Legal

Privacy Policy

Last updated: 1 March 2026

Our commitment

Your recovery data is deeply personal. Renovyn is built on a simple principle: your data belongs to you. We will never sell, share, or monetise your personal information. Period.

Health data under UK GDPR (Article 9)

Addiction recovery data is classified as special category health data under UK GDPR Article 9. We process this data only with your explicit consent, provided when you create an account and configure your addiction profiles. You can withdraw this consent at any time by deleting your account.

What we collect

  • Account information: email address, display name, and authentication credentials.
  • Recovery data: addiction profiles, daily check-in responses, streak information, and journal entries.
  • Location data: danger zone coordinates and proximity alerts. Location data is processed on-device where possible and only transmitted when required for geofencing functionality.
  • Financial data: if you use the debt tracker, we store aggregate debt amounts and payoff progress. We never access bank account details directly unless you opt in to open banking integration.
  • Usage analytics: anonymised, aggregated usage patterns to improve the product. These cannot be linked back to individual users.

Data minimisation

We collect only what is necessary to provide the service. We do not require your real name. We do not track browsing activity outside the app. We do not build advertising profiles. Features like the journal are stored with end-to-end encryption — we cannot read your entries.

Accountability partners

When you add an accountability partner, they receive traffic-light status signals (green, amber, red) based on your check-in patterns. Partners never see your journal entries, specific check-in answers, danger zone locations, or financial data. This is accountability, not surveillance.

Journal privacy

Journal entries (text and audio) are encrypted at rest and in transit. They are never shared with accountability partners, never used for analytics, and never accessible to Renovyn staff. If you delete a journal entry, it is permanently removed from our systems within 30 days.

Location data

Danger zone geofencing requires location access. We process proximity calculations on your device whenever possible. When server-side processing is required (e.g., for partner alerts), we use only the minimum data needed: whether you are near a zone, not your continuous location. You can disable location features at any time without losing other functionality.

Data retention and deletion

You can export your data at any time (Pro plan). You can delete your account at any time, which triggers permanent deletion of all personal data within 30 days. Anonymised, aggregated statistics may be retained for research purposes.

Third parties

We use the following third-party services to operate Renovyn:

  • Convex — database and backend infrastructure
  • WorkOS — authentication
  • Stripe — payment processing (we never see your full card number)
  • Resend — transactional email delivery

Each provider is contractually bound to process your data only as instructed by us, in compliance with UK GDPR.

Your rights

Under UK GDPR, you have the right to: access your data, rectify inaccurate data, erase your data, restrict processing, data portability, object to processing, and withdraw consent. To exercise any of these rights, contact privacy@renovyn.io.

Contact

For privacy-related enquiries, email privacy@renovyn.io. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.