Privacy Policy

Last Updated: 2025-05-16

1. Who We Are

Rowlytix is operated by Wizify, a sole trader registered in the United Kingdom. Our contact details are:

  • Email: help@rowlytix.com
  • Address: Rowlytix, Unit 153042, PO Box 7169, Poole, BH15 9EL, United Kingdom

We are the data controller for your personal data under UK GDPR. If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at help@rowlytix.com.

2. Information We Collect

We collect the following types of personal data from you:

  • Account Information: Name, surname, email address, username, and password (encrypted and managed by AWS Cognito).
  • Workout Data: Photos of your rowing machine screen (processed via OpenAI API for OCR but not stored by us), workout stats (e.g., distance, time), and any details you provide for custom rowing training plans.
  • Device Information: IP address and device ID, collected through cookies and similar technologies.
  • Tracking and Analytics: Data on how you use our app and website, collected via Google Analytics, Google Tag Manager, and Meta Pixel.
  • Payment Information: Managed by Stripe (for website payments) and Apple/Google (for app store subscriptions).

We do not collect location data. We are committed to ensuring that our services are used only by individuals aged 16 and above. We do not knowingly collect or process personal data from individuals under the age of 16. If we become aware that we have collected personal data from someone under 16 without verifiable parental consent (where required by applicable law), we will take steps to delete that information as quickly as possible.

3. How We Use Your Information

We use your personal data for the following purposes:

  • To provide and maintain our services (e.g., data extraction, training plan generation, and workout history)
  • To improve our services (e.g., usage analysis to enhance app and website performance)
  • To communicate with you (e.g., account updates, service notifications, and marketing if opted in)
  • To comply with legal obligations

4. Lawful Basis for Processing

We rely on the following lawful bases under UK GDPR and EU GDPR:

  • Consent: For processing photos and generating custom training plans.
  • Contractual Necessity: For providing subscription services and custom plans.
  • Legitimate Interests: For improving services and limited marketing, unless your rights override these interests.

5. Information Sharing

We may share your personal data with:

  • Service Providers:
    • AWS: Cognito, Lambda, Amplify, DynamoDB, AppSync, API Gateway
    • OpenAI: For AI processing of photos (see Section 8)
    • Stripe and RevenueCat: For subscription and payment management
    • Google Analytics, Google Tag Manager, Meta Pixel: For analytics and marketing
  • Legal Requirements: If required by law or legal request

6. International Transfers

Your personal data may be transferred to and processed in countries outside the UK and the European Economic Area (EEA), which may have data protection laws that differ from those in the UK and the EEA. These countries may include:

  • United States: For example, your photos are processed by OpenAI, a company located in the United States.
  • Ireland: Your personal data is processed by Amazon Web Services (AWS), which has data processing facilities in Ireland. Data may also be processed in other AWS regions globally.

To ensure that your personal data receives an adequate level of protection when transferred outside the UK/EEA, we implement the following safeguards in accordance with applicable data protection laws:

  • Transfers to Adequate Jurisdictions: Where the recipient country has been deemed by the UK or the European Commission to provide an adequate level of data protection, such as the United States (under the UK Extension to the EU-US Data Privacy Framework and the EU-US Data Privacy Framework) and Ireland (within the EEA), the transfer is made on the basis of this adequacy decision.
  • Standard Contractual Clauses (SCCs): For transfers to countries that have not been deemed to provide an adequate level of protection, we rely on Standard Contractual Clauses approved by the relevant authorities (the UK Information Commissioner's Office and the European Commission). These clauses impose contractual obligations on the recipient of the data to protect your personal data to a standard comparable to that within the UK/EEA. You can request a copy of the relevant SCCs by contacting us at help@rowlytix.com.
  • Transfer Impact Assessments (TIAs): Where necessary, we conduct Transfer Impact Assessments to evaluate the circumstances of the transfer and implement supplementary measures to ensure an essentially equivalent level of protection is maintained.

Note on the UK-EU Adequacy Decision: The UK currently benefits from an adequacy decision from the EU. We will continue to monitor any changes to this decision and update our data transfer practices as necessary to ensure compliance with both UK and EU GDPR.

By using our services, you consent to these international transfers of your personal data in accordance with this Privacy Policy and the safeguards we have in place.

7. Data Security

We implement technical and organizational measures — including encryption, secure cloud infrastructure provided by AWS, and access controls — to protect your data from unauthorized access, disclosure, or loss. Data transmitted between your device and our AWS-hosted services is secured using HTTPS (TLS) encryption. For data at rest within our AWS infrastructure (such as account details and workout stats), AWS provides robust encryption mechanisms, further safeguarding your information. We also ensure that the transmission of photos to the OpenAI API for processing is done over a secure HTTPS connection. While photos are not stored by us or used for OpenAI model training, we prioritize the security of this temporary data transfer.

8. Data Retention

  • Account and Workout Data: Retained until you delete your account.
  • Photos: Not stored. Images are sent via API to OpenAI for immediate OCR processing and are deleted immediately after processing.

We configure the OpenAI API to ensure that your data is not used for model training and is not retained after processing.

9. Your Rights

Under the UK and EU GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Request erasure of your data
  • Restrict or object to certain processing
  • Receive your data in a portable format (data portability)
  • Withdraw consent at any time (e.g., for photo processing or marketing)

You can exercise these rights via in-app settings or by contacting us at help@rowlytix.com. We will respond within one month.

If you are unsatisfied with our handling of your data, you may contact the UK Information Commissioner’s Office (ICO): https://ico.org.uk

10. Cookies and Tracking

Our app and website use cookies and similar technologies:

  • Website Cookies: For performance, analytics, and marketing. You can manage preferences via our cookie banner or your browser settings.
  • App Tracking: Google Analytics and Meta Pixel may collect usage data. You can opt out via app permissions or by contacting us.

See our [Cookie Policy] for more detail.

11. Consent

By uploading photos, you consent to them being processed by OpenAI’s API for workout data extraction. You can withdraw consent at any time by deleting your account or contacting us.

Marketing communications require separate opt-in consent and can be managed in your account settings.

12. Age Restriction

Our services are exclusively for individuals aged 16 or older. By creating an account and using Rowlytix, you represent and warrant that you are at least 16 years of age. While we implement measures to encourage compliance with this age restriction through user declarations during signup, we cannot guarantee that all users will meet this requirement. If you are under 16, please do not attempt to register for or use our services. Parents or guardians who become aware that their child under 16 has provided us with personal data should contact us immediately at help@rowlytix.com so that we can take appropriate action.

13. Disclaimer on AI-Generated Content

AI-generated training plans are based on your data and general rowing principles. They are not a substitute for professional coaching or medical advice. Always consult a qualified professional before beginning a new fitness routine. Rowlytix is not liable for any outcomes or injuries resulting from the use of these plans.

14. Changes to This Policy

We may update this Privacy Policy from time to time. You will be notified via email or in-app notice when significant changes are made. Please review this policy periodically.

15. Data Breaches

If a data breach occurs and poses a risk to your rights or freedoms, we will notify you and the relevant supervisory authority within 72 hours, as legally required.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your data, please contact:

  • Email: help@rowlytix.com
  • Post: Rowlytix, Unit 153042, PO Box 7169, Poole, BH15 9EL, United Kingdom

17. Notes for EU Users

While Rowlytix is based in the UK, we may process data from EU users. We comply with EU GDPR requirements, including data transfer safeguards. The UK currently benefits from an adequacy decision, but changes may occur after June/December 2025.