Privacy first
Rhythm is built to keep health and performance data useful, limited, and respectful. We do not sell personal or health data, and cycle information for real users is intended to stay on-device.
Rhythm collects account data, subscription state, workout logs, goals, routines, body measurements, the wearable daily snapshots created when you connect Oura or Whoop, and the settings needed to personalize your training experience. Health and wearable data is only accessed when you grant permission.
Apple Health, Oura, and Whoop data is permission-based and feature-limited. Oura and Whoop OAuth tokens are exchanged server-side and stored in secure backend tables, not in the client bundle. Whoop data (recovery, strain, sleep, workouts, and body measurements) is synced via their official API and through real-time webhooks. You can revoke access in Rhythm settings and at each provider's own platform.
Cycle start date, cycle length, and calculated phase are stored locally on-device for real users. Rhythm does not sync personal cycle data to Supabase. Apple Health, Oura, and Whoop cycle-related signals (such as HRV, resting heart rate, and temperature patterns) are read only when smart tracking is enabled.
Account and training data is retained while your account is active. When you request deletion, we remove user-owned records from active systems and process cleanup in backup windows. Wearable tokens and snapshots are removed when you disconnect integrations or delete your account.
Rhythm uses infrastructure and service providers including Supabase (backend, auth, and storage), RevenueCat (subscription management), Expo (app delivery and over-the-air updates), PostHog (product analytics; events never include cycle data, raw biometrics, or direct identifiers), Sentry (crash and error reporting; events are scrubbed of cycle data, raw biometrics, and direct identifiers before leaving the device), and wearable APIs such as Apple Health, Oura, and Whoop when connected. We do not sell health data or use it for advertising.
We use authenticated access controls, row-level authorization patterns, and secure transport to protect account data. No system is perfectly secure, but Rhythm applies reasonable safeguards and limits data access to product operations and support.
You can export data, disconnect wearables, adjust permissions, and request account deletion from within the app. Full legal text and future policy updates will live at the public policy link below.
Health permissions
Apple Health permissions can be reviewed in Settings > Privacy & Security > Health > Rhythm.