Privacy Policy

Last updated: March 2026 | Version 1.0

1. Who We Are

Oryn is an AI-powered health and fitness platform. We are the data controller for personal data collected through this platform. For GDPR purposes, "special category data" (health and biometric data) is processed under your explicit consent, which you provide during sign-up.

2. What Data We Collect

We collect the following categories of personal data:

| Category | Data | Legal basis |
|---|---|---|
| Account data | Name, email address, password (encrypted) | Contract performance |
| Profile data | Age, height, weight, gender, goals, fitness history | Explicit consent |
| Health data (special category) | Injuries, allergies, dietary requirements, medical conditions you share | Explicit consent |
| Biometric data (special category) | Sleep, heart rate, HRV, steps, activity — from connected wearables | Explicit consent |
| Usage data | Conversations with the AI, workout logs, meal logs, progress entries | Legitimate interest / contract |
| Payment data | Subscription status (payment details held by Stripe, not by us) | Contract performance |

3. How We Use Your Data

  • To provide the service: Your profile, health data, and biometric data are used to personalise fitness plans, nutrition plans, and recovery protocols.
  • To power AI recommendations: Your data is sent to Anthropic's Claude API to generate personalised guidance. Anthropic processes this data as a data processor under our Data Processing Agreement.
  • To process wearable data: If you connect a wearable, your biometric data is received via Terra API. Terra processes this data as a data processor under our Data Processing Agreement.
  • To process payments: Subscription billing is managed by Stripe.
  • To improve the platform: Aggregated, anonymised usage patterns may be used to improve the service. We will never use your identifiable health data for this purpose without separate consent.

4. Your Rights

Under UK GDPR, you have the following rights:

  • Right to access: Request a copy of all personal data we hold about you.
  • Right to erasure: Request deletion of your account and all associated data.
  • Right to portability: Request your data in a portable format (JSON).
  • Right to rectification: Correct inaccurate data at any time through your account settings.
  • Right to withdraw consent: Withdraw consent for special category data processing at any time. This will require account deletion as the service cannot function without this data.
  • Right to object: Object to processing based on legitimate interests.

To exercise any of these rights, contact us at privacy@oryn.app. We will respond within 30 days.

5. Data Retention

We retain your data for as long as your account is active. If you delete your account, we will delete all personal data within 30 days, except where retention is required by law (e.g. financial records required for 7 years under UK law).

6. Third-Party Processors

| Processor | Purpose | Location | Privacy Policy |
|---|---|---|---|
| Supabase | Database & authentication | EU (AWS eu-west-1) | supabase.com/privacy |
| Anthropic | AI content generation | USA (Standard Contractual Clauses) | anthropic.com/privacy |
| Terra | Wearable data aggregation | USA (Standard Contractual Clauses) | tryterra.co/privacy |
| Stripe | Payment processing | USA (Standard Contractual Clauses) | stripe.com/privacy |
| Vercel | Hosting & infrastructure | USA/EU (Standard Contractual Clauses) | vercel.com/legal/privacy-policy |

7. International Transfers

Some of our processors are based outside the UK/EU. Where data is transferred internationally, we rely on Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO) to ensure adequate protection.

8. Security

All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Database access is protected by Row-Level Security, ensuring no user can access another user's data. We conduct regular security reviews and promptly address any identified vulnerabilities.

9. Cookies

We use only essential cookies required for authentication and session management. We do not use advertising cookies or tracking cookies. We do not use any third-party analytics that track individual users across sites.

10. Contact & Complaints

For any privacy queries: privacy@oryn.app

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

This Privacy Policy was drafted in accordance with UK GDPR and the Data Protection Act 2018.