Privacy Policy

Last updated: 5 May 2026

This Privacy Policy explains how Rugga ("we", "us", "the app") collects, uses, stores, and shares personal data when you use the Rugga mobile and web applications.

Rugga is operated by Rugga Limited, a company registered in England and Wales (Company No. 17249798). Contact: hello@rugga.app.

We are the data controller for the personal data described in this policy.

1. What we collect

1.1 You give us directly

• Account info: email, password (hashed and never visible to us in plain text), display name.
• Profile info: rugby playing position, training goals, equipment access, gym days per week, match day, kickoff time, current injuries (optional), bodyweight (optional).
• Club affiliation: the club you join (or create), and your role within it (member / vice-captain / captain).
• Workout data: completed sets, weights lifted, exercises performed, session duration, notes you add to exercises.
• Nutrition data (if you opt in): meals logged, water intake, daily macro targets.
• Photos: profile picture, club badge (if you're a captain), photos attached to feed posts.
• Match readiness check-ins: your morning self-rated readiness score.
• Social posts: text and photos you post to your club's squad feed; likes and comments on others' posts.
• Challenges you create or accept: PvP and squad-vs-squad challenges, the metric chosen, and your scores.

1.2 Collected automatically

• Device info: device type, operating system version, app version (used for crash reporting and compatibility).
• Usage analytics: anonymised, aggregated data about which features are used.
• Crash reports: stack traces when the app crashes (no personal data attached).

1.3 Payment data (only if you subscribe)

We do not see or store your payment card details. All payment processing is handled by Apple (App Store), Google (Play Store), or Stripe (web/club). We receive only subscription status, billing period dates, and a payment provider customer ID.

2. How we use it

• Provide the app's core features (workouts, programmes, club feed, nutrition tracking) — performance of contract.
• Send transactional emails (password reset, account deletion confirmation, trial-ending reminders) — performance of contract.
• Personalise your training programme recommendations — performance of contract.
• Show you to your club's squad feed and leaderboards — performance of contract.
• Improve the app via anonymised analytics and crash reports — legitimate interest.
• Detect abuse and prevent fraud — legitimate interest.
• Marketing emails — consent only (unsubscribe anytime).

We do not sell your data. We do not run third-party advertising in the app.

3. Who sees your data

• Other members of your club can see: your name, profile picture, position, workout activity, leaderboard rank, and challenge scores.
• Your captain can additionally see: your role within the club and (for captain-paid seat packs) which seat slot you occupy.
• Players you've challenged in PvP can see your challenge progress.
• Anyone in the app can see your username and rank if you opt in to the global leaderboard. (You can opt out anytime.)

We share data with these third-party processors:

• Supabase (database / auth / storage) — EU (Frankfurt)
• RevenueCat (subscription management) — US
• Apple App Store (iOS payments) — US / your region
• Google Play (Android payments) — US / your region
• Stripe (web / club payments) — UK / EU
• Expo / EAS (push notifications) — US

All processors are bound by data processing agreements. We do not transfer your data to any other third party.

4. International transfers

Some processors (RevenueCat, Apple, Google, Expo) are based in the US. Where personal data is transferred outside the UK / EEA, we rely on the EU-US Data Privacy Framework and Standard Contractual Clauses approved by the UK Information Commissioner's Office. You can request copies of these safeguards by emailing hello@rugga.app.

5. How long we keep your data

• Active accounts: held for as long as your account is active.
• Deleted accounts: soft-deleted immediately on request, hard-deleted within 30 days. Anonymised aggregate data may be retained indefinitely.
• Backups: may persist up to 30 days after deletion before being permanently overwritten.
• Payment records: retained for 7 years to comply with UK tax law (HMRC).

6. Your rights (UK GDPR)

You have the right to:

• Access your data — email us, we'll provide a copy within 30 days.
• Correct inaccurate data — most fields are editable in-app under Profile → Settings.
• Delete your account and data — in-app via Profile → Settings → Delete Account.
• Restrict processing while we investigate a query.
• Object to processing based on legitimate interests.
• Data portability — receive your data in JSON on request.
• Withdraw consent for marketing emails anytime.

You can complain to the UK Information Commissioner's Office at ico.org.uk.

7. Children

Rugga is intended for users aged 16 and over. We do not knowingly collect data from children under 16. If you believe a child has registered an account, email hello@rugga.app and we'll delete it.

8. Security

• TLS encryption in transit between your device and our servers.
• Encryption at rest in our database (Supabase).
• Row-level security policies preventing users from accessing each other's data without permission.
• Private storage buckets with signed-URL access — your photos are not publicly indexed.
• Regular dependency updates and security patching.

No system is 100% secure. If you suspect your account has been compromised, change your password immediately and email hello@rugga.app.

9. Cookies (web only)

On the web version of Rugga (rugga.app), we use strictly necessary cookies for authentication and session management, and anonymised analytics cookies you can opt out of. We do not use advertising cookies or third-party tracking cookies.

10. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via in-app notification and email at least 30 days before they take effect.

11. Contact

For any privacy questions, data requests, or complaints, email hello@rugga.app. We respond within 5 working days, and to formal data requests within 30 days as required by UK GDPR.