Privacy Policy
Last updated: June 2025
Rithim is built by someone with ADHD, for people with ADHD. Your health data is yours. We will never sell it, use it for advertising, or share it with third parties for their own purposes.
1. Who We Are
Rithim is a cycle and ADHD symptom tracking application created by Dr Deirdre Ryan and operated by KOA Psychology Limited, a company registered in Ireland. KOA Psychology Limited is the data controller for the purposes of GDPR and applicable data protection legislation. This privacy policy explains how we collect, use, and protect your personal data when you use the Rithim mobile application and website.
2. What Data We Collect
When you create an account and use Rithim, we collect and store:
- Account information: Username and password (your password is cryptographically hashed using scrypt — we cannot read it)
- Profile information: Name, date of birth, cycle start date, life stage, and cycle length
- Daily symptom logs: Focus, energy, mood, anxiety, and impulsivity ratings, along with notes and sleep data
- Medication data: Medication names, dosages, frequencies, and daily medication logs
- Daily actions: Phase-aware micro-actions assigned to you and which ones you completed
- Suggestion feedback: Whether personalised suggestions were helpful
3. Health Data
Rithim processes sensitive health-related data including menstrual cycle information and ADHD symptom tracking. This data is processed on the basis of your explicit consent when you create an account and begin logging. You can stop logging at any time and request deletion of your data.
4. How We Use Your Data
Your data is used exclusively to:
- Provide cycle-aware ADHD symptom tracking and insights within the app
- Generate personalised daily actions and suggestions based on your cycle phase
- Display your historical patterns and trends
- Sync your data securely across devices
- Send transactional emails (welcome email, password reset) if you provide an email address
5. Data Storage and Security
Your data is stored in a secure PostgreSQL database hosted in the European Union (Frankfurt, Germany) — the same type used by banks and healthcare providers. Your health data remains within EU jurisdiction at all times, in full compliance with GDPR data residency requirements. All data transmitted between your device and our servers is encrypted using HTTPS/TLS. Your login session is protected by a secure server-side key. Data is encrypted at rest using industry-standard AES-256 encryption.
When using the app without an account or in Developer Preview (demo mode), your data is stored locally on your device only and is not transmitted to our servers.
6. Third-Party Services
Rithim uses the following third-party services:
- SendGrid (Twilio): For sending transactional emails (welcome emails, password resets). SendGrid processes your email address only. See the SendGrid Privacy Policy.
- RevenueCat: For managing subscriptions (Rithim Plus). RevenueCat processes your app user ID and purchase information. See the RevenueCat Privacy Policy.
We do not use any analytics, advertising, or tracking SDKs. We do not share your health data with any third party.
7. Your Rights (GDPR)
Rithim is designed with European privacy law (GDPR) in mind. You have the right to:
- Access: See all data we store about you
- Rectification: Correct any inaccurate data
- Erasure: Request deletion of your data
- Data portability: Receive your data in a structured format
- Withdraw consent: Stop using the app at any time; your data will not be used for any other purpose
- Restriction of processing: Request that we limit how we use your data
You can exercise your right to data access and portability directly in the app: go to Settings > Privacy & Data Security > "Export My Data" to download a complete copy of all your data in JSON format. To permanently delete your account and all associated data, use Settings > Privacy & Data Security > "Delete My Account." You can also contact us at the email address listed below for any privacy-related requests.
8. Data Retention
Your data is retained for as long as your account is active. If you delete your account using the in-app deletion feature, your data is permanently removed from our servers immediately. If you contact us to request deletion, your data will be removed within 30 days.
9. Children's Privacy
Rithim is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children.
10. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of any material changes through the app or by email. The "Last updated" date at the top of this page indicates when this policy was last revised.
11. Legal Basis for Processing
We process your data on the following legal bases under GDPR:
- Consent (Article 6(1)(a) and Article 9(2)(a)): You provide explicit consent when you create an account and begin logging health-related data. You can withdraw consent at any time by deleting your account.
- Contract (Article 6(1)(b)): Processing necessary to provide you with the Rithim service, including managing your account and subscription.
- Legitimate interest (Article 6(1)(f)): Processing necessary to maintain the security of the service and prevent fraud.
12. Contact
If you have any questions about this privacy policy or your data, please contact us at:
Dr Deirdre Ryan
KOA Psychology Limited
Email: support@rithimapp.com