The short version. Your training data stays on your device and in a database we control. We don't sell your data. We don't share it with advertisers. The app uses Strava, Apple Health, and your Apple Watch only with your explicit consent — and you can revoke any of these in one tap. AI coaching uses training metadata (workout types, durations, paces) without your name or email attached.
1. Who we are
Rift is an iOS training app and web service operated by Rift Endurance LLC, a Delaware limited liability company ("Rift," "we," "us," or "our"). This Privacy Policy explains how we collect, use, share, and protect your information when you use the Rift mobile app, the website at riftendurance.com, and the web app at app.riftendurance.com (together, the "Service").
By using the Service you agree to the practices described here. If you do not agree, do not use the Service.
2. What we collect
2.1 Account information
- Email address — required to create your account and receive transactional emails (beta invitations, plan-ready notifications, account confirmations).
- Authentication identifiers — managed by our authentication provider (Supabase), including a hashed password or an OAuth identifier from your sign-in provider.
- Display name — optional, used for personalization inside the app.
2.2 Athlete profile
To generate accurate training plans, the Service collects optional profile data you enter during onboarding or in Settings:
- Date of birth or age, sex / gender, weight, height
- Race goals, target race date, target distance (Sprint, Olympic, 70.3, 140.6)
- Training history, weekly training availability, weekly training volume
- Functional threshold metrics: FTP (bike power), LTHR (lactate threshold heart rate), threshold pace (run), swim CSS (critical swim speed)
- Injury history, time zone, timezone preference
- Gear inventory (bikes, shoes), gear maintenance reminders
2.3 Training and workout data
- Workouts you log manually: date, sport, duration, distance, pace, heart rate, perceived exertion, notes
- Workouts imported from connected services (see §2.4)
- Training programs / plans: scheduled sessions, completion status, plan adaptations over time
- Session reviews and post-session notes
- Per-interval data when available: pace targets, heart-rate targets, completion vs target
2.4 Data from third-party integrations (your explicit consent only)
You can connect the following services to enrich your training data. Each requires your explicit consent, and you can revoke any of them at any time.
- Strava — via Strava's official OAuth flow. With your consent we read your basic athlete profile (Strava ID, first / last name, profile photo), activity summaries (sport, date, distance, duration, elevation, average heart rate / power, GPS polyline), and per-activity streams you opt to import (heart rate, power, cadence, altitude, velocity, distance, time). We do not currently write workouts back to Strava. You can disconnect Strava at any time from inside the app or at strava.com/settings/apps.
- Apple HealthKit — with your permission, the iOS app reads heart rate, distance, workout history, and body metrics (weight, height) to display live HR zones during workouts and calculate training load. The app may write completed workouts back to HealthKit if you opt in. Apple Health data is read on-device and is not transmitted to our servers.
- Apple WorkoutKit (Apple Watch) — with your permission, the iOS app pushes scheduled workouts to your Apple Watch and reads completed workout summaries back from the Watch via HealthKit.
- Garmin, Wahoo, Coros, Polar, Suunto — listed as planned future integrations on our marketing site. If and when these go live, they will be opt-in via the same consent model as Strava.
2.5 Communications
- Email messages you send us (support inquiries, feedback)
- Responses you submit through forms on our website (beta signup, newsletter)
- Direct messages on social platforms where you initiate contact with us
2.6 Device and usage data
- Device model, operating system version, app version, locale, timezone
- Pages or screens viewed, features used, taps and scrolls (via analytics — see §4)
- Crash logs and error events (via Sentry — see §4)
- IP address (collected automatically by our hosting providers for fraud prevention and rate limiting; not used to track you across sites)
We do not use Apple's Identifier for Advertisers (IDFA). We do not track you across other apps or websites for advertising purposes.
2.7 Payment information (future)
The Service is currently free during beta. When paid subscriptions are introduced, payments will be processed by a third-party payment processor (likely Stripe and / or Apple's In-App Purchase system). We will not store your full credit card number on our servers; we will only receive transaction metadata (subscription tier, renewal date, last four digits) needed to operate your subscription.
3. How we use your information
We use the information we collect to:
- Operate the Service — create your account, generate your training plan, sync data across your devices, display your training history
- Personalize — calibrate workouts to your fitness data, race goals, and life schedule
- Generate AI coaching content — send anonymized training context to our AI provider (Anthropic) to generate plan content and answer your training questions (see §4)
- Communicate — send transactional emails (beta invites, password resets, important service updates) and (with your opt-in) newsletters
- Improve the product — analyze aggregated usage to identify bugs, prioritize features, and improve plan quality
- Ensure security — detect abuse, prevent fraud, debug errors
- Comply with law — respond to legal requests, enforce our Terms
4. Third-party services we share data with
We share data with the following service providers, each of whom is bound by their own privacy commitments and processes data only on our behalf:
| Provider | Purpose | Data shared |
| --- | --- | --- |
| Supabase | Database, authentication, file storage | All account, profile, and training data persisted to the cloud |
| Anthropic (Claude) | AI plan generation and AI coaching responses | Training metadata (workout types, durations, paces, HR zones, race goals). We do not send your name or email to Anthropic. |
| Netlify | Website hosting + serverless functions that proxy Strava and AI calls | Request logs (IP, user-agent), form submissions, function invocations |
| Strava | Activity import via OAuth | Only the OAuth identifier we use to fetch your activities (data flows from Strava to us, not the other way) |
| Apple (HealthKit + APNs) | HealthKit read / write (on-device only), Apple Push Notifications | APNs device tokens (for push delivery); HealthKit data never leaves your device |
| Sentry | Error monitoring and crash reporting | Error events (stack traces, device model, OS, app version). We do not include training data or PII in error reports. |
| Google Analytics, Meta Pixel, TikTok Pixel, Microsoft Clarity, PostHog | Website and product analytics (marketing site + in-app) | Page views, conversion events (hashed email only for ad attribution), session replays of your interactions with the marketing site (Clarity) |
| Loops / Klaviyo (email) | Transactional and marketing email delivery | Email address, name, list-membership, email open / click events |
| Stripe / Apple In-App Purchase (future) | Subscription payment processing | Limited transaction metadata (no full credit card number) |
We do not sell your personal information. We do not share your training data, athlete profile, or contact information with data brokers, advertisers, or unrelated third parties.
5. How we protect your data
- Encryption in transit — all data is sent over HTTPS / TLS 1.2+
- Encryption at rest — Supabase encrypts your data at rest using AES-256 on the underlying AWS infrastructure
- Row Level Security — all user data tables in our database have RLS policies that allow only your authenticated account to read or write your own records
- Access controls — only a small number of operators have administrative access to production systems, with multi-factor authentication enforced
- Apple Health data stays on-device — never transmitted to our servers
- API keys and secrets — managed through environment variables in our hosting providers; never committed to source control
No system is perfectly secure. If we become aware of a data breach affecting your personal information, we will notify you and the relevant authorities as required by law (within 72 hours for GDPR jurisdictions).
6. Your rights
Depending on where you live, you may have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you
- Correction — update inaccurate or incomplete data (most can be done directly inside the app under Settings → Profile)
- Deletion — request that we delete your account and associated data (see §7)
- Portability — request a machine-readable export of your training data
- Restriction / objection — restrict or object to certain processing (such as marketing emails — unsubscribe links are in every email)
- Withdraw consent — withdraw consent for any integration (Strava, Apple Health, etc.) at any time inside the app
- Lodge a complaint — with your local data protection authority (for EU / UK residents)
To exercise any of these rights, email app@riftendurance.com. We will respond within 30 days.
7. Data retention and deletion
We retain your data for as long as your account is active. You can delete your account at any time from Settings → Account → Delete Account inside the iOS app.
When you delete your account:
- Your profile, workouts, programs, gear, reviews, and Strava connection are permanently deleted from our database within 30 days
- Your data is removed from active database backups within 90 days
- Email records (transactional history) are retained for up to 12 months for compliance and fraud prevention, then deleted
- Aggregated, anonymized usage analytics that cannot be associated with you may be retained indefinitely
You can also email app@riftendurance.com to request deletion.
8. International data transfers
Rift is operated from the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. By using the Service you consent to this transfer.
For users in the European Economic Area, United Kingdom, or Switzerland, we rely on appropriate safeguards (such as Standard Contractual Clauses) where required for cross-border transfers via our processors.
9. Children's privacy
The Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us at app@riftendurance.com and we will delete it.
10. California, Colorado, Virginia, and other state privacy rights
Residents of certain US states have additional rights including the right to know, delete, correct, and opt out of the sale or sharing of personal data. Rift does not sell or share personal data in the way these laws define those terms. To exercise rights under your state's law, email app@riftendurance.com.
11. iOS Privacy Nutrition Label
For our App Store listing, the data we collect maps to the following Apple Privacy categories:
- Contact Info — email address (linked to user, used for app functionality)
- Health & Fitness — fitness, workout, body metrics (linked to user, used for app functionality)
- Identifiers — user ID (linked to user)
- Usage Data — product interaction (linked to user, used for analytics + app functionality)
- Diagnostics — crash data, performance data (linked to user, used for app functionality)
We do not collect: financial info (until paid subscriptions launch), location data outside of workout GPS routes that you explicitly import, contacts, browsing history, search history, or sensitive info.
12. Changes to this Privacy Policy
We may update this Policy from time to time. When we do, we will update the "Last updated" date at the top. For material changes that affect how your data is used, we will notify you via email and / or an in-app notice at least 30 days before they take effect. Continued use of the Service after changes constitutes acceptance.
13. Contact us
Questions, requests, or complaints? Email app@riftendurance.com.
Postal address: Rift Endurance LLC, [Add postal address before going live].