI processing, or new service providers — and we will revise the effective date above. For material changes we will give notice in the app or by email where appropriate.

Got questions?

Everything you need to know before you join.

Riina is a team sport for people who work out solo. Connect any wearable and our AI turns your heart rate into effort points — so running, lifting, swimming, and CrossFit all compete on the same scoreboard. Join a squad, play a new 7-day match every Monday, and battle through a 5-week season against rival teams. Every workout you crush — or skip — your team feels it.

Apple Watch, Garmin, Whoop, Oura, Polar, Google Pixel, Fitbit, and any other wearable that syncs to Apple HealthKit or Android's Health Connect. If it tracks heart rate and syncs to your phone's health app, Riina reads it.

Leagues run from 2 up to 12 teams. Each team has 1–5 active members, plus an unlimited practice squad.

Your base score comes from the time you spend in different heart-rate zones during a workout — higher-intensity zones earn more points than lower ones. Our AI then validates and adjusts scoring based on overall intensity to keep competition fair. Your personal zones are calculated from your health profile (resting and max heart rate, ventilatory thresholds), so keeping it up to date keeps your scoring accurate.

Yes. Your raw health data — heart rate, GPS, weight and the rest — stays on Riina's own servers (hosted in the EU) and is never sold or shared for advertising. We use a small number of vetted providers (e.g. hosting and push notifications) strictly to run the app, under data-processing agreements. See our Privacy Policy for the full list.

Go to Settings → Privacy → Delete account. Deletion is irreversible and removes all your data within 30 days.