Privacy Policy

1. Data Controller

Ridium operates ridium.app and is the data controller responsible for your personal data. For any privacy-related inquiries, you can contact us at support@ridium.app.

2. Data We Collect

Account Information

When you create an account, we collect your name, email address, profile image (if provided), country, timezone, and language preference. If you sign in via Google OAuth, we receive your name, email, and profile picture from Google.

Health & Fitness Data

When you connect your Intervals.icu account, we sync and store training data including: Chronic Training Load (CTL), Acute Training Load (ATL), Training Stress Balance (TSB), Functional Threshold Power (FTP), heart rate zones, power zones, VO2max, heart rate variability (HRV), resting heart rate, weight, sleep metrics, wellness scores (fatigue, stress, mood, soreness), blood pressure, blood glucose, body fat percentage, menstrual cycle phase, scheduled workouts, completed activities, race events, and power curve data. This data is classified as special category data under GDPR Article 9 and requires your explicit consent to process.

AI Conversations

We store your chat conversations with our AI assistant, including messages, AI-generated recommendations, extracted memories (preferences, goals, facts), and conversation summaries. These are used to provide personalized training advice across sessions.

Billing Information

If you subscribe to a paid plan, our payment processor Lemon Squeezy collects and processes your payment information. We store only your subscription status, plan details, and the last four digits of your payment card. We do not store full credit card numbers.

Technical Data

We automatically collect your IP address, browser user agent, session tokens, and device information when you use our service. We also collect page view analytics and web performance metrics through Vercel Analytics.

3. How We Use Your Data

We process your personal data for the following purposes and legal bases:

• To provide our cycling training assistant service, including AI-powered analysis and recommendations (Legal basis: Contract performance)
• To analyze your fitness data and generate personalized training insights (Legal basis: Explicit consent for health data under Article 9)
• To process your conversations and fitness context through AI models to generate training recommendations (Legal basis: Contract performance + explicit consent for health data)
• To manage subscriptions and process payments (Legal basis: Contract performance)
• To send transactional emails including verification, password reset, and weekly training summaries (Legal basis: Contract performance and legitimate interest)
• To monitor errors, prevent abuse, and maintain service security (Legal basis: Legitimate interest)
• To analyze usage patterns and improve our service (Legal basis: Legitimate interest)

4. Health & Fitness Data (Special Category)

Your fitness and health data is classified as special category data under GDPR Article 9 and as sensitive data under Chilean Law 21.719. We process this data only with your explicit consent, which you provide when connecting your Intervals.icu account. You can withdraw this consent at any time by disconnecting your Intervals.icu account in your settings, which will stop further data syncing. Previously synced data can be deleted upon request.

5. AI Data Processing

We use OpenAI's language models to power our AI training assistant. When you interact with the AI chat, the following data is sent to OpenAI for processing: your recent conversation messages (up to 40 messages per conversation), your fitness context (current training load, power metrics, recent activities), and any memories extracted from previous conversations. OpenAI processes this data to generate responses and does not use it to train their models when accessed via their API. We also use Langfuse for AI observability, which receives conversation identifiers and model performance metrics to help us monitor and improve AI response quality.

6. Third-Party Service Providers

We share your data with the following third-party processors, each bound by data processing agreements:

• OpenAI (USA) — AI language model processing for chat conversations and training recommendations
• Intervals.icu (USA) — Bidirectional sync of training, fitness, and activity data via API and OAuth
• Google (USA) — OAuth authentication for sign-in
• Lemon Squeezy (USA) — Subscription billing and payment processing
• Sentry (USA) — Error monitoring and application performance tracking
• Langfuse (EU) — AI model observability and quality monitoring
• Resend (USA) — Transactional email delivery (verification, password reset, weekly summaries)
• Vercel (USA) — Application hosting, serverless functions, and web analytics
• Upstash (USA) — Redis caching for sessions and rate limiting
• Trigger.dev (USA) — Background job processing for data sync and scheduled emails

7. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, primarily the United States, where most of our service providers are located. For transfers from the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where applicable. For transfers subject to Chilean law, we ensure adequate protection measures are in place as required by Law 21.719.

8. Data Retention

We retain your data for as long as your account is active and as needed to provide our services. Specifically: account data is kept while your account exists; fitness data is synced for up to 365 days of history and updated with each sync; conversation data is retained for the lifetime of your account unless you delete individual conversations; billing records are kept for the legally required period for tax and accounting purposes. When you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law.

9. Your Rights

Under GDPR and Chilean Law 21.719, you have the following rights:

• Right of access — You can request a copy of all personal data we hold about you
• Right to rectification — You can request correction of inaccurate data
• Right to erasure — You can request deletion of your personal data
• Right to restrict processing — You can request we limit how we use your data
• Right to data portability — You can request your data in a machine-readable format
• Right to object — You can object to processing based on legitimate interest
• Right regarding automated decisions — You can request human review of AI-generated recommendations and object to automated profiling
• Right to withdraw consent — You can withdraw consent for health data processing at any time
• Right to lodge a complaint — You can file a complaint with your local data protection authority (in the EU) or the Chilean Data Protection Agency (APDP)

To exercise any of these rights, contact us at support@ridium.app. We will respond within 30 days.

10. Cookies & Tracking

We use the following cookies and tracking technologies:

• Session cookies — Strictly necessary for authentication and maintaining your login session
• Language preference cookie (NEXT_LOCALE) — Stores your language preference (en/es/it/fr/nl/de/pt)
• Vercel Analytics — Collects anonymous page view and web performance data

We do not use third-party advertising cookies. Session cookies are strictly necessary and do not require consent. Vercel Analytics respects browser Do Not Track signals.

11. Children's Privacy

Ridium is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at support@ridium.app and we will promptly delete such data.

12. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including: encrypted data transmission (HTTPS/TLS), secure password hashing, OAuth token encryption, role-based access controls, session management with expiration, rate limiting to prevent abuse, and regular security monitoring. While we strive to protect your data, no method of electronic transmission or storage is 100% secure.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on our website or sending you an email. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of our service after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or want to exercise your data protection rights, contact us at:

Email: support@ridium.app

Website: ridium.app