Rylu legal

Privacy Policy

Last updated: 28 March 2026

This explains what personal data Rylu collects, why we collect it, and how we handle it. Plain English throughout. If something isn't clear, contact us at privacy@rylu.app.

Who controls your data

The data controller for Rylu is [INSERT LEGAL ENTITY], registered in [INSERT COUNTRY]. Address: [INSERT ADDRESS].

For all privacy questions and rights requests: privacy@rylu.app

Data we collect

Depending on how you use Rylu, we may hold:

  • Account data — your email address and account identifier.
  • Authentication records — sign-in sessions and one-time login link tokens.
  • Plan activity— prompts you've entered, plans generated, plans saved, feedback given, and progress history.
  • Preferences — budget, vibe, preferred times, and plan style settings.
  • Location data — coordinates, area labels, or search radius, when you actively choose to share your location.
  • Subscription data — your Pulse subscription status and Stripe references needed to manage access.
  • Usage and analytics data — page and feature usage, only when you have allowed analytics in your cookie preferences.

How we collect it

  • Directly from you when you use the app, save plans, or update preferences.
  • When you request a magic-link sign-in email.
  • From your browser when you grant location permission.
  • From Stripe event webhooks, to keep subscription status accurate.
  • From service logs and, where consented, analytics tools.

Why we use it

  • To run the service and generate plan suggestions.
  • To keep your account signed in and secure.
  • To save your plans, history, and preferences.
  • To manage Pulse subscriptions and premium feature access.
  • To send sign-in emails and service messages you request.
  • To understand usage, diagnose issues, and improve Rylu.
  • To detect and prevent abuse or fraud.

Lawful bases

Where UK data protection law applies, we rely on:

  • Contract — to deliver features you request: accounts, saved plans, and Pulse subscription access.
  • Legitimate interests — to secure, maintain, and improve the service in a proportionate way.
  • Consent — for optional analytics, and for browser location access.
  • Legal obligation — where we must keep records or respond to lawful requests.

Location and preferences

Rylu only uses your device location after you actively share it. We use it to surface nearby options and personalise relevance. If you save location settings, those values are stored in your account profile.

Saved plans, history, and improvement

Rylu may use your saved choices, preferences, and engagement patterns to improve the relevance of future suggestions and overall product quality over time.

Subscriptions and payment

Paid subscriptions are handled by Stripe. Rylu stores your subscription status and Stripe identifiers to manage access. Card details are handled directly by Stripe and are not stored by Rylu.

Cookies and similar technologies

Rylu uses cookies and browser storage for session security, app continuity, and analytics (where consented). See the Cookie Policy for details.

Service providers

We use third-party providers to operate Rylu. Each receives only the data needed for their specific role:

  • Vercel — hosting, serverless infrastructure, and (where consented) product analytics.
  • Stripe — subscription billing, payment processing, and the customer billing portal.
  • Resend — transactional email delivery for sign-in links and service messages.
  • OpenStreetMap services (Nominatim / Overpass) — location lookups and nearby place data used to generate suggestions. Queries are point-in-time and are not stored by those services on our behalf.
  • PostgreSQL / Neon — the database that stores your account data, saved plans, and preferences, accessed via Prisma.

International transfers

Some providers may process data outside the UK. Where that occurs, we use provider-level safeguards and contractual controls appropriate for cross-border processing.

Retention

Different categories of data are kept for different periods, depending on account status, legal obligations, security needs, and operational requirements:

  • Short-lived security records (such as magic-link tokens) expire automatically after a brief window.
  • Account data and saved plans are held for as long as your account is active.
  • After account deletion, we may retain minimal records for legal, security, or dispute resolution purposes — typically for no longer than is necessary.
  • Anonymised or aggregated data may be retained for longer periods.

Your rights

Depending on your circumstances and applicable law, you may have the right to:

  • access a copy of your personal data;
  • correct inaccurate or incomplete data;
  • request deletion of your data in certain circumstances;
  • object to or restrict certain processing;
  • request a portable copy of data you have provided to us.

To exercise any of these rights, email privacy@rylu.app. Please include your name, the email address linked to your Rylu account, and a description of your request. We may need to verify your identity before acting — we will let you know if that applies and what we need.

Complaints

If you are unhappy with how we have handled your data, contact us first at privacy@rylu.appand we will do our best to resolve it. You can also contact the UK Information Commissioner's Office (ICO) if you believe your data has been handled unlawfully or unfairly.

Changes

We may update this policy as Rylu evolves. We will post the updated version here and revise the date shown above.

Your cookie choices

Rylu uses essential cookies and local storage to keep sign-in sessions, saved plans, and your in-app memory working. We also use analytics to understand what is useful and improve the app. You can accept analytics, reject non-essential use, or choose now in settings.

Read our Cookie Policy.