Privacy Policy — Rivo
**Last updated:** May 10, 2026
**Effective date:** May 10, 2026
> ⚠️ **Notice:** This is a functional draft ready for Apple App Store submission. We recommend review by a qualified attorney before final publication.
---
1. Who we are
Rivo is an iOS behavioral health application operated by **Bruno Osorio**, an individual operator established in Brazil (entity formalization pending).
**Contact:** legal@getrivoapp.com
This policy describes how we collect, use, share, and protect your information when you use the Rivo app (bundle `com.getrivo`).
2. Data we collect
2.1 Data you provide directly
- **Account & identification:** user ID, email (via Sign in with Apple or Google).
- **Initial quiz:** responses about your goals, context, recognized pain, and availability.
- **User content:** free text in journaling, gratitudes, and prompt responses.
2.2 Data collected automatically
- **HealthKit (read-only):** heart rate variability (HRV), sleep, steps, resting heart rate, active energy, and exercise minutes. Collected only with your explicit permission via iOS prompt. Revocable anytime in **Settings → Privacy → Health → Rivo**.
- **Precise location:** GPS during walking and running habits — only when you start the habit and grant permission. We do not track your location in the background outside these habits.
- **App usage data:** product events (PostHog) — which habits you start, complete, or skip. **Anonymized** with device ID, no IDFA, no advertising attribution (`NSPrivacyTracking = false`).
- **Crash and performance data:** error and performance reports via Sentry, without personally identifiable information.
2.3 Data we do NOT collect
- We do not access your contacts, photos, microphone, camera, or social networks.
- We do not collect IDFA or participate in advertising attribution networks.
- We do not track your behavior across other apps or websites.
3. How we use your data
- **Personalization:** we adjust your habit plan and your recommendations for breathing, meditation, focus, and movement based on your context (HealthKit, execution history, quiz).
- **App functionality:** we deliver the contracted service (rituals, metrics, momentum tier).
- **Product improvement:** we analyze aggregated events to identify friction and optimize flows. We make no automated decisions that legally affect you.
- **Support and security:** we detect crashes, purchase fraud, and abuse.
**We do not use your data** for advertising profiling, sale to third parties, or training external AI models.
4. Legal bases (GDPR)
We process personal data based on:
- **Consent** (Art. 6(1)(a)) — for HealthKit, location, and notifications.
- **Performance of contract** (Art. 6(1)(b)) — to deliver the paid service you purchased.
- **Legitimate interest** (Art. 6(1)(f)) — for crash reports and anonymized analytics, with an impact assessment available upon request.
For Brazilian users, the legal bases follow LGPD Art. 7 (Consentimento, Execução de contrato, Legítimo interesse).
5. Sharing with third parties
We share strictly necessary data with the following processors:
| Third Party | Purpose | Location |
|---|---|---|
| **Supabase** (Auth + Postgres) | Database and authentication | United States |
| **Sentry** | Crash and performance reports | United States |
| **PostHog** | Anonymized product analytics | United States |
| **OpenAI** *(GPT-4o-mini)* | Daily archetype recommendation + personalized insights (no journaling content, no direct PII) | United States |
| **Apple** | Sign in with Apple, In-App Purchase, HealthKit | United States |
| **Google** | Sign in with Google | United States |
| **Hubla** *(future V1.1)* | Web checkout payment in Brazil | Brazil |
**About OpenAI usage:** Rivo uses OpenAI's GPT-4o-mini model to personalize daily habit recommendations and to generate short insights based on aggregated data (readiness, streak, goal). We send only normalized/numeric data and aggregated context. We **do not send** free-text journaling, audio, direct identifiers, email, or name. OpenAI acts as a data processor under a non-training agreement (per OpenAI API Terms — zero data retention on our API key).
Each processor handles your data under contractual agreement with Rivo, compliant with LGPD/GDPR.
**We do not sell your data.** In case of merger, acquisition, or asset sale, we will notify you in advance and offer deletion options before transfer.
6. International transfers
Some processors host data in the US. We safeguard these transfers through Standard Contractual Clauses (SCCs) or other mechanisms permitted by GDPR Art. 46 / LGPD Art. 33.
7. Your rights
You have the right to (GDPR Art. 15-22 / LGPD Art. 18):
- **Confirm** the existence of processing — via email below.
- **Access** the data we hold about you — ✓ available in **Profile → Export my data**.
- **Rectify** incomplete or outdated data — via email below.
- **Port** your data in structured format (machine-readable JSON) — ✓ same export as above.
- **Erase** your data — ✓ available in **Profile → Delete account** (see below).
- **Withdraw consent** at any time — disconnect HealthKit/Screen Time under **Profile → Integrations**.
- **Object** to legitimate interest processing — ✓ disable analytics in **Profile → Privacy → Share anonymous analytics**.
How to exercise
Rights marked with ✓ can be exercised directly in-app, instantly. For the remaining ones (Confirm, Rectify), email `legal@getrivoapp.com` with subject "Privacy Rights Request" — we respond within 15 business days.
Account deletion
In-app: **Profile → Delete account**.
- **Immediate soft delete:** your data becomes inaccessible (30-day grace period).
- **Hard delete after 30 days:** permanent deletion via cron job.
- You can **cancel deletion** within the 30-day window.
- Deleting your account does not refund past purchases (see Terms of Service).
8. Data retention
We retain your data only as long as necessary:
- **Account data:** while your account is active + 30-day soft delete + legal obligations (5 years for financial records per Brazilian tax law).
- **Anonymized usage events:** 24 months for aggregate analysis.
- **Crash logs:** 90 days.
After these periods, data is irreversibly deleted or anonymized.
9. Security
We implement reasonable technical and organizational measures:
- TLS 1.2+ on all connections.
- **Server-side:** Encryption at rest (AES-256) on Supabase Postgres.
- **On-device (iPhone):** Locally stored data is protected by iOS Data Protection (Class C) — Apple's native AES-256 file encryption, activated when the device is locked, with a key derived from your passcode.
- Row-Level Security on all Postgres tables.
- Minimum necessary access for administrators.
- Passwords never stored in plain text (auth delegated to Apple/Google).
In case of a security incident, we will notify you and the relevant authority (ANPD in Brazil, the supervisory authority in the EU) within 72 hours as required by law.
10. Children's privacy
Rivo is **not intended for children under 13** (COPPA) or under 18 without parental consent in Brazil. We do not knowingly collect data from children. If you are a guardian of a minor using the app, contact us for deletion.
11. Cookies and similar technologies
The iOS app does not use browser cookies. We use anonymous device identifiers for analytics (PostHog) and fraud prevention (StoreKit).
12. Changes to this policy
We will notify you of material changes via:
- Registered email.
- In-app notification.
- An updated "Last updated" date at the top of this document.
Continued use after notification implies acceptance of the new terms.
13. Contact
**Data Protection Officer (DPO):** Bruno Osorio
**Email:** legal@getrivoapp.com
**Address:** to be confirmed (entity formalization pending)
For unresolved complaints, you may contact:
- **Brazil:** Autoridade Nacional de Proteção de Dados (ANPD) — https://www.gov.br/anpd/
- **EU:** your local supervisory authority — https://edpb.europa.eu/
---
*This document is a functional draft. Consult a qualified attorney before final publication.*