Last updated: 2026-05-16
California Privacy Notice
This page is the California-specific notice Gila publishes for California residents under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). It supplements — and does not replace — our main Privacy Policy and Health Data Notice. Where this notice and the main Privacy Policy diverge for a California resident, this notice controls.
If anything is unclear, email dpo@gila.coach and we will explain it.
1. What this notice adds
The CCPA gives California residents specific privacy rights and imposes specific obligations on businesses that meet the statutory applicability thresholds. The CPRA, in force since January 1, 2023, expanded those rights — adding correction, the right to limit use of sensitive personal information, and recognition of universal opt-out signals — and established the California Privacy Protection Agency (CPPA) as a dedicated enforcement regulator alongside the California Attorney General.
The CCPA/CPRA covers California consumers (residents), and as of January 1, 2023 also covers California employees, applicants, and B2B contacts (the prior exemptions for these categories expired). Gila is a consumer health-tracking app with no current B2B sales motion and no California employees; the rights below are framed for California consumer users, but the same response process is available to any other California resident whose personal information Gila holds.
2. Sensitive Personal Information
The CPRA created a distinct "sensitive personal information" (SPI) category under Cal. Civ. Code §1798.140(ae). For California consumers, Gila collects the following sensitive personal information categories:
| SPI category (§1798.140(ae)) | What Gila collects | Stored where |
|---|---|---|
| Account log-in + password (§1798.140(ae)(1)(C)) | Email + hashed password (bcrypt, Supabase-managed) | Supabase Auth (US) |
| Health information (§1798.140(ae)(2)(B)) | Body weight, GLP-1 medication name and dose, injection zone, side effects, mood, food intake (calories, macros), Apple Health / Health Connect synced signals (steps, sleep, heart rate), AI-derived health insights, journal entries | Supabase (US us-east-2) |
| Biometric data (§1798.140(ae)(2)(A)) — only when used for unique identification | None. Face ID / Touch ID authentication is processed on-device by Apple / Google platform APIs; Gila never receives or stores biometric templates. | n/a |
| Precise geolocation (§1798.140(ae)(1)(F)) — within 1,850 feet | None. Gila does not request location permission and does not collect precise geolocation. | n/a |
| Genetic data | None | n/a |
| Racial / ethnic origin, religious or philosophical beliefs, union membership, sex life or sexual orientation, contents of mail/email/text | None directly collected. Free-text journal entries may incidentally contain such content; we do not infer, profile, or use such inferences for any purpose. | n/a |
| Government ID numbers (SSN, driver's license, passport) | None | n/a |
How we use SPI. We use the SPI categories above only to perform the Gila service that you have requested — recording your weight and medication, showing your trends, computing nutrition totals, delivering AI-generated insights when you have separately consented to AI features, and operating your account. We do not use SPI to infer characteristics about you, and we do not use SPI for profiling, targeted advertising, cross-context behavioural advertising, sale, or sharing.
Because we do not use SPI for any purpose beyond the §1798.121(a)(1)–(8) permitted purposes, the CPRA "Right to Limit Use and Disclosure of Sensitive Personal Information" is effectively honoured by default for every California user. You do not need to file a request to limit our use of your sensitive personal information — we already do. You are still free to file a request and we will confirm the limit in writing.
3. Categories of Personal Information collected — last 12 months
Per Cal. Civ. Code §1798.130(a)(5)(B) and §1798.110, the following table lists, by statutory category, the categories of personal information Gila has collected from California consumers in the preceding 12 months, the sources, the business or commercial purpose, the categories of recipients, and the retention for each.
| Statutory category (§1798.140(v)) | Collected? | Examples at Gila | Sources | Business purpose | Recipients (categories) | Retention |
|---|---|---|---|---|---|---|
| A. Identifiers | Yes | Email, name (display), Apple/Google OAuth subject ID, push device token, profile photo URL | Directly from you; OAuth provider | Account creation, authentication, push delivery, support | Cloud infrastructure provider (Supabase, US); identity providers (Apple, Google); push provider (Firebase Cloud Messaging, US); email provider (Resend, US) | Active account: indefinite. Deletion request: purged within 30 days including from backups |
| B. Customer records (Cal. Civ. Code §1798.80(e)) | Yes (overlap with A) | Email, name | Directly from you | Account record | Same as A | Same as A |
| C. Protected classifications | No | n/a | n/a | n/a | n/a | n/a |
| D. Commercial information | Yes (when paywall enabled) | Subscription tier, status, transaction reference | App Store / Play Store via RevenueCat | Subscription management | Subscription provider (RevenueCat, US); cloud infrastructure (Supabase, US) | Active subscription: indefinite. After cancellation: per statutory accounting retention (typically 5–10 years for tax records, then deleted or pseudonymised) |
| E. Biometric information (for unique identification) | No | n/a | n/a | n/a | n/a | n/a |
| F. Internet or other electronic network activity | Yes (limited) | Screen names, event names, feature-flag exposure, session duration, app version, OS, locale | Pseudonymised SDK telemetry | Product analytics, error tracking, feature-flag evaluation | Product analytics provider (PostHog, US); error tracking (Sentry, US); web analytics (Google Analytics 4, US — if enabled) | PostHog: 12 months. Sentry: 90 days. GA4: minimum retention configured |
| G. Geolocation data | No (only country-level inference from IP, transient, not persisted) | n/a | n/a | n/a | n/a | n/a |
| H. Sensory information | Yes (limited, food vision feature) | Food photographs you take | Directly from you (camera) | AI calorie recognition (Gemini vision) when invoked | AI provider (Google Gemini, US); cloud infrastructure (Supabase, US) | Transient — request bodies not persisted in Supabase beyond a metadata log; Google retains for up to 30 days for abuse detection per Gemini API terms |
| I. Professional / employment-related | No | n/a | n/a | n/a | n/a | n/a |
| J. Non-public education information (FERPA) | No | n/a | n/a | n/a | n/a | n/a |
| K. Inferences | Yes | AI-generated habit suggestions, activity-goal recommendations, weekly briefing narrative, persona type tag | Derived from items A, D, F, L below | Personalisation of the Gila service (only with your separate AI-features consent) | Cloud infrastructure (Supabase, US); AI provider (Google Gemini, US) | Active account: indefinite. Deletion request: purged within 30 days |
| L. Sensitive personal information | Yes (see §2 above) | See SPI table in §2 | Directly from you, Apple Health / Health Connect (with permission) | Health tracking — providing the service you requested | Cloud infrastructure (Supabase, US); AI provider (Google Gemini, US — when AI features invoked with separate consent) | Active account: indefinite. Per-entry user delete supported. Deletion request: purged within 30 days |
A more detailed breakdown of each processor, the precise data sent, and the contractual basis is at /subprocessors. Our internal Records of Processing Activities document the same flows in GDPR Article 30 format.
4. Sale and sharing of personal information
Gila does not sell personal information, and Gila does not share personal information for cross-context behavioural advertising.
This is true within the CCPA/CPRA statutory definitions:
- "Sale" (§1798.140(ad)) — disclosure of personal information to a third party for monetary or other valuable consideration. We do not do this.
- "Sharing" (§1798.140(ah)) — disclosure of personal information to a third party for cross-context behavioural advertising. We do not do this.
We do not run advertising in the app or on the website. We do not allow any third-party advertising pixel, ad-tech vendor, or behavioural-advertising tag on the gila.coach website. We do not contract with data brokers. Routine processor relationships — for example, directing Supabase to store your account data on our behalf so we can give it back to you — are not sales because no monetary or valuable consideration flows in exchange for the personal information itself, and the processor is contractually prohibited from re-using or re-selling it.
Because we do not sell or share, the CPRA "Right to Opt-Out of Sale or Sharing of Personal Information" is honoured by default for every California user. You do not need to file a request. Posting a "Do Not Sell or Share My Personal Information" link is therefore not required, but we still honour the right by design and we honour Global Privacy Control signals (see §10).
If we ever introduce a sale or sharing arrangement, we will (a) update this notice 30 days before the change takes effect, (b) post the required "Do Not Sell or Share My Personal Information" link in the website footer and in-app, and (c) treat opt-outs at first detection.
5. Use of Sensitive Personal Information
Section 1798.121 grants you the right to direct us to limit our use and disclosure of your SPI to (a) performing the services or providing the goods reasonably expected by an average consumer, (b) preventing security incidents, (c) resisting malicious or deceptive actions, (d) ensuring physical safety, (e) short-term transient use, (f) services on behalf of the business such as customer service, (g) verifying or maintaining quality, (h) upgrading or enhancing service.
As stated in §2, Gila's use of your SPI is already restricted to purpose (a) — providing the Gila service you have requested — plus minimal use of (b) and (c) for fraud and abuse prevention. We do not use SPI for inference, profiling, targeted advertising, sale, sharing, or any other purpose outside the §1798.121(a) permitted purposes. The SPI limit right is therefore honoured by default for every California user, and you do not need to file a request. If you wish to receive written confirmation, file a request at /dsar and we will reply.
6. Your California consumer rights
You have the following rights under the CCPA/CPRA. Each right is free to exercise, twice in any 12-month period.
| Right | Statute | What it gets you |
|---|---|---|
| Right to Know — categories | §1798.110, §1798.130 | The categories of personal information we have collected about you, the sources, the business or commercial purpose, the categories of third parties to whom we have disclosed or sold it, the categories of personal information sold or shared, and the categories of personal information disclosed for a business purpose |
| Right to Know — specific pieces | §1798.110(a)(5) | A copy of the specific pieces of personal information we hold about you, in a portable, machine-readable format |
| Right to Delete | §1798.105 | Deletion of personal information we have collected from you, subject to the nine exceptions in §1798.105(d) (transaction completion, security, debugging, free speech, research, internal use compatible with collection, legal obligation, etc.) |
| Right to Correct | §1798.106 | Correction of inaccurate personal information we maintain about you |
| Right to Portability | §1798.130(a)(2) | Receive specific pieces of your personal information in a portable, readily usable format that allows transmission to another business |
| Right to Opt-Out of Sale or Sharing | §1798.120 | Direct us to stop selling or sharing your personal information (already honoured by default — see §4) |
| Right to Limit Use of Sensitive Personal Information | §1798.121 | Direct us to limit use of SPI to the §1798.121(a) permitted purposes (already honoured by default — see §5) |
| Right to Non-Discrimination | §1798.125 | We may not deny you the Gila service, charge a different price, or provide a different level or quality of service because you exercised any of these rights |
| Right to Opt-Out of Automated Decisionmaking | §1798.185(a)(15) — pending CPPA regulations | Once CPPA regulations on automated decisionmaking take effect, we will support the opt-out. Today, Gila's AI features (habit suggestions, activity goals, AI coaching, weekly briefing, food vision) are decision-support features under your control — they do not make legally significant or similarly significant decisions about you without human (your own) involvement |
7. How to submit a request
Two channels, both free, both designed to be easy:
- Self-service web form — visit /dsar and select California (CCPA/CPRA) as your jurisdiction. We will email a verification link to confirm the request is yours.
- Email — write to dpo@gila.coach stating which right you are exercising and a contact email associated with your Gila account.
We do not require a toll-free number because Gila operates exclusively online and through its mobile app, per §1798.130(a)(1)(A). If you cannot use the web form or email, we will accept a written request mailed to the address in §15.
7.1 Verification
For requests for categories of personal information, deletion, correction, opt-out, and limit-SPI, we will verify your identity by matching at least two data points you provide (typically your account email plus a one-time code we email you).
For requests for specific pieces of personal information, the CCPA requires a higher confidence standard. We will verify by matching at least three data points and we may require a signed declaration under penalty of perjury per CPPA Regulation §7062(d).
We will not require you to create an account to submit a request, and we will not require you to provide more personal information than is reasonably necessary to verify you.
7.2 Response window
- Acknowledgement: within 10 business days of receipt (CPPA Regulation §7021(a))
- Substantive response: within 45 calendar days of receipt of a verifiable request
- Extension: up to an additional 45 days (90 days total) for complex requests, with written notice of the extension and the reason within the initial 45-day window
- Lookback period: at least the 12 months preceding your request (we will provide a longer history where reasonably feasible)
7.3 Response format
- We deliver category-level responses in plain language by email
- We deliver specific-pieces responses as a portable JSON or CSV export
- We deliver deletion confirmations in writing with a breakdown of what was deleted and what was retained under a §1798.105(d) exception (if any), with the specific exception cited
- We do not return raw SPI values (such as password hashes) in a Right-to-Know response; we confirm their existence and the category
8. Authorised agents
You may designate an authorised agent to submit a request on your behalf, per §1798.130(a)(1) and CPPA Regulation §7063. We will accept the request if:
- The agent provides signed written permission from you (or a power of attorney under California Probate Code §§4000–4465), and
- We can verify the agent's identity by a reasonable method, and
- For Right to Know and Right to Delete, we can independently verify your identity (we may ask you to confirm the request directly)
For an authorised agent registered with the California Secretary of State, we will accept proof of that registration in lieu of additional verification of the agent's status.
9. Children under 16
Gila has a 16-and-over self-attested age gate (see Privacy Policy §11). We do not knowingly serve California residents under 16, and we do not sell or share their personal information (per §1798.120(c) and the CCPA's opt-in-for-minors rule):
- Under 13: opt-in to sale or sharing requires parental affirmative authorisation
- 13 to 15: opt-in requires the minor's affirmative authorisation
Because Gila does not sell or share personal information, neither opt-in is operative. If we learn that a California resident under 16 has registered, we will delete the account and associated personal information promptly.
10. Global Privacy Control (GPC)
Gila honours the Global Privacy Control browser signal as a valid opt-out request from California consumers under §1798.135(b)(1) and CPPA Regulation §7025. When the gila.coach website detects the Sec-GPC: 1 HTTP header or navigator.globalPrivacyControl === true:
- We treat it as an opt-out of sale and sharing (which, per §4 above, is already our default)
- We suppress any third-party advertising or behavioural-advertising tag that might otherwise load (in practice there are none, by design — see §4)
- We do not display a pop-up asking you to reconsider or to confirm the GPC signal, per CPPA Regulation §7025(d)
- We do not require you to provide identity information to honour the signal
- If you are signed in to your Gila account, the GPC opt-out also applies to your account state across devices
- We log GPC detections in our consent-event store for compliance evidence
GPC handling is implemented in gila-landing/src/components/consent/ and tested as part of the consent banner QA workflow.
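The detection and handling steps listed above, written out as an added example that is not Gila's gila-landing code; the function names, the consent-state fields and the event record shape are assumptions made for the illustration:

```javascript
// Added example (not Gila's code): a testable model of the GPC handling in §10.
// applyGpc, the consent-state fields and the event shape are assumed names.

// Detect the signal on either channel. Returns the channel that fired, or null.
function gpcSignalled({ navigatorLike = null, requestHeaders = {} } = {}) {
  // Client side: the browser exposes navigator.globalPrivacyControl === true
  if (navigatorLike && navigatorLike.globalPrivacyControl === true) {
    return 'navigator';
  }
  // Server side: the browser sends "Sec-GPC: 1". Header names are
  // case-insensitive, so normalise before comparing.
  for (const [name, value] of Object.entries(requestHeaders)) {
    if (name.toLowerCase() === 'sec-gpc' && String(value).trim() === '1') {
      return 'header';
    }
  }
  return null;
}

// Apply the opt-out to a consent state. Identity is never required: the signal
// is honoured whether or not accountId is known. Returns a new state object.
function applyGpc(consentState, { navigatorLike, requestHeaders, accountId = null, now = 0 } = {}) {
  const source = gpcSignalled({ navigatorLike, requestHeaders });
  if (source === null) {
    return { ...consentState, gpcDetected: false };
  }
  return {
    ...consentState,
    gpcDetected: true,
    // Opt-out of sale and sharing (already the default per §4; the signal is
    // recorded as the consumer's explicit choice).
    optedOutOfSaleOrSharing: true,
    // Suppress any advertising tag that might otherwise load.
    loadAdvertisingTags: false,
    // No pop-up asking the user to reconsider or confirm the signal.
    showGpcConfirmPrompt: false,
    // If signed in, the opt-out attaches to the account across devices.
    accountScopedOptOut: accountId !== null,
    // Compliance evidence: append to the consent-event log.
    events: [
      ...consentState.events,
      { type: 'gpc_opt_out', source, accountId, at: now },
    ],
  };
}

// Constructed sample inputs, one per channel plus a no-signal request.
const defaultState = {
  optedOutOfSaleOrSharing: true, // default per §4
  loadAdvertisingTags: false,
  showGpcConfirmPrompt: false,
  events: [],
};
const fromHeader = applyGpc(defaultState, {
  requestHeaders: { 'Sec-GPC': '1', 'user-agent': 'ExampleBrowser/1.0' },
  now: 1700000000,
});
const fromNavigator = applyGpc(defaultState, {
  navigatorLike: { globalPrivacyControl: true },
  accountId: 'acct_example',
  now: 1700000001,
});
const noSignal = applyGpc(defaultState, {
  requestHeaders: { 'user-agent': 'ExampleBrowser/1.0' },
});
```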
11. Notice at collection
Whenever we collect personal information from you (registration, onboarding, in-app inputs, web forms), we provide a notice at collection per §1798.100(a) and §1798.100(b) that links back to this notice. The notice at collection identifies the categories of personal information to be collected, the categories of SPI to be collected, the purposes, the retention period or criteria, and whether the information is sold or shared (we never sell or share — see §4). The notice at collection is reachable from every onboarding screen and every web form that collects personal information.
12. "Shine the Light" — Cal. Civ. Code §1798.83
California's "Shine the Light" law (Cal. Civ. Code §1798.83) gives California residents the right, once per calendar year, to request a list of the personal information categories we have disclosed to third parties for their direct-marketing purposes in the preceding calendar year, and the names and addresses of those third parties.
Gila does not disclose personal information to third parties for their own direct-marketing purposes. We have no such list to provide. If this ever changes, this notice will be updated 30 days before the change takes effect.
13. Annual metrics disclosure
CPPA Regulation §7102 requires businesses that, alone or in combination, buy, sell, or share the personal information of 10,000,000 or more California consumers in a calendar year to compile and publish annual privacy-request metrics. Gila is well below that threshold, does not buy, sell, or share personal information at all, and therefore is not required to publish the annual metrics. If we cross the threshold or change our business model, we will begin publishing the metrics in this notice.
14. Enforcement and complaint
You may file a complaint with the California Privacy Protection Agency (CPPA) or the California Attorney General:
- CPPA online complaint: https://cppa.ca.gov/complaints
- CPPA mailing address: 2101 Arena Boulevard, Sacramento, CA 95834
- California Attorney General: https://oag.ca.gov/contact/consumer-complaint-against-business-or-company
The CCPA also provides a limited private right of action for certain data breaches under §1798.150(a)(1) — specifically, where non-encrypted and non-redacted personal information as defined in §1798.81.5(d)(1)(A) is subject to unauthorised access and exfiltration, theft, or disclosure as a result of the business's failure to implement and maintain reasonable security procedures. Statutory damages of $100 to $750 per consumer per incident, or actual damages (whichever is greater), are available. We maintain encryption in transit and at rest, RLS scoping on every Supabase table containing personal information, and our other security measures are described in §6 of the main Privacy Policy.
15. Contact
For any California privacy question or request:
- Email: dpo@gila.coach
- Self-service: /dsar (select California (CCPA/CPRA))
- Mailing address: Karya Evleri 3/18, Ataşehir Mahallesi, Çiğli, İzmir, Türkiye
Our internal Data Protection Officer (Sezen Soykut) is the privacy contact for California matters.
16. Updates to this notice
Per §1798.130(a)(5), we update this notice at least every 12 months. We will also update it whenever:
- The CCPA, CPRA, or CPPA regulations change in a way that affects our practices
- The CPPA issues guidance that materially affects our practices
- Our processing of personal information or sensitive personal information materially changes
- A material processor change occurs
We will give you at least 30 days' notice before any change that reduces your CCPA/CPRA protections takes effect, by email (if you have an account) and by an in-app banner. The effective_date in the frontmatter above is the current version date.