Privacy Policy

Effective Date: March 31, 2026

This Privacy Policy explains how Ritma ("we", "us", "our") collects, uses, stores, and protects your personal data when you use the Ritma service ("Service"). We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the ePrivacy Directive, and other applicable data protection laws.

1. Data Controller

Ritma is the data controller responsible for your personal data. Contact: legal@ritma.org.

2. Personal Data We Collect

Account Data

Email address, full name, avatar URL, preferred language, time zone, and chronotype.

Authentication Data

Sign-in timestamps, sign-in count, IP addresses (current and last sign-in), OAuth provider and user ID (if using Google Sign-In), password hash (if using email authentication).

Usage Data

Habits (names, descriptions, schedules, completion records), goals (titles, descriptions, deadlines, status), tasks and todos (titles, completion status), life equilibrium assessments (category scores, notes, triggers), and activity logs (daily counts by type).

Technical Data

Server request logs including IP address, user agent, request path, response status, and request duration. These are retained for security and operational purposes.

3. Legal Basis for Processing

We process your personal data on the following legal bases under GDPR Article 6:

  • Contract performance (Art. 6(1)(b)) — to provide the Service as agreed in the Terms of Service.
  • Consent (Art. 6(1)(a)) — for optional features where we specifically request your consent.
  • Legitimate interest (Art. 6(1)(f)) — for security, fraud prevention, service improvement, and operational logging.

4. How We Use Your Data

We use your personal data to: provide and maintain the Service; authenticate your identity; track your habits, goals, and life balance as you direct; generate personalized insights and activity trends; send transactional emails (password reset, account notifications); ensure the security and integrity of the Service; and comply with legal obligations.

5. Third-Party Processors

We share your data with the following third-party service providers who process data on our behalf:

  • Google Cloud Platform (Cloud Run, Cloud SQL, Cloud Storage) — hosting, database, and file storage. Data is processed in the EU region.
  • Google OAuth 2.0 — authentication only. We receive your email, name, and profile picture from Google when you choose to sign in with Google.
  • Google Fonts — loaded in the browser to display the application. Google may collect anonymous usage data. See Google's privacy policy for details.

We do not sell, rent, or trade your personal data to third parties. We do not use your data for advertising or profiling.

6. Data Retention

We retain your personal data for as long as your account is active. When you close your account, your data enters a 30-day grace period, after which it is permanently deleted. If you request immediate deletion, your data is removed without delay. Server logs containing IP addresses and request metadata are retained for up to 90 days for security and operational purposes, then automatically purged.

7. Your Rights Under GDPR

Under GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16) — correct inaccurate personal data via your Account Settings.
  • Right to erasure (Art. 17) — request deletion of your personal data. You can delete your account from Account Settings.
  • Right to data portability (Art. 20) — download all your data in a machine-readable JSON format from Account Settings.
  • Right to restriction (Art. 18) — request that we limit how we process your data.
  • Right to object (Art. 21) — object to processing based on legitimate interest.
  • Right to withdraw consent — withdraw consent at any time for processing based on consent.

You can exercise most of these rights directly from Account Settings. For other requests, contact us at legal@ritma.org. We will respond within 30 days.

8. Children's Privacy

The Service is not intended for children under 13. We do not knowingly collect personal data from children under 13. If we learn that we have collected data from a child under 13, we will delete it promptly. If you believe a child under 13 has provided us with personal data, please contact us at legal@ritma.org.

9. International Data Transfers

Your data is primarily stored and processed within the European Union on Google Cloud Platform. Where data is transferred outside the EU (for example, to Google services), it is protected by appropriate safeguards such as Standard Contractual Clauses (SCCs) or an adequacy decision by the European Commission.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including: encryption of data in transit (TLS/HTTPS); encryption of data at rest; hashed passwords (bcrypt with appropriate cost factor); role-based access controls; regular security reviews; and Content Security Policy headers. No method of transmission or storage is 100% secure, so we cannot guarantee absolute security.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or in-app notification at least 30 days before the changes take effect. The "Effective Date" at the top indicates the latest revision.

12. Supervisory Authority

If you believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority.

13. Contact

For privacy-related inquiries, contact us at legal@ritma.org.