1. Introduction
Motiw8 is committed to transparency and user rights regarding personal data.
This guide explains all rights you have under GDPR, including:
- Right to access
- Right to rectification
- Right to erasure (right to be forgotten)
- Right to restrict processing
- Right to withdraw consent
- Right to object
- Right to data portability
- Rights related to automated decision-making
- Rights under CCPA/CPRA (California)
- Rights under LGPD (Brazil)
- Rights under UK GDPR
It also details:
- Why some data cannot be deleted for legal reasons
- How deletion works with backups
- How we verify identity
- Timeline for responding
- How to escalate if unsatisfied
2. How to Submit a Rights Request
Users can submit a request through:
2.1 In-App
Settings → Account → My Data → Request Data / Delete Account
2.2 Email
2.3 Website Form
https://motiw8.com/legal/data-request (optional future implementation)
2.4 Verification
For security, we verify your identity by:
- Email confirmation
- Logged-in session
- Additional validation for sensitive requests (e.g., deletion, export)
For high-risk actions (e.g., deleting financial data), we may require:
- Stripe Identity verification (future)
- Government ID (for AML compliance)
3. GDPR Rights in Detail
Below are all GDPR rights as defined by Articles 12–23.
3.1 Right to Access (Art. 15)
You can request:
- All personal data collected
- Categories of data processed
- Processing purposes
- Data recipients
- Source of data (if not provided by you)
- Retention periods
- Copy of your personal data
- Explanation of automated decisions
What you receive in an export:
- Profile data
- Challenge history
- Weight and steps data
- Verification results
- Risk flags related to your account
- Copies of all stored media still retained
- All consents
- All financial transactions (pseudonymized)
What you will NOT receive:
- AI model weights
- Anti-fraud internal algorithms
- Other users' data
- Backend logs with security-sensitive detail
Format Provided
Export is delivered in:
- JSON
- CSV
- ZIP with media files (if applicable)
3.2 Right to Rectification (Art. 16)
You may request correction of:
- Name, profile information
- Country, preferences
- Incorrect weights (future entries only)
- Mistaken steps imports
- Incorrect metadata (EXIF)
Not rectifiable:
- Verified challenge results
- Historical weight/step data used in scoring
- Financial transactions
- Anti-fraud results (except factual errors)
3.3 Right to Erasure — Right to Be Forgotten (Art. 17)
You may request deletion of:
- Your account
- Personal profile information
- Health data
- Media evidence still within retention window
- Derived biometric vectors
- Risk flags attributed to you (after retention period)
- Subscriptions, consents, preferences
Data that CANNOT be deleted (legal exemptions):
Financial records (7 years)
Required by:
- EU VAT Directive
- EU Accounting Directive
- US IRS compliance
- Anti-money-laundering laws
Payout history
Needed to maintain audit trail.
Challenge results
Needed to preserve fairness for other participants.
Instead, your name becomes "Deleted User".
Fraud investigation records (up to 3 years)
Security logs (7 years)
Backups (30–90 days)
Data remains in encrypted backups until overwritten.
Process after erasure:
- All identifiers removed
- Media files deleted from storage
- Biometrics deleted immediately
- Profile becomes anonymized
3.4 Right to Restrict Processing (Art. 18)
You may request restriction if:
- Data is inaccurate
- Processing is unlawful
- You contest the purpose
- We no longer need the data but you require it for legal claims
Restricted data is:
frozen, not deleted, until case resolution.
3.5 Right to Data Portability (Art. 20)
You may request export of:
- Weight history
- Steps history
- Challenge history
- Verification results
- Consents
- Profile data
Delivered in:
- JSON
- CSV
- ZIP (for media)
Portability does NOT cover:
- Internal fraud scores
- Internal logs
- AI outputs beyond what relates to you
3.6 Right to Object (Art. 21)
You may object to:
- Non-essential analytics
- Non-essential profiling
- Marketing communications
- Cookies and tracking technologies
You may NOT object to:
- Fraud detection
- Anti-cheat processing
- Verification processing
- Required evidence processing
- Financial compliance
- AML/KYC requirements
These are legal obligations.
3.7 Right to Withdraw Consent (Art. 7)
You may withdraw consent for:
- Biometric processing
- Health data processing
- Marketing communications
- Analytics (optional categories)
Important:
Withdrawal does NOT invalidate past lawful processing.
If you withdraw biometric consent:
- You cannot participate in challenges requiring liveness
- Biometric vectors are deleted
3.8 Rights Related to Automated Decision-Making (Art. 22)
Motiw8 uses automated systems for:
- OCR weight extraction
- Face matching
- Liveness detection
- Risk scoring
Users have a right to:
- Human review of any automated decision
- Challenge a result
- Submit additional evidence
- Receive explanation of decision logic
Fully automated decisions are never binding without human review.
4. CCPA / CPRA (California)
If a user resides in California:
Rights Include:
- Right to know categories of data
- Right to access
- Right to deletion
- Right to correct
- Right to opt out of sale/sharing
- Right to limit sensitive data processing
- Right to non-discrimination
Motiw8 does NOT:
- Sell personal data
- Share data for cross-context advertising
- Use sensitive data for marketing
Deletion exceptions mirror GDPR.
5. Brazil LGPD
Brazilian users have:
- Right to confirmation of processing
- Right to access
- Right to correction
- Right to anonymization or blocking
- Right to deletion
- Right to portability
- Right to information on sharing
- Right to revoke consent
LGPD largely mirrors GDPR.
6. UK GDPR
UK users receive identical rights to EU users.
Data is stored in EU but accessible globally on request.
7. Timeline for Responding to Requests
GDPR:
- 30 days
- +60 days extension for complex cases (with explanation)
CCPA/CPRA:
- 45 days
- +45 days extension
LGPD:
- 15 days
Motiw8 Standard:
Typically responds within 7–14 days.
8. Identity Verification for Requests
Required to protect users.
Verification may include:
- Email confirmation
- Logged-in session check
- IP match
- Device match
- Additional authentication (for high-risk requests)
For deletion and financial data access, we may require:
- Stripe Identity verification
- Government ID (if needed for AML compliance)
9. Special Rules for Minors
Motiw8 requires all users to be 18+, so additional parental rights do not apply.
If a user is mistakenly identified as a minor:
- Account is suspended
- Identity verification is requested
- Data is deleted if minor status is confirmed
10. Appeals and Escalations
If you disagree with a response:
- Reply to the email for re-evaluation
- Request human review
- Contact Lithuanian Data Protection Authority
Authority:
Valstybinė duomenų apsaugos inspekcija (VDAI)
Users worldwide may also contact their local DPA.
11. How Requests Interact with Backups
Backups cannot be modified.
When data is deleted:
- It is removed from production immediately
- It remains in encrypted backups until backup rotation completes (30–90 days)
- Backups are never used to restore erased personal data
12. How to Exercise Your Rights
Email:
In-App:
Settings → Account → My Data
Postal Address:
Motiw8 UAB
Vilnius, Lithuania
(Full address added later)