← GRYTT

Privacy Policy

Effective: 2026-05-01 · Last updated: 2026-05-01

1. Who We Are

GRYTT (the "Service") is operated by Sentravision, LLC. Our primary contact for privacy matters is privacy@grytt.app. For general support, contact support@grytt.app.

2. Scope

This policy applies to grytt.app, the GRYTT mobile applications, and trainer and enterprise dashboards. It does not apply to third-party websites or services linked from our app.

3. Data We Collect

3.1 Account information

Email, display name, password hash (Supabase Auth), birthdate (used to verify 18+ eligibility at signup), timezone, and your assigned role (client, trainer, enterprise admin, or platform admin).

3.2 Profile information

Goals, experience level, biological sex, age range, dietary preferences, injuries, and other onboarding answers. For trainers: business name, bio, certifications, specializations, and Stripe Connect account identifier. For enterprises: company name, billing email, company logo, and Stripe customer identifier.

3.3 Health and fitness data

When you grant permission, we read fitness metrics from Apple HealthKit (iOS) or Health Connect (Android): steps, active calories, heart rate, resting heart rate, sleep duration, and weight. We do not write to these stores. Read values are stored server-side so your AI coach can reference them.

You may also log body stats (height, weight, goal weight, body-fat percentage, blood pressure, body measurements, and other custom metrics), workouts, exercise sets, meals, supplement schedules, and answers to short check-in questions. All of this is stored server-side and visible to you, to a trainer you have linked to your account (if any), and to any enterprise that employs your trainer.

3.4 Conversational content

Chat messages you send to the AI coach, messages you exchange directly with a linked trainer, structured plan output the AI returns, and short summaries ("memories") the AI extracts from your chats to personalize future sessions. AI chat is sent to Anthropic for processing on every turn (see §6); direct trainer messages are not.

3.5 Payment metadata

We never see, store, or process your credit-card number. Card entry happens directly inside Stripe (web) or Apple/Google native sheets (mobile). We retain only: subscription status, plan identifier, platform of purchase (Stripe, Apple, or Google), and opaque transaction or receipt identifiers (including Apple originalTransactionId and Google purchaseToken used for renewal reconciliation and refund handling). For Stripe checkout, we also collect billing address (country/postal code) and any optional VAT/GST/Sales Tax ID you choose to enter at checkout — these are required so Stripe Tax can determine the correct tax rate and so we can issue compliant invoices in your jurisdiction. Tax IDs are stored on your Stripe Customer record, not in GRYTT's database.

3.6 Device and usage data

Device model, operating system, app version, Expo push notification token, and crash/error telemetry (sent to Sentry — see §6). We do not collect IDFA, Android Advertising ID, or any cross-app advertising identifier.

3.7 Derived and operational data

Vector embeddings of conversational content (generated by OpenAI — see §6), AI-generated plans, flags raised for trainer review, and operational telemetry about AI tasks (task type, model used, token counts, timings) used for service quality and billing reconciliation.

4. How We Use Your Data

  • Deliver the Service and personalize your AI coaching.
  • Enforce safety rails (18+ verification, medical disclaimers, harm-reduction policy for supplements and performance-enhancing topics).
  • Process subscription payments and reconcile renewals or refunds.
  • Detect and prevent abuse, fraud, and policy violations.
  • Improve product quality through aggregated usage and reliability data.
  • Send transactional email (account verification, billing, alerts).

6. Third-Party Processors

We use the following processors. Each is bound by a Data Processing Agreement (DPA) limiting use of your data to providing services to GRYTT.

  • Anthropic (US) — receives your AI chat messages, recent profile and body-stats context, retrieved memories, and (for paired clients) your trainer's philosophy on every chat turn for LLM inference. Anthropic operates a zero-retention policy for API traffic.
  • OpenAI (US) — receives text derived from your conversation content for embedding generation (text-embedding-3-small, 768 dimensions). Embeddings are stored in our database and used to retrieve relevant memories during future sessions.
  • Supabase (US) — primary database, authentication, file hosting, and realtime messaging.
  • Stripe (US) — web payment processing, including for trainer and enterprise subscriptions and trainer-client payments via Stripe Connect.
  • Apple (US) — In-App Purchase processing on iOS for client subscriptions.
  • Google (US) — Play Billing processing on Android for client subscriptions.
  • Sentry (US/EU) — crash and error telemetry, performance traces, and (for web errors) session replays. We do not forward IP addresses or user identifiers to Sentry.
  • Resend (US) — transactional email delivery, including authentication emails sent via Supabase SMTP.
  • Expo (US) — push notification delivery via APNs (iOS) and FCM (Android).
  • Railway (US) — application hosting for the GRYTT web app and backend worker. Logs request metadata only; no application-layer POST bodies are written to Railway logs.

Recipient disclosure (GDPR Art. 13(1)(e)). When you are linked to a trainer, your chat content, memories, body stats, and direct messages to that trainer are visible to the trainer; the AI uses the trainer's philosophy to personalize your coaching. When that trainer is employed by an enterprise (e.g., a gym or organization), the enterprise admin can also view your data. You control these pairings and may unlink at any time via in-app settings. Unlinking stops future access but does not retroactively recall data the trainer or enterprise has already viewed or downloaded.

7. Your Rights

Depending on where you live, you may have rights to access, correct, delete, port, restrict, or object to our processing of your data, as well as to withdraw consent and to lodge a complaint with a supervisory authority. To exercise these rights, email privacy@grytt.app. You can delete your account at any time from in-app settings (mobile) or by contacting us (web). Deletion triggers a 30-day soft-delete window followed by hard deletion of personal data.

8. Children

GRYTT is intended for users 18 years of age and older. By creating an account, you represent that you are 18 or older. We do not knowingly collect data from minors. If we determine that an account belongs to a person under 18, we will delete it. To report an under-18 account, email privacy@grytt.app.

8.5 Refunds & Disputes

Refunds on web Stripe subscriptions may be issued at our discretion by support or automatically by Apple/Google on mobile. When a refund is issued we cancel the subscription immediately and revoke access to the Service. For annual or multi-period subscriptions, a single-period refund still ends access for the remainder of that period.

If you file a chargeback or payment dispute with your card network instead of contacting us, we cancel the subscription, revoke access, and block re-subscription for 30 days. We share your subscription history and account metadata with Stripe and the card networks as needed to respond to the dispute.

9. Retention

We retain account data for the life of your account. After you request deletion, we soft-delete your account for 30 days (so the action is reversible) and then hard delete your personal data and anonymize any residual audit rows. Financial records are retained for 7 years to satisfy US tax law. Administrative audit logs (which may include IP addresses captured during admin actions for security and fraud investigation) are retained indefinitely at present and reviewed periodically.

10. International Transfers

GRYTT's primary infrastructure is hosted in the United States. By using the Service, users in the European Union, the United Kingdom, and other jurisdictions consent to the transfer of personal data to the United States. Where required, we rely on Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (UK IDTA) to safeguard cross-border transfers.

11. Security

We use TLS 1.2 or higher for data in transit and AES-256 encryption at rest (Supabase). Database access is restricted by Postgres Row-Level Security on every table, with a dedicated worker role for backend automation. Stripe handles all payment-card data under PCI-DSS Level 1. Sentry telemetry is scrubbed of personally identifying information before transmission.

12. Automated Decision-Making

GRYTT uses AI to generate workout plans, nutrition guidance, and supplement recommendations personalized to your goals and history. These outputs are informational and are not medical advice. If you are paired with a trainer, you may request human review of any AI-generated plan from your trainer at any time.

13. Changes to This Policy

We will notify you of material changes via in-app banner and email. Continued use of the Service after the effective date of an updated policy constitutes acceptance.

14. Contact

Privacy inquiries: privacy@grytt.app
General support: support@grytt.app
Operating entity: Sentravision, LLC.

← Return to GRYTT