Privacy Policy

1. Introduction

Ravini ("we", "our", or "us") operates ravini.co.uk and the Ravini mobile applications (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered lead management platform for fitness businesses, including our mobile apps for gym members and gym owners.

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Ravini is the data controller for the personal data we collect about gym owners and administrators.

2. Information We Collect

2.1 Information You Provide

• Account Information: Name, email address, phone number, gym/business name, and password
• Billing Information: Payment card details (processed securely via Stripe), billing address
• Business Information: Gym details, address, timetable, programmes, pricing
• Communications: Messages you send to our support team

2.2 Information Collected Automatically

• Usage Data: Log files, IP address, browser type, device information, pages visited, time spent on pages
• Cookies: Session cookies for authentication, preference cookies for settings
• AI Agent Data: Conversation logs, message content, token usage, API interactions

2.3 Lead Data You Process

When you use our AI agents to communicate with your leads, we process:

• Lead names, email addresses, phone numbers
• SMS and form submission content
• Conversation history between AI agents and leads
• Calendar booking information

Important: You act as the data controller for your leads' personal data. We act as a data processor on your behalf. You are responsible for obtaining necessary consents from your leads and complying with GDPR when using our Service.

3. How We Use Your Information

We use the collected information for:

• Service Provision: Operating and maintaining the Ravini platform, processing AI conversations
• Billing: Processing payments, managing subscriptions, sending invoices
• Communication: Sending service updates, security alerts, support responses
• Improvement: Analyzing platform usage patterns to improve features (excludes Google user data; see Section 4)
• Security: Detecting fraud, preventing abuse, securing accounts
• Legal Compliance: Meeting legal obligations and enforcing our Terms of Service

Legal Basis for Processing (UK GDPR)

• Contract Performance: Processing necessary to provide the Service you've signed up for
• Legitimate Interests: Improving our Service, preventing fraud, ensuring security
• Legal Obligation: Compliance with tax, accounting, and data protection laws
• Consent: Marketing communications (you can opt-out anytime)

4. Google User Data

Ravini offers optional integrations with Google services. This section describes how we handle data received from Google APIs, in compliance with the Google API Services User Data Policy.

4.1 Google Data We Access

When you connect your Google account, we may access the following data depending on which integrations you enable:

• Google Calendar: Calendar events (titles, times, attendees, locations) and free/busy information, used solely to sync bookings and prevent scheduling conflicts
• Google Drive: Files you explicitly select through the Drive picker, used solely to import images or documents into your Ravini content
• Email Address: Your Google account email, used solely to identify your connected account within Ravini

4.2 How We Use Google Data

Google user data is used exclusively to provide and improve the user-facing features you have enabled:

• Displaying your calendar availability and syncing bookings you create in Ravini to your Google Calendar
• Importing images or documents you select from Google Drive into your Ravini content
• Showing which Google account is connected in your integration settings

4.3 Google Data We Do NOT Use For

• Training AI or machine learning models
• Advertising, retargeting, or interest-based profiling
• Selling or transferring to third parties, data brokers, or information resellers
• Determining creditworthiness or lending purposes
• Any purpose unrelated to providing the calendar sync or file import features you enabled

4.4 Google Data Sharing

Google user data is not shared with any third parties except as strictly necessary to provide the integration features (for example, storing calendar event references in our database hosted by Supabase). No Google user data is transferred for advertising, analytics, or any purpose beyond providing the features described above.

4.5 Revoking Access

You can disconnect your Google account at any time from Settings → Integrations. Upon disconnection, we delete your stored Google access tokens. You can also revoke access directly from your Google Account permissions page.

5. Mobile Applications

Ravini offers mobile applications for iOS and Android, including the Ravini Members app (for gym members) and the Ravini Owner app (for gym owners). This section describes additional data we collect and process through our mobile apps.

5.1 Data Collected via Mobile Apps

• Account Information: Name, email address, and membership details linked to your gym
• Device Information: Device model, operating system version, and unique device identifiers for push notifications
• Push Notification Tokens: Used solely to deliver notifications about bookings, classes, and messages from your gym
• Camera Access: Used only when you choose to scan a QR code for gym check-in or take a profile photo. Images are not stored beyond their intended purpose
• Microphone Access: Used only during voice calls with your gym via the in-app calling feature

5.2 Apple HealthKit and Google Health Connect

The Ravini Members app offers an optional integration with Apple HealthKit (iOS) and Google Health Connect (Android) to help gym members and their coaches track fitness progress.

Health Data We Read (With Your Permission)

• Step count
• Heart rate and resting heart rate
• Active calories burned
• Sleep data
• Walking/running distance
• Exercise and workout sessions

Health Data We Write (With Your Permission)

• Workout sessions logged through the Ravini app

How We Use Health Data

• Displaying your fitness activity and progress within the app
• Sharing aggregated health summaries with your gym coach (only with your explicit consent)
• Providing personalised coaching feedback based on your activity levels

How We Do NOT Use Health Data

• Health data is never used for advertising, marketing, or interest-based profiling
• Health data is never sold to or shared with third parties, data brokers, or analytics providers
• Health data is never used to train AI or machine learning models
• Health data is never stored in iCloud or any third-party cloud storage outside our secure infrastructure

Consent and Control

Health data access is entirely optional. You will be asked for explicit permission before any health data is read or written. You can revoke access at any time through:

• iOS: Settings → Health → Data Access & Devices → Ravini
• Android: Settings → Health Connect → App permissions → Ravini
• In-app: Profile → Health Settings → Disconnect

Upon revoking access, we stop reading new health data. Previously synced summaries stored on our servers can be deleted by contacting sam@ravini.co.uk or using the account deletion feature in the app.

5.3 Account Deletion

You can delete your account and all associated data directly within the app via Profile → Delete Account. This permanently removes your personal data, health data, booking history, and membership information from our servers within 30 days. Billing records are retained for 7 years as required by UK tax law.

6. Data Sharing and Third Parties

We share data with:

• Anthropic: AI model provider (Claude) - conversation data for AI responses
  Data Processing Agreement in place, GDPR compliant
• Stripe: Payment processing - billing information for transactions
  PCI DSS Level 1 compliant, GDPR compliant
• Supabase: Database hosting - all platform data storage
  EU-based servers, ISO 27001 certified, GDPR compliant
• Vercel: Application hosting - logs and usage data
  EU deployment available, GDPR compliant
• GoHighLevel (Optional): If you connect your GHL account - lead data syncing
  Your GHL API key, calendar data - DPA in place

We do NOT:

• Sell your personal data to third parties
• Use your lead data to train AI models for other customers
• Share data with advertisers or data brokers
• Transfer data outside the UK/EU without adequate safeguards

7. Your Data Protection Rights (UK GDPR)

You have the following rights:

• Right of Access: Request a copy of your personal data
  Settings → Export Data or email sam@ravini.co.uk
• Right to Rectification: Correct inaccurate or incomplete data
  Update directly in Settings or contact support
• Right to Erasure: Request deletion of your data ("right to be forgotten")
  Settings → Delete Account or email sam@ravini.co.uk
• Right to Restrict Processing: Limit how we use your data
• Right to Data Portability: Receive your data in a machine-readable format
  CSV/JSON export available in Settings
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: For marketing communications
  Click "unsubscribe" in any email

How to Exercise Your Rights:
Email: sam@ravini.co.uk
We will respond within 30 days (as required by UK GDPR)

8. Data Retention

• Account Data: Retained while your account is active + 30 days after deletion
• Conversation Logs: Retained for 12 months (or as configured by you)
• Billing Records: Retained for 7 years (UK tax law requirement)
• Usage Logs: Retained for 90 days
• Backup Data: Encrypted backups retained for 30 days

9. Data Security

We implement industry-standard security measures:

• Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
• Access Control: Role-based access, multi-factor authentication available
• Infrastructure: EU-based servers, ISO 27001 certified hosting
• Monitoring: 24/7 security monitoring, automated threat detection
• Backups: Daily encrypted backups with 30-day retention
• Incident Response: Data breach notification within 72 hours (UK GDPR requirement)

10. Cookies and Tracking

We use the following cookies:

• Essential Cookies: Authentication session (required for Service)
• Functional Cookies: User preferences, language settings
• Analytics Cookies: Usage statistics (anonymized, opt-out available)

You can control cookies through your browser settings. Disabling essential cookies will prevent you from using the Service.

Anonymous landing-page analytics

On public landing pages (such as ravini.co.uk/try) we record anonymous click and scroll patterns to improve page design and conversion. This is a no-cookie analytics layer:

• No cookies are set. A short-lived session ID is stored only in sessionStorage and is deleted when you close the tab.
• No IP address is stored. Country (e.g. "GB") is recorded from the request header but not your full IP.
• No personal data, form input values, or text content of clicked elements is collected — only the identifier of the section or button you interacted with.
• Data is used solely to improve the page itself; it is never shared with third parties or used for profiling.
• Raw event data is automatically deleted after 90 days. Aggregate counts are retained.

We rely on the ICO "statistical purposes" basis (PECR) and your browser's Do-Not-Track / Global Privacy Control signal — when present, the tracker does not load.

Third-party analytics (Microsoft Clarity, Meta Pixel)

Where Microsoft Clarity or Meta Pixel are loaded on a page, those services may set their own cookies. Their privacy practices are governed by their respective policies. You can opt out of Meta tracking via your Facebook ad settings and Microsoft Clarity via privacy.microsoft.com.

11. International Data Transfers

Our primary data storage is within the UK/EU (Supabase EU region). Where data is transferred outside the UK/EU (e.g., Anthropic API in the US), we ensure:

• Standard Contractual Clauses (SCCs) are in place
• Adequate data protection safeguards per UK GDPR Article 46
• Data minimization - only necessary data is transferred
• Encryption during transfer and at rest

12. Children's Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

13. Your Responsibilities as a Data Controller

When you use Ravini to process your leads' data, you must:

• Obtain valid consent from leads before collecting their data
• Provide leads with your own privacy notice
• Inform leads that AI is used to communicate with them
• Honor leads' data rights (access, deletion, etc.)
• Have a lawful basis for processing lead data
• Implement appropriate security measures

See our Data Processing Agreement (DPA) for full details of our processor responsibilities.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via:

• Email notification to your registered email address
• Prominent notice on the Service
• Update to the "Last updated" date at the top of this page

Continued use of the Service after changes constitutes acceptance of the updated policy.

15. Contact Us