
Last updated: 2026-05-16

Privacy Policy

Hi. This policy explains what we do with your data — written by a human, not a legal template generator. If anything reads like jargon to you, that's a bug. Email dpo@gila.coach and we'll fix it. We have this in Spanish (/es/privacy) and Turkish (/tr/privacy) too; we work hard to keep them in sync. If you spot a gap, please tell us — we will trust the version that is most accurate to what we actually do, and update the others.


Quick summary

The full policy below is the source of truth. This box is here so you can decide whether you need to read further.

  • Who we are. Gila is one person: Sezen Soykut, a sole-trader registered in Türkiye. Sezen is also the Data Protection Officer — write to dpo@gila.coach and she reads it.
  • Where your data lives. Your weight, medication, side effects, food, mood, habits, and journal entries live on US servers (Supabase in Ohio) under layered safeguards — encryption, strict contracts, row-level access controls. Data you've synced from Apple Health or Health Connect stays on your phone — delete it from iOS or Android Settings if you want it gone.
  • What we never do. Your data is not for sale. We do not run ads, share you with ad networks, or use any AI provider that trains on your prompts. AI suggestions you can accept, edit, or ignore — no AI inside Gila gets to decide anything about you without you.
  • How to leave. If you ever want to walk away, you can take everything with you and leave nothing behind. Delete in the app or at /delete-account — your data is removed from our live database within 24 hours and from rolling backups within 30 days.

1. Who we are

Gila is one person: Sezen Soykut. She runs the business as a sole-trader (şahıs şirketi) registered in the Republic of Türkiye, trading as "Gila", and she is also the internal Data Protection Officer — meaning when you write to dpo@gila.coach with a privacy question, Sezen reads it. That is a small team by design. It also means the privacy decisions do not get diffused across a department; they sit with the same human you can email.

Registered business address: Karya Evleri 3/18, Ataşehir Mahallesi, Çiğli, İzmir, Türkiye. This is our registered sole-trader (şahıs şirketi) address with the Turkish tax authority. Postal mail and formal legal-process notices may be sent here.

Data Protection Officer (DPO): Sezen Soykut serves as the internal Data Protection Officer. Contact: dpo@gila.coach. The DPO designation reflects that our core processing involves health data on a regular and systematic basis (GDPR Article 37).

EU representative (GDPR Article 27): We are appointing an Article 27 EU representative. In the interim, contact our Data Protection Officer at dpo@gila.coach for any matter that would normally route through an EU representative. We will update this notice as soon as the representative is in place.

UK representative (UK GDPR Article 27): We are appointing an Article 27 UK representative. In the interim, contact our Data Protection Officer at dpo@gila.coach for any matter that would normally route through a UK representative. We will update this notice as soon as the representative is in place.

Türkiye (KVKK): Gila is operated from Türkiye. The Personal Data Protection Board (KVKK — Kişisel Verileri Koruma Kurulu) is our primary supervisory authority. See /privacy/turkey for KVKK-specific disclosures, including the explicit cross-border transfer consent we collect from Turkish users.


2. What this policy covers

This Privacy Policy applies to:

  • The Gila mobile app for iOS and Android (bundle identifier coach.gila).
  • The gila.coach website, including the pilot signup, learning hub, newsletter, and account deletion pages.
  • The Gila newsletter (operated through Beehiiv) for subscribers who are not yet account holders.
  • Pre-account pilot signups collected via the gila.coach landing page.

It does not cover the App Store or Google Play storefronts themselves — Apple and Google operate those independently — and it does not cover third-party websites we link to from learning content.

Our Terms of Service are a separate document at /terms. The Terms set out the contract between you and Gila; this Privacy Policy explains what we do with your data.


3. What we collect and why

You can use much of Gila without giving us any optional data. We collect only what we need for the feature you are using, and we tell you in-app before sensitive fields appear.

The table below groups data by category. Each row tells you what we collect, where it comes from, what we use it for, our legal basis under EU/UK GDPR, and how long we keep it. The full per-table inventory and our internal Records of Processing are produced on request to supervisory authorities and data subjects via dpo@gila.coach.

3.1 Identity and account data

Item | Examples | Source | Why we use it | Legal basis | Retention
--- | --- | --- | --- | --- | ---
Account identifier | Email, display name, profile photo URL | You — at signup | Create and authenticate your account; address you by name | Art. 6(1)(b) contract | Indefinite while account active; deleted within 30 days of account deletion (including backups)
Authentication credentials | Password hash (bcrypt, managed by Supabase Auth), or OAuth subject ID for Google / Apple Sign-In | You — at signup | Verify it is you when you sign in | Art. 6(1)(b) contract | Same as account
Device push token | FCM token registered when you allow push | Your device (with your permission) | Send the notifications you have opted in to | Art. 6(1)(a) consent | Until token rotates or you disable notifications; purged on account deletion
Pilot signup record (pre-account) | First name, email, self-reported medication status, journey stage, what matters most, UTM parameters | You — at the landing-page form | Notify you when the pilot cohort opens; segment outreach | Art. 6(1)(a) consent | Until account creation, unsubscribe + 30-day audit, or 6 months of inactivity (whichever comes first)

3.2 Health and wellness data (special category — GDPR Article 9)

This data is sensitive. We process it only with your explicit consent, captured at onboarding through our in-app consent gate, and you can withdraw consent at any time.

Item | Examples | Source | Why we use it | Legal basis | Retention
--- | --- | --- | --- | --- | ---
Body weight and measurements | Weight entries, height, baseline + goal weight | You — manually, or via Apple Health / Health Connect (with your permission) | Show trends; calibrate goals; feed AI coaching if you have enabled it | Art. 6(1)(b) contract + Art. 9(2)(a) explicit consent | Indefinite while account active; per-entry delete available; cascade purge on account deletion
Medication tracking | GLP-1 drug name, dose, injection zone, pain level, date and time, free-text notes | You | Show adherence and side-effect trends; feed AI coaching if enabled | Art. 6(1)(b) contract + Art. 9(2)(a) explicit consent | Same
Side effects | Description, severity, date and time, notes | You | Surface side-effect trends; help you and your prescriber spot patterns | Art. 6(1)(b) contract + Art. 9(2)(a) explicit consent | Same
Mood and journal | Mood label, emoji, category, free-text reflections | You | Surface mood trends; feed AI report narratives if enabled | Art. 6(1)(b) contract + Art. 9(2)(a) explicit consent | Same
Food intake | Search queries, photos, barcode scans, meal sessions (calories, macros, meal type) | You — via search, scan, or AI food-vision | Build your nutrition timeline; calibrate goals | Art. 6(1)(b) contract + Art. 9(2)(a) explicit consent | Meal sessions: indefinite while active; search history: 90 days rolling
Apple Health / Health Connect sync | Steps, active minutes, sleep duration, heart rate, exercise minutes, weight | Your device — with your explicit OS-level permission | Aggregate your activity into the daily health summary | Art. 6(1)(a) consent + Art. 9(2)(a) explicit consent | Daily aggregates retained while active; on-device originals stay on your device
Progress photos and habit evidence | User-uploaded images | You | Visual progress and habit-completion evidence | Art. 9(2)(a) explicit consent | Indefinite while you keep the entry; cascade purge on account deletion

Calorie and macronutrient tracking is treated as "consumer health data" under Washington State's My Health My Data Act (RCW 19.373); we apply the same explicit-consent standard globally so the experience is the same wherever you are.

3.3 Behavioural and inferred data

Item | Examples | Source | Why we use it | Legal basis | Retention
--- | --- | --- | --- | --- | ---
Habit tracking | Habit titles, frequency, completion status, streaks, scheduled and logged dates, notes | You | Run habit tracking and surface streaks | Art. 6(1)(b) contract | Indefinite while active; per-entry delete; cascade purge on deletion
Search history | Food search queries | You | Speed up repeated searches | Art. 6(1)(b) contract | 90 days rolling
AI-generated recommendations | Habit suggestions, activity-goal recommendations, nutrition-goal calibrations, weekly briefings, report narratives | Gila AI — built from your data with your consent | Provide AI coaching | Art. 6(1)(a) consent + Art. 9(2)(a) where health data is involved | Indefinite while active; cascade purge on deletion
Content engagement | Article + podcast views, time-on-page | You | Improve the learning library | Art. 6(1)(f) legitimate interest | 12 months rolling

3.4 Technical and operational data

Item | Examples | Source | Why we use it | Legal basis | Retention
--- | --- | --- | --- | --- | ---
Device + app info | Device type, OS version, app version, locale, time zone | Your device | Make the app work on your device; debug crashes | Art. 6(1)(b) contract / Art. 6(1)(f) legitimate interest | Tied to error logs (90 days)
IP address (transient) | Used to serve your request and apply Cloudflare bot protection | Your device | Network routing; abuse prevention; rough country guess | Art. 6(1)(f) legitimate interest | Transient — we do not persist your IP on your user record
Error and crash reports | Stack traces, breadcrumbs, performance traces. Per our engineering guidelines, no Tier-1 health data should be attached to error events. | App and website | Find and fix bugs | Art. 6(1)(f) legitimate interest | 90 days (Sentry default)
Product analytics | Hashed user ID, screen names, event names, feature-flag exposure | Mobile app only (PostHog is NOT loaded on gila.coach) | Understand which features help you | Art. 6(1)(a) consent in EEA/UK/CH/BR; Art. 6(1)(f) legitimate interest elsewhere | 12 months (PostHog default)

3.5 Commercial data (subscriptions)

Item | Examples | Source | Why we use it | Legal basis | Retention
--- | --- | --- | --- | --- | ---
Subscription state | Tier, status, start and end dates, store transaction identifiers | Apple App Store / Google Play (via RevenueCat when paywall is enabled) | Provide the plan you paid for; honour renewals and cancellations | Art. 6(1)(b) contract + Art. 6(1)(c) tax retention | Active: indefinite while subscribed; cancelled: per RevenueCat defaults plus statutory accounting retention

Payment card data never reaches Gila. Apple or Google handles the payment; we only receive the resulting subscription state.

3.6 Marketing and engagement data

Item | Examples | Source | Why we use it | Legal basis | Retention
--- | --- | --- | --- | --- | ---
Newsletter subscriber record | Email, first name, signup source, UTM | You — via newsletter form | Send the newsletter you opted in to | Art. 6(1)(a) consent | Until you unsubscribe + 30-day audit, or account deletion
Email delivery logs | Template ID, status, timestamp | Our email provider | Troubleshoot delivery problems | Art. 6(1)(f) legitimate interest | 12 months
Email engagement | Opens, clicks (newsletter only) | Beehiiv | Improve newsletter relevance | Art. 6(1)(a) consent | While subscribed

We have disabled Beehiiv's cross-newsletter recommendation and audience-share features for our list. Your email is not exposed to other newsletter operators on Beehiiv for cross-promotion or recommendation purposes.


4. How we use AI

We use AI to power the following features. We disclose this here in line with EU AI Act Article 50 (so you know when you are interacting with AI) and GDPR Article 13(2)(f) (so you have meaningful information about the logic).

4.1 Which features use AI

# | Feature | What it does
--- | --- | ---
1 | Food vision | You photograph a meal, barcode, or label; AI recognises the dish and looks up nutrient values.
2 | Activity-goal AI | Generates a personalised weekly active-minute + strength target based on your profile and recent activity.
3 | Nutrition-goal AI | Generates personalised calorie + macro targets based on your weight, goal, dietary preferences, and GLP-1 status.
4 | Habit suggestions | Suggests next habits matched to your goals, current habits, and recent mood.
5 | Habit Lab (playground) | An interactive AI playground for refining your own habit ideas, accessible inside the Habit Lab area of the app.
6 | Onboarding insight | A one-time personalised "wow moment" message after onboarding, built from your onboarding answers.
7 | Weekly narrative report | A plain-English narrative summary of your week — habits, mood, weight trend, medication adherence.
8 | Health analysis | AI-assisted analysis of aggregated weight, mood, and medication adherence.
9 | Weekly briefing | An optional push-notification narrative summarising your week.
10 | Journal embeddings | Vector embeddings of your journal text so we can power semantic search and "find similar entries".
11 | Community-submission safety review | When another user submits a habit or stack to the public library, we run an AI safety + quality review before publication.
12 | Habit-signal agent | Ranks suggested habits and grounds them with source citations from public research.

4.2 Which AI providers we use

Our primary AI provider is Google Gemini (Gemini 2.5 Flash and the Gemini embedding model). It powers all 12 features above as the default.

For specific features we may also use:

  • Anthropic Claude (Haiku / Sonnet / Opus) — used in Habit Lab (feature 5) as the conversational model and in our internal QA evaluation pipeline (eval-score), and as an opt-in A/B path inside food vision (feature 1). The A/B path is off by default in production.
  • OpenAI — available only as an opt-in A/B path inside food vision (feature 1). Off by default in production; we have pre-disclosed OpenAI as a conditional provider so that if we ever switch the default, the disclosure is already in place.
  • Perplexity (sonar-pro) — used by Habit-signal agent (feature 12) for source-grounded research citations and by food vision (feature 1) as a research fallback for ambiguous foods. Only anonymised topical queries are sent — never your identifier.

You can see the per-feature, per-provider mapping in our Subprocessor List.

4.3 Data sent per request

For every AI feature we send only the minimum context needed for that specific request — never your full record. A typical request includes a curated snapshot (e.g., recent weight, recent mood, current goals) plus, for vision features, the relevant image. Identifiers like your email and name are stripped before the request leaves our servers.

4.4 Not used to train

None of our AI providers use your prompts or data to train their foundation models:

  • Google Gemini — Google's commercial API terms state that customer data submitted to the API is not used to improve Google's models. We set the "no training" flag on every request.
  • Anthropic Claude — Anthropic's Commercial Terms commit that customer data submitted via the API is not used to train models.
  • OpenAI — OpenAI's Business Terms (which govern API usage) commit that customer data is not used for training by default.
  • Perplexity — Perplexity's API terms commit that data submitted via the API is not used to train Perplexity's models.

If any provider changes its terms to reverse the no-training default, we will re-evaluate the affected feature, ask you to re-consent before further processing, and update this notice.

4.5 Automated decision-making under GDPR Article 22

GDPR Article 22 applies when a decision is solely automated and produces legal or similarly significant effects. Per our internal Data Protection Impact Assessment (available on request from dpo@gila.coach), none of Gila's AI features make such decisions. They are AI suggestions you can accept, edit, or ignore — you remain in the loop:

  • Food vision returns a calorie estimate; you can edit it before saving and you decide whether to act on it.
  • Habit and goal suggestions are presented to you — you accept, edit, or reject them.
  • The Habit Lab is a conversational playground; nothing in it gates access or imposes a contract.
  • No AI feature in Gila affects your access to the service, your account standing, or any external right.

You can still ask us about the logic of any AI output that affected you, and you can request human review by emailing dpo@gila.coach.

4.6 EU AI Act Article 50 transparency

Under EU AI Act Article 50, you have the right to be told when you are interacting with an AI system. Every AI-generated surface in Gila carries an "AI-generated" label with the provider name in the in-app information panel. The Habit Lab and the onboarding "AI moment" feature display this disclosure prominently when AI is in use.

4.7 Calorie counting and food recognition: an honest caveat

Food vision is an estimate. The model can confuse similar dishes, miss ingredients in a mixed plate, or misjudge portion size. The number we show you is informational — not medical advice and not a substitute for a registered dietitian, doctor, or pharmacist. The same applies to all AI-generated coaching content in the app: it is a prompt to think, not a clinical recommendation.

4.8 What we do not do with AI

  • We do not make legal, employment, financial, or other significant decisions about you using AI alone.
  • We do not allow AI providers to train their foundation models on your prompts or data (per provider-by-provider contracts above).
  • We do not use AI for advertising, profiling for ads, or any third-party marketing purpose.
  • We do not combine your AI inputs with data from data brokers or social-media platforms.

4.9 Withdrawing AI consent

AI features are opt-in. If you withdraw AI consent, the app continues to work — manual tracking, charts, and the timeline remain — but features marked "AI" stop sending data to any AI provider. The withdrawal is provider-agnostic — a single decision covers all providers above. Visit our self-service rights form or email dpo@gila.coach to withdraw.


5. Where your data goes

Gila's primary database and most of our supporting services are based in the United States. Every non-US user therefore generates a cross-border transfer of personal data.

5.1 Where the data sits

Service | Function | Location
--- | --- | ---
Supabase | Database, authentication, file storage, edge functions | United States (Ohio — us-east-2)
Firebase / FCM | Push notifications | United States
Google Gemini | Primary AI provider (all 12 AI features) | United States (Google global infrastructure)
Anthropic Claude | AI provider for Habit Lab + QA evaluation + food-vision A/B opt-in path | United States
OpenAI | AI provider for food-vision A/B opt-in path only (default off in production) | United States
Perplexity | Research grounding for habit-signal agent + food-vision research path | United States
Resend | Transactional and marketing email | United States
Beehiiv | Newsletter | United States
PostHog | Product analytics | United States (EU region available — under evaluation)
Sentry | Error tracking | United States (EU region available — under evaluation)
RevenueCat | Subscription management (when paywall enabled) | United States
Vercel | Website + edge function hosting | United States primary, global edge
Cloudflare Turnstile | Bot protection | Global edge
FatSecret | Nutrition database lookups | United States

Apple HealthKit (iOS) and Health Connect (Android) keep their data on your device; we only receive the per-day aggregate you have consented to share with Gila.

5.2 How we make those transfers lawful

For users in the EU, EEA, UK, and Switzerland, we rely on:

  1. Standard Contractual Clauses (SCCs) — the European Commission's 2021 Module 2 (Controller → Processor) annexed to every processor agreement.
  2. The EU-US Data Privacy Framework (DPF), the UK Extension, and the Swiss-US DPF as a defence-in-depth where the provider is DPF-certified (notably Google and Cloudflare).
  3. Supplementary technical and organisational measures — encryption in transit (TLS 1.3) and at rest (AES-256), row-level security on every Supabase table, data minimisation per AI request, hashed analytics identifiers, contractual restrictions on government-access requests, and commitments to challenge overbroad demands. Our Transfer Impact Assessment (dated 2026-05-16) is available on request from dpo@gila.coach.

For users in Türkiye, we cannot rely on SCCs or the DPF — the US is not on Türkiye's "adequate countries" list and we have no KVKK Board approval. Instead, we rely on explicit consent under KVKK Article 9, captured at onboarding and recorded in our consent log. Without that consent we cannot serve the app to you, because the data must travel to the US to run.

For users in Brazil, we rely on LGPD Article 33 with specific consent. For Canada, we rely on the PIPEDA accountability principle and remain liable for the data after transfer. For Australia, we comply with APP 8 cross-border disclosure.

5.3 Honest residual risk

US law (FISA §702, the CLOUD Act, National Security Letters) permits US authorities to compel a US-headquartered provider to produce data in certain circumstances. We have not received any such request to date. If we ever do, we commit to:

  • challenging any overbroad, vague, or disproportionate request;
  • seeking release from any gag order so we can tell you (where lawfully permitted);
  • notifying our EU representative and relevant supervisory authorities where appropriate;
  • publishing this in our annual transparency posture once volumes warrant it.

We do not pretend US transfers are risk-free. We have weighed the risk, applied the supplementary measures above, and judged the present design acceptable for our user base. If that calculation changes — for example, if the EU-US DPF is invalidated again, or our EEA user share grows materially — we will move our primary database to an EU region.

The complete subprocessor list lives at /subprocessors and is referenced in section 6 below.


6. Sharing

We want to be specific about what we do not do with your data:

  • We do not sell your personal data. Not under CCPA's definition, not under any state law's definition, not under any common-sense definition.
  • We do not share your data with advertisers. No ad networks. No retargeting pixels. No "lookalike audiences". No data brokers.
  • We do not use your health data for marketing. We do not segment marketing emails by your medication, weight, or any other Article 9 attribute.

6.1 Who we do share with

We share data only with the processors who run parts of the service for us. Every processor is bound by a written data-processing agreement and may only use your data on our instructions. The full list, including each processor's role, region, data category, and DPA status, is at /subprocessors.

6.2 Legal disclosures

We may disclose your data when we are legally required to — for example, a valid court order, a subpoena from a competent authority, or a request from a supervisory authority. When that happens:

  • We review the request and challenge it if it is overbroad, vague, or appears to exceed the requester's lawful authority.
  • We notify you, unless we are legally prohibited from doing so.
  • We disclose only the specific data the order compels, never the user's full record.

6.3 Business transfers

If we are ever acquired, merged, or restructured (Gila is currently a single-person business so this is unlikely, but worth saying), your data may transfer to the new operator. You will be notified at least 30 days before the change and you will keep the right to delete your data before any transfer occurs.


7. Children

Gila is built for adults. You need to be 16 or older — we ask you at signup. If you tell us you are and you're not, we will close the account when we find out. Parents: if you think a child under 16 has signed up, write to dpo@gila.coach and we will delete the account and the data the same day.

We chose 16 because it is the highest digital-consent age across the jurisdictions we serve, which keeps the rule simple.

Full child-safety disclosures, including how we handle reports and the safeguards we apply, are in our Child Safety Notice.


8. Your rights

You have the rights below across every jurisdiction we serve. The wording differs between regimes (GDPR, UK GDPR, KVKK, LGPD, CCPA, MHMDA, and the other US state laws), but the practical effect is largely the same. Where a right is jurisdiction-specific, we have called that out.

Right | What it means | How to exercise it
--- | --- | ---
Access | Get a copy of the personal data we hold about you, in a portable format | /dsar — self-service web form
Rectification / correction | Fix anything inaccurate or out-of-date | In-app for most fields; /dsar for anything you cannot edit yourself
Erasure / deletion | Have your data permanently deleted | In-app Settings → Account → Delete account, or /delete-account
Restriction | Have us pause processing while we resolve a dispute or correction request | /dsar
Portability | Receive your data in a structured, machine-readable format (JSON) | /dsar
Objection | Object to processing based on our legitimate interest (e.g. analytics, error tracking) | /dsar or email dpo@gila.coach
Withdraw consent | Revoke any consent you previously gave, without affecting the lawfulness of prior processing | /dsar or email dpo@gila.coach
Lodge a complaint | Complain to a privacy regulator if you think we have got something wrong | See the supervisory authorities list below

Most access requests are fulfilled within 7 days; complex requests may take up to 30 days, with extensions in limited cases (the GDPR Article 12(3) ceiling is 30 days, extendable by 60 days for complex matters; we tell you within the first 30 days if an extension is necessary). We do not charge a fee for any reasonable request.

8.1 Verifying identity

To protect your data, we verify your identity before acting on any access, deletion, or portability request — usually with an email-link challenge and our bot-protection check. If we cannot verify you, we will tell you what we need.

8.2 Supervisory authorities

If you believe we have not handled your request properly, you can complain to a supervisory authority. You can choose your home authority or the one for our establishment.

  • Türkiye (our home regulator) — Kişisel Verileri Koruma Kurulu (KVKK), Ankara — kvkk.gov.tr
  • Spain (EU representative jurisdiction) — Agencia Española de Protección de Datos (AEPD) — aepd.es
  • United Kingdom — Information Commissioner's Office (ICO) — ico.org.uk
  • Other EU/EEA Member States — your national data protection authority; the list is at edpb.europa.eu
  • Switzerland — Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch
  • Brazil — Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd
  • Canada — Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca; Québec residents may also contact the Commission d'accès à l'information
  • Australia — Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
  • United States — see /privacy/california, /privacy/washington, and other state notices for the relevant attorney-general contact

9. Security

Gila is run by one person, and that person — Sezen — touches your data only when she has to: a bug, a support ticket, a quality benchmark, a deletion request you asked for, or a security incident. "Curiosity browsing" is not a thing here. Every touch is logged. The technical layer underneath:

  • Encryption in transit — TLS 1.2+ (TLS 1.3 preferred) on every connection, with weak cipher suites disabled.
  • Encryption at rest — AES-256 at the platform layer on Supabase, Firebase, and every other named processor.
  • Row-level security (RLS) — every Supabase table holding personal data enforces row-level security so you can only read your own data, and our application code cannot bypass it.
  • Authentication — bcrypt password hashing (Supabase-managed); OAuth 2.0 with PKCE for Google Sign-In and Sign in with Apple; session tokens scoped to short refresh windows.
  • Bot protection — Cloudflare Turnstile on every public form.
  • Audit logging — Supabase audit log and Sentry breadcrumbs capture access and errors.
  • Data minimisation per AI request — we send only the smallest snapshot of your data needed for the feature, never a full export.
  • Telemetry boundary discipline — PostHog and Sentry receive a hashed identifier rather than your email. Per our engineering guidelines, no Tier-1 health data is included in analytics or error-tracking events. If a leak is discovered, we treat it as a privacy incident under our 72-hour notification commitment.

Breach response

If a personal-data breach occurs that is likely to result in a risk to your rights, we commit to:

  • notify the lead supervisory authority within 72 hours of becoming aware, as required by GDPR Article 33;
  • notify you directly without undue delay where the breach is likely to result in a high risk (GDPR Article 34);
  • publish a public notice when an incident affects a material share of users — and you may always contact dpo@gila.coach directly for security concerns.

10. Retention

We keep personal data for the period required by the purpose, then we delete or anonymise it. Summary:

Category | Retention | Trigger
--- | --- | ---
Active account personal + health data | Indefinite while your account is active | Account deletion → live database purged within 24 hours; rolling backups age out within 30 days
Per-entry timeline data (weight, mood, food, medication) | Indefinite while active; per-entry delete available | You delete the entry, or your account
Search history (food) | 90 days rolling | Time-based
Email delivery logs | 12 months rolling | Time-based
Account-deletion verification tokens | 1 hour | Token issuance
Consent receipts (audit log) | Indefinite (we retain the receipt itself, not your identity) | Deletion: receipt is preserved with user_id nulled, as audit evidence under GDPR Article 7(1)
Anonymised aggregate analytics | Indefinite (no re-identification risk) | Never deleted
Transactional email content (Resend) | ~90 days (Resend default) | Rolling
PostHog event data | 12 months | Configurable per-region
Sentry error events | 90 days | Rolling
Newsletter subscriber data | Until unsubscribe + 30-day audit | You unsubscribe
Backups | 30 days rolling | Includes deleted user data for the rollover window
Subscription / billing records | Per RevenueCat defaults + statutory accounting retention (typically 5-10 years for tax records) | Legal obligation

Account deletion is permanent. Once we have processed your request and the 30-day backup window has rolled over, we cannot recover your data — including journal entries, photos, and history.


11. How to exercise your rights

The fastest way to exercise any privacy right is the self-service DSAR form at /dsar. It walks you through identity verification and lets you choose access, correction, deletion, portability, restriction, or objection in a single place. We respond within 30 days.

You can also email us at dpo@gila.coach. If you do, please include enough detail for us to identify your account (the email you used to sign up is usually enough) and tell us which right you are exercising.

For account deletion specifically, the in-app shortcut is Settings → Account → Delete account (iOS and Android), and the web shortcut is /delete-account. Apple requires in-app account deletion; we comply.

If your request comes through an authorised agent (for example a CCPA-authorised agent in California), we will verify both your identity and the agent's authority before acting.


12. Changes to this policy

We update this policy when something material changes — a new processor, a new AI feature, a new jurisdiction, a regulatory development. Whenever we make a material change, we commit to:

  • publishing the updated policy at least 30 days before it takes effect;
  • emailing the change summary to every account holder;
  • flagging the change in-app through the legal-change banner on the next sign-in.

Minor edits (typo fixes, broken-link repairs, formatting) take effect immediately and are recorded in the change log at the bottom of this policy. The current version is shown in the policy's metadata at the top.


13. Region-specific rights

Different jurisdictions add specific rights or specific disclosures on top of this master policy. The links below take you to the regional supplement that applies to you. They sit alongside this policy — read them together.

US state coverage extends beyond California and Washington: residents of Virginia, Colorado, Connecticut, Oregon, Texas, Montana, Iowa, Delaware, Maryland, New Hampshire, New Jersey, Tennessee, Minnesota, and Kentucky also have rights under their state consumer-privacy laws. The two state-specific pages above (California and Washington) cover the most enforcement-active regimes; for any of the other states named here, write to dpo@gila.coach and we will respond under your state's rights framework.


14. Cookies and similar technologies

The gila.coach website uses cookies and similar technologies to keep you signed in, remember your language, run product analytics (with your consent in EEA / UK / Switzerland / Brazil), and protect forms from bots. The Gila mobile app does not use web cookies.

The full per-cookie inventory, including duration, type, and category, is in our Cookie Policy. You can change your choices at any time from the cookie banner on the website footer, or by emailing dpo@gila.coach.


15. Contact

For any question, request, or concern about this policy or your data:

  • Privacy + DPO: dpo@gila.coach
  • General support: support@gila.coach
  • Postal address: Karya Evleri 3/18, Ataşehir Mahallesi, Çiğli, İzmir, Türkiye
  • EU representative (GDPR Article 27): being appointed; in the interim, contact dpo@gila.coach
  • UK representative (UK GDPR Article 27): being appointed; in the interim, contact dpo@gila.coach

If you have read this far and your concern has not been answered, write to the DPO and we will reply within 30 days, free of charge.


Change log

Version | Date | Summary
--- | --- | ---
2.0 | 2026-05-16 | Complete rewrite from v1. Adds explicit cross-border transfer disclosure (Schrems II + KVKK Article 9), EU AI Act Article 50 disclosure, full processor inventory, breach-response commitments, jurisdiction-specific links, EU + UK representative placeholders, and the in-app + web account-deletion paths. Replaces the partial v1 policy at gila-landing/src/app/[locale]/privacy/page.tsx.
2.1 | 2026-05-16 | Phase 6 wrap-up. Expanded section 4 (How we use AI) to enumerate all 12 user-facing AI features and disclose Anthropic Claude + OpenAI as additional providers (decision-log #18). Replaced [REGISTERED BUSINESS ADDRESS] placeholders with the Türkiye-on-request formulation (decision-log #19). Section 5 processor table updated with Claude + OpenAI rows.