Privacy Policy - Revorg Group AB
Version 1.0
Last updated: 15 August 2025
Privacy at a Glance
We don't require an account. Most of your data stays on your phone.
Your Health data is private. If you connect a health service like Apple Health or Google Fit, your information is processed on your device. We never upload it to our servers or use it for ads.
You are in control. You choose whether to consent to optional features like analytics and ads, and you can change your mind at any time in the app's settings.
We don't sell your data. We only share data with trusted partners who help us operate and improve our services, as explained in this policy.
Company
Revorg Group AB, org.nr 559421-1053
Registered address:
Fredens Torg 4b, LGH 1801, Stockholm, 17 453, Sundbyberg, Sweden
Contact: wecare@revorg.se
Scope
This Privacy Policy applies to all consumer-facing products and services from Revorg—present and future—including our iOS, Apple Watch, and Android applications, and any websites, notifications, in-app messages, and related services (the "Services"). We make our Services available worldwide. If a product needs extra detail (e.g., future user accounts), we will issue a product-specific supplement that works with this Policy.
Legal framework. We process personal data under the EU General Data Protection Regulation (GDPR) and Swedish complements (including the Act on Electronic Communications (LEK) for cookies/SDKs).
1) Personal data we process
We design our apps so that most data stays on your device. Depending on how you use the Services (and only if you enable a given feature), we may process:
Diagnostics & usage: app events, crash logs, device/OS info, language, time zone, IP address (used to determine approximate location for aggregated analytics and to ensure service security).
Purchases: subscription status/receipts via app stores (e.g., Apple App Store, Google Play Store), which act as independent controllers.
Marketing/ads (optional): advertising identifiers and campaign/attribution data (e.g., Meta SDK); mediation/partner identifiers via ironSource/Unity LevelPlay when ads are shown and consented.
Notifications: local push reminders (e.g., workout prompts).
Health & Wellness Data (if you enable it): With your explicit permission, our apps may interact with health platforms on your device (such as Apple Health or Google Fit). This may include workout sessions you start/finish and selected metrics—heart rate, active energy/calories, distance, step count, and workout routes/GPS/location. Processing is on device; we do not upload this data to our servers and do not use it for advertising.
Future optional account data (if we later add sign-in with Firebase Authentication): basic profile and authentication identifiers.
We obtain data from your device/browser (including via SDKs), from app stores for purchases, and from our processors operating analytics, crash reporting, consent, mediation, and hosting.
2) Purposes and legal bases
We process personal data only where a lawful basis applies:
Operate the Services (core functionality, local pushes, purchases, support) - Contract (GDPR Art. 6(1)(b)).
Diagnostics & security (stability, crash analysis, fraud/abuse prevention) - Legitimate interests (Art. 6(1)(f)) and, where applicable, legal obligations.
Analytics & product improvement (understanding usage to improve UX) - Legitimate interests or consent where e-privacy/LEK requires it for non-essential SDKs on apps/web.
Marketing/attribution & ads (optional) - Consent in the EEA/UK; we pass your choices via a Google-certified consent management platform that integrates with IAB TCF v2.2 (Google UMP).
Compliance (tax/accounting, lawful requests) - Legal obligations; certain records are typically kept 7 years under Swedish bookkeeping rules.
Meta attribution. If implemented, the Meta SDK is initialized for campaign measurement and will only run in the EEA/UK after you have given consent.
Children (Sweden). If we ever rely on consent for information-society services offered directly to children in Sweden, a child can consent from age 13; below that, parental consent is required. We do not design our Services for children under 13 and do not knowingly collect their data.
Health & Wellness Data. Any health data you choose to read/write is processed on your device under the respective platform's permission system (e.g., Apple Health, Google Fit). We do not use this data for advertising, do not sell it, and do not transfer it to our servers. See "Health & Wellness Data" below.
3) Cookies & SDKs (apps and any websites)
We and our partners may use SDKs/cookies and similar technologies to run the Services, measure usage, and—if you allow it—serve or measure ads. In the EEA/UK, we seek informed consent for non-essential technologies under LEK/e-privacy. You can manage or withdraw consent at any time via the in-app Consent Settings (Google UMP) or our website Cookie Settings; your choices propagate to participating ad/measurement vendors under IAB TCF v2.2.
Examples of SDKs (subject to change and your consent where required): Firebase Analytics & Crashlytics (Google), ironSource/Unity LevelPlay mediation (with participating ad networks), Meta SDK (attribution if enabled), and Firebase Remote Config/Firestore (read-only app configuration; no write access from user devices).
4) Health & Wellness Data (e.g., Apple Health, Google Fit)
If you enable integrations with health platforms, our apps may read from or write to those services on your device:
Processing happens on your device under the platform's specific permission framework.
We do not upload Health & Wellness data to our servers or use it for advertising or profiling.
You can revoke permissions anytime in your device's health or app settings.
We follow the respective platform's developer privacy requirements (e.g., Apple HealthKit Human Interface Guidelines, Google Fit Developer and User Data Policy).
Health data types we may access (only if you grant permission): workout sessions (start/stop), heart rate, active energy/calories, distance, step count, and workout routes (GPS/location).
5) Sharing of personal data
We share personal data only as needed:
Processors: hosting, analytics/crash reporting, consent/CMP (Google UMP), ad-mediation (ironSource/Unity LevelPlay) and participating ad networks. (LevelPlay can forward your consent status to integrated networks.)
Payment & app stores: Apple App Store, Google Play Store, etc. (independent controllers).
Legal/disclosure recipients: to comply with law, enforce terms, or protect rights/safety.
Business transfers: in a merger, acquisition, or restructuring, with appropriate protections.
6) International data transfers
Some providers are outside the EEA/UK (e.g., Apple commerce infrastructure; Google/Firebase; ad-mediation partners). We use appropriate safeguards, including recipients certified under the EU-US Data Privacy Framework and/or the EU Standard Contractual Clauses (SCCs) with supplementary measures.
7) Data retention
We keep personal data only as long as needed or required by law. Because we do not currently offer user accounts, defaults are:
Analytics & ad/attribution data (subject to consent): retained while consent remains active, then stopped/deleted according to partner settings.
Crash/stability logs: retained for the minimal period needed for diagnostics and deleted when no longer necessary.
Purchase/transaction evidence: retained as needed for accounting/tax (typically 7 years in Sweden).
If you withdraw consent, we will honor it and instruct relevant partners via CMP/SDK signals.
8) Your rights
Under the GDPR you can access, rectify, erase, restrict, object (including to processing based on legitimate interests), port your data, and withdraw consent at any time (without affecting past processing). To exercise rights, contact wecare@revorg.se. You may also lodge a complaint with IMY (the Swedish Authority for Privacy Protection).
9) Security
We apply technical and organizational measures appropriate to risk, including encryption in transit, encrypted on-device storage, access controls, and vulnerability management. No system is perfectly secure; we maintain incident-response procedures and will notify you and regulators of personal-data breaches when required by law.
10) Children
Our Services are not directed to children under 13. If we learn that we have inadvertently collected personal data from a child under 13 without appropriate consent, we will delete it. If we later offer features directed at children, we will implement age-gating and parental-consent controls consistent with Swedish/EU law.
11) Changes to this Policy
We may update this Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. The updated version will be indicated by a revised "Last updated" date and the new version will be effective as soon as it is accessible. We will post the updated Privacy Policy here.
For any material changes, we will notify you through the app or other reasonable means and, where required by law, we will obtain your consent.
Annex A - Retention schedule (current app)
Data category: Typical retention
Analytics & ad/attribution (subject to consent): While consent is active, then stopped/deleted per partner settings
Crash/stability logs: Minimal period needed for diagnostics, typically up to 90 days; deleted when no longer necessary
Consent and opt-out records (CMP): As needed to demonstrate compliance
Purchase/transaction evidence (our records): 7 years (accounting/tax)
Health & Wellness Data: On device only; not stored on Revorg servers
Annex B - SDKs & partners (initial list)
Firebase Analytics & Crashlytics (Google LLC) - diagnostics/usage analytics and crash reporting. Legal basis: consent in EEA/UK for analytics; legitimate interests or essential uses for stability where applicable (subject to LEK). Controls: in-app consent (Google UMP), device settings.
Google UMP (Consent Management Platform) - presents consent UI and sends IAB TCF v2.2 signals; Google requires a Google-certified CMP for personalized ads in EEA/UK.
ironSource/Unity LevelPlay (ad mediation) - mediates ad networks; forwards consent to supported networks via APIs/TCF signals. Legal basis: consent (EEA/UK).
Meta SDK (attribution/ads, if enabled) - initialized for campaign measurement only; runs in EEA/UK after consent.
Firebase Remote Config & Firestore (EU/US regions) - fetch read-only app configuration; no write access from user devices. (This allows us to update app settings, like workout plans or feature availability, without you needing to update the app itself.)
We will keep this Annex updated as SDKs/partners change.
Annex C - International & regional notes
Data transfers to the U.S. and other third countries. We use the EU-US Data Privacy Framework where the recipient is certified, and SCCs otherwise.
United Kingdom. "GDPR" includes the UK GDPR and the Data Protection Act 2018; UK residents may contact the ICO.
United States (where applicable). For states with consumer-privacy laws, we offer opt-out of targeted advertising via in-app settings and honor supported opt-out signals.