Rhythmo Privacy Policy
Effective date: 4 May 2026
Last updated: 19 May 2026
Rhythmo ("Rhythmo", "we", "us", "our") is operated by S-Labs AI Pty Ltd (ABN: 28 675 317 110).
This Privacy Policy explains how we collect, use, store, disclose, and protect your personal information, including health and fitness data, when you use the Rhythmo mobile app and related services.
We are committed to handling personal information in accordance with applicable privacy laws, including the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles, and relevant health privacy requirements where applicable.
By using Rhythmo, you acknowledge this Privacy Policy.
1. Scope
This Privacy Policy applies to:
The Rhythmo mobile app;
Our related backend services and infrastructure; and
Data we collect directly from you or via Apple Health (with your permission).
2. Data We Collect
A. Account and profile data
When you create or manage an account, we collect:
Email address;
Full name;
Preferred name (optional);
Account user ID;
Password (stored as a secure hash);
Consent settings (for example, study consent and optional future research contact preference);
Account and consent timestamps.
B. Health and fitness data (from Apple Health)
With your explicit permission, Rhythmo reads selected Apple Health data, currently:
Activity metrics, including step count, workout metrics, and basal energy burned;
Body temperature;
Electrodermal activity;
Heart rate and heart rate variability;
Menstrual cycle metrics;
Respiration metrics;
Sleep metrics, such as duration and start and end times.
From those records, Rhythmo derives and stores daily summary metrics, including:
Daily resting heart rate estimate;
Sleep duration, start and end timing summaries;
Cycle and chronotype insights generated from these summaries.
These metrics are stored locally on your device and may be synced to our backend databases.
Rhythmo may also store higher-frequency health samples, such as heart rate, step count, and sleep-related samples, in backend storage. These archives support syncing, backup, data export/deletion, service reliability, and research or analytics where permitted by user consent settings.
C. App usage, sync, and technical data
We process operational and security data such as:
API request metadata (for example, timestamps and response status);
Sync event metadata (for example, rows processed/updated/unchanged);
Diagnostic and reliability information needed to run and secure the service.
D. Optional user-provided logbook content
Rhythmo includes optional logbook features. If you use these features, we may collect and store:
Logbook dates and event times;
Tags, tag labels, tag colours, and tag changes;
Logged events;
Any notes you choose to enter.
Logbook content is stored locally on your device and may also be synced to our backend storage.
E. Storage and encryption
Daily summary metrics, higher-frequency health samples, and logbook archive data are stored in private AWS infrastructure that is encrypted at rest. All data is transmitted between the app and backend over encrypted HTTPS/TLS connections. This storage is not end-to-end encrypted. This means authorised Rhythmo backend systems may decrypt and process the data where necessary to provide application services; to support syncing, backup, and account export and deletion; and to perform analytics or support research use, as described in this policy and user consent processes.
3. How We Use Data
We use data to:
Provide core app functionality;
Authenticate your account and keep your account secure;
Read Apple Health data you authorize and generate insights;
Sync daily summary metrics with our backend;
Sync and archive health samples and logbook content;
Maintain backups, account export, and account deletion processes;
Maintain and improve app performance, reliability, and security;
Provide support and respond to requests;
Support optional research activities only where you have consented;
Analyse usage of structured health and logbook data where permitted; and
Comply with legal obligations.
4. Apple Health / HealthKit-Specific Disclosures
Rhythmo is designed for health and fitness purposes and uses Apple Health data only for those purposes.
In line with Apple requirements:
We request Health access only with your permission;
We do not use HealthKit-derived data for advertising, marketing, or use-based data mining;
We do not sell HealthKit-derived data;
We do not disclose HealthKit-derived data to third parties except as needed to provide our service, where required by law, or where you explicitly consent.
You can revoke Health permissions at any time in Apple Health / iOS privacy settings. If you revoke access, related features may be limited.
5. Data Sharing and Disclosure
We may disclose information to:
Service providers who support hosting, infrastructure, security, analytics, and service delivery;
Professional advisers (for example, legal/accounting) where required;
Regulators, law enforcement, or government authorities where required by law;
Other parties with your consent.
We require service providers handling personal information on our behalf to apply appropriate confidentiality and security controls.
We do not sell personal information to data brokers.
6. Data Retention
We retain personal information only for as long as reasonably necessary for the purposes in this Policy, including legal, accounting, dispute-resolution, and security needs.
Retention examples:
Account and profile data: retained while your account is active;
Synced daily health summaries and sync logs: retained while needed for service functionality and compliance;
Local device data: retained on your device until deleted by you, app reset, or account deletion flows that remove local scoped data.
When you request account deletion, we delete or de-identify relevant backend account data, unless retention is legally required.
7. Security
We implement reasonable technical, administrative, and organizational safeguards to protect information from unauthorized access, disclosure, alteration, and loss.
No system is completely secure. You are responsible for keeping your credentials confidential and notifying us of suspected unauthorized account use.
8. International Processing
We currently configure our core AWS-hosted backend infrastructure to operate in Australian regions.
Some service providers or support functions may involve limited processing from other Asia-Pacific locations. Where required, we use safeguards designed to protect personal information in cross-border processing.
If our likely overseas recipient locations materially change, we will update this Privacy Policy.
9. Your Rights and Choices
Depending on applicable law, you may have rights to:
Access personal information we hold about you;
Request correction of inaccurate information;
Request deletion of your account and associated backend data;
Withdraw optional consents;
Request a copy/export of your account data.
Rhythmo currently provides in-app account export and account deletion functionality.
Account deletion requests can also be submitted outside the app by emailing rachel@s-labs.com with the subject line "Account Deletion Request".
This option is provided for users who cannot access the app (for example, after uninstalling).
10. Minors and Capacity to Consent
Rhythmo is intended for users aged 18 and over. If we become aware that personal information has been provided by a person under 18, we may suspend or terminate the account and delete or de-identify relevant personal information, unless we are required to retain it by law.
A parent or guardian may contact us using the details below to request review or deletion.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will update the "Last updated" date, and where required we will provide additional notice.
12. Privacy Complaints
If you believe we have mishandled your personal information or breached applicable privacy laws, please contact us with details of your complaint.
We will acknowledge privacy complaints within a reasonable period (generally within 7 business days) and aim to provide a substantive response within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
13. Contact Us
For privacy requests, complaints, or questions:
S-Labs AI Pty Ltd
Data Compliance Manager
Email: rachel@s-labs.com