Submit a privacy request

Use this form to exercise any of your privacy rights. You'll get a verification link by email; the request is queued once you confirm.

Last updated: 2026-05-16

Your Privacy Rights — How to Use Them

Your data, your call. This page is the menu — every action you can take, how to ask for it, and what we will do when you do. If you would rather skip the menu and just write to a human, dpo@gila.coach gets you Sezen.

The legal frameworks behind these rights (GDPR, UK GDPR, the Swiss revFADP, Türkiye's KVKK, Brazil's LGPD, Canada's PIPEDA + Quebec Law 25, Australia's Privacy Act, and the US state privacy statutes including California CCPA/CPRA, Washington MHMDA, Colorado CPA, Connecticut CTDPA, Virginia VCDPA, Texas TDPSA, Oregon OCPA and equivalents) are listed for transparency. You do not need to know which one applies — just tell us what you want.


1. What you can ask us to do

You have seven distinct rights. You can use them one at a time or together.

1.1 Access — get a copy of your data

You can ask us to send you a copy of every personal data field we hold about you. Examples: your account profile, your weight logs, your medication shots, your mood entries, your food logs, your habit history, your AI-generated insights, our communications log, and your consent receipts.

What you get: a structured JSON file (or set of files) containing every row from our database that is linked to your account, plus a plain-English summary of what each section contains. We provide this through a one-time signed download URL valid for 24 hours.

Limits: the access right does not cover information about other people. If your free-text journal mentions someone else, that is yours. If you ask for "all data about a friend of mine," we cannot help. We may also redact a small number of fields where disclosure would reveal something about another individual or breach a contractual confidentiality obligation we owe.

1.2 Rectification — fix something that is wrong

You can ask us to correct any personal data we hold about you that is inaccurate or incomplete.

Most of this you can do yourself, instantly, inside the app: edit your profile, edit any weight log, edit a meal session, edit a medication shot, edit your name. If you want us to correct something that is not user-editable — for example a system-generated audit field or a value mirrored from a third-party processor — write to us and we will do it.

Limits: we cannot rewrite history. Past entries you logged remain as they were at the time, but you can edit, delete, or annotate them.

1.3 Erasure — delete your data ("right to be forgotten")

You can ask us to delete your account and all linked personal data.

Fastest path: open the Gila app and go to Settings → Account → Delete Account (Apple requires this in-app path). Or use the web form at gila.coach/delete-account.

What we delete:

  • Your account record and all linked rows in our database (weight logs, medication shots, side-effects, mood entries, food logs, habit logs, habit evidence, journal entries, AI-derived insights, consent and email-preference state).
  • Your photos in our storage bucket (profile photos and habit-evidence photos).
  • Your push-notification device tokens at Firebase.
  • Your subscriber record at Beehiiv (if you opted in to the newsletter).
  • Your customer record at RevenueCat (when subscriptions are active).

What survives, and why:

  • Consent receipts (consent_log) — these are retained as audit evidence that consent was validly captured, with your user_id set to NULL so they cannot identify you. GDPR Article 5(2) and KVKK Article 12 require us to be able to demonstrate compliance.
  • Backup copies — production data is purged within 24 hours; backups age out within 30 days under our normal backup rotation.
  • Anonymized aggregate analytics — counts, percentages, funnels, and similar non-identifying numbers may persist because they cannot be tied back to you.
  • Community contributions you chose to publish (a habit, a habit stack) stay in the Habit Library as part of the corpus, but your display name is anonymized.

Limits: we may refuse erasure to the extent we are required to keep some data by law — for example invoices and tax records (Turkish Tax Procedure Law requires retention, typically for 5 years; equivalent rules apply in other tax jurisdictions). We will tell you exactly what we kept and why.

For more on health-data erasure specifics, see the Health Data Notice.

1.4 Portability — get your data in a re-usable format

You can ask us to give you the data you provided to us in a structured, commonly used, machine-readable format so that you can take it to another service. In practice this overlaps almost entirely with the access right (section 1.1) and produces the same JSON export.

Limits: portability covers the data you provided, not data we derived from yours through AI inference or analytics. Those derived fields are still available under the access right but are not strictly "portable" in the legal sense.

1.5 Restriction — pause processing without deleting

You can ask us to stop processing specific data while keeping it stored. Useful when:

  • You contest the accuracy of something — we restrict use until we have verified.
  • Processing is unlawful but you do not want erasure (for example you want to keep the data for a legal claim).
  • You no longer need the data but you want us to keep it for a legal claim of yours.
  • You have objected to processing and we are still considering it.

What restriction looks like in Gila: the data is flagged in our database; downstream systems (AI features, analytics, email triggers, push notifications) skip the flagged records; the data is still visible to you in the app for review and export.

1.6 Object — tell us to stop a specific use of your data

You can object to:

  • AI features processing your health data — we will turn the AI-features consent off and the AI features will become unavailable to you. Your underlying journal data stays unless you also ask for erasure.
  • Marketing emails and newsletter — instant one-click unsubscribe in any email. Or write to us. You will still receive transactional emails (account verification, deletion confirmation, security alerts).
  • Milestone celebrations or onboarding nudges — granular toggles in Settings.
  • Analytics and error tracking — opt out of optional analytics in the cookie preference center on the website and in Settings → Privacy in the app.
  • Any processing based on legitimate interest (for example error tracking via Sentry). When you object, we stop unless we can show we have compelling legitimate grounds that override your interests, rights, and freedoms — and even then we will explain our reasoning.

1.7 Withdraw consent

Wherever we rely on your consent as the legal basis (especially for processing your health data and for AI features), you can withdraw consent at any time. Withdrawal:

  • Takes effect prospectively. Past processing under the prior valid consent remains lawful.
  • Is as easy as giving consent in the first place — a toggle in Settings or a one-click email link.
  • Triggers a deletion of the data we were holding under that specific consent if there is no other lawful basis to keep it.

We log each consent grant and each withdrawal in consent_log so you and we can both see the history.


2. Region-specific rights

Many jurisdictions add their own twists on top of the global rights above. We honor the most-protective rule for each user. Selected callouts:

  • California residents — CCPA/CPRA rights including a right to know, a right to delete, a right to correct, a right to opt out of "sale" or "sharing" (we do neither, but we honor the signal), a right against discrimination for exercising your rights, and a right to limit use of sensitive personal information. See /privacy/california.
  • Washington residents — under MHMDA (RCW 19.373), specific rights over "consumer health data" including a separate authorization for any sharing. See /privacy/washington and the Health Data Notice.
  • Colorado, Connecticut, Virginia, Texas, Oregon, Montana, Iowa, Tennessee, Minnesota, Delaware, New Jersey, New Hampshire, Maryland, Indiana, Kentucky residents — comparable state-law rights to access, delete, correct, port, and opt out. Write to dpo@gila.coach referencing your state and we will respond under your state's rights framework.
  • EU/EEA residents — full GDPR rights and the right to lodge a complaint with your local supervisory authority (see section 7 below).
  • UK residents — full UK GDPR / DPA 2018 rights and the right to complain to the Information Commissioner's Office (ICO).
  • Swiss residents — full revFADP rights and the right to complain to the Federal Data Protection and Information Commissioner (FDPIC).
  • Turkish residents — full KVKK rights and the right to complain to the Kişisel Verileri Koruma Kurumu (KVKK Board). See /privacy/turkey.
  • Brazilian residents — full LGPD rights and the right to complain to the Autoridade Nacional de Proteção de Dados (ANPD).
  • Canadian residents — PIPEDA rights and Quebec Law 25 additions for Quebec residents.
  • Australian residents — Privacy Act 1988 rights and the right to complain to the Office of the Australian Information Commissioner (OAIC).

Look up your jurisdiction page from the index at /privacy for the exact local procedure.


3. How to send us a request

There are two channels. Both are equally valid.

3.1 The web form (preferred)

Go to gila.coach/dsar.

The form asks for:

  • Your account email address.
  • Which right you want to exercise (you can pick one or several).
  • An optional free-text description if you want to add detail.
  • A Cloudflare Turnstile bot check (because the form is public).

When you submit, you will get an email at the address you entered with a verification link. Click the link from the email account in question — that is how we confirm the request really comes from you. The link expires in one hour.

Once you click the link, the request enters our queue and you will get a second email confirming receipt.

3.2 Email

Write to dpo@gila.coach from the email address on your account. Tell us what you want. If you write from a different email, we may ask you for the verification link described above before acting.

If you are an authorized agent (for example, an attorney acting on behalf of a California resident under CCPA), include proof of your authority — a written authorization signed by the data subject, or a power of attorney. We will verify directly with the data subject before acting.

3.3 What we will NOT ask for

Things we will never ask you for:

  • Your password (we never need it).
  • A scan of your government ID (in the rarest fraud case we might, and we will explain why first — but we hate doing this and avoid it).
  • A payment for any of these requests (see section 5).

4. What we will do, and how fast

4.1 Acknowledge — within 72 hours

We will email you within 72 hours of receiving your verified request to confirm we have it and to tell you the next steps. If we need anything else from you to act on the request, we will ask in this first email.

4.2 Respond — typically within 7 days, never longer than 30

Most access requests are fulfilled within 7 days; complex requests may take up to 30 days, with extensions in limited cases.

We will substantively respond and (for most rights) complete the action within 30 days of receiving the verified request — and almost always much faster.

If your request is complex (for example, an access request that spans years of data across many systems, or where we need to coordinate with a processor for deletion across vendor systems) we may extend the response window by an additional 60 days, for a maximum of 90 days from the verified request. If we extend, we will tell you in the original 30-day window, explain why, and give you a target date.

4.3 Deliver

Depending on the right you exercised:

  • Access or portability — we send you an email with a one-time signed download URL. The URL is valid for 24 hours, after which it auto-expires for security. You can request a fresh URL by writing back to us.
  • Erasure — we send you a confirmation email once production deletion is complete (typically within 24 hours of acting on the request). Backups age out within 30 days. We will also tell you which records were retained (if any) and why.
  • Rectification — we send you an email confirming the correction, with the before/after value where helpful.
  • Restriction — we send you an email confirming the flag is in place and naming the affected processing.
  • Objection — we send you an email confirming we will stop the objected-to processing, or explaining (with reasons) why we cannot.
  • Consent withdrawal — we send you a confirmation email, and the change takes effect immediately in the app.

5. Fees

DSARs are free. We will not charge you a fee for any of the rights above.

The single exception is the narrow one allowed by GDPR Article 12(5): for requests that are manifestly unfounded or excessive — for example, very high-volume repetition of the same request after we have already responded — we may either:

  • Charge a reasonable fee to cover the administrative cost of acting again, OR
  • Refuse to act on the repeat request, with our reasoning.

We have never charged a fee and we hope we never need to. If we do, we will tell you the proposed fee in writing before we charge it.


6. When we may refuse, in part or in full

We will tell you in writing if we are refusing all or part of your request. The most common reasons we might refuse:

  • We cannot verify your identity after a reasonable attempt. The email-link verification described above almost always solves this. If you cannot access the email on the account, write to us from an email that previously corresponded with us about the account.
  • The data is not about you. We can only act on data about you. If you ask us for someone else's data, we will explain we cannot.
  • Acting would breach someone else's rights. A journal entry that quotes a third party at length may need to be redacted in part before we release it.
  • The law requires us to keep the data. Tax records, accounting records, and certain audit logs (consent logs, breach records, abuse-prevention records) are retained as required by law.
  • Manifestly unfounded or excessive requests as described in section 5.
  • An ongoing legal claim, dispute, or investigation where retention is necessary.

When we refuse, we will:

  • Identify which specific part of the request we are not actioning.
  • Explain the reason in plain English.
  • Tell you about your right to lodge a complaint with your supervisory authority (see section 7).

7. If you are not happy with how we handled your request

You can complain. The first step is to write to us at dpo@gila.coach with the subject "DSAR complaint" — we will look at it personally and try to resolve it within 14 days.

If we still cannot agree, you have the right to lodge a complaint with a supervisory authority:

  • EU/EEA — the data protection authority in your country of residence (in Spain, the Agencia Española de Protección de Datos / AEPD; in Germany, your Land DPA or BfDI; in France, the CNIL; in Ireland, the DPC; etc.). A directory is at edpb.europa.eu/about-edpb/about-edpb/members_en.
  • United Kingdom — the Information Commissioner's Office at ico.org.uk/concerns.
  • Switzerland — the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.
  • Türkiye — the Kişisel Verileri Koruma Kurumu (KVKK Board) at kvkk.gov.tr.
  • Brazil — the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.
  • Canada — the Office of the Privacy Commissioner at priv.gc.ca.
  • Australia — the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
  • United States — your State Attorney General's office (California Attorney General, Washington Attorney General, etc.). In Washington, MHMDA also gives you a private right of action to sue us directly.

You can also go straight to the supervisory authority without coming to us first. We would prefer the chance to fix the problem first, but it is your call.


8. Need help?

If anything on this page is unclear, write to dpo@gila.coach. A real human (Sezen, who is also our DPO) reads every email at that address and will reply.

You will never get worse service for asking us to delete, restrict, or correct anything. No slowed responses, no hidden features, no different pricing. Asking is the same as not asking. We mean it.


This document is the master English source. Translations into Spanish (es) and Turkish (tr) live in the same docs/privacy/source/ folder and are kept in sync with this version. If a translation diverges from this English source, the English version controls, except where local law requires otherwise.

Last reviewed: 2026-05-16.