Privacy Policy
Effective 29 April 2026 · Last updated 29 April 2026 · Plain English
This is the privacy policy for max (Ravaga Studio, "we", "us"), a personal kinesiology coaching service available at max.ravaga.com and through its companion apps.
We've tried to write this in plain English, not lawyer-speak. If anything is unclear, email contact@ravaga.com.
i. Who we are
Ravaga Studio is the data controller for the personal data described in this policy. More about us at studio.ravaga.com. For data-protection questions, contact contact@ravaga.com.
ii. What we collect
We collect three categories of data.
A. Account data — what you give us when you sign up
- Email address
- First and last name
- Authentication tokens (managed by our auth provider)
B. Health and coaching data — what you give us so we can build a plan that fits
- Body areas you want to work on (e.g. lumbar, shoulder, knee)
- How long the issue has been present
- Current pain level (a number from 0 to 10)
- Aggravating activities you describe in your own words
- A self-recorded assessment video showing how you move
- Pain, mood, and notes you log after each session
- Reps, sets, and durations the app records as you do exercises
- Notes your coach writes about your progress
This is health data — what GDPR calls a special category — so we treat it with extra care. We process it only with your explicit consent (which you give by signing up and submitting your assessment) and only to deliver the service.
C. Technical data — what your browser and device tell us automatically
- IP address (briefly, used by our hosting provider for security and routing)
- Browser type, language, operating system
- Pages visited, timestamps, referrer
- Anonymous performance metrics (Core Web Vitals)
We do not use third-party advertising trackers and we do not sell data to anyone.
iii. Why we collect it
| What we do | Why | Legal basis (GDPR) |
|---|---|---|
| Run your account (email, name) | We need it to provide the service | Contract |
| Build and adjust your courses (health data, video, logs) | The service we promised | Contract + explicit consent |
| Send you transactional email (magic links, course updates) | You need it to use the service | Contract |
| Operate the website and apps (technical data) | We need it to keep things working and secure | Legitimate interests |
| Anonymous analytics on landing pages | To understand traffic and improve | Legitimate interests |
We do not send marketing email without your separate, explicit opt-in.
iv. Who we share data with
We work with a small number of vetted service providers. Each one is a "data processor" under GDPR, which means they only process data on our written instructions, never their own. We have data-processing agreements (DPAs) with all of them.
| Provider | What they handle | Where |
|---|---|---|
| Supabase | Database, authentication, file storage (your assessment video and any photos) | EU (Frankfurt region) |
| Vercel | Web hosting and edge delivery for the landing and the apps | Global edge; primary data centres in the EU and US |
| Cloudflare | DNS, content delivery, DDoS protection | Global edge |
| Mailgun | Transactional email (magic links, system messages) | EU region |
| Vercel Analytics | Anonymous, cookieless pageview and performance metrics. Also minimal product events (e.g. "session started", "session completed") tagged with operational identifiers like course IDs. No health data — pain levels, mood scores, and notes never leave Supabase. | EU |
Your coach is a person who works with us, and they see the data necessary to coach you (your assessment, your check-ins, your progress). Coaches are bound by the same confidentiality obligations.
We do not share your data with anyone else, except where the law strictly requires it (e.g. a court order).
v. International transfers
Our primary data storage is in the European Union. Some of our infrastructure providers (Vercel, Cloudflare) operate global edge networks, which means data can briefly transit through other regions on its way between you and us. Where transfers leave the EU, they're covered by the EU's Standard Contractual Clauses or equivalent safeguards.
vi. How long we keep it
| Data | Retention |
|---|---|
| Account data | While your account is active, plus 30 days after deletion |
| Health and coaching data | While your account is active, plus 30 days after deletion. Aggregated, de-identified statistics may be retained longer for service improvement. |
| Assessment videos | Until you delete them or your account, or six months after course completion (whichever is earliest) |
| Technical logs | 90 days |
| Anonymous analytics | 90 days |
When you delete your account, we delete or de-identify your personal data within 30 days. Some records (e.g. invoices, if we charge you) may need to be kept longer to satisfy legal obligations like tax retention.
vii. Cookies and similar technologies
We use the smallest set of storage we can.
- Session cookies and local storage for keeping you signed in. These are strictly necessary to use the service and don't require consent under GDPR.
- Local storage for your language preference, offline cache, and a few UI preferences. Strictly necessary.
- Vercel Analytics is cookieless — it counts pageviews without setting any cookie or persisting any identifier on your device.
We do not use advertising, retargeting, or third-party tracking cookies. If that ever changes, this policy will be updated and we'll request consent before loading them.
viii. Your rights
Under GDPR (and most equivalent regimes), you have the right to:
- Access the data we hold about you (we'll send you a copy)
- Correct anything that's wrong (you can do most of this yourself in the profile screen)
- Delete your account and your data ("right to be forgotten")
- Export your data in a machine-readable format (portability)
- Restrict how we process your data
- Object to processing based on legitimate interests
- Withdraw consent at any time, where we rely on consent (this won't affect processing that already happened)
- Complain to your local data-protection authority if you think we've handled your data poorly
To exercise any of these, email contact@ravaga.com. We respond within 30 days.
ix. Security
We protect your data with industry-standard measures: encryption in transit (TLS) and at rest, scoped access (Row Level Security on every table, signed URLs for video uploads), limited access for our team, and regular review. No system is perfect, but we treat security as a continuous practice, not a checkbox.
If we ever discover a personal-data breach affecting you, we'll notify you and the relevant supervisory authority within 72 hours, as required by law.
x. Children
The service is not intended for people under 18. We don't knowingly collect data from minors. If you believe a child has signed up, email us and we'll delete the account.
xi. Changes
If we change this policy materially, we'll update the "Last updated" date and, where the change is significant, notify you by email or in-app banner before it takes effect. Continued use after the effective date means you accept the change.
xii. Contact
For privacy questions, data requests, or anything else covered here:
- Email: contact@ravaga.com
- Web: studio.ravaga.com
If you're in the EU and unhappy with our response, you can also contact your national data-protection authority. The EDPB maintains a list at edpb.europa.eu.