Ritmo Privacy Policy

1. Who We Are, Scope, and Contact Channels

1.1. This Policy describes how RITMO APLICATIVO LTDA, registered under CNPJ No. 63.677.137/0001-03, with its registered office at Rua Pais Leme, 215, Suite 1713, Pinheiros, São Paulo, SP, ZIP Code 05424-150 (Brazil), processes personal data through the Ritmo Platform, which comprises:

• (a) the Ritmo application
• (b) the website and related pages

1.2. For purposes of Law No. 13,709/2018 (LGPD — Brazil's data protection law), Ritmo acts, as a general rule, as the Controller of the personal data processed to operate the Platform.

1.3. Privacy channel: privacidade@appritmo.com

1.4. User support channel: suporte@appritmo.com

2. Definitions

2.1. Personal data: any information relating to an identified or identifiable natural person.

2.2. Sensitive personal data: data concerning health or sexual life, among other categories set out in the LGPD.

2.3. Processing: any operation performed with personal data, such as collection, use, access, storage, sharing, deletion, and anonymization.

2.4. Processor: a natural person or legal entity that processes personal data on behalf of Ritmo, under our instructions.

3. Data We Collect

3.1. Account and authentication data

• (a) email address
• (b) password, stored in protected form by the authentication provider
• (c) username (nickname), where applicable, for use in the community

3.2. Profile photo (optional)

Image voluntarily submitted to compose the user profile.

3.3. Onboarding responses, which may include sensitive data

We collect onboarding responses to personalize content and training routines. Some responses may reveal sensitive personal data related to health and sexual life. The current onboarding data list is set out in Annex I.

3.4. Community

Content and interactions published by the user, such as posts, comments, and reactions. Content you choose to publish may reveal sensitive data at your own initiative.

3.5. Technical and security data (logs)

• (a) IP address
• (b) date and time of access
• (c) technical information about the device and browser, particularly on the website

3.6. Payments and subscription (Asaas)

Subscription payments are processed through Asaas, outside the app stores. Asaas may collect and process the data required for billing, fraud prevention, and compliance with legal obligations — such as name, tax identification number, email address, phone number, and address, as applicable to the chosen payment method.

Ritmo receives only the minimum information needed to confirm and manage the subscription, such as payment status, plan, dates, and technical identifiers, without access to full card details.

3.7. Cookies and pixels on the website

On the website, we may use cookies and similar technologies for:

• (a) operation and security
• (b) performance measurement and improvement
• (c) marketing and campaign attribution, when enabled by the user

These technologies may collect online identifiers and browsing data.

4. How We Use Data and Legal Bases

4.1. Purposes

• (a) creating and managing your account and authentication
• (b) delivering and personalizing the in-app experience based on onboarding responses and progress
• (c) operating the community and applying moderation
• (d) ensuring security, audit, fraud prevention, and abuse control
• (e) managing the subscription, payment status, and access to paid features
• (f) improving the website and measuring campaigns, in accordance with cookie preferences

4.2. Legal bases

• (a) performance of a contract (LGPD art. 7, V)
• (b) consent, including for non-essential cookies on the website, where applicable
• (c) consent for sensitive data (LGPD art. 11, I), where required for personalization based on onboarding responses
• (d) compliance with a legal obligation, including the retention of access logs pursuant to the Marco Civil da Internet (Brazil's Internet Civil Rights Framework — Law No. 12,965/2014, art. 15)
• (e) regular exercise of rights (LGPD art. 7, VI, and art. 11, II, d, when sensitive data is involved), for defense in proceedings and handling of claims
• (f) legitimate interest, where applicable and balanced against the rights of data subjects, particularly for security and fraud prevention purposes

5. Data Sharing

5.1. We do not sell personal data.

5.2. We share data only when necessary:

• (a) Supabase: database, authentication, and storage infrastructure, acting as a processor under Ritmo's instructions
• (b) Asaas: billing and subscription management. Depending on the flow, Asaas may act as a controller for data collected directly at checkout for its own billing, fraud prevention, and legal compliance purposes
• (c) media and advertising platforms, such as Meta, Google, and TikTok, when the user enables cookies and pixels on the website, for measurement and marketing in accordance with their preferences
• (d) public authorities, pursuant to a court order, valid legal request, or legal obligation

6. International Transfers

6.1. App and account data may be processed on infrastructure configured for the operation of the Platform.

6.2. The use of global measurement and advertising platforms on the website may involve processing or storage outside Brazil, constituting an international transfer in accordance with LGPD art. 33 and applicable mechanisms.

7. Retention, Deletion, and Restoration

7.1. We retain data for as long as necessary to provide the service and fulfill the purposes set out in this Policy.

7.2. Account deletion: you may request the deletion of your account within the app, where available, or through the privacy channel.

7.3. Restoration window: following a deletion request, we may retain data for up to 3 months to allow reactivation without losing your progress. After that period, we delete or anonymize data where technically feasible.

7.4. Exceptions and minimum retention:

• (a) access logs: minimum 6 months, pursuant to the Marco Civil da Internet, art. 15
• (b) evidence of acceptance, consents, and minimum data required for defense and legal compliance, retained for as long as necessary in accordance with applicable legal and statutory limitation periods

8. Information Security

8.1. We adopt reasonable technical and administrative measures to protect data, including access controls, permission management, and secure transmission.

8.2. Internal access is restricted to authorized individuals who are subject to confidentiality obligations.

8.3. Users also play an essential role in security: keeping a strong password, avoiding sharing credentials, and protecting the device.

9. Security Incidents

9.1. In the event of an incident that may pose a relevant risk or harm, we will notify the competent data protection authority (in Brazil, the ANPD — Autoridade Nacional de Proteção de Dados) and the affected data subjects as required by applicable law.

10. Cookies, Pixels, and Preferences

10.1. Types of cookies and technologies:

• (a) necessary, for operation and security
• (b) performance and analytics
• (c) marketing and attribution

10.2. You may manage your preferences through the website's cookie banner, as well as through your browser or device settings. Disabling certain cookies may affect website functionality.

11. Data Subject Rights and How to Exercise Them

11.1. Under the terms of the LGPD, you may request:

• (a) confirmation that processing is taking place
• (b) access to your data
• (c) correction of incomplete, inaccurate, or outdated data
• (d) anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data
• (e) data portability, where applicable
• (f) deletion of data processed on the basis of consent, where applicable
• (g) information about sharing arrangements
• (h) information about the possibility of withholding consent and the consequences of doing so
• (i) revocation of consent, where applicable
• (j) objection to processing carried out under other legal bases, where applicable
• (k) review of decisions made solely on the basis of automated processing, where applicable
• (l) lodging a complaint with the data protection authority (in Brazil, the ANPD)

11.2. Channel: privacidade@appritmo.com

11.3. To protect your data, we may request identity verification before fulfilling a request.

12. Children and Minors

12.1. The Platform is intended for users aged 18 and over, and we do not knowingly collect data from minors.

12.2. If we identify that a minor has registered, we may suspend or close the account and take steps to delete or anonymize the relevant data, subject to minimum legal retention requirements.

13. Updates to This Policy

13.1. This Policy may be updated. Material changes will be communicated through a notice in the app or on the website and, where appropriate, by email.

14. Important Links

14.1. This Policy: appritmo.com/en/privacy

14.2. Terms of Use: appritmo.com.br/termos

Annex I. Onboarding: Data Collected

A. Multiple-choice questions, as per the current onboarding flow

• Age range: 18 to 25, 26 to 33, 33 to 40, 41 to 50, over 50
• Whether the user has previously trained the pelvic floor
• Informational screens with no data input, where applicable
• Average duration of sexual intercourse, in time ranges
• How often the user finishes sooner than desired
• Satisfaction with erection quality, self-assessment options
• Self-assessment of sexual performance
• Whether the user avoids sex due to insecurity
• Relationship status, including an option to decline to answer
• Monthly frequency of sexual activity, in ranges
• Use of performance-enhancing medications, options
• Alcohol consumption, options
• Smoking habits, options
• Diet and eating habits, options
• Physical activity level, options
• Stress levels, options
• Whether stress affects sexual performance, options