Privacy Policy
Last updated: June 9, 2026
We built Ryli so we wouldn’t need to collect much from you. The app works entirely on your device by default. If you choose to sign in, this policy explains exactly what syncs, where it lives, and how to delete it.
1. Who we are
Ryli is built and operated by Hung Le Ngoc, an independent developer (“we,” “us”). For the purposes of the EU and UK General Data Protection Regulation (GDPR), that individual is the data controller responsible for the personal data described here. You can reach the controller anytime at [email protected].
2. What we collect
We collect as little as we can while still letting the app work. Here’s the honest breakdown.
Stored locally on your device only
- Your alarms, missions, and difficulty settings
- Your streak and consistency score
- App preferences (sound, theme, snooze duration)
- Photos taken to complete Sky Photo and Object Hunt missions — held in memory only for the duration of the mission, analyzed on-device by Apple’s Vision framework, then discarded. Never written to disk, never saved to your Photos library, and never uploaded — not even when you sign in.
Synced to your Ryli account — only if you sign in with Apple
If you never sign in, nothing below leaves your device. When you do sign in, we store and sync:
- Your Apple user ID — the stable, app-specific identifier Apple gives us through Sign in with Apple. It is not your name, and not your email unless you choose to share a relay address.
- Your alarms, missions, and settings
- Your streak and consistency stats
- Your usage-event history. Before you sign in, these events are tied only to a random device identifier; once you sign in, they are associated with your Apple user ID so your account is consistent across devices.
Used for advertising measurement — only if you allow tracking
- Your device advertising identifier (IDFA), along with basic install and device signals. We read these only if you allow tracking when iOS shows you the App Tracking Transparency prompt. If you decline, none of this is collected and we fall back to Apple’s aggregated SKAdNetwork (see Advertising measurement).
Received by Apple, not by us
- Standard App Store subscription data — handled per Apple’s privacy policy, not ours.
3. Accounts & sync (Sign in with Apple)
Ryli works fully without an account. Signing in is optional — it exists so your alarms, missions, settings, and stats can follow you across your devices.
When you choose Sign in with Apple, Apple gives us a stable user identifier for you (and, only if you allow it, a private relay email). We use it to create your Ryli account and to sync the data listed above. We never receive or store your Apple ID password. You stay signed in until you sign out or delete your account.
4. Why we process it
Under the GDPR we rely on the following legal bases:
- Performance of a contract. To provide the app and the cross-device sync you asked for when you signed in.
- Legitimate interests. To keep accounts secure, prevent fraud and abuse, and measure our own ad campaigns at an aggregate level through Apple’s privacy-preserving SKAdNetwork (see Advertising measurement).
- Consent, where it applies — for example, allowing tracking through the App Tracking Transparency prompt so we can measure which campaigns drive installs using your advertising identifier, and the optional, anonymous usage events you can opt into. You can withdraw this consent anytime in iOS Settings.
Under the California Consumer Privacy Act (CCPA/CPRA), we do not sell your personal information for money. If you allow tracking through the ATT prompt, we share your advertising identifier with advertising networks for cross-context behavioral advertising measurement. Declining the prompt — or turning tracking off in iOS Settings — is your opt-out (see Advertising measurement).
5. Who processes data for us
We keep our list of third parties short, and each one acts only on our instructions under a data processing agreement:
- Supabase, Inc. — hosts your synced account data (Apple user ID, alarms, missions, settings, and stats) on infrastructure located in the United States. Supabase privacy policy.
- Apple Inc. — provides Sign in with Apple and App Store subscription billing.
- AppsFlyer Ltd. — measures which of our ad campaigns drive installs. It processes basic install and device signals, and your advertising identifier (IDFA) only if you allow tracking. It never receives the content of your alarms, missions, photos, or synced account data (see Advertising measurement). AppsFlyer privacy policy.
- Advertising networks we run campaigns on — such as Meta, TikTok, and Google. If you allow tracking, AppsFlyer shares the install-attribution result, including your advertising identifier, with the network that drove your install so it can measure its own campaigns. They receive nothing if you decline tracking, and never receive the content of your alarms, missions, photos, or synced account data.
6. International data transfers
Your synced account data is stored in the United States. If you are in the European Economic Area, the United Kingdom, or Switzerland, this means your personal data is transferred outside your home region. Where that happens, we rely on appropriate safeguards — the Standard Contractual Clauses and our processors’ data processing agreements — to keep your data protected to the standard the law requires.
If you allow tracking, the advertising-measurement data handled by AppsFlyer and the ad networks we work with may also be processed outside your home region. The same safeguards apply.
7. What we don’t collect
Whatever you choose at the App Tracking Transparency prompt, we never collect, sell, or share any of the following:
- Your location
- Your contacts
- Third-party in-app behavioral analytics — no Google Analytics, Firebase Analytics, or similar SDKs that profile what you do inside the app
- A behavioral advertising profile that we build about you — the advertising identifier, when you allow tracking, is used only for install attribution (see Advertising measurement)
- Health, fitness, or biometric data
- The content of your mission photos — it never leaves your device
- Your personal information sold to data brokers for money
And if you decline the App Tracking Transparency prompt, we never read your advertising identifier (IDFA) at all.
8. Advertising measurement
Ryli shows no ads. There is no advertising anywhere inside the app, and we never sell ad space against your attention. We do, however, run our own ads elsewhere (for example, the App Store and social platforms) to help people discover Ryli.
To understand which of those campaigns actually bring people in, we use the AppsFlyer mobile measurement SDK for install attribution. How much information this involves is your choice, and it comes down to one prompt.
The App Tracking Transparency prompt. iOS shows you Apple’s App Tracking Transparency (ATT) prompt asking whether Ryli may track you. Your answer controls everything below, and you can change it anytime in iOS Settings → Privacy & Security → Tracking.
- If you allow tracking, AppsFlyer may read your device advertising identifier (IDFA) and use it, with basic install and device signals, to match your install to the campaign that drove it. That attribution result — including the advertising identifier — is shared with the advertising network you came from (such as Meta, TikTok, or Google) so it can measure its own campaign. Under California law this counts as “sharing” for cross-context behavioral advertising.
- If you decline, or take no action, we do not read your advertising identifier and nothing is linked to your identity across other companies’ apps. We fall back to Apple’s privacy-preserving SKAdNetwork, which reports only aggregated, campaign-level install numbers — never that you specifically installed.
Either way, the measurement data is limited to what is needed for install attribution and basic fraud prevention. It never includes the content of your alarms, missions, photos, or synced account data, and we never build a behavioral profile about you or sell your data to data brokers. For details, see the AppsFlyer privacy policy.
9. Alarm permission (AlarmKit)
Ryli uses Apple’s AlarmKit to schedule and ring alarms — the same system Apple Clock uses. The first time you create an alarm, iOS prompts you for alarm permission. This permission lives in iOS, not with us; we only receive whether you granted or denied it so the app knows whether it can schedule.
You can change this anytime in iOS Settings → Ryli → Alarms.
10. Camera access
We ask for camera access so the Sky Photo and Object Hunt missions can verify you completed them. Each image is held in memory only, analyzed on your device using Apple’s Vision framework, and discarded as soon as the mission finishes. Nothing is written to disk, saved to Photos, or uploaded to our servers — signing in does not change this.
11. Notifications
Ryli does not request push notification permission and does not operate a push notification server. The alarm ring itself is handled by AlarmKit on your device, not by a notification — signing in does not change this.
12. Subscription data
Subscriptions are billed by Apple through your Apple ID. We receive only the receipt information Apple provides for entitlement verification (subscription status, plan, and renewal date). We never receive your payment card details.
13. Retention & deleting your account
- Local data stays on your device until you delete the app.
- Synced account data is kept only for as long as your account exists. We do not retain it longer than we need to provide the service.
You can delete your account at any time under Settings → Account → Delete Account — see our Delete account page. When you do, we (1) revoke the Sign in with Apple token through Apple’s token-revocation endpoint, severing the link between your Apple ID and Ryli, and (2) hard-delete all of your server-side personal data — a permanent erase, not a hidden flag. Any other devices you’re signed in on clear their session automatically the next time they sync. Deletion is irreversible.
14. Children
Ryli is not directed to children under 13 (or the equivalent minimum age in your jurisdiction) and we do not knowingly collect personal information from them. If you believe a child has provided personal information, contact us and we will delete it.
15. Your rights (GDPR & CCPA)
Depending on where you live, you have rights over your personal data.
If you are in the EEA, UK, or Switzerland (GDPR), you have the right to access, rectify, erase, port, restrict, or object to the processing of your personal data, and to withdraw consent where processing is based on it. You also have the right to lodge a complaint with your local data protection supervisory authority.
If you are in California (CCPA/CPRA), you have the right to know what personal information we collect and why, to delete it, to correct it, and to opt out of its sale or sharing. We do not sell or share your personal information, and we will never discriminate against you for exercising any of these rights.
How to exercise them:
- Access & correct: Most of your data is in the app — open it to view and edit your alarms, missions, and settings directly.
- Delete: Use Settings → Account → Delete Account in the app, or the Delete account page, to erase your synced data and revoke your sign-in. Delete the app to remove local data.
- Anything else — including access, portability, or restriction requests: email [email protected] and we’ll respond within the timeframe the law requires.
16. Contact
Privacy questions or requests, including anything addressed to the data controller: [email protected].
17. Changes to this policy
If we make material changes, we’ll show an in-app banner before the changes take effect and update the “Last updated” date at the top of this page. Older versions are available on request.