Privacy Policy for GRLY
Effective Date: 3 July 2025
Last Updated: 3 July 2025
1. Introduction & Scope
This Privacy Policy ("Policy") explains how "GRLY" ("GRLY", "we", "us", or "our") collects, uses, discloses, and protects your personal information when you use the GRLY mobile application (the "App"), the website at grlyapp.co (the "Website"), and any related products or services (collectively, the "Services").
This Policy is designed to be compliant with major privacy regulations including the EU and UK General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (FADP), the California Consumer Privacy Act (CCPA) as amended by the CPRA, and other applicable laws.
Legal Entity & Contact Details:
Primary Privacy Contact & Data Protection Officer (DPO): connect@grlyapp.co
2. Information We Collect
We collect the following categories of personal data:
Account Data: Your name, email address, and encrypted password.
Health-Related Data (Special Category Data): Your answers to our onboarding questionnaire, your supplement-intake habits, and reminder logs. Under GDPR, this is "special category" health data. Under CPRA, this is "sensitive personal information." We only process this data with your explicit consent.
E-commerce Data: If you make a purchase on our Website, we collect your order ID, shipping address, and a tokenized representation of your payment method (e.g., last 4 digits). This data is processed via our e-commerce partner, Shopify.
Device & Technical Data: Your device model, operating system, IP address, and crash logs to help us diagnose and fix issues.
Usage & Analytics Data: In-app events, search terms, page views, and interactions with app features. This may include advertising identifiers (such as Apple's IDFA or Android's GAID), subject to your device's privacy settings and your consent where required.
Marketing & Communications Data: Your preferences for receiving marketing from us, including your email opt-in status and push notification settings.
3. How We Use Your Information & Our Legal Bases
We only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
4. Explicit Consent for Health Data
Because our App helps you track supplement intake, we process data related to your health. Under data protection law, this is a special category of data that requires a higher standard of protection.
We will not process your Health-Related Data without your explicit consent.
Consent Mechanism: During the App's onboarding process, before you can complete the health questionnaire, you will be presented with a dedicated screen titled "Health Data Processing Consent." This screen clearly explains what health data we collect and why. To proceed, you must actively tick an unchecked box to provide your consent. We create and store a timestamped record of your consent in our database.
You may withdraw this consent at any time through the "Settings" section of the App. Withdrawing consent will disable the questionnaire and reminder features, and we will stop all future processing of your health data, subject to our data retention policies.
5. Profiling & Automated Decision-Making
To provide you with a more relevant experience, we may engage in light profiling. With your consent, we analyze your in-app behavior (such as the supplement pages you view or search for) to tailor promotional emails or push notifications we send you.
You may opt out of this profiling and marketing at any time via the in-app settings or by using the "unsubscribe" link in our emails.
We do not use your personal data for any automated decision-making that produces legal or similarly significant effects on you.
6. Data Retention Schedule
We will only retain your personal data for as long as reasonably necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements.
7. Data Sharing & Disclosures
We do not "sell" your personal information as the term is traditionally understood. Furthermore, we do not "share" your personal information for cross-context behavioral advertising as defined by the CPRA. We may disclose your data to the following categories of recipients:
Service Providers: Companies that provide services on our behalf, such as cloud hosting, analytics providers (e.g., Google Firebase), crash reporting, and email delivery services. They are bound by contract to protect your data and may only use it to provide services to us.
Shopify: Our e-commerce partner, who processes orders and payments for our Website. Shopify processes data in accordance with its own privacy policy. We do not store your full payment card details.
Professional Advisors: Lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance, and accounting services.
Legal Authorities: We may disclose your information to law enforcement, regulators, and other parties for legal reasons, such as to comply with a subpoena or other legal process, or to protect our rights, your safety, or the safety of others.
Successor Entities: In connection with a merger, acquisition, or sale of all or a portion of our assets.
8. International Data Transfers
Our primary operations are based in the United States, and your data is hosted there. When we transfer personal data from the European Economic Area (EEA), the UK, or Switzerland to the USA, we rely on legally recognized mechanisms to lawfully transfer data across borders. These include:
The EU-U.S. Data Privacy Framework (DPF) and the UK and Swiss Extensions to the DPF.
Standard Contractual Clauses (SCCs) as approved by the European Commission and the UK Information Commissioner's Office.
We conduct Transfer Impact Assessments (TIAs) where required to ensure that any such transfers are adequately protected. Please note that while our App may be used globally, we do not currently sell or ship physical goods to customers in the EU, EEA, or UK.
9. Your Privacy Rights
Depending on your location, you have various rights regarding your personal data. These may include:
The right to access: You can request a copy of the personal data we hold about you.
The right to correction (rectification): You can ask us to correct any inaccurate or incomplete data.
The right to deletion (erasure): You can ask us to delete your personal data, subject to certain legal exceptions.
The right to restrict processing: You can ask us to suspend the processing of your personal data in certain situations.
The right to data portability: You can request that we transfer your personal data to you or a third party in a machine-readable format.
The right to object to processing: You can object to our processing of your data where we are relying on a legitimate interest.
The right to withdraw consent: Where we rely on consent to process your data, you can withdraw it at any time.
Rights related to profiling: You have the right to object to profiling for direct marketing.
U.S. State-Specific Rights: Residents of states like California, Virginia, and Colorado have specific rights.
Limit Use of Sensitive Personal Information: The Health-Related Data we collect is considered 'sensitive personal information' under CPRA. You can exercise your right to limit our use of this information at any time via the toggle in the App's 'Settings > Privacy' menu.
Financial Incentives: We do not offer financial incentives, as defined under the CCPA, in exchange for your personal information.
How to Exercise Your Rights: You may exercise your rights by contacting us at connect@grlyapp.co.
We will respond to your request within the timeframes required by law (typically 30-45 days). To protect your privacy, we will verify your identity before processing your request by matching at least two data points from your account (e.g., email address and recent login IP). For sensitive requests, such as a full data access report, we may require a signed declaration under penalty of perjury to confirm your identity.
If we deny your request, you may appeal by emailing connect@grlyapp.co with "Appeal" in the subject. We will respond to appeals within 45 days as required by law.
10. Security & Data Integrity
We have implemented appropriate technical and organizational security measures to protect your personal data from being accidentally lost, used, accessed, altered, or disclosed in an unauthorized way. These measures include TLS 1.3 encryption for data in transit, AES-256 encryption for data at rest, role-based access controls, and annual external penetration testing. We are actively working towards SOC 2 Type I compliance.
We maintain a Record of Processing Activities (RoPA) as required by GDPR and conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
In the event of a personal data breach, we will notify the relevant supervisory authority (e.g., under GDPR) within 72 hours of becoming aware of it, where feasible. If the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay.
11. Representative for EU, UK, and Switzerland
We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact for the European Union (EU), United Kingdom (UK), and Switzerland.
Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative, Prighter, or make use of your data subject rights, please visit the following website:
https://app.prighter.com/portal/11237469594
12. Children's Privacy
The Services are not intended for or directed to individuals under the age of 16. We do not knowingly collect personal information from individuals under 16. If a user indicates during registration that they are under the age of 13, the account creation process is blocked, and no data is collected. If we otherwise learn that we have collected personal information from a user under 16, we will take steps to delete that information immediately. If you are a parent or guardian and believe your child has provided us with information, please contact us at connect@grlyapp.co.
13. Cookies, SDKs, and Tracking Technologies
Our Website uses cookies and our App uses Software Development Kits (SDKs) from our partners. These technologies help us operate our Services, analyze usage, and remember your preferences. For detailed information about the cookies used on our Website, please see our separate Cookie Policy. For our App, we use SDKs for:
Analytics: To understand user behavior and improve the App (e.g., Google Firebase).
Crash Reporting: To identify and fix bugs.
Functionality: To enable features like push notifications.
This list is representative and will be reviewed and updated on at least a quarterly basis. You can control many tracking technologies through your device settings, such as by resetting your advertising ID. In compliance with platform rules like Apple's App Tracking Transparency (ATT) framework, we will request your permission before tracking you across apps and websites owned by other companies.
14. Disclaimers & Accessibility
Health Information: The informational content provided within the GRLY app is for general informational purposes only and is not a substitute for professional medical advice, diagnosis, or treatment. Always seek the advice of your physician or other qualified health provider with any questions you may have regarding a medical condition or before starting any new supplement regimen.
FDA Disclaimer: These statements have not been evaluated by the Food and Drug Administration. Our products are not intended to diagnose, treat, cure, or prevent any disease.
Accessibility: We are committed to making our Services accessible and aim to conform to WCAG 2.1 AA standards. If you encounter any accessibility barriers, please contact us at connect@grlyapp.co.
15. Changes to This Privacy Policy
We may update this privacy policy from time to time. We will notify you of any material changes by posting the new policy on this page and, where appropriate, by notifying you via email or through the App. Your continued use of the Services after such a notice constitutes your acceptance of the new terms.