1. Introduction
This Privacy Policy explains how Motiw8 UAB ("Motiw8", "we", "us", "our") collects, uses, stores, and protects your personal data when you use the Motiw8 mobile application, website, or related services ("Services").
We take privacy seriously and comply with the EU General Data Protection Regulation (GDPR), Lithuanian data protection laws, and applicable global privacy laws.
By using Motiw8, you agree to the practices described in this Privacy Policy.
2. Who We Are
Data Controller:
Motiw8 UAB (placeholder)
Registered in Lithuania
Email: legal@motiw8.com
3. Data We Collect
3.1 Personal Identifiers
- Email address
- Full name (optional)
- Date of birth
- Country and locale
- Phone number (optional)
3.2 Authentication Data
- Password (hashed)
- Apple Sign-In, Google Sign-In identifiers
3.3 Device & Technical Data
- Device model and OS version
- IP address, user agent
- Push notification token
- Crash logs (via Firebase Crashlytics)
3.4 Fitness Data
Collected with your permission:
- Weight
- Steps (Apple Health, Google Fit, Strava, Garmin)
- Body fat % (smart scale or lab documents)
- Smart scale data (if integrated)
Body fat percentage test results from certified laboratories: For premium challenges, we collect body-fat percentage test results from official laboratory reports, including the user's full name, test date, laboratory name and contact information, and measured fat percentage. This data is classified as special category health data under GDPR Article 9 and requires explicit consent before collection.
3.5 Verification Data (Photos & Videos)
- Scale photos
- Full-body photos
- Verification videos (3–10 seconds)
- Timestamp screenshots
These may include visible biometric features (face, body silhouette).
3.6 Biometric-Derived Data
Collected only with explicit consent when required (e.g., stakes ≥ €50):
- Face vectors (mathematical representations for matching)
- Liveness scores (AWS Face Liveness)
- Face similarity scores
We do not permanently store images in AWS Rekognition. AWS receives temporary copies of your images to perform analysis.
3.7 Financial Data
- Stripe Customer ID
- Stripe Connect Account ID (for payouts)
- Transaction history
- Payout records
- Subscription status (via RevenueCat)
We do not store card numbers or sensitive payment details. Stripe manages all PCI-compliant payment information.
3.8 Usage & Analytics
- Screen views
- Buttons clicked
- Challenge participation actions
- Conversion metrics
- Error events
4. How We Use Your Data
4.1 To Operate the Motiw8 App
- Create and maintain your account
- Authenticate your login
- Sync steps and fitness data
- Allow you to join and participate in challenges
4.2 To Verify Challenge Submissions
- Extract weight via OCR
- Detect timestamp validity
- Compare baseline and final submissions
- Perform face liveness detection (if required)
- Detect inappropriate or unsafe content
We use AWS Rekognition exclusively in the EU (Frankfurt).
4.3 To Ensure Fair Play & Security
- Detect fraud, cheating, manipulation, or suspicious activity
- Prevent re-use of old images or videos
- Verify consistency of weight changes and metadata
4.4 To Process Payments & Payouts
- Process stake payments via Stripe
- Handle subscription renewals
- Transfer payouts to your Stripe Express account
- Maintain transaction and audit logs
4.5 To Communicate With You
- Challenge reminders
- Verification results
- Updates, news, and in-app notifications
- Security alerts
4.6 To Improve the Service
- Analytics and usage metrics
- Bug reports and crash diagnostics
- A/B testing and feature improvements
4.7 Laboratory Verification
For premium challenges requiring lab documents, we may contact the issuing laboratory to verify:
- That the report corresponds to you and has not been falsified
- That your identity matches the name on the report
- That the laboratory is legitimate and the report is authentic
This contact is limited to verification purposes only; we will not request broader medical records or information beyond what is necessary to confirm the authenticity of the submitted document and verify your identity. Lab contact does not constitute data sharing with third parties.
5. Legal Basis for Processing (GDPR)
- Contract (Art. 6(1)(b)) – to operate your account and challenges
- Consent (Art. 6(1)(a)) – for health data, biometric data, analytics
- Legal obligation (Art. 6(1)(c)) – financial records, AML/KYC
- Legitimate interest (Art. 6(1)(f)) – fraud prevention, security
- Special category data (Art. 9(2)(a)) – health and biometric data require explicit consent. Body fat percentage test results from lab documents are special category health data and require explicit consent (Art. 9(2)(a)) before collection. We cannot rely on implied consent for this data.
6. Sharing Your Data
6.1 Third-Party Processors
We share data only with trusted infrastructure providers:
- Supabase – database, authentication, file storage
- AWS Rekognition – liveness, OCR, face matching (EU region)
- Stripe – payments and payouts
- RevenueCat – subscription management
- Firebase Analytics – app usage analytics
- Firebase Crashlytics – error and crash reporting
- Apple HealthKit – steps and weight sync (user consent)
- Google Fit – steps sync (user consent)
- Vercel – backend hosting
6.2 No Sale of Personal Data
We do not sell, rent, or trade your data with advertisers.
6.3 Laboratory Contact for Verification
For premium challenges requiring lab documents, we may contact laboratories to verify document authenticity. This contact is limited to verification purposes only and does not constitute data sharing. We only request information necessary to confirm the report's authenticity and verify your identity. We do not request broader medical records or any information beyond what is needed for verification.
6.4 When Required by Law
We may disclose data when necessary to comply with Lithuanian or EU law, court orders, tax authorities, or fraud investigations.
7. International Transfers
Most data is stored within the EU (Frankfurt). Some processors (e.g., Firebase, Stripe) may transfer data to the U.S. under:
- Standard Contractual Clauses (SCCs)
- Adequate safeguard mechanisms
8. Data Retention
We retain data only as long as necessary:
- Evidence photos: ~180 days after challenge end
- Evidence videos: ~90 days after challenge end
- Face vectors / biometric-derived data: up to 36 months
- Audit logs: 7 years
- Financial/payment records: 7 years
- User account data: until deletion request
See Appendix B for the full retention schedule.
9. Your Rights (GDPR)
- Right to access
- Right to rectification
- Right to erasure ("Right to be forgotten")
- Right to restrict processing
- Right to portability
- Right to object
- Right to withdraw consent
- Right to complain to a supervisory authority (Lithuanian DPA)
To exercise your rights, email us at: legal@motiw8.com
10. Cookies
Motiw8 uses minimal cookies (session, security, analytics) in the web version.
11. Children
Motiw8 is strictly 18+. We do not knowingly collect data from minors.
12. Security
- End-to-end encrypted communications (TLS)
- Supabase Row-Level Security (RLS)
- Signed URLs for file access
- Encrypted storage at rest
- Strict IAM permissions
13. Changes to This Policy
We may update this Privacy Policy periodically. The version and effective date will always be shown at the top.
Appendix A — Biometric Data Addendum
Version: 1.0.0
Effective Date: 01 January 2025
Controller: Placeholder UAB (Lithuania)
Contact: legal@motiw8.com
1. Why We Process Biometric Data
Motiw8 uses photos, videos, and limited facial recognition technology to ensure that fitness challenges involving financial rewards remain fair, safe, and free from fraud.
We may process biometric data when you:
- Join a high-stakes challenge (≥ €50 / $50)
- Submit baseline, weekly, or final progress evidence
- Verify your identity before receiving challenge payouts
2. What Biometric Data We Collect
Depending on the challenge type, we may collect:
- Photos of you on a scale (face visible)
- Full-body photos
- Timestamp screenshots
- Short verification videos (3–10 seconds)
Derived biometric data
- Face similarity scores
- Liveness detection scores
- Facial feature vectors ("embeddings") used to check that the same person appears in both photos
We never use your biometric data for advertising, personalization, or training AI models.
3. How We Use This Data
We use biometric data to:
- Confirm that the person submitting evidence is the correct participant
- Prevent identity substitution or cheating
- Verify timestamps for fairness
- Protect honest participants
- Determine challenge results accurately
4. Who Processes Your Data
AWS Rekognition (EU Region)
AWS processes your photos and videos temporarily for:
- Face comparison
- Liveness detection
- Text extraction (OCR)
Processing happens in the EU (Frankfurt). AWS does not store your images.
Supabase
Stores:
- Your uploaded photos and videos (temporarily)
- Your facial embeddings (mathematical data, not the image)
- Verification results
5. How Long We Keep Your Biometric Data
- Photos: 180 days after challenge ends
- Videos: 90 days
- Facial embeddings: until you delete your account or request deletion
- Verification results: 3 years (fraud protection)
6. Your Rights
You have the right to:
- Access a copy of all biometric data processed
- Request deletion at any time
- Withdraw consent
- Correct errors in your verification results
- Ask for human review if automated verification raises concerns
We respond to requests within 30 days.
7. Withdrawal of Consent
You may withdraw consent anytime, but this may prevent you from participating in verification-based challenges or receiving payouts.
8. Contact
Email: legal@motiw8.com
Supervisory Authority: Lithuanian State Data Protection Inspectorate
Appendix B — Data Retention Schedule
| Data Type | Retention |
|---|---|
| Evidence photos | 180 days after challenge end |
| Evidence videos | 90 days after challenge end |
| Biometric-derived data | 36 months |
| Fitness data | Indefinite (until account deletion) |
| Financial records | 7 years |
| Audit logs | 7 years |
| Supabase storage files | Deleted at retention expiration |
| User account | Until deletion request |
Appendix C — U.S. CCPA Notice
This applies only to California residents (CCPA & CPRA).
C.1 Categories of Personal Information Collected
- Identifiers (email, device IDs)
- Biometric data (face vectors, liveness scores)
- Financial data (Stripe tokens, transactions)
- Health data (weight, steps)
- User content (photos, videos)
C.2 Your CCPA Rights
- Right to know
- Right to delete
- Right to correct
- Right to data portability
- Right to opt out of sale (we do not sell data)
- Right to non-discrimination
End of Motiw8 Privacy Policy – Version 1.0.0