Privacy Policy

Version 1.1 | Effective date: 1 March 2026 | Last updated: 1 March 2026

IMPORTANT — PLEASE READ CAREFULLY

This Privacy Policy explains how Rituo collects, uses, stores, and shares your personal data when you use our mobile application (iOS and Android), our website, and our supplements online store. It applies to all users of the Rituo app and to all customers of our supplements brand.

Rituo processes special category personal data (health data) through the app, including mood data, emotional reflections, and AI-derived wellness insights. We treat this as health data and require your explicit consent before processing it. That consent is obtained separately within the application at registration.

The Rituo app and supplements are wellness and lifestyle products. They are not medical devices, do not provide medical advice or diagnosis, and are not medicinal products. Nothing in this Privacy Policy or on the Platform constitutes medical advice.

If you do not agree with this Privacy Policy, please do not use the Rituo platform or purchase our products.

Who We Are

Rituo is operated by Rituo Ltd (company number 16548467), a company incorporated in England and Wales, with its registered office at 3rd Floor, 86-90 Paul Street, London EC2A 4NE (“Rituo”, “we”, “us” or “our”).

We are a UK-based wellness business operating two services: (a) the Rituo mobile application (available on iOS and Android), providing guided daily rituals, journalling, mood tracking, goal-setting, and AI-assisted coaching; and (b) a direct-to-consumer supplements brand, through which we sell food supplements and nutraceutical products via our e-commerce website. We are the data controller in respect of all personal data processed through both services.

We are registered as a data controller with the Information Commissioner’s Office (“ICO”) under registration reference number [ICO REGISTRATION NUMBER].

If you have any questions about this Privacy Policy or wish to exercise your legal rights, please contact our data privacy team using the details below.

Data enquiries: privacy@rituo.co.uk

ICO registration: [ICO REGISTRATION NUMBER]

Scope Of This Privacy Policy

This is a single unified Privacy Policy governing how we process personal data across all Rituo services and channels. It applies when you:

download, install, or use the Rituo mobile application (iOS and Android);

visit or interact with our website at rituo.co.uk;

browse, place an order, or otherwise interact with our supplements e-commerce store;

register for, or use, an account on either platform;

subscribe to Rituo via the Apple App Store or Google Play Store;

sign up to receive our newsletter or marketing communications; or

correspond with us by email or otherwise.

It does not apply to third-party services, applications, or websites that are linked to from our Platform. Those third parties operate under their own privacy policies (see section 16).

Age restriction — 18 and over only

Our Platform is intended for users aged 18 and over. We do not knowingly collect personal data from persons under 18, and our food supplements are not intended for persons under 18.

Important: there is currently no technical age-verification mechanism in the app or supplements store.

If you become aware that a person under 18 has provided personal data to us or purchased our products, please contact privacy@rituo.co.uk immediately so we can delete the data and cancel any order.

Wellness and lifestyle disclaimer: The Rituo app and our supplements are general wellness and lifestyle products. They are not medical devices, do not constitute medical advice, diagnosis, or treatment, and our supplements are not medicinal products regulated as medicines. If you have a health condition or are taking prescription medication, please seek advice from a qualified healthcare professional before using our products or app features.

The Personal Data We Collect About You

Personal data means any information from which an individual can be identified. We collect different categories of personal data depending on which of our services you use. Not all categories will apply to every user.

Identity Data. First name, last name, username or similar identifier, and profile picture.

Contact and Authentication Data. Email address, hashed password, delivery address, billing address, and telephone number. Where you use social sign-in, your Google or Facebook account identifier and the associated contact data received from that provider.

Wellness and Health Data (app only). Ritual session content, mood slider values (pre- and post-ritual on a 0–100 scale), free-text reflections and micro-journal entries, full journal entries and topics, onboarding wellness goals, AI-generated coaching feedback, and AI-derived insights about your emotional state, behavioural patterns, and wellbeing. We treat this data as special category (health) data. See section 5.

AI Profile Data (app only). The AI-generated composite profile maintained by our coaching system from your Wellness and Health Data, capturing emotional patterns, behavioural insights, and personalised wellness goals and their progress. We treat this as special category data. See section 5.

Transaction and Purchase Data. Details of products and services purchased from us (including supplement orders and app subscriptions), order reference numbers, order and subscription history, and transactional correspondence. Payment card data is never transmitted to or stored by Rituo — all card processing is handled by our third-party payment processor (Shop Pay) in a PCI-DSS compliant environment, and in-app purchases are processed directly by Apple or Google.

Technical Data. IP address, device identifiers, operating system and browser type, Firebase Cloud Messaging (FCM) token (for push notifications), timezone (IANA format), server log data, and data collected via cookies and analytics tools (including browsing behaviour, pages visited, session duration, and referral source). See section 14.

Subscription and In-App Purchase Data. In-app purchase and subscription information received from Apple (iOS) and Google Play (Android): transaction identifiers, product identifiers, subscription status, trial and renewal dates, grace or cancellation data, and auto-renewal status. Payment card data is not shared with us.

Preference and Notification Data. Push notification preferences (on/off and preferred delivery time per wellness category: Rise, Focus, Calm, Sleep), device notification permission status, text-to-speech voice preference, and marketing communication preferences.

Marketing and Communications Data. Preferences for receiving marketing from us, records of consent, opt-in, and opt-out, and the content of communications you send to us.

Health-Related Purchase Data (supplements store). Where you voluntarily provide health-related information in connection with a supplement purchase (for example, health goals, dietary requirements, or details of a health condition in a product enquiry), we will treat that information as special category data and handle it accordingly. We do not ask you for information about medical conditions as part of our standard supplement ordering process.

We also collect and use aggregated, anonymised data (for example, aggregate user counts, supplement sales volumes, or ritual completion rates) that does not identify any individual and is not personal data.

Failure to provide personal data

Where we need to collect personal data by law or under the terms of a contract with you (for example, a delivery address to fulfil a supplement order, or an email address to administer your account), failure to provide that data may mean we cannot perform the contract or provide the service. We will notify you of this at the time.

How Is Your Personal Data Collected?

4.1 Data you provide to us directly

Account registration — Identity Data and Contact and Authentication Data on account creation, or received from Google or Facebook on OAuth sign-in.

App use — Wellness and Health Data when you complete rituals, record journals, submit mood values, use voice input, or set wellness goals.

App onboarding — wellness goal selections used to personalise your initial experience.

Supplement orders — Identity Data, Contact Data (delivery and billing address), and Transaction Data. Payment card data is captured by the payment processor directly.

Newsletter and marketing sign-up — email address and (optionally) name when subscribing to marketing.

Profile updates — name, address, or profile picture changes within the app or account.

Correspondence — contact details and communication content when you contact us by any means.

4.2 Data collected automatically

Technical Data — collected via server logs, JWT authentication tokens, Firebase Cloud Messaging tokens, and cookies and analytics tools on our website.

Subscription event data — received automatically from Apple and Google via webhook notifications on subscription lifecycle events.

Website analytics — pages visited, session duration, traffic source, and device information collected via [ANALYTICS PROVIDER e.g. Google Analytics] when you use our website or supplements store (subject to your cookie consent choices — see section 14).

4.3 Data received from third parties

OAuth providers (Google, Facebook) — Identity and Contact Data on social sign-in.

Apple App Store / Google Play — Subscription and In-App Purchase Data on purchase or lifecycle events.

[PAYMENT PROCESSOR] — payment confirmation and transaction reference (not card data).

Delivery and logistics providers — consignment and delivery status data for supplement orders.

Special Category (Health) Data

Some of the personal data we process constitutes “special category data” under Article 9 UK GDPR, which attracts a higher level of legal protection and requires an additional condition for lawful processing beyond the Article 6 basis.

We treat the following categories as special category (health) data:

Wellness and Health Data (app) — mood slider values, free-text reflections and journal entries, ritual session content, and onboarding health goals all fall within or enable inferences about data concerning health within the meaning of Article 4(15) UK GDPR. The Court of Justice of the EU confirmed in Case C-184/20 that data from which health-related inferences can be drawn constitutes health data, irrespective of whether it is explicitly labelled as such.

AI Profile Data (app) — the AI-generated profile derives insights about your emotional state, stress, and behavioural patterns from the Wellness and Health Data above and is accordingly treated as health data.

Health-Related Purchase Data (supplements) — any health or medical information you voluntarily provide in connection with a supplement purchase or product enquiry, as described in section 3.

The lawful basis under Article 9 UK GDPR for processing these categories is your explicit consent (Article 9(2)(a)). For Wellness and Health Data and AI Profile Data, that consent is sought in the app at registration via a clear affirmative act. For any health-related information provided in connection with supplement purchases, we will seek your explicit consent before processing it for any purpose beyond handling your specific enquiry.

You may withdraw your consent at any time (see the right to withdraw consent in section 14). Withdrawal does not affect the lawfulness of processing before withdrawal. However, withdrawal of consent for Wellness and Health Data processing will prevent us from providing the core app features (rituals, journalling, and AI coaching) that depend on that processing.

How We Use Your Personal Data

UK GDPR requires a lawful basis for each purpose for which personal data is processed. The table below sets out our purposes, the data categories used, the lawful basis, and indicative retention periods. Where we also process special category data for a purpose, the Article 9 basis is noted alongside the Article 6 basis.

| Purpose / Activity | Data categories | Lawful basis (Art. 6 + Art. 9 where applicable) | Retention |
|---|---|---|---|
| Rituo App | | | |
| Account creation and email verification | Identity; Contact and Authentication | Performance of a contract (Art. 6(1)(b)) | Account lifetime + 6 years |
| Login authentication and session management | Contact and Authentication; Technical (JWT — stored on-device / admin cookie only) | Performance of a contract (Art. 6(1)(b)) | Session / configurable token TTL |
| Providing ritual and journalling features (core app service) | Wellness and Health; Preference | Performance of a contract (Art. 6(1)(b)) + Explicit consent for special category data (Art. 9(2)(a)) | Account lifetime + 6 years |
| AI-powered coaching: personalised recommendations, goal generation, and AI profile maintenance | Wellness and Health; AI Profile | Performance of a contract (Art. 6(1)(b)) + Explicit consent for special category data (Art. 9(2)(a)) | Account lifetime + 6 years |
| Text-to-speech synthesis for in-app coach audio | Wellness and Health (ritual text sent to ElevenLabs for synthesis); Preference (voice ID) | Performance of a contract (Art. 6(1)(b)) + Explicit consent for special category data (Art. 9(2)(a)) | Synthesised audio cached; source text not retained post-synthesis |
| Real-time speech-to-text transcription | Voice audio (streamed to ElevenLabs in real time; not retained by Rituo or ElevenLabs) | Performance of a contract (Art. 6(1)(b)) | Not retained by Rituo |
| Managing app subscription and in-app purchases (via Apple / Google) | Subscription and In-App Purchase; Contact and Authentication | Performance of a contract (Art. 6(1)(b)) | 7 years (tax / accounting obligations) |
| Service push notifications — transactional and in-service alerts (e.g. ritual reminders, streak updates, account notifications) | Technical (FCM token); Preference and Notification | Performance of a contract (Art. 6(1)(b)) — these are service communications integral to the app functionality you have subscribed to; not electronic marketing under PECR | Until notification disabled or account deleted |
| Marketing push notifications — promotional messages, new features, offers | Technical (FCM token); Preference and Notification; Marketing and Communications | Consent (Art. 6(1)(a)) obtained via device-level notification permission request on app install, consistent with PECR Regulation 22; opt-out available at any time in device or app settings | Until consent withdrawn or account deleted |
| Sending transactional emails (OTP verification, password reset, subscription lifecycle) | Identity; Contact and Authentication; Subscription | Performance of a contract (Art. 6(1)(b)) | 6 years from date of communication |
| Supplements E-commerce | | | |
| Processing and fulfilling supplement orders (payment, dispatch, and delivery) | Identity; Contact (including delivery and billing address); Transaction and Purchase | Performance of a contract (Art. 6(1)(b)) | 7 years (tax / accounting; Consumer Contracts Regulations 2013) |
| Managing your supplements customer account and order history | Identity; Contact; Transaction and Purchase | Performance of a contract (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)) — maintaining accurate customer records and supporting future orders | Account lifetime + 7 years |
| Sending order confirmation, dispatch, and delivery communications | Identity; Contact; Transaction | Performance of a contract (Art. 6(1)(b)) | 7 years |
| Processing returns, refunds, and warranty or statutory claims | Identity; Contact; Transaction | Performance of a contract (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)) — Consumer Rights Act 2015; Consumer Contracts Regulations 2013 | 7 years |
| Email marketing to existing supplement customers (similar products / services, soft opt-in) | Identity; Contact; Transaction; Marketing and Communications | Legitimate interests (Art. 6(1)(f)) under the PECR Regulation 22 soft opt-in — contact details obtained in the course of a sale; we market similar products; we offered a clear opt-out at point of sale and in each subsequent communication | Until opt-out or 3 years from last purchase if no further engagement |
| Email marketing to newsletter subscribers (non-customers) | Identity; Contact; Marketing and Communications | Consent (Art. 6(1)(a)) + consent for electronic marketing (PECR Regulation 22) | Until consent withdrawn or 2 years of inactivity |
| Across All Services | | | |
| Website and store analytics (understanding user interaction, improving the Platform) | Technical; Marketing and Communications (aggregated / pseudonymous where possible) | Legitimate interests (Art. 6(1)(f)) — improving Platform quality and relevance; Consent (Art. 6(1)(a)) where PECR requires it for analytics cookies (see section 14) | Anonymised analytics retained indefinitely; identifiable technical logs: 90 days |
| Security, fraud prevention, and platform integrity | Technical; Contact and Authentication | Legitimate interests (Art. 6(1)(f)) — protecting the Platform and users from misuse and security threats | Server logs: 90 days; security incident records: 3 years |
| Compliance with legal obligations | All categories as required | Legal obligation (Art. 6(1)(c)) | As required by applicable law |
| Business reorganisation, merger, or sale of assets | All categories as required | Legitimate interests (Art. 6(1)(f)) — pursuing or responding to a change of control; the acquirer will be bound to equivalent data protection obligations | Duration of transaction process |

Where we rely on legitimate interests, we have conducted a balancing assessment and are satisfied that our interests do not override your interests or fundamental rights. You may request a copy of any relevant legitimate interests assessment by contacting us at privacy@rituo.co.uk.

Change of Purpose

We will only use your personal data for the purposes for which it was collected, unless we reasonably consider that a new purpose is compatible with the original purpose (applying the Article 6(4) UK GDPR compatibility test). If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis. We may process your personal data without your knowledge or consent where required or permitted by law.

Automated Processing and AI-Assisted Profiling (App Only)

The Rituo app uses artificial intelligence to provide personalised wellness coaching. This involves automated processing — including profiling within the meaning of Article 22 UK GDPR — specifically:

analysing your ritual sessions, journal entries, mood values, and wellness goals to generate personalised coaching feedback and recommendations;

building and maintaining an AI Profile capturing patterns in your emotional state, behaviour, and wellbeing; and

generating and tracking personalised wellness goals.

This profiling does not produce decisions that have legal or similarly significant effects on you (such as decisions affecting access to credit, employment, insurance, or public services). The AI’s outputs are wellness recommendations within the Platform only, and you retain full ability to disregard or override them.

AI training — your personal data

Your identifiable personal data (including Wellness and Health Data and AI Profile Data) is used solely to generate personalised outputs for you within the Platform. It is never used to train AI models that serve other users. Only anonymised, aggregated data that cannot identify you may be used for broader model improvement purposes.

Data Protection Impact Assessment: given the combination of large-scale processing of health data and use of AI-driven profiling, we have conducted (or are in the process of conducting) a Data Protection Impact Assessment (DPIA) in accordance with Article 35 UK GDPR prior to deployment of these features. The DPIA is available to the ICO on request.

You may object to this profiling at any time (see section 14). As AI personalisation is integral to the Rituo service, objecting to or withdrawing consent for this processing may mean we are unable to provide core app features.

Marketing

9.1 Marketing from us

We may send you marketing communications by email or push notification in the following circumstances:

Existing customers — Existing supplement customers (soft opt-in): where you have purchased a supplement product from us and we obtained your contact details in the course of that sale, we may send you email marketing about similar products and offers, unless you have opted out. This is the ‘soft opt-in’ under PECR Regulation 22(3). You were given a clear opportunity to opt out at the time your details were collected and will be given that opportunity in every subsequent marketing communication.

Newsletter subscribers — Newsletter and marketing subscribers: where you have actively opted in to receive our newsletter or marketing by ticking a consent box or similar affirmative step, we will send communications on that consent basis. You may withdraw consent at any time.

App users — App marketing push notifications: where you have granted notification permission at app install, we may send marketing push notifications. You may withdraw this permission at any time via your device settings or the in-app notification preferences.

9.2 Opting out

You can opt out of marketing communications at any time by:

clicking the unsubscribe link in any marketing email;

adjusting your notification permissions in your device settings or in-app preferences;

contacting us at privacy@rituo.co.uk.

Opting out will not affect transactional or service-essential communications, including order confirmations, dispatch notifications, OTP emails, and subscription or account security alerts.

9.3 Third-party marketing

We will obtain your express consent before sharing your personal data with any third party for that party’s own direct marketing purposes. We do not currently engage in such sharing.

Disclosure of Your Personal Data

We share your personal data with the third-party processors listed below. All processors are engaged under written data processing agreements and may only process your data for the specified purposes and in accordance with our instructions. We do not sell your personal data.

| Processor / Provider | Country | Data shared | Purpose | Transfer safeguard |
|---|---|---|---|---|
| OpenAI | USA | Wellness and Health Data (journal content, ritual summaries, mood data, goals, AI profile — as prompt context) | AI coaching, recommendations, goal generation, and AI profile updates. Note: OpenAI is engaged as a data processor under its API terms; user data is not used by OpenAI to train models serving other users | IDTA / SCCs |
| ElevenLabs | USA | Text content (TTS synthesis); real-time voice audio (STT — streamed only, not retained) | Text-to-speech audio generation; real-time speech-to-text transcription | IDTA / SCCs |
| Firebase (Google LLC) | USA | FCM token; push notification payload | Push notification delivery (service and marketing) | IDTA / SCCs |
| SendGrid (Twilio Inc.) | USA | Email address, name, and transactional or marketing email content | Transactional and marketing email delivery | IDTA / SCCs |
| Amazon Web Services (AWS) | UK / EU / USA | All application data; profile images and ritual assets (S3 / CloudFront) | Cloud hosting, storage, and CDN | UK adequacy (EU); IDTA (USA) |
| MongoDB Atlas | EU / USA | All application database records | Database hosting | IDTA / SCCs |
| Shop Pay / Stripe | USA / EU | Payment confirmation and transaction reference (not card data) | Payment processing for supplement orders | IDTA / SCCs / Adequacy |
| Delivery / logistics provider (e.g. Royal Mail / DPD) | UK / EU | Name; delivery address; order reference; contact telephone | Physical fulfilment and delivery of supplement orders | UK / EEA adequacy |
| Analytics provider (e.g. Google Analytics) | USA | Technical Data (pseudonymised browsing, device, and session data) | Website and supplements store analytics | IDTA / SCCs; PECR consent where required |
| Apple Inc. | USA | In-app purchase and subscription event data (iOS) | In-app purchase and subscription lifecycle (iOS) | Apple standard terms / IDTA |
| Google LLC (Google Play) | USA | In-app purchase / subscription event data (Android); FCM token | In-app purchase and subscription lifecycle (Android); push notifications | IDTA / SCCs |
| Google LLC / Meta Platforms (OAuth providers) | USA | Name, email, OAuth identifier, and (optionally) profile picture on social sign-in | Social sign-in functionality | IDTA / SCCs |

We may also disclose your personal data to: competent authorities, regulators, courts, or law enforcement where required by law; professional advisers under duties of confidentiality; and a buyer or successor entity in the event of a merger, acquisition, or sale of our business (in which case the acquirer will be bound to equivalent data protection obligations).

International Data Transfers

Several of our third-party processors are located outside the UK — primarily in the United States. Processors based within the EEA benefit from a UK adequacy regulation; the EEA is recognised by the UK as providing an adequate level of data protection. For transfers to countries without an adequacy decision (principally the USA), we apply the following safeguards:

IDTA: The ICO’s International Data Transfer Agreement (IDTA), which provides UK-equivalent contractual protections for transfers from the UK to third countries.

EU SCCs + UK Addendum: The EU Standard Contractual Clauses (SCCs) with the ICO’s UK Addendum, where our processors use EU SCCs as their primary transfer mechanism.

Transfer risk assessments: Transfer impact assessments conducted (or relied upon from published processor documentation) to ensure that the level of protection in the destination country is not materially undermined by local law or practice.

You may request further information about the safeguards applicable to any specific transfer by contacting us at privacy@rituo.co.uk.

Data Security

We have implemented appropriate technical and organisational security measures proportionate to the risks presented by our processing, including:

bcrypt password hashing — passwords are never stored in plain text;

JWT authentication tokens with configurable expiry, held in device secure storage (mobile) or secure cookies (admin portal) — not stored in our database;

time-limited OTPs and password reset tokens;

HTTPS encryption for all data in transit;

private AWS S3 storage for profile pictures and ritual assets, accessible only through the application;

role-based access control for the admin portal with an invite-only, expiring token flow;

payment card data is never transmitted to or stored by Rituo — handled entirely by our PCI-DSS certified payment processor; and

server-side logging and active monitoring for security and diagnostic purposes.

Access to personal data is limited to those with a business need to access it. All such persons process data on our instructions and are subject to confidentiality obligations. We have breach detection, assessment, and response procedures in place. Where legally required, we will notify you and/or the ICO of a breach without undue delay.

No transmission over the internet can be guaranteed to be 100% secure. Whilst we take all reasonable steps to protect your personal data, you acknowledge that internet-based transmission involves an inherent risk.

Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, taking into account applicable legal, regulatory, tax, accounting, and reporting requirements. Specific periods are set out in the purpose table at section 6.

In determining retention periods we consider: the nature and sensitivity of the data; the potential risk of harm from unauthorised use or disclosure; the purposes for which we process it; whether we can achieve those purposes through other means; and applicable legal obligations.

Summary of our principal retention periods:

App account and core wellness data: account lifetime plus six years.

Supplement order and transaction records: seven years from the transaction date (tax and accounting; Consumer Contracts Regulations).

Email marketing records: until opt-out, or two to three years of inactivity (depending on consent basis).

Server logs and technical diagnostic data: up to 90 days.

Security incident records: up to three years.

Voice audio (speech-to-text): not retained by Rituo.

Account deletion: deleting your app account triggers deletion or anonymisation of: ritual sessions, journal sessions, streak history, notification preferences, AI profile, goals, voice preference, subscription records, and profile picture (from S3). Admin invitation records referencing your user ID are anonymised. Supplement order history is retained for the minimum legally required period even following account deletion, given our statutory obligations.

We may retain personal data for longer in the event of a complaint or where we reasonably anticipate litigation, and where required to do so by law. In some circumstances we will anonymise data; anonymised data may be retained indefinitely for research or statistical purposes without further notice to you.

Your Legal Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights. There is generally no fee for exercising these rights. We may charge a reasonable fee for manifestly unfounded, repetitive, or excessive requests. We will respond within one month of receipt of a valid request (extendable by two further months for complex or multiple requests, of which we will notify you).

| Right | What it means in practice |
|---|---|
| Right of access | You may request a copy of the personal data we hold about you (a ‘subject access request’) and information about how we process it. You can view and update your profile within the app. |
| Right to rectification | You may request correction of inaccurate or incomplete personal data. You can update your name, profile picture, and delivery address within the app or by contacting us. |
| Right to erasure | You may request deletion of your personal data in specified circumstances: where it is no longer necessary, where you withdraw consent, where processing is unlawful, or where erasure is required by law. App account deletion (available in-app) triggers deletion of all associated personal data as described in section 13. We may be unable to comply in full where we are required to retain data by law (for example, transaction records for tax purposes). |
| Right to restriction | You may request suspension of our processing in certain circumstances: where you contest accuracy; where processing is unlawful but you prefer restriction to erasure; where you need us to retain data for a legal claim; or where you have objected and we are verifying whether we have overriding grounds. |
| Right to object | You may object to processing based on legitimate interests, including AI profiling. You have an absolute right to object to processing for direct marketing, including profiling related to direct marketing. Where you object to direct marketing, we will cease immediately. For other objections, we will cease unless we can demonstrate compelling legitimate grounds. |
| Right to data portability | Where we process your data on the basis of consent or contract by automated means, you may request a copy in a structured, commonly used, machine-readable format and ask us to transmit it to another controller where technically feasible. A self-service export feature is not currently available; please contact privacy@rituo.co.uk to exercise this right. |
| Right to withdraw consent | Where we rely on consent (including explicit consent for Wellness and Health Data), you may withdraw at any time by contacting us at privacy@rituo.co.uk, using the in-app settings, or deleting your account. Withdrawal does not affect the lawfulness of processing before withdrawal. Withdrawal of consent for Wellness and Health Data will prevent delivery of core app features. |
| Rights regarding automated decisions | You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. As described in section 8, our AI outputs are wellness recommendations only. If you have concerns about any automated processing, please contact us. |

To exercise any right, please contact us at privacy@rituo.co.uk. We will ask you to verify your identity. If you are dissatisfied with our response, you have the right to complain to the ICO or another supervisory authority (see section 17).

Cookies

15.1 Mobile application

The Rituo mobile app does not use browser cookies. Authentication tokens (JWT access and refresh tokens) are held in your device’s secure storage using platform-standard mechanisms (iOS Keychain / Android Keystore equivalent) and are not accessible to other applications on your device.

15.2 Website and supplements store

Our website and supplements e-commerce store use cookies and similar technologies. We obtain your consent before placing any non-essential cookies via our cookie consent banner. The categories of cookies we use are:

Category: Strictly necessary
Purpose: Essential for website and store operation: session management, shopping cart, security tokens. The site cannot function without these.
Legal basis: No consent required (Reg. 6(4) PECR — strictly necessary)
Examples: Session ID, CSRF token, cart

Category: Functional
Purpose: Remember your preferences and settings (language, log-in state, sidebar state) to improve your experience.
Legal basis: Legitimate interests (proportionate to user benefit)
Examples: Preferences, sidebar state

Category: Analytics / performance
Purpose: Understand how users navigate our website and supplements store. Data is pseudonymised or anonymised where possible. Used to improve performance and relevance.
Legal basis: Consent (PECR Regulation 6)
Examples: Analytics provider cookies

Category: Targeting / marketing
Purpose: Record browsing behaviour to enable relevant advertising. Used only where you have given explicit prior consent.
Legal basis: Consent (PECR Regulation 6)
Examples: Ad network cookies

You can manage cookie preferences via the consent banner on your first visit, or at any time via the cookie settings link in the website footer. You may also control cookies via your browser settings, though blocking all cookies may impair website functionality. For more information about cookies, visit www.allaboutcookies.org.

15.3 Admin portal

The Rituo admin portal (admin.rituo.co.uk) uses strictly necessary authentication cookies (access token, refresh token) and a functional sidebar-state cookie. No advertising or analytics cookies are used on the admin portal.

15.4 Third-party cookies

Where you use Google or Facebook OAuth sign-in, those providers may set their own cookies under their own privacy policies. Analytics and advertising partners may set cookies subject to your consent choices. These are outside our direct control.

Third-Party Links

Our Platform may contain links to third-party websites, plug-ins, and applications. Selecting those links may allow third parties to collect data about you. We do not control these third-party services and are not responsible for their privacy practices. We encourage you to read the privacy policy of every third-party service you access. This Privacy Policy does not govern third-party processing.

Complaints and Contact

17.1 Contact us

Please contact us in the first instance with any questions, concerns, or complaints. We will make every effort to address your concerns promptly.

Email: privacy@rituo.co.uk

Post: Rituo Ltd, 3rd Floor, 86-90 Paul Street, London EC2A 4NE

17.2 ICO (UK residents)

UK residents have the right to lodge a complaint with the ICO at any time, though we would appreciate the opportunity to address your concern first.

Information Commissioner’s Office

Website: www.ico.org.uk

Helpline: 0303 123 1113

Post: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

17.3 EEA residents

EEA residents also have the right to complain to their local supervisory authority. Contact details for EEA supervisory authorities are available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

Changes to This Privacy Policy

We keep this Privacy Policy under regular review and will update it to reflect changes in our data practices, services, or applicable law. The version date is shown at the top of this document. Historic versions are available on request by contacting privacy@rituo.co.uk.

Where changes are material, we will notify you by email (to the address associated with your account) or by in-app notification before the changes take effect. Your continued use of the Platform after notification of a material change constitutes acceptance of the updated policy.

Please keep us informed of any changes to your personal data (for example, a new email address or delivery address) by updating your profile or contacting us.

Glossary

Lawful bases for processing (UK GDPR Article 6)


Performance of a contract

Processing necessary for the performance of a contract to which you are a party, or to take steps at your request before entering into a contract (Art. 6(1)(b)).

Legitimate interests

Processing necessary for our (or a third party’s) legitimate interests, provided those interests are not overridden by your interests, rights, or fundamental freedoms. We conduct a balancing assessment (LIA) before relying on this basis and will share the assessment with you on request (Art. 6(1)(f)).

Legal obligation

Processing necessary to comply with a legal obligation to which we are subject (Art. 6(1)(c)).

Consent

A freely given, specific, informed, and unambiguous indication of your agreement to processing. You may withdraw consent at any time without detriment (Art. 6(1)(a)).

Explicit consent (special category data)

For special category data, consent must be explicit — a clear affirmative act, not an implied agreement. Required under Art. 9(2)(a) UK GDPR.

Key defined terms


Children’s Code

The UK ICO’s Age Appropriate Design Code, a statutory code of practice under section 123 of the Data Protection Act 2018, applying to information society services likely to be accessed by children (under 18s). The Code imposes obligations including privacy by default, no profiling of children without appropriate consent, and no nudge techniques.

Controller

The entity that determines the purposes and means of processing personal data. Rituo is the controller for all processing described in this Privacy Policy.

DPIA

Data Protection Impact Assessment — a process required under Article 35 UK GDPR before undertaking processing that is likely to result in a high risk to the rights and freedoms of data subjects. Required where processing involves large-scale special category data, systematic profiling, or innovative technology.

IDTA

International Data Transfer Agreement — the ICO’s standard contractual mechanism for transfers of personal data from the UK to third countries without an adequacy decision.

PECR

Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) — UK regulations governing electronic marketing communications (including email, SMS, and push notifications), cookies, and similar tracking technologies. PECR operates alongside UK GDPR and restricts certain processing even where UK GDPR would permit it.

Platform

Collectively, the Rituo mobile application (iOS and Android), the Rituo website (rituo.co.uk), and the Rituo supplements e-commerce store.

Processor

A third party that processes personal data on behalf of, and on the instructions of, the controller under a written data processing agreement.

ROPA

Record of Processing Activities — a mandatory internal record required under Article 30 UK GDPR documenting all processing activities carried out by the organisation. Not published as part of this Privacy Policy but maintained internally and available to the ICO on request.

SCCs

Standard Contractual Clauses — the European Commission’s standard data transfer contracts, which (with the ICO’s UK Addendum) provide an appropriate safeguard for transfers from the UK to third countries.

Special category data

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, or data concerning health, sex life, or sexual orientation (Art. 9 UK GDPR). Requires an Article 9 condition in addition to an Article 6 lawful basis.

UK GDPR

The retained version of EU Regulation 2016/679 as it forms part of UK domestic law by virtue of the European Union (Withdrawal) Act 2018, as supplemented and modified by the Data Protection Act 2018.