1. Introduction
This Health Data Processing Notice ("Notice") supplements the Motiw8 Privacy Policy and explains in full detail how Motiw8 UAB ("we", "us") processes health-related data, including:
- Weight
- Steps
- Heart rate (if user connects a supported wearable)
- Body fat % (from smart scales or lab documents)
- Baseline health measurements
- Derived insights
- Apple HealthKit, Google Fit, Garmin, Strava, Withings data
Under the GDPR, this data is classified as Special Category Personal Data (Article 9), subject to enhanced protection and explicit consent. This document expands on the Privacy Policy and provides transparency into every aspect of processing.
2. Categories of Health Data We Collect
2.1 Data Users Provide Directly
- Weight entries (baseline, weekly, final)
- Scale readings in photos and videos
- Photos/videos showing the user's body, scale, and timestamp
- Body-fat percentage test results from certified laboratories, including official lab reports with full name, test date, laboratory name and contact information, and measured fat percentage
- Optional uploaded lab results (e.g., medical weight documentation)
- Profile fields relating to fitness history or goals
2.2 Data From Device Integrations
Apple HealthKit (iOS)
If the user grants permission, we collect:
- Steps
- Weight
- Body fat %
- Heart rate (if enabled in the future)
- Active energy / distance walked (if user enables in future)
HealthKit permissions are granular and controlled by the user.
HealthKit data never leaves the device unless explicitly approved by the user.
Google Fit (Android)
If user consents, we collect:
- Steps
- Weight
- Heart rate (if user enables)
Wearables / Integrations
If user connects:
- Garmin
- Strava
- Withings
- Fitbit
- Omron
We may receive:
- Weight
- Steps
- Distance
- Body composition
- Heart rate
- Daily summaries
2.3 Derived Data
We also create derived health data:
- Baseline step averages
- Baseline weight metrics
- Predicted weight loss curves
- Daily and weekly improvement percentages
- Challenge consistency metrics
- Hydration fluctuation indicators (anti-cheat)
This data is mathematically derived from raw health data and still considered health data under GDPR.
3. Purposes of Processing Health Data
Each purpose below is a direct expansion of what appears in your Privacy Policy.
3.1 Challenge Participation (Primary Purpose)
Health data is necessary to:
- Join a challenge
- Determine eligibility
- Calculate baseline
- Validate weekly check-ins
- Evaluate the final submission
- Rank participants
- Distribute prizes
This is contractual necessity (GDPR Art. 6(1)(b)) and requires explicit consent (Art. 9(2)(a)).
3.2 Fair Play & Integrity
We use health data to:
- Detect impossible step counts
- Identify abnormal weight fluctuations
- Enforce consistency rules (premium challenges)
- Prevent manipulation or cheating
- Validate scale readings
- Confirm legitimate fitness progress
3.3 Syncing With Health & Fitness Providers
We process synced data to:
- Match device summaries with in-app logs
- Provide a consistent record of user progress
- Detect discrepancies for anti-fraud measures
- Offer optional deeper health insights
3.4 Analytics (Strictly Aggregated/Anonymous)
We may use anonymized, aggregated data to:
- Understand usage patterns
- Improve challenge design
- Improve coaching/insight algorithms
- Detect technical issues
No identifiable health data is used for analytics.
3.5 Dispute Handling
If a user disputes results:
- Health data is used to resolve the claim
- Moderators may review the evidence
- Audit logs of health data may be consulted
3.6 Safety & Abuse Prevention
Health data helps detect:
- Fake accounts
- Automated submissions
- Unusual patterns indicating manipulation
3.7 Laboratory Verification for Premium Challenges
For premium challenges requiring lab documents, we process health data to:
- Verify the authenticity of lab documents submitted by participants
- Contact laboratories to confirm that the report corresponds to the participant and has not been falsified
- Verify that the participant's identity matches the name on the lab report
- Confirm that the laboratory is legitimate and the report is authentic
The scope of this processing is limited to verification purposes only. We do not request broader medical records or any information beyond what is necessary to confirm the authenticity and identity verification of the submitted document.
4. Legal Basis for Processing
4.1 Explicit Consent (GDPR Art. 9(2)(a))
You provide explicit consent before:
- Enabling HealthKit/Google Fit sync
- Uploading weight/steps data
- Submitting photos/videos
- Joining a challenge
- Uploading lab documents containing body fat % test results
For lab documents: Uploading lab documents containing body fat % test results requires explicit consent before submission. This consent must be:
- Given before data collection (pre-consent)
- Clear about the scope and purpose of processing
- Easy to withdraw (with the understanding that withdrawal may make verification impossible and may disqualify you from the challenge)
- Recorded and stored by Motiw8
Consent can be withdrawn anytime. However, withdrawing consent for lab document processing may make verification impossible and may result in disqualification from the challenge.
4.2 Contract (GDPR Art. 6(1)(b))
To participate in challenges, certain health data is required.
4.3 Legitimate Interests (GDPR Art. 6(1)(f))
For:
- Fraud prevention
- Platform security
- Integrity of competitions
This does not override user fundamental rights.
5. How Health Data Is Stored
5.1 Storage Infrastructure
Health data is stored in:
- Supabase PostgreSQL (EU – Frankfurt)
- Supabase Storage (EU – Frankfurt) for media
- Encrypted backups (daily rotation)
5.2 Security
- AES-256 encryption at rest
- TLS/SSL encryption in transit
- Row-Level Security (RLS) on all tables
- Strict Access Controls (SAC)
- Least privilege principle
- Separate storage buckets per data type
- Automatic anomaly monitoring
- Encryption for health documents, including lab documents
- Access controls specifically for lab documents and sensitive health data
- Separate storage for sensitive health data, including lab documents
6. Data Retention Policy for Health Data
This expands the retention periods from the main Privacy Policy.
| Data Type | Retention | Reason |
|---|---|---|
| Health metrics | Until account deletion | Needed for challenge history |
| Steps history | Until deletion | Required for integrity |
| Weight history | Until deletion | Needed for ranking, fraud detection |
| Photos/videos | 90–180 days after challenge end | Necessary evidence retention |
| Derived metrics | 3 years | Auditability |
| Lab documents (body fat % reports) | Until user requests deletion or account deletion | User control over health data, verification and dispute resolution |
Users may request deletion of lab documents at any time. However, deletion during an active challenge may affect verification and challenge participation.
6.1 Third-Party Contact for Verification
For premium challenges requiring lab documents, we may contact the issuing laboratory to verify the authenticity of submitted documents. This contact is limited to:
- Verifying the participant's name matches the report
- Confirming the test result (fat percentage) is authentic
- Verifying the laboratory's identity and legitimacy
We do not:
- Request broader medical records
- Access any information beyond what is necessary for verification
- Share your health data with the laboratory beyond what is needed for verification
This contact is for verification purposes only and is necessary to ensure the integrity of premium challenges. By participating in a premium challenge requiring lab documents, you consent to this limited contact with the laboratory.
7. Access to Health Data
7.1 Internal
- Verification automation
- Support (only after flagged cases)
- Admin team (minimal access)
7.2 External
- Apple Health (only with permission)
- Google Fit (permission)
- AWS Rekognition (if media contains health data)
- Wearables via OAuth integration
- Vercel backend logs (no raw health data stored)
No health data is sold or shared with advertisers.
8. Automated Decision-Making & Example Scenarios
Some decisions are machine-evaluated:
8.1 Automated
- Step count anomaly detection
- Weight curve plausibility
- Consistency rule enforcement
- Hydration spike detection
- Scale OCR discrepancies
8.2 Human Review Required
- Appeal cases
- Moderation of flagged content
- Dispute resolution
- Reported cheating
Example: Baseline Rejection
If your baseline appears manipulated:
- AI flags the submission
- A human moderator reviews
- You receive explanation and a redo request
Example: Step Fraud Detection
If 25,000 steps appear in a 5-minute interval:
- Automatic rejection
- Appeal possible
9. Your Rights Regarding Health Data
You may request:
- Access
- Correction
- Export (JSON or PDF)
- Deletion
- Restriction of processing
- Withdrawal of consent
- Human review
- Objection to automated decisions
Exercise via: legal@motiw8.com
10. Revocation & Consequences
If you revoke consent:
- HealthKit sync is disabled
- Google Fit sync is disabled
- Challenge participation is paused
- Verification becomes impossible
- Payout eligibility may be lost
You may re-enable consent anytime.
11. Special Notes for HealthKit (Apple Rules)
Apple requires:
- No health data used for advertising
- No sharing with third parties
- User may disable access anytime
- No health data stored in iCloud without consent
- Only minimum required data is requested
Motiw8 fully complies.