Last updated: March 2026
Høns Invest AS
Kreklingen 9, 6823 Sandane, Norway
Email: contact@getrivl.app

| Purpose | Legal basis |
|---|---|
| Creating and managing your account | Contract (Art. 6(1)(b)) |
| Storing and displaying workout sessions and results | Contract (Art. 6(1)(b)) |
| Sending push notifications you have opted into | Consent (Art. 6(1)(a)) |
| Processing payments from individuals (Vipps) | Contract (Art. 6(1)(b)) |
| Processing payments from businesses (Stripe) | Contract (Art. 6(1)(b)) |
| Syncing workout data with connected fitness services (Garmin, Strava, Apple Health) | Consent (Art. 6(1)(a)) |
| Improving the app and troubleshooting | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |

Health data (Art. 9(2)(a)): Heart rate measurements and other health data are processed only with your explicit consent, given when creating your account. You may withdraw this consent at any time.
Our database and authentication service is operated by Supabase, Inc., with data stored on AWS EU-West-1 (Ireland). Supabase processes data as a data processor on our behalf, and a Data Processing Agreement (DPA) is in place.
Vipps is used in two ways: as a sign-in method and as a payment solution for individual users upgrading to a paid plan. When signing in, Vipps shares only what you explicitly approve (typically name, email, and phone number). For payments, Vipps processes the transaction directly — we only receive confirmation of a completed payment, not card details.
Vipps privacy policy: vipps.no/privacypolicy
Business customers pay via Stripe, Inc. We only send the necessary information (transaction amount and associated order ID) to Stripe. Card details are processed exclusively by Stripe and are never stored by us. Stripe is PCI DSS certified.
Stripe privacy policy: stripe.com/privacy
If you choose to connect your Garmin account, RIVL exchanges data with Garmin Connect via Garmin's Health API, Activity API, and Training API using an OAuth 1.0a authorisation that you explicitly approve. The integration works both ways:
Only the data necessary for these purposes is shared. We store your Garmin OAuth tokens securely in our database so we do not need to ask you to re-authorise each time. We never share your Garmin data with any other third party.
You can disconnect Garmin at any time from the Profile > Integrations screen in the app. When you disconnect, your OAuth tokens are deleted immediately. Activity data already imported into RIVL remains part of your account (and is deleted if you delete your account). Data already exported to Garmin remains in your Garmin account and is governed by Garmin's privacy policy.
Garmin privacy policy: garmin.com/privacy/connect
If you choose to connect your Strava account, RIVL can upload completed workout sessions to your Strava profile as manual activities (activity name, duration, and description). We also receive activity data from Strava via webhook so it can count towards campaigns.
Only the data necessary for these purposes is shared. We store your Strava OAuth tokens securely and refresh them automatically. You can disconnect Strava at any time from Profile > Integrations. When you disconnect, your tokens are deleted immediately.
Strava privacy policy: strava.com/legal/privacy
If you grant permission, RIVL reads workout and heart rate data from Apple Health on your device. This is used to automatically log activities towards campaigns and to enrich your competition results with heart rate data.
Apple Health data never leaves your device unless you explicitly save a workout session in RIVL — at which point only the specific session data (duration, heart rate, activity type) is sent to our servers. We never read or store data from Apple Health in bulk.
You can revoke RIVL's access to Apple Health at any time via iOS Settings > Privacy & Security > Health > RIVL. Revoking access stops all future reads; data already saved to your RIVL account is retained until you delete it or delete your account.
Apple privacy policy: apple.com/legal/privacy
We never sell your personal data to third parties.

| Data type | Retention period |
|---|---|
| Account information | Until you delete your account |
| Workout sessions and results | See note below |
| Push notification token | Until you withdraw consent |
| Payment history | 5 years after the transaction (statutory accounting requirement) |
| Fitness integration tokens (Garmin, Strava) and Apple Health permissions | Until you disconnect the integration or delete your account |
| System logs | 90 days |

What happens to workout sessions and competition results when you delete your account
When you delete your account, all personal data — name, email, profile picture, and all private data — is deleted immediately and permanently.
Workout sessions recorded as part of a campaign or competition are anonymised and retained solely to preserve the statistical integrity of results for other participants and the organiser. These are displayed as "Deleted user" and cannot be linked back to you.
Anonymised data is not considered personal data under GDPR Art. 4(1).
You have the right to:
Send requests to: contact@getrivl.app
You also have the right to lodge a complaint with the Norwegian Data Protection Authority, Datatilsynet (datatilsynet.no), if you believe we are processing your data in violation of GDPR.
We employ the following security measures:
In the event of a data breach posing a high risk to you, we will notify you and Datatilsynet within 72 hours, pursuant to GDPR Art. 33–34.
RIVL is not intended for persons under the age of 16. We do not knowingly collect data from children. If we discover that a user is under 16, their data will be deleted immediately.
We may update this policy from time to time. Material changes will be communicated via email or an in-app notification, with at least 14 days' notice. The date of the latest update is shown at the top of this page.
Privacy questions: contact@getrivl.app