Privacy Policy

1. Who Operates Riveryn

In this policy, "Riveryn," "we," "us," and "our" mean MyTip Innovations s.r.o. when it operates the Riveryn app, website, backend, and support channels.

MyTip Innovations s.r.o. is established in the European Union. No separate EU representative is required for GDPR purposes. A data protection officer has not been appointed because Riveryn is not currently designed to require one.

2. Scope

This policy applies to the Riveryn iOS app, the website at riveryn.com, the backend at api.platecue.com, and Riveryn support interactions.

This policy does not cover Apple services, App Store billing, device-level analytics controlled by Apple, or third-party websites linked from Riveryn. Those services are governed by their own terms and privacy policies.

3. Short Summary

• No account required. Riveryn does not require a user account. Your profile, meal history, saved entries, energy check-ins, and entitlement cache are stored locally on your device.
• Meal input is user initiated. You choose when to take or import a photo, type meal details, or record a voice note. Voice notes may be sent through the Riveryn backend to ElevenLabs for transcription before editable text is inserted. Apple speech recognition may be used as a fallback if backend transcription is unavailable.
• No ad tracking or sale. Riveryn does not use third-party advertising SDKs, cross-app tracking, data brokers, or health and nutrition data for advertising targeting.
• Anonymous diagnostics only. If configured, Riveryn sends coarse app usage diagnostics to understand onboarding, meal-check, correction, save, saved-entry, energy check-in, paywall, purchase, restore, export, delete, and error funnels. Meal photos, voice audio, meal text, transcripts, corrections, meal names, detailed nutrition totals, energy check-in labels or notes, body data, HealthKit data, contact info, exact location, and ad identifiers are not sent to analytics. You can turn this off in Settings.
• Website App Store CTA attribution. When you tap an App Store button on riveryn.com, Riveryn may send only UTM source, campaign, and content values, CTA surface, App Store destination, and page path to the Riveryn backend for aggregate launch learning. This does not use cookies, third-party pixels, ad identifiers, account data, contact data, meal data, referrer, or user-agent fields in the analytics event.
• Export and delete controls. The app includes local data export and local data deletion in Settings. The privacy choices page explains the exact paths.

4. Personal Data We Process

• Profile and goal inputs. Examples include sex, age, height, weight, preferred units, self-reported activity level, goal, and diet style. These are stored locally on your device. A limited goal, diet-style, activity, calorie-target, protein-target, and carb-target context may be sent for a requested meal analysis or energy-pattern insight, but sex, age, height, weight, and preferred units are not intentionally forwarded to the AI provider. The purpose is to estimate daily calorie, protein, and carb signals for your chosen plan, format body-measure inputs in the units you prefer, and give meal checks enough plan context to explain what a meal means for the day. Riveryn does not collect HealthKit data, Motion and Fitness API data, step counts, workouts, or sensor-derived exercise data in the current app.
• Meal photos. Examples include photos you choose from camera or photo library for meal analysis. These are processed in the app and, for production AI analysis, sent to the Riveryn backend and AI provider. The purpose is to identify visible foods and estimate nutrition. Raw photos are not intentionally stored by Riveryn after the request is serviced.
• Typed notes, correction text, and transcripts. Examples include meal descriptions, hidden sauce or oil notes, serving details, brand or label details, voice-note transcripts, and correction text you type or apply after transcription. Text may be sent to the Riveryn backend and OpenAI when you request a meal check, correction, or eligible pattern insight. The purpose is to estimate or correct meals when a photo is missing context or when you prefer text or voice input.
• Voice audio for transcription. Examples include short meal-note or correction recordings you start from the microphone control. In the current production path, Riveryn records a temporary audio file on the device, sends it to the Riveryn backend, and the backend sends it to ElevenLabs for speech-to-text transcription. If backend transcription is unavailable, the app may use Apple speech recognition as a fallback where supported and permitted. The local temporary audio file is deleted after transcription finishes or fails. Riveryn backend logs for speech transcription are designed to include metadata such as duration, byte size, transcript length, source, model, and language signal, not raw audio or transcript text.
• Meal estimates and corrections. Examples include detected items, calories, macros, fiber, sodium, confidence, notes, and saved entries. These are stored locally on your device. The backend returns an estimate and does not store a meal-history database. The purpose is to show daily progress, help you correct estimates, and let you reuse familiar entries.
• Energy check-ins. Examples include optional low, sluggish, steady, or great labels; optional notes; and scheduled, completed, or skipped state. These are stored locally on your device and included in local export and deletion controls. When enough completed check-ins exist, Riveryn may send a limited history to the backend and OpenAI for an energy-pattern insight: meal day key, meal slot, meal title, estimated calories/macros/fiber, completed energy label, optional hunger score if present, limited goal context, and the current on-device fallback insight. Check-in notes are not sent for AI pattern insight. The purpose is to help you spot subjective meal patterns over time based on your own check-ins.
• Purchase status. Examples include Apple subscription product ID, entitlement state, and restore result. These are handled by Apple StoreKit and cached locally in the app. The purpose is to unlock premium features and restore purchases. Riveryn does not receive payment card numbers.
• Anonymous product diagnostics. Examples include coarse app events such as onboarding started/completed, meal check started/completed, analysis failed, correction added, meal saved, saved entry created or logged, energy check-in scheduled/completed/skipped without the selected label or note, paywall viewed/dismissed, plan selected, purchase started/cancelled/failed, premium started, restore started/completed, export, and delete. These may be sent to a privacy-forward analytics provider through HTTPS when anonymous usage diagnostics are enabled. Riveryn uses a random app-local installation identifier that is hashed before transmission, plus a per-launch hashed session identifier. The purpose is to find activation, retention, revenue, and reliability bottlenecks. Riveryn does not send meal photos, voice audio, typed or dictated meal text, transcripts, correction text, meal names, detailed nutrients, energy check-in labels or notes, body measurements, HealthKit-derived values, contact info, exact location, IDFA, or ad attribution identifiers to analytics.
• Website App Store CTA attribution. Examples include UTM source, campaign, and content parameters, CTA surface, App Store destination, and page path when you select an App Store button on riveryn.com. The website sends this to the Riveryn backend as a first-party event with credentials omitted. The purpose is aggregate landing-to-App Store intent measurement by campaign and variant. The analytics event is designed not to include cookies, persistent browser IDs, ad identifiers, referrer, user-agent, account or contact details, meal data, or nutrition data.
• Operational request data. Examples include IP address used for rate limiting, request timing, endpoint, mode, model, source, item count, transcript length, audio byte count, language signal, and error state. This is handled in backend memory and hosting logs, depending on the service provider. The purpose is security, abuse prevention, reliability, debugging, and capacity planning. Application logs are designed not to intentionally include raw photos, raw voice audio, meal names, user notes, transcript text, correction text, or nutrition totals.
• Support data. Examples include email address, message text, attachments, and issue details you choose to send. This is handled in the support inbox or support tooling. The purpose is to respond to support, legal, privacy, billing, and product questions.
• Website data. Examples include basic hosting logs such as IP address, browser user agent, pages requested, referrer, and timestamp, plus privacy-first Cloudflare Web Analytics page and performance metrics. This is handled by static hosting, CDN, DNS, and website analytics providers. The purpose is to deliver the website, prevent abuse, secure the site, understand service reliability, and learn which public pages help people find Riveryn. The landing page does not include ad pixels or intentional tracking cookies.

5. Sensitive and Health-Adjacent Data

Riveryn is a consumer wellness app, not a medical service. Still, nutrition, weight, body, diet, food, voice, and subjective energy information can be sensitive. We use this information only to provide the features you request, such as daily targets, meal estimates, corrections, saved entries, optional energy check-ins, energy-pattern insights, export, and deletion.

To the extent any information you provide is treated as special category health data, sensitive personal information, or similarly protected data under applicable law, we process it only for the app functionality you request, with your affirmative use of those features, and not for advertising, sale, or data brokerage.

6. Legal Bases for Processing

Where GDPR, UK GDPR, or similar laws apply, we rely on the following legal bases:

• Providing app features, meal analysis, local storage, subscription entitlement checks, support, and requested exports or deletion: performance of a contract or steps requested before entering a contract.
• Camera/photo permissions, microphone permissions, optional meal-photo analysis, voice-note transcription, optional AI pattern insights, and optional support attachments: your consent or affirmative request, depending on the legal framework and platform permission flow. If Apple speech recognition is used as a fallback, the Apple speech-recognition permission flow may also apply.
• Anonymous usage diagnostics: legitimate interests in improving product usability, reliability, activation, retention, and subscription flows, balanced against user rights through data minimization, no ad tracking, no sensitive meal/body analytics payloads, hashed app-local identifiers, and an in-app off switch.
• Security, fraud prevention, rate limiting, debugging, service reliability, and abuse prevention: legitimate interests in operating a secure, reliable service, balanced against user rights.
• Tax, accounting, legal claims, App Store compliance, consumer protection compliance, and responses to lawful requests: legal obligation or legitimate interests, depending on the context.

7. Meal Photos, Speech, and AI Processing

Riveryn uses meal photos, typed notes, and dictated text only when you ask the app to check or correct a meal. A photo estimate is inherently approximate because an image may not reveal hidden oils, sauces, recipes, brands, portion weight, or preparation details.

In production mode, the iOS app sends the selected image, typed note, dictated text, correction text, and limited plan context to the Riveryn backend. The backend is designed to process the request in memory, call OpenAI with application-state storage disabled where supported, return structured nutrition estimates or corrections, and avoid storing raw image files. The backend is designed not to intentionally write raw photos, meal names, user notes, correction text, or nutrition totals to application logs.

For voice input, the app records a short temporary audio file, sends it to the Riveryn backend, and the backend sends it to ElevenLabs for speech-to-text transcription in the current production configuration. The returned transcript is shown as editable text before you use it for a meal check or correction. If backend transcription is unavailable, the app may use Apple speech recognition as a fallback. Riveryn is designed not to intentionally retain raw voice audio or transcript text after the transcription request is serviced.

For energy-pattern insights, Riveryn may send a limited completed-check-in history to the backend and OpenAI once enough completed check-ins exist. This history includes meal titles and estimated nutrition totals tied to completed energy labels, but it does not include optional energy check-in notes. The backend logs pattern-insight metadata such as history count and token usage, not the raw history payload.

AI providers may process request data to return the requested estimate and may maintain temporary abuse-prevention, security, or reliability logs under their own service terms. Riveryn uses provider terms and settings intended to support the privacy commitments described in this policy.

8. How We Use Personal Data

• To provide onboarding, plan targets, meal analysis, speech transcription, corrections, saved entries, daily progress, optional energy check-ins, energy-pattern insights, export, and local deletion.
• To process subscriptions and restore purchases through Apple StoreKit.
• To respond to support, privacy, and legal requests.
• To protect the service from excessive automated use and keep the backend available.
• To measure aggregate website App Store button intent by campaign, variant, CTA surface, destination, and page path.
• To comply with applicable law, tax, accounting, consumer protection, privacy, and App Store requirements.

Riveryn does not sell personal data, share nutrition or photo data with data brokers, or use health, fitness, photo, or nutrition data for targeted advertising.

9. Sharing and Service Providers

Riveryn may share data with service providers only as needed to operate the app and website. Categories of providers include:

• Apple, for App Store distribution, StoreKit purchases, subscription management, refunds, device permission flows, and Apple speech recognition if backend transcription fallback is used.
• Cloud hosting, CDN, DNS, and backend providers, for website hosting, API hosting, TLS, logs, rate limiting, and production availability.
• OpenAI, for requested meal-photo, text-note, correction, and eligible energy-pattern analysis.
• ElevenLabs, for requested speech-to-text transcription of short user-initiated voice notes in the current production path.
• Privacy-forward analytics providers, for anonymous coarse app usage diagnostics that help improve onboarding, retention, paywall, purchase, restore, and error flows.
• Email or support tools, for support, legal, and privacy request handling.
• Professional advisers, regulators, courts, law enforcement, or transaction counterparties where legally required or reasonably necessary.

Riveryn limits providers to processing data for Riveryn's service purposes. Riveryn does not authorize providers to use meal photos, voice audio, nutrition information, transcripts, or profile inputs for third-party advertising.

10. International Transfers

MyTip Innovations s.r.o. is established in the Czech Republic. Riveryn users, hosting providers, AI providers, Apple services, and support tools may be located in the United States, the European Economic Area, the United Kingdom, Canada, Australia, and other countries.

Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to countries that do not provide an adequate level of protection, Riveryn relies on appropriate safeguards such as Standard Contractual Clauses, provider data processing terms, or another lawful transfer mechanism.

11. Retention

• Local profile, meal history, saved entries, energy check-ins, pattern-insight cache, free-check balance, and entitlement cache remain on your device until you delete them, uninstall the app, or iOS removes app data.
• Raw meal photos are not intentionally retained by the Riveryn backend after the analysis request is serviced.
• Raw voice audio is recorded to a temporary local file for transcription and is deleted after transcription finishes or fails. Raw voice audio and transcript text are not intentionally retained by the Riveryn backend after the transcription request is serviced.
• Short-term rate-limit data may be held in backend memory during the rate-limit window.
• Operational logs are kept only as long as needed for security, reliability, debugging, and abuse prevention, subject to hosting provider controls.
• Anonymous product diagnostics may be retained by the analytics provider according to the provider settings and terms. Riveryn keeps event-level analytics only as long as needed for product learning and prefers short retention or aggregate-only retention where available.
• Support communications may be retained as needed to handle the request, keep business records, resolve disputes, and comply with law.
• Apple may retain purchase, subscription, refund, and billing records under Apple's own terms and policies.

12. Privacy Rights

Depending on where you live, you may have rights to request access, correction, deletion, restriction, portability, objection, withdrawal of consent, or a copy of information about how your data is processed. You may also have the right to complain to a data protection authority.

For EU users, the relevant supervisory authority for MyTip Innovations s.r.o. may include the Czech Office for Personal Data Protection unless another authority is competent for a specific matter. UK, Canadian, Australian, and US state privacy rights may also apply depending on your location and the facts of processing.

For California and other US state privacy laws, Riveryn does not sell or share personal information for cross-context behavioral advertising and does not use sensitive personal information to infer characteristics for unrelated purposes. Even where a particular statute does not apply, privacy requests can still be sent through the Privacy Choices page.

13. Your Choices and Controls

• Export: Settings > Data and privacy > Export local data creates a JSON file for the profile, meals, saved entries, energy check-ins, free-check balance, pattern-insight cache, and entitlement cache stored by the app.
• Delete local data: Settings > Data and privacy > Delete all local data removes the local profile, meals, saved entries, energy check-ins, pattern-insight cache, free-check balance, and entitlement cache from the device.
• Anonymous diagnostics: Settings > Data and privacy > Anonymous usage diagnostics lets you turn coarse product diagnostics on or off. Deleting local Riveryn data resets the local analytics installation identifier for future events.
• Subscriptions: Local data deletion does not cancel an Apple subscription. Use App Store subscription management to cancel or change billing.
• Photos and voice: You can deny camera, photo-library, or microphone access in iOS Settings. Without photo access, photo-based meal analysis will be limited. Without microphone access, voice notes will be unavailable. If Apple speech recognition fallback is used, you may also see Apple's speech-recognition permission flow.
• Privacy requests: The Privacy Choices page explains how to request help with access, deletion, or correction for support records or any server-side data that may exist.

14. HealthKit and Motion

Riveryn does not use HealthKit or the Motion and Fitness API in the current app. If HealthKit or Motion and Fitness support is introduced, Riveryn will request only the specific permissions needed, explain them before requesting access, avoid using that data for advertising or data brokerage, and update this policy and App Store privacy answers.

15. Children

Riveryn is not directed to children under 13 and should not be marketed to minors. Riveryn is a consumer wellness tool for users age 13 or older who can make their own nutrition decisions or who use it with appropriate adult and professional guidance. If you believe a child under 13 has provided personal data to Riveryn, contact support@platecue.com.

16. Security

Riveryn uses reasonable technical and organizational safeguards, including server-side API keys, HTTPS production endpoints, local-first storage, no committed secrets, body-size limits, and rate limiting. No method of transmission or storage is perfectly secure.

17. Changes

Riveryn may update this policy as the app, backend, providers, launch territories, or legal requirements change. Material changes will be reflected in the policy, in-app links, App Store privacy details, and release notes where appropriate.

18. Contact

MyTip Innovations s.r.o.

K lukam 1071/19a, 142 00 Praha-Libus, Czech Republic

Email: support@platecue.com

Support URL: https://riveryn.com/support/