AI Data Retention Policy

Community Guidelines & User Conduct Code

Effective Date: 14 December 2025

Unified Retention Practices (Mobile & Web)

GRITFIT.AI applies a consistent retention policy across both mobile and web versions. All personal and operational data is managed under the same principles and safeguards (e.g. GDPR and related laws). The primary difference is technical: mobile apps often cache data locally on the device rather than in a central browser store. Our policy accounts for this by requiring that any app-cached data be encrypted or cleared on a regular schedule; otherwise it will expire under the unified retention rules when the account is closed or by system routine. This approach keeps compliance simple while allowing for device-specific technical exceptions (e.g. local temporary files, operating-system caches).

Categories of Data Collected

GRITFIT.AI collects a broad range of data, organized into clear categories with tailored retention rules. Key categories include:

  • Account & Profile Data: User identifiers, contact info (name, email, etc.), account settings and preferences.
  • Fitness & Performance Data: Training goals, workout history, fitness metrics entered by the user.
  • AI Interaction Logs: Prompts, generated responses, and conversation history from in-app AI features (used to maintain context and improve service).
  • User-Generated Content: Any text, images or files the user uploads or submits within the platform.
  • Technical & Usage Data: Device identifiers (type, OS), app version, logs, timestamps, and activity metrics.
  • Subscription & Entitlement Records: Plan level, access rights, and billing status (note: actual payment details are handled by external payment processors, not stored).

Each category is documented separately and given its own retention timeline based on legal or operational need. For transparency, we explicitly explain in our policy how long we keep each category and why.

Retention Periods by Data Type

Retention periods are purpose-driven and risk-based, following GDPR’s storage limitation principle (“not longer than necessary”). In practice this means:

  • Active Account Data: Core profile and fitness data are kept for the entire time a user’s account is active. Once the account is closed or inactive beyond a reasonable buffer, personal data is deleted or irreversibly anonymized.
  • AI & Activity Logs: Interaction histories and performance logs are retained only as needed to provide service continuity or improve the system. These are normally purged shortly after an account ends or after a defined inactivity period, unless retaining them (in anonymized form) is needed for security or compliance.
  • Technical Logs: Diagnostic and error logs are kept for a short window (typically days or weeks) to support troubleshooting and security. We routinely erase old logs once they serve their purpose.
  • Aggregated/Analytic Data: Non-identifiable analytics or aggregated usage statistics may be retained longer for product improvement or legal defence. However, we minimize personal data – for example, once data is aggregated for insights it is stripped of identifiers in accordance with GDPR’s data minimization principle.

We implement automated deletion jobs (e.g. scheduled cleanup scripts) to enforce these timelines consistently. This ensures stale data is removed without manual intervention. (Guidance explicitly advises avoiding vague retention statements; instead, we tie retention to events or timeframes, and document them in our policy.)

User Rights: Deletion and Data Export

Users can exercise their data-protection rights at any time. In particular:

  • Right to Erasure (“Right to be Forgotten”): Users may request deletion of their personal data. We honour such requests without undue delay (generally within 30 days). Upon request, we remove or anonymize the user’s personal data from active systems. (Note: as with most services, data on encrypted backups is not instantly erased – it will naturally phase out as backups expire. We make clear that deleted data will not be restored once removed.)
  • Right to Data Portability: Users can request a copy of all their personal data in a structured, commonly used, machine-readable format. We provide this export in full compliance with GDPR’s portability requirements.

These rights (and any limitations, such as legal holds or backup timelines) are clearly described in our privacy documentation. We also require a formal process (e.g. a request form) to verify identity and fulfil requests efficiently, in line with GDPR/CCPA standards.

Backup Retention and Disposal

All system backups are encrypted and retained only for disaster recovery/business continuity. Backups are kept on a rolling basis (for example, daily/weekly snapshots for a limited time) and are not used for active processing. When personal data is deleted or an account is closed, that data is removed from live databases immediately. We do not restore deleted data from backups; instead, deleted items simply age out of backup retention naturally. This follows GDPR guidance: the regulation does not require immediate purging of backups, only that organizations take reasonable steps (e.g. encryption, regular overwrite cycles) to ensure deleted data is not inadvertently kept longer than necessary. In short, encrypted backups exist strictly for recovery; deleted personal data is effectively gone once our retention window passes.

Best Practices and Compliance

This policy adheres to the strictest applicable standards (e.g. UK/EU GDPR, Data Protection Act, etc.). We maintain detailed records of retention schedules and data inventories, and we review the policy regularly. Automated deletion workflows, encryption of stored/backed-up data, and staff training on retention safeguards are all in place. By explicitly covering cross-platform consistency, all major data categories, tailored retention periods, user deletion/export rights, and controlled backups, the GRITFIT.AI policy leaves no significant loophole. It balances operational needs and legal requirements while maximizing user privacy and transparency.
