Privacy Policy

Last updated: 11 June 2026

This policy explains what personal data Roviqo Ltd collects, why we collect it, how we protect it, and your rights under UK data protection law. If you have any questions, contact us at Hello@roviqo.uk.

1. Who We Are

Roviqo Ltd is the data controller for personal data collected through the Roviqo platform. We are registered in England and Wales and registered with the Information Commissioner's Office (ICO) as a data controller.

Contact: Hello@roviqo.uk

2. What Data We Collect

We collect the following categories of personal data:

  • Account data — your name and email address when you register.
  • Profile data — profile photo if you choose to upload one.
  • Health and fitness data (special category) — body weight, check-in responses (energy, sleep, mood, soreness scores), workout logs, exercise performance data, and progress photographs. This is special category data under UK GDPR Article 9 and is processed only with your explicit consent (given at sign-up).
  • Wearable and activity data (special category) — if you connect a wearable device or health app (Apple Health, Google Fit, Garmin, Oura, Whoop, or similar), we may receive heart rate variability, resting heart rate, sleep data, steps, blood oxygen, and recovery scores. This is also special category health data and is processed only with your explicit consent.
  • Coaching messages — messages you send to your coach or Rovi AI.
  • Payment data — billing information is handled directly by Stripe (coach subscriptions) or Apple/Google (Rovi AI subscriptions). We do not store card details.
  • Usage data — pages visited, features used, and device/browser information collected via Vercel Analytics (only with your cookie consent).

3. How We Use Your Data

We use your data to:

  • Provide and operate the Roviqo platform and coaching services.
  • Allow coaches to manage their clients, programmes, and check-ins.
  • Power the Rovi AI coaching feature (see section 5).
  • Display your health and fitness data to you and your coach in the app dashboard.
  • Process payments via Stripe or Apple/Google in-app purchase.
  • Send transactional push notifications relevant to your account (new messages, check-in reminders, session feedback).
  • Improve the platform through anonymised analytics (only with your cookie consent).

We do not sell your data to third parties.

4. Legal Basis for Processing (UK GDPR)

We process your data under the following legal bases:

  • Contract (Article 6(1)(b)) — account data and standard platform usage data, processed to deliver the service you signed up for.
  • Explicit consent (Articles 6(1)(a) and 9(2)(a)) — health and fitness data, wearable data, and progress photographs. This is special category data requiring explicit consent under Article 9. You give this consent by ticking the health data consent box at sign-up. You may withdraw consent at any time by deleting your account or contacting us — withdrawal does not affect lawfulness of prior processing.
  • Legitimate interests (Article 6(1)(f)) — platform security, fraud prevention, and abuse detection, where these interests are not overridden by your rights.
  • Consent (Article 6(1)(a)) — analytics cookies and optional marketing communications. You may withdraw this consent at any time via the cookie banner.

5. AI Processing and Automated Decision-Making (Rovi)

Roviqo includes an AI coaching assistant named Rovi, powered by Anthropic Claude. When you use Rovi:

  • Your messages, relevant fitness profile data (goal, weight, training history, check-in scores), and meal plan context are sent to Anthropic's API to generate responses.
  • Anthropic processes this data as a data processor on our behalf and does not use your data to train their models under our API agreement.
  • You can choose not to use Rovi at any time by selecting human coaching in your account settings.

Automated decision-making (UK GDPR Article 22). Rovi uses automated processing to generate training programmes, meal plans, and coaching feedback. These outputs may have a meaningful effect on your fitness activities. You have the right to request human review of any AI-generated content by contacting your coach or us at Hello@roviqo.uk. You also have the right not to be subject to solely automated decisions that produce significant legal or similarly significant effects — AI outputs on Roviqo are recommendations, not binding decisions.

6. Third-Party Services and International Transfers

We use the following third-party services which process your data as our data processors:

  • Supabase — database, authentication, and file storage. Data is stored in EU data centres. We have a Data Processing Agreement (DPA) in place with Supabase.
  • Vercel — web portal hosting and analytics. Vercel is US-based; transfers are covered by Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA). We have a DPA in place with Vercel.
  • Stripe — payment processing (PCI DSS Level 1 compliant). We have a DPA in place with Stripe.
  • Anthropic — AI language model for the Rovi coaching feature. Anthropic is US-based; transfers are covered by SCCs/IDTA. We have a DPA in place with Anthropic.
  • Apple / Google — in-app purchase processing for Rovi subscriptions. Subject to Apple's and Google's own privacy policies.

Where data is transferred outside the UK, we ensure appropriate safeguards are in place (Standard Contractual Clauses or UK IDTA) in accordance with UK GDPR Chapter V.

7. Data Retention

We retain your personal data for as long as your account is active. If you delete your account, we will remove your personal data within 30 days, except where we are required to retain it for legal, financial, or regulatory compliance purposes (for example, Stripe transaction records, which we retain for 7 years for VAT purposes).

Progress photographs are stored for the duration of your account. Set videos are automatically deleted after 30 days. Wearable sync data is retained for the duration of your account and deleted with it.

8. Your Rights

Under UK GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
  • Restriction — ask us to restrict processing in certain circumstances.
  • Portability — receive your data in a machine-readable format (use the "Export my data" feature in the app, or contact us).
  • Object — object to processing based on legitimate interests.
  • Withdraw consent — at any time for any processing based on consent, without affecting prior lawful processing.
  • Human review — request human review of any AI-generated content or decision (see section 5).

To exercise any right, contact us at Hello@roviqo.uk. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint.

9. Cookies (Web Portal Only)

The Roviqo web portal uses the following cookies. The mobile app does not use cookies.

  • Essential cookies — session authentication tokens required for login. These cannot be disabled without breaking the service and do not require consent under PECR.
  • Analytics cookies — Vercel Analytics, used to understand how the platform is used. These are only set after you click "Accept" in the cookie banner. You can withdraw consent at any time by clearing your browser cookies and declining via the banner on your next visit.

10. Security

We take reasonable technical and organisational measures to protect your personal data, including encryption in transit (TLS), encrypted storage via Supabase, row-level security policies so users can only access their own data, and access controls limiting which staff can access production data.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify affected users without undue delay.

11. Children

Roviqo is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with their data, contact us at Hello@roviqo.uk and we will delete it.

12. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes with at least 30 days' notice by email or in-app notification. Continued use of Roviqo after that date constitutes acceptance of the updated policy.

13. Contact

Roviqo Ltd

Hello@roviqo.uk

Registered with the Information Commissioner's Office (ICO) as a UK data controller.

© 2026 Roviqo Ltd. All rights reserved.