Gryter Privacy Policy

Effective Date: February 27, 2026  |  Last Updated: February 27, 2026

App name: Gryter ("Gryter", "we", "us", "our")
Contact: abidwaqar98@gmail.com

This Privacy Policy explains how Gryter collects, uses, shares, and protects information when you use our mobile application and our website that hosts our legal pages (the "Services").

1. Who we are

Gryter is operated by Gryter (Pakistan). For purposes of the EU/UK GDPR, we act as the data controller of your personal data. For California law (CCPA/CPRA), we act as a business.

If you have questions or requests, contact: abidwaqar98@gmail.com

2. Who this policy applies to

This policy applies to:

• The Gryter mobile app (iOS/Android)
• Our website at gryter.com (used primarily to host Privacy Policy/Terms)

3. Age limits (Children)

Gryter is not intended for children. Users must be 16+.

We do not knowingly collect personal data from anyone under 16. If you believe a child provided data, contact us and we will delete it.

4. Information we collect

We collect information in the following categories:

A. Account and profile information

When you sign in (Google or Apple), we may collect:

• Name
• Email address
• Profile photo (if provided by your sign-in provider)

B. Onboarding and fitness profile information

You may provide (or we may infer from your selections):

• Training goal (e.g., build muscle)
• Training days / weekly target
• Workout location (gym/home)
• Session length preferences
• Experience level
• Form confidence
• Biggest blocker (e.g., time)
• Gender
• Date of birth (or age-related info)
• Height/weight (body stats)

C. Workout and usage data (fitness data)

When you log workouts, we collect and store:

• Workout sessions
• Exercises performed
• Sets, reps, weight
• Timestamps and workout history

This data can be considered health/fitness-related data because it reflects physical performance and body characteristics.

D. AI-generated workout outputs

We generate workout plans (and related structured outputs) and store:

• Generated workout details (e.g., exercises, sets/reps prescriptions)
• Any summaries needed to adapt future sessions

We do not store AI chat conversations, only the output workout structure.

E. App analytics and crash diagnostics

If enabled, we collect:

• App interaction events (analytics)
• Crash reports and performance diagnostics (crash reporting)

We use Firebase Analytics and Firebase Crashlytics.

F. Device and technical data

Some SDKs may process technical identifiers for security, analytics, fraud prevention, and app functionality, such as:

• Device/app identifiers (e.g., Firebase App Instance / installation identifiers)
• IP address (typically processed transiently by network services)
• Device model, OS version, app version
• Regional settings

G. Purchases and subscription information

Subscriptions are sold through Apple App Store / Google Play using RevenueCat.

We do not receive your full payment card details. We may store:

• Subscription/entitlement status
• Product identifiers
• Purchase/renewal timestamps
• Transaction identifiers/receipt metadata (as provided by app stores/RevenueCat)

H. Future free-text inputs (injury notes)

In the future we may allow free-text injury/limitations notes. Free-text can accidentally include sensitive medical details. If implemented, users should avoid entering medical diagnoses or highly sensitive details.

5. Where data is stored

Your data may be stored:

• On your device (local database; Gryter uses a local storage layer such as Drift/SQLite).
• In the cloud using Google Firebase services (e.g., Authentication, Cloud Functions, and other Firebase components).

6. How we use information

We use personal data for the following purposes:

A. Provide and operate the Services

• Create and manage your account and sign-in
• Save your workouts and progress
• Generate and show workouts and plans
• Maintain app features and core functionality

B. Personalization and coaching adaptation

• Use your onboarding profile and workout history to adapt future workouts
• Store generated workout outputs to support "resume" and progression

C. AI processing (workout generation)

We use AI to generate workout structures and recommendations. Inputs may include your onboarding profile and historical workouts, and outputs are saved to your device and Firestore.

D. Analytics and diagnostics

• Understand feature usage to improve the app (Firebase Analytics)
• Detect and fix crashes (Crashlytics)

E. Security and fraud prevention

• Protect accounts and infrastructure
• Detect abuse, bot activity, or malicious usage
• Enforce rate limits and subscription entitlements

F. Legal compliance

Comply with applicable laws, requests, and enforce our Terms.

7. Legal bases (GDPR/UK GDPR)

If you are in the EEA/UK, we rely on the following legal bases:

• Contract (Art. 6(1)(b)): to provide the Services (account, workout logs, generating plans).
• Consent (Art. 6(1)(a)): for analytics where required; and for processing health/fitness-related data where such data is treated as special-category data.
• Legitimate interests (Art. 6(1)(f)): security, fraud prevention, service improvements (where consent is not required).
• Legal obligation (Art. 6(1)(c)): compliance with law.

Special category data (Art. 9): To the extent your workout/body data is considered "health data," we process it based on your explicit consent (Art. 9(2)(a)) and/or as necessary to provide the service you request.

8. Sharing and disclosure of information

We do not sell your personal information.

We share information only as needed with:

A. Service providers (processors)

• Google Firebase (authentication, cloud functions, analytics, crash reporting, and related infrastructure).
• RevenueCat (subscription management and entitlement verification).
• AI providers (one of: OpenAI, Google Gemini, Anthropic — final provider not yet selected) via our backend. We send the minimum data necessary to generate workouts.

B. Legal and safety

We may disclose information if required to:

• Comply with law or legal process
• Protect rights, safety, and security
• Prevent fraud/abuse

C. Business transfers

If Gryter is involved in a merger, acquisition, or asset sale, information may be transferred as part of that transaction.

9. "Sale" / "Share" under CCPA/CPRA (California)

Under California law, "sell" and "share" have specific definitions.

• We do not sell personal information.
• We do not share personal information for cross-context behavioral advertising.

If this changes (e.g., we add advertising SDKs), we will update this policy and provide required opt-out mechanisms.

10. International transfers

Some vendors (including AI providers and cloud infrastructure) may process data in other countries, including the United States.

For users in the EEA/UK/Switzerland, when personal data is transferred internationally, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and/or other lawful transfer mechanisms supported by our vendors.

11. Data retention

We retain your personal data until you request deletion, unless a longer retention period is required by law or needed for legitimate purposes such as security, fraud prevention, or dispute resolution.

Typical retention examples:

• Account profile + workout history: until deletion
• Analytics and crash logs: retained per vendor defaults or for a limited period needed for debugging
• Subscription records: may be retained longer where required for compliance and dispute handling

12. Account deletion

You may request account deletion via email.

To request deletion, email abidwaqar98@gmail.com from the email associated with your account.

Upon verified request, we will delete your personal data from our active systems. Some limited data may remain in backups for a short period and will be deleted on a rolling basis.

13. Security

We use reasonable administrative, technical, and organizational measures to protect data, including:

• Encryption in transit (TLS/HTTPS)
• Vendor-managed encryption at rest (e.g., cloud storage encryption)
• Access controls and least-privilege practices
• 2FA on administrative accounts
• Logging and monitoring for abuse/security

No method of transmission or storage is 100% secure, but we work to protect your information.

14. Your choices and controls

Depending on your location, you may have the right to:

• Access your personal data
• Correct inaccurate data
• Delete your data
• Object to or restrict certain processing (EEA/UK)
• Withdraw consent (where we rely on consent)
• Data portability (EEA/UK)
• Opt out of certain uses (California)

Where processing is based on consent (e.g., analytics, special-category/health data in certain jurisdictions), you can withdraw consent. If you withdraw consent for processing needed to provide the core service, Gryter may not be able to provide some features.

15. GDPR/UK GDPR rights (EEA/UK)

If you are in the EEA/UK, you have rights under GDPR/UK GDPR, including:

• Access, correction, deletion
• Restriction and objection
• Data portability
• Lodge a complaint with your local data protection authority

16. California privacy rights (CCPA/CPRA)

If you are a California resident, you may have rights to:

• Know what personal information we collect, use, and disclose
• Request deletion
• Correct inaccurate information
• Opt out of "sale" or "sharing" (we do not sell/share as defined for ads)
• Not be discriminated against for exercising your rights

To submit a request: email abidwaqar98@gmail.com. We may need to verify your request.

17. Third-party links and content

Gryter may provide links to third-party websites or services (e.g., support pages). We are not responsible for the privacy practices of third parties.

18. Changes to this policy

We may update this Privacy Policy from time to time. If changes are material, we will provide notice in the app or by other appropriate means. The "Effective date" will be updated.

19. Contact

For privacy questions or requests: abidwaqar98@gmail.com