Gryter Privacy Policy
Effective Date: April 16, 2026 | Last Updated: May 19, 2026
App name: Gryter ("Gryter", "we", "us", "our")
Contact: abidwaqar98@gmail.com
This Privacy Policy explains how Gryter collects, uses, shares, and protects information when you use our mobile application and our website that hosts our legal pages (the "Services").
1. Who we are
Gryter is operated by Abid Waqar, a sole proprietor based in Pakistan, doing business as Gryter ("Gryter," "we," "us"). For purposes of the EU/UK GDPR, we act as the data controller of your personal data. For California law (CCPA/CPRA), we act as a business.
If you have questions or requests, contact: abidwaqar98@gmail.com
2. Who this policy applies to
This policy applies to:
- The Gryter mobile app (iOS/Android)
- Our website at gryter.com (used primarily to host Privacy Policy/Terms)
3. Age limits (Children)
Gryter is not intended for children. Users must be 16+.
We do not knowingly collect personal data from anyone under 16. If a parent or guardian believes their child has provided data, they may email abidwaqar98@gmail.com and we will delete the data within 7 days of receiving the request.
4. Information we collect
We collect information in the following categories:
A. Account and profile information
When you sign in (Google or Apple), we may collect:
- Name
- Email address
- Profile photo (if provided by your sign-in provider)
B. Onboarding and fitness profile information
You may provide (or we may infer from your selections):
- Training goal (e.g., build muscle)
- Training days / weekly target
- Workout location (gym/home)
- Session length preferences
- Experience level
- Form confidence
- Biggest blocker (e.g., time)
- Gender
- Date of birth (or age-related info)
- Height/weight (body stats)
- Optional free-text preferences (e.g., equipment or scheduling notes you provide on the final onboarding step). See Section 4.H for how this field is described and Section 8.A for how it is shared.
C. Workout and usage data (fitness data)
When you log workouts, we collect and store:
- Workout sessions
- Exercises performed
- Sets, reps, weight
- Timestamps and workout history
- Self-reported readiness / RIR (reps in reserve) and recovery inputs
- Body weight log entries (where you choose to log them)
This data can be considered health/fitness-related data because it reflects physical performance and body characteristics. We do not integrate with Apple HealthKit or Google Fit, and we do not access biosensor measurements (heart rate, blood oxygen, sleep, etc.). All fitness data is information you provide through the in-app session capture flow.
How we treat health/fitness data:
- Used only to generate, adapt, and track your training plan and to show your progress to you.
- Never sold, never shared with advertising networks, never used for cross-context behavioral advertising.
- Structured fitness inputs (goal, experience, body stats, training schedule, recent workout history) are sent to our AI provider in a form that contains no name, email, or account identifier. Optional free-text preferences (if you provided them) are sent as you typed them — see Section 8.A.
- Treated as special-category data under GDPR Article 9 in the EEA/UK; processed on the basis of your explicit consent (Article 9(2)(a)) and as necessary to provide the service you request.
D. AI-generated workout outputs
We generate workout plans (and related structured outputs) and store:
- Generated workout details (e.g., exercises, sets/reps prescriptions)
- Any summaries needed to adapt future sessions
We do not store AI chat conversations, only the output workout structure.
E. App analytics and crash diagnostics
If enabled, we collect:
- App interaction events (analytics)
- Crash reports and performance diagnostics (crash reporting)
We use Firebase Analytics and Firebase Crashlytics.
F. Device and technical data
Some SDKs may process technical identifiers for security, analytics, fraud prevention, and app functionality, such as:
- Device/app identifiers (e.g., Firebase App Instance / installation identifiers)
- IP address (typically processed transiently by network services)
- Device model, OS version, app version
- Regional settings
G. Purchases and subscription information
Subscriptions are sold through Apple App Store / Google Play using RevenueCat.
We do not receive your full payment card details. We may store:
- Subscription/entitlement status
- Product identifiers
- Purchase/renewal timestamps
- Transaction identifiers/receipt metadata (as provided by app stores/RevenueCat)
H. Optional free-text preferences
On the final onboarding step you may provide a short, optional free-text note about your preferences (for example, equipment or scheduling preferences). The field is labeled "Any preferences?" and is capped at 500 characters.
If you fill it in, the contents are stored in your Gryter profile and sent to our AI provider with each training-plan generation (see Section 8.A). We recommend you do not include sensitive medical details — the in-app field includes a notice to this effect.
If you do mention a health condition spontaneously, that text is treated under the same special-category-data terms described in Section 4.C and Section 7.
You can clear or edit the field at any time from the Preferences section of your Profile, which removes it from your profile and stops sending it in future plans.
5. Where data is stored
Your data may be stored:
- On your device (the Firebase SDK maintains an encrypted local cache of your data for offline use).
- In the cloud using Google Firebase services (e.g., Authentication, Cloud Functions, and other Firebase components).
6. How we use information
We use personal data for the following purposes:
A. Provide and operate the Services
- Create and manage your account and sign-in
- Save your workouts and progress
- Generate and show workouts and plans
- Maintain app features and core functionality
B. Personalization and coaching adaptation
- Use your onboarding profile and workout history to adapt future workouts
- Store generated workout outputs to support "resume" and progression
C. AI processing (workout generation)
We use AI to generate workout structures and recommendations. Inputs may include your onboarding profile and historical workouts, and outputs are saved to your device and Firestore.
D. Analytics and diagnostics
- Understand feature usage to improve the app (Firebase Analytics)
- Detect and fix crashes (Crashlytics)
E. Security and fraud prevention
- Protect accounts and infrastructure
- Detect abuse, bot activity, or malicious usage
- Enforce rate limits and subscription entitlements
F. Legal compliance
Comply with applicable laws, requests, and enforce our Terms.
7. Legal bases (GDPR/UK GDPR)
If you are in the EEA/UK, we rely on the following legal bases:
- Contract (Art. 6(1)(b)): to provide the Services (account, workout logs, generating plans).
- Consent (Art. 6(1)(a)): for analytics where required; and for processing health/fitness-related data where such data is treated as special-category data.
- Legitimate interests (Art. 6(1)(f)): security, fraud prevention, service improvements (where consent is not required).
- Legal obligation (Art. 6(1)(c)): compliance with law.
Special category data (Art. 9): To the extent your workout/body data is considered "health data," we process it based on your explicit consent (Art. 9(2)(a)) and/or as necessary to provide the service you request.
8. Sharing and disclosure of information
We do not sell your personal information.
We share information only as needed with:
A. Service providers (processors)
- Google Firebase (authentication, cloud functions, analytics, crash reporting, and related infrastructure).
- RevenueCat (subscription management and entitlement verification).
- Anthropic (workout generation) — api.anthropic.com. We use Anthropic on a paid API tier to generate personalized workout plans on our behalf. We do not currently use OpenAI or Google Gemini for any user-facing feature.
What we send:
- Your structured fitness profile (goal, experience level, body stats, training location, weekly schedule).
- Your recent workout history (exercises, sets, reps, weights, perceived exertion).
- Optional free-text preferences (if you provided them in the onboarding field).
What we do not send: your name, email address, profile photo, or any account identifier.
Anthropic's data handling for our paid API tier:
- Not used to train Anthropic's models.
- Retained by Anthropic for a short period (typically up to 30 days) for trust-and-safety review, then deleted.
- For EEA/UK users: transferred to the United States under Standard Contractual Clauses approved by the European Commission.
- Anthropic acts as a data processor under our Data Processing Agreement.
B. Legal and safety
We may disclose information if required to:
- Comply with law or legal process
- Protect rights, safety, and security
- Prevent fraud/abuse
C. Business transfers
If Gryter is involved in a merger, acquisition, or asset sale, information may be transferred as part of that transaction.
9. "Sale" / "Share" under CCPA/CPRA (California)
Under California law, "sell" and "share" have specific definitions.
- We do not sell personal information.
- We do not share personal information for cross-context behavioral advertising.
California residents have the right to opt out of the sale or sharing of their personal information. We do not currently sell or share personal information; if our practices change, we will update this policy, provide notice, and provide required opt-out mechanisms.
Global Privacy Control (GPC)
If your browser or device sends a Global Privacy Control (GPC) signal, we treat it as a valid opt-out request for the sale or sharing of personal information. We do not currently sell or share personal information for cross-context behavioral advertising; our commitment to honor GPC ensures that, if our practices ever change, the opt-out is automatic for users sending GPC.
10. International transfers
Some vendors (including AI providers and cloud infrastructure) may process data in other countries, including the United States.
For users in the EEA/UK/Switzerland, when personal data is transferred internationally, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and/or other lawful transfer mechanisms supported by our vendors.
Because Gryter is operated by a controller based in Pakistan, the act of providing your personal data to us is itself a transfer to a country outside the EEA/UK/Switzerland that has not received an adequacy decision from the European Commission or the UK ICO. Where you reside in the EEA, UK, or Switzerland, you provide this data on the basis of your explicit consent (GDPR Art. 49(1)(a)) to the controller's processing in Pakistan, with the understanding that Pakistan does not have an EU adequacy decision and that you may have less recourse under Pakistani law than under EU/UK law.
11. Data retention
We retain your personal data only as long as needed for the purposes described in this policy, unless a longer retention period is required or permitted by law (including for security, fraud prevention, dispute resolution, or compliance with tax, accounting, or other legal obligations). This statement is provided per GDPR Article 13(2)(a).
Concrete retention periods:
- Account profile + workout history + body weight log: retained while your account is active. Deleted on account deletion, with full server-side wipe completed within 30 days of the deletion request (typically immediate for in-app deletion; the 30-day window covers backup-rolloff edge cases).
- Analytics events (Firebase Analytics): retained for up to 14 months at the vendor default; aggregated metrics may be retained longer.
- Crash and performance diagnostics (Crashlytics): retained for up to 90 days.
- Security and fraud-prevention logs (App Check, function logs, IP-based abuse logs): retained for up to 90 days.
- Subscription records (RevenueCat / Apple App Store / Google Play): may be retained for the period required by tax, accounting, and consumer-protection law (typically 7 years after the last transaction).
- Account-deletion feedback (the optional reason you give when deleting your account): retained for up to 90 days for product improvement, then automatically purged by a scheduled job.
- Prior feedback or bug reports you submitted before deleting your account: retained in anonymized form (your user identifier is removed) for product improvement.
12. Account deletion
A. Delete from inside the app (recommended)
You can permanently delete your account directly from the app at any time:
- Open Gryter and go to Settings.
- Scroll to the Account section.
- Tap Delete Account and confirm.
For non-anonymous accounts (signed in with Google or Apple), you will be asked to re-authenticate before the deletion proceeds. Deletion is instant and permanent — there is no recovery, undo, or "soft delete" period.
B. Delete by email (if you've already uninstalled)
If you no longer have the app installed, email abidwaqar98@gmail.com from the email address associated with your account. Email-based requests are processed within 7 days.
C. What gets permanently deleted
- Your profile and all onboarding answers
- All workout history and training plans
- Exercise progression and autoregulation data
- Body weight log entries
- App preferences and on-device caches
- Your Firebase Authentication account
D. What is anonymized rather than deleted
Any feedback or bug reports you submitted prior to deletion are retained in anonymized form — your user identifier is stripped, but the message body, rating, and device metadata are kept so we can continue learning from past feedback to improve the product.
E. What may be retained for a limited period
- The optional reason you provide on the deletion screen is retained for up to 90 days for product improvement, then automatically purged.
- Some limited data may persist in encrypted backups for a short period and will be deleted on a rolling basis.
F. Subscription billing must be cancelled separately
If you have an active Gryter subscription, you must cancel billing in your App Store or Google Play account settings — Gryter cannot cancel store subscriptions on your behalf, and deleting your Gryter account does not stop store-level recurring charges. The in-app deletion confirmation screen includes a direct link to your store subscription settings.
13. Security
We use reasonable administrative, technical, and organizational measures to protect data, including:
- Encryption in transit (TLS/HTTPS)
- Vendor-managed encryption at rest (e.g., cloud storage encryption)
- Access controls and least-privilege practices
- 2FA on administrative accounts
- Logging and monitoring for abuse/security
No method of transmission or storage is 100% secure, but we work to protect your information.
14. Your choices and controls
Depending on your location, you may have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your data — see Section 12 for in-app and email options
- Object to or restrict certain processing (EEA/UK)
- Withdraw consent (where we rely on consent)
- Data portability (EEA/UK): You can download a complete copy of your Gryter data from inside the app at any time — go to Settings → Download my data. The file is delivered to your email as a JSON attachment, typically within a minute.
- Opt out of certain uses (California)
Where processing is based on consent (e.g., analytics, special-category/health data in certain jurisdictions), you can withdraw consent. If you withdraw consent for processing needed to provide the core service, Gryter may not be able to provide some features.
15. GDPR/UK GDPR rights (EEA/UK)
If you are in the EEA/UK, you have rights under GDPR/UK GDPR, including:
- Access, correction, deletion
- Restriction and objection
- Data portability: exercise this right directly from Settings → Download my data in the app, or by emailing abidwaqar98@gmail.com.
- Lodge a complaint with your local data protection authority
16. California privacy rights (CCPA/CPRA)
If you are a California resident, you may have rights to:
- Know what personal information we collect, use, and disclose
- Request deletion
- Correct inaccurate information
- Opt out of "sale" or "sharing" (we do not sell/share as defined for ads)
- Not be discriminated against for exercising your rights
To submit a request: email abidwaqar98@gmail.com. We may need to verify your request.
17. Third-party links and content
Gryter may provide links to third-party websites or services (e.g., support pages). We are not responsible for the privacy practices of third parties.
18. Changes to this policy
We may update this Privacy Policy from time to time. If changes are material, we will provide notice in the app or by other appropriate means. The "Effective date" will be updated.
19. Contact
For privacy questions or requests, including data access, deletion, or portability, email abidwaqar98@gmail.com.