User Rights Guide

1. Introduction

Motiw8 is committed to transparency and user rights regarding personal data.

This guide explains all rights you have under GDPR, including:

• Right to access
• Right to rectification
• Right to erasure (right to be forgotten)
• Right to restrict processing
• Right to withdraw consent
• Right to object
• Right to data portability
• Rights related to automated decision-making
• Rights under CCPA/CPRA (California)
• Rights under LGPD (Brazil)
• Rights under UK GDPR

It also details:

• Why some data cannot be deleted for legal reasons
• How deletion works with backups
• How we verify identity
• Timeline for responding
• How to escalate if unsatisfied

---

2. How to Submit a Rights Request

Users can submit a request through:

2.1 In-App

Settings → Account → My Data → Request Data / Delete Account

2.2 Email

legal@motiw8.com

2.3 Website Form

https://motiw8.com/legal/data-request (optional future implementation)

2.4 Verification

For security, we verify your identity by:

• Email confirmation
• Logged-in session
• Additional validation for sensitive requests (e.g., deletion, export)

For high-risk actions (e.g., deleting financial data), we may require:

• Stripe Identity verification (future)
• Government ID (for AML compliance)

---

3. GDPR Rights in Detail

Below are all GDPR rights as defined by Articles 12–23.

3.1 Right to Access (Art. 15)

You can request:

• All personal data collected
• Categories of data processed
• Processing purposes
• Data recipients
• Source of data (if not provided by you)
• Retention periods
• Copy of your personal data
• Explanation of automated decisions

What you receive in an export:

• Profile data
• Challenge history
• Weight and steps data
• Verification results
• Risk flags related to your account
• Copies of all stored media still retained
• All consents
• All financial transactions (pseudonymized)

What you will NOT receive:

• AI model weights
• Anti-fraud internal algorithms
• Other users' data
• Backend logs with security-sensitive detail

Format Provided

Export is delivered in:

• JSON
• CSV
• ZIP with media files (if applicable)

3.2 Right to Rectification (Art. 16)

You may request correction of:

• Name, profile information
• Country, preferences
• Incorrect weights (future entries only)
• Mistaken steps imports
• Incorrect metadata (EXIF)

Not rectifiable:

• Verified challenge results
• Historical weight/step data used in scoring
• Financial transactions
• Anti-fraud results (except factual errors)

3.3 Right to Erasure — Right to Be Forgotten (Art. 17)

You may request deletion of:

• Your account
• Personal profile information
• Health data
• Media evidence still within retention window
• Derived biometric vectors
• Risk flags attributed to you (after retention period)
• Subscriptions, consents, preferences

Data that CANNOT be deleted (legal exemptions):

Financial records (7 years)

Required by:

• EU VAT Directive
• EU Accounting Directive
• US IRS compliance
• Anti-money-laundering laws

Payout history

Needed to maintain audit trail.

Challenge results

Needed to preserve fairness for other participants.

Instead, your name becomes "Deleted User".

Fraud investigation records (up to 3 years)

Security logs (7 years)

Backups (30–90 days)

Data remains in encrypted backups until overwritten.

Process after erasure:

• All identifiers removed
• Media files deleted from storage
• Biometrics deleted immediately
• Profile becomes anonymized

3.4 Right to Restrict Processing (Art. 18)

You may request restriction if:

• Data is inaccurate
• Processing is unlawful
• You contest the purpose
• We no longer need the data but you require it for legal claims

Restricted data is:

frozen, not deleted, until case resolution.

3.5 Right to Data Portability (Art. 20)

You may request export of:

• Weight history
• Steps history
• Challenge history
• Verification results
• Consents
• Profile data

Delivered in:

• JSON
• CSV
• ZIP (for media)

Portability does NOT cover:

• Internal fraud scores
• Internal logs
• AI outputs beyond what relates to you

3.6 Right to Object (Art. 21)

You may object to:

• Non-essential analytics
• Non-essential profiling
• Marketing communications
• Cookies and tracking technologies

You may NOT object to:

• Fraud detection
• Anti-cheat processing
• Verification processing
• Required evidence processing
• Financial compliance
• AML/KYC requirements

These are legal obligations.

3.7 Right to Withdraw Consent (Art. 7)

You may withdraw consent for:

• Biometric processing
• Health data processing
• Marketing communications
• Analytics (optional categories)

Important:

Withdrawal does NOT invalidate past lawful processing.

If you withdraw biometric consent:

• You cannot participate in challenges requiring liveness
• Biometric vectors are deleted

3.8 Rights Related to Automated Decision-Making (Art. 22)

Motiw8 uses automated systems for:

• OCR weight extraction
• Face matching
• Liveness detection
• Risk scoring

Users have a right to:

• Human review of any automated decision
• Challenge a result
• Submit additional evidence
• Receive explanation of decision logic

Fully automated decisions are never binding without human review.

---

4. CCPA / CPRA (California)

If a user resides in California:

Rights Include:

• Right to know categories of data
• Right to access
• Right to deletion
• Right to correct
• Right to opt out of sale/sharing
• Right to limit sensitive data processing
• Right to non-discrimination

Motiw8 does NOT:

• Sell personal data
• Share data for cross-context advertising
• Use sensitive data for marketing

Deletion exceptions mirror GDPR.

---

5. Brazil LGPD

Brazilian users have:

• Right to confirmation of processing
• Right to access
• Right to correction
• Right to anonymization or blocking
• Right to deletion
• Right to portability
• Right to information on sharing
• Right to revoke consent

LGPD largely mirrors GDPR.

---

6. UK GDPR

UK users receive identical rights to EU users.

Data is stored in EU but accessible globally on request.

---

7. Timeline for Responding to Requests

GDPR:

• 30 days
• +60 days extension for complex cases (with explanation)

CCPA/CPRA:

• 45 days
• +45 days extension

LGPD:

• 15 days

Motiw8 Standard:

Typically responds within 7–14 days.

---

8. Identity Verification for Requests

Required to protect users.

Verification may include:

• Email confirmation
• Logged-in session check
• IP match
• Device match
• Additional authentication (for high-risk requests)

For deletion and financial data access, we may require:

• Stripe Identity verification
• Government ID (if needed for AML compliance)

---

9. Special Rules for Minors

Motiw8 requires all users to be 18+, so additional parental rights do not apply.

If a user is mistakenly identified as a minor:

• Account is suspended
• Identity verification is requested
• Data is deleted if minor status is confirmed

---

10. Appeals and Escalations

If you disagree with a response:

• Reply to the email for re-evaluation
• Request human review
• Contact Lithuanian Data Protection Authority

Authority:

Valstybinė duomenų apsaugos inspekcija (VDAI)

https://vdai.lrv.lt

Users worldwide may also contact their local DPA.

---

11. How Requests Interact with Backups

Backups cannot be modified.

When data is deleted:

• It is removed from production immediately
• It remains in encrypted backups until backup rotation completes (30–90 days)
• Backups are never used to restore erased personal data

---

12. How to Exercise Your Rights

Email:

legal@motiw8.com

In-App:

Settings → Account → My Data

Postal Address:

Motiw8 UAB
Vilnius, Lithuania
(Full address added later)