Privacy Policy

Last updated:

Who We Are

Gram Fit is developed and operated by NIKO LABS PTE LTD (“we,” “us,” “our”). For the purposes of GDPR/UK GDPR, we are the data controller of your personal data processed in connection with the Services.

This Privacy Policy describes how and why we might access, collect, store, use, and/or share (“process”) your personal information when you use our services (“Services”), including when you:

  • Download and use our mobile application Gram Fit
  • Visit and use our website at gram.fit
  • Engage with us in other related ways, including any sales, marketing, or events

Questions or concerns? Reading this Privacy Policy will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services.

Summary of Key Points

What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services, the choices you make, and the products and features you use.

How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law.

How do we keep your information safe? We implement a layered set of organizational and technical safeguards designed to protect personal data, including encryption in transit and at rest, access controls, role-based permissions, logging/monitoring, secure software development practices, and vulnerability management.

What are your rights? Depending on where you are located geographically, the applicable privacy law may mean you have certain rights regarding your personal information.

How do you exercise your rights? The fastest way is via the in-app Privacy Request Center: go to FAQ → My Data and choose from the different data rights. You can also write to our DPO at dpo@nikolabs.ai.

1. What Information Do We Collect?

We collect your Personal Data in a number of ways and for various purposes:

Data Collection Overview

Purpose | Data Categories | Legal Basis
Account Creation & Management | Name, email, password, profile photo, age, gender, location | Contract performance
Health & Fitness Tracking | Body measurements, workout data, nutrition logs, health goals, biometric data | Explicit consent (Art. 9(2)(a) GDPR)
App Functionality | Device data, usage patterns, app interactions, crash reports | Legitimate interest
Payment Processing | Payment information, billing data, subscription details | Contract performance
Customer Support | Support communications, account information, feedback | Legitimate interest
Analytics & Improvement | Usage statistics, feature interactions, performance data | Legitimate interest
Marketing Communications | Email preferences, engagement data | Consent
Health App Integration | Health metrics, activity data, biometrics | Explicit consent

Health and Fitness Data Collection

Special Category Health Data: We collect sensitive health information including:

  • Body measurements (height, weight, BMI, body fat percentage)
  • Fitness activity data (workouts, steps, calories burned, heart rate)
  • Nutrition and dietary information (food logs, meal plans, nutritional goals)
  • Health goals and progress tracking
  • Sleep patterns and wellness metrics
  • Medical conditions and medications (if voluntarily provided)

Biometric Data: We may collect biometric information including heart rate data from connected devices, body composition measurements, sleep pattern analysis, and activity pattern recognition.

Consent for Health Data: We obtain explicit consent before collecting, processing, or sharing any health-related personal information. You can withdraw this consent at any time through the app settings or by contacting us.

Health Platform Data (HealthKit / Health Connect)

With your permission, we may collect relevant data from your device's health and fitness repository, such as Apple's HealthKit or Android's Google Health Connect.

Data types we may access include:

  • Activity data (steps, workouts, calories burned)
  • Body measurements (weight, height, BMI)
  • Nutrition data (if you sync from other apps)
  • Heart rate and vitals
  • Sleep data

Important Restrictions:

  • We only access data you explicitly authorize
  • We never use HealthKit/Health Connect data for advertising
  • We never sell health platform data
  • You can revoke access anytime via your device settings

Information Automatically Collected

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information.

2. How Do We Process Your Information?

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

  • Account management: To facilitate account creation and authentication and otherwise manage user accounts
  • Service delivery: To deliver and facilitate delivery of services to you
  • Customer support: To respond to your inquiries and solve potential issues
  • Administrative communications: To send you details about our products and services, changes to our terms and policies, and other similar information
  • Feedback: To request feedback and to contact you about your use of our Services
  • Security: To protect our Services, including fraud monitoring and prevention
  • Service improvement: To evaluate and improve our Services, products, marketing, and your experience
  • Personalized recommendations: To process your health data to provide customized workout plans, nutrition advice, and wellness insights
  • Progress tracking: To process your fitness and health data to generate progress reports and analytics
  • Vital interests: To save or protect an individual's vital interest, such as to prevent harm

4. When and With Whom Do We Share Your Personal Information?

We do not sell your personal information for monetary consideration.

Service Providers (Processors)

We use carefully selected third parties to help us operate, secure, and improve the Services. They may access personal data only to perform services for us and must protect it under contract. Common categories include:

  • Hosting, infrastructure, and storage (e.g., cloud platforms, CDNs)
  • Product/usage analytics and A/B testing
  • Attribution & mobile SDKs (install/source analytics and campaign measurement)
  • Crash reporting, diagnostics, and performance monitoring
  • Payments and billing (including fraud screening and chargeback handling)
  • Customer support and communications (in-app messaging, email/SMS providers)
  • Security & abuse prevention (monitoring, DDoS protection, bot detection)
  • Professional services (auditors, consultants, legal counsel)
  • Health app integrations (Apple Health, Google Fit, Samsung Health) with your explicit consent

Key Service Providers

Service Provider | Country | Purpose | Retention
Amazon Web Services | United States | Cloud hosting and data storage | As long as necessary
Google Analytics | United States | Usage analytics and app performance | 26 months (anonymized after 14 months)
Firebase | United States | App analytics and crash reporting | As long as necessary

Advertising & Marketing Disclosure

We may share limited personal information with advertising and marketing partners to provide personalized content and measure campaign effectiveness. Users may opt out of targeted advertising where required by law. You can manage your preferences through our Cookie Preferences panel or by contacting us.

Health Data Protection: We do NOT use health data for advertising purposes. Your nutrition, fitness, and health information is never shared with advertisers or used for targeted advertising.

We honor Global Privacy Control (GPC) signals. When detected, we treat this as an opt-out of sale and sharing.

Other Sharing

  • With your direction: When you connect a third-party account, sync/export data, or authorize integration with health apps
  • Legal, safety, and compliance: When required by law, lawful requests, or legal process
  • Business transfers: If we are involved in a merger, acquisition, financing, or sale, information may be shared with relevant participants
  • Aggregated/anonymized data: We may share data that does not identify you for research, analytics, or marketing

When you request correction or deletion of your personal data, we will notify relevant third-party processors of these changes where feasible and required by law.

5. How Do We Handle Your Social Logins?

Our Services offer you the ability to register and log in using your third-party social media account details (like Google, Apple, or Facebook Login). Where you choose to do this, we will receive certain profile information about you from your social media provider. The profile information we receive may vary depending on the social media provider concerned, but will often include your name, email address, and profile picture.

We will use the information we receive only for the purposes that are described in this Privacy Policy. We do not control, and are not responsible for, other uses of your personal information by your third-party social media provider. We recommend that you review their privacy policy to understand how they collect, use, and share your personal information.

6. Is Your Information Transferred Internationally?

The Personal Data we process — along with our Services and supporting systems — are primarily hosted in the United States. We may also engage providers or affiliates in other countries where we operate. These countries may have data-protection laws that are different from those in your country.

Our Transfer Safeguards (EEA/UK/Switzerland)

Where we transfer personal data from the European Economic Area (EEA), the United Kingdom (UK), or Switzerland to countries that have not been found to provide an “adequate” level of protection, we rely on one or more of the following safeguards:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission (and, where applicable, the UK International Data Transfer Addendum)
  • EU-U.S. Data Privacy Framework (DPF) and/or the UK Extension to the EU-U.S. DPF, if and when we are certified under those frameworks
  • Other permitted grounds under GDPR/UK GDPR in limited circumstances (e.g., explicit consent, performance of a contract, or defense of legal claims)

7. How Long Do We Keep Your Information?

We retain your information for as long as necessary to provide our services and fulfill the purposes described in this policy. Specific retention periods include:

  • Activity Logs: Retained for 90 days
  • Usage Analytics: Retained for 12 months
  • Account Data: Retained while your account is active; deleted within 30 days of account deletion request
  • Backup Data: Purged from backup systems within 60 days of deletion request
  • Health Data: Retained for the duration of your account plus 3 years for analytics and service improvement purposes, unless you request earlier deletion
  • Biometric Data: Retained only as long as necessary to provide the Services and is automatically deleted when no longer needed

Upon account deletion, we will remove your personal data from our active systems within 30 days, and from backup systems within 60 days.

8. How Do We Keep Your Information Safe?

We implement a layered set of organizational and technical safeguards designed to protect personal data, including encryption in transit and at rest (where appropriate), access controls, role-based permissions, logging/monitoring, secure software development practices, and vulnerability management.

While we work to protect your data, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

Health Data Security

We implement additional security measures for health data including:

  • End-to-end encryption for sensitive health information
  • Access logging and monitoring
  • Regular security audits and penetration testing
  • Employee training on health data protection

Data Breach Notification

In the event of a data breach affecting your personal information, we will notify you and relevant authorities as required by applicable law.

9. Do We Collect Information from Minors?

The Services are intended for adults (18+). We do not knowingly collect personal data from, or market to, children under 18 years of age.

If we learn we have inadvertently collected personal data from a child under 18, we will delete that information promptly.

For Parents and Guardians: If you believe your child has provided us with personal data, please contact us at dpo@nikolabs.ai to request deletion. We will respond to verified parental requests within 30 days.

10. Location-Specific Disclosures

Residents of the European Economic Area and the United Kingdom

If you reside in the EEA or UK, you have the following rights under GDPR/UK GDPR:

  • Right of access (Art. 15 GDPR): Ask us for confirmation on whether we are processing your Personal Data and access to it
  • Right to correction (Art. 16 GDPR): Have your Personal Data corrected if inaccurate or incomplete
  • Right to erasure (Art. 17 GDPR): Ask us to delete your Personal Data, as permitted by law
  • Right to restriction of processing (Art. 18 GDPR): Request limiting of our processing under certain circumstances
  • Right to data portability (Art. 20 GDPR): Receive your Personal Data in a structured, commonly used, and machine-readable format
  • Right to object (Art. 21 GDPR): Object to our processing of your Personal Data, including profiling and direct marketing

You have the right to lodge a complaint with a competent data protection supervisory authority, in particular in the EU Member State of your residence, your place of work, or the place of the alleged infringement.

Residents of the United States

Depending on your state of residence, you may have additional privacy rights:

  • California Residents: California Privacy Notice — Your rights under CCPA/CPRA including the right to know, delete, correct, opt-out, and non-discrimination
  • Washington Residents: Washington Health Data Privacy Policy — Your rights under the My Health My Data Act including the right to know, delete, withdraw consent, and access your consumer health data

Additional US state-specific rights:

  • Nevada (SB370): We obtain explicit consent before collecting consumer health data. You have rights to access, delete, and manage your consumer health data.
  • Connecticut (CTDPA): Access, correction, deletion, and portability of personal data. We obtain explicit consent for processing sensitive data including health data. You can opt out of targeted advertising and data sales.
  • Illinois (BIPA): We obtain written consent before collecting biometric information. We maintain a retention schedule for biometric data and destroy biometric data when no longer needed. We do not sell, lease, trade, or profit from biometric information.
  • Texas: We comply with Texas biometric privacy requirements including consent before collection and reasonable security measures.

International Compliance

  • Canada (PIPEDA): We obtain consent before collecting, using, or disclosing your personal information. You may request access, correction, withdrawal of consent, or file a complaint with the Privacy Commissioner of Canada.
  • Brazil (LGPD): We process personal data based on consent, contract performance, and legitimate interest. You have rights to access, correction, deletion, portability, and information about data processing activities.
  • South Korea: We comply with Korean privacy laws regarding mandatory and optional information collection and retention.
  • Australia: We comply with all 13 Australian Privacy Principles. You have access rights, correction rights, and complaint rights with the Australian Privacy Commissioner. We will notify you and the Commissioner of eligible data breaches.

11. How to Exercise Your Rights

To exercise your rights to your Personal Data, please contact our DPO at dpo@nikolabs.ai.

You can also exercise your rights through the in-app Privacy Request Center (FAQ → My Data).

To prevent unauthorized access to your Personal Data, we take steps to verify an individual's right to the data — including requiring users to reach out to us directly from a verified email address, pass a challenge response, and/or confirm information associated with the account.

For more information about your rights by region, see:

12. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to analyze website traffic, remember your preferences, and personalize your experience.

Session Storage Buffering: When you first visit our website, we may temporarily store essential tracking events (such as how you arrived at our site and which page you landed on) in your browser's session storage while you review our consent banner. This data is only transferred to our analytics system if you grant consent. If you deny consent or close your browser, this temporary data is automatically deleted.

Types of Cookies We Use

Cookie Type | Purpose | Legal Basis
Essential Cookies | App functionality, security, authentication | Legitimate interest
Analytics Cookies | Usage analysis, performance monitoring | Consent
Marketing Cookies | Personalized content, advertising | Consent

Health Data and Tracking: We never use health data for advertising or marketing purposes. Health-related cookies are only used for app functionality, health app integration, and data synchronization.

For more information about how we use cookies and tracking technologies, please see our Cookie Policy.

You can manage your cookie preferences by clicking the “Cookie Preferences” link in our website footer.

13. Do We Make Updates to This Policy?

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons.

Notification of Changes: Material changes to this policy will be communicated via email to registered users and/or via in-app notification. We will provide at least 30 days' notice before material changes take effect.

Continued use of the service after changes become effective constitutes acceptance of the updated policy.

14. How Can You Contact Us About This Policy?

If you have questions or comments about this notice, you may contact our Data Protection Officer (DPO):

Email: dpo@nikolabs.ai

Mailing Address:
NIKO LABS PTE LTD
Data Protection Officer
1 Raffles Place, #34-04
One Raffles Place
Singapore 048616

We aim to respond to all inquiries within 30 days.

15. How Can You Review, Update, or Delete Your Data?

You have the right to request access to the personal information we collect from you and details about how we have processed it, to correct inaccuracies, or to delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law.

Data Portability Rights

Data Export Rights:

  • You may request a copy of your personal data in a structured, commonly used, and machine-readable format
  • This includes your profile information, health data, fitness logs, progress tracking, and other personal information you've provided
  • We will provide this data within 30 days of your verified request, subject to identity verification requirements

Data Transfer Rights:

  • Where technically feasible and legally permissible, you may request that we transmit your personal data directly to another service provider
  • This right applies to data you have provided to us with your consent or for the performance of our Services
  • We may charge a reasonable fee for complex or repeated requests

How to Exercise Your Rights: Submit data portability requests to dpo@nikolabs.ai. Include your full name, registered email address, and specific data you wish to export. We may require additional verification to protect against unauthorized access.

Limitations: Data portability rights do not apply to anonymized or aggregated data that cannot be attributed to you. We may exclude data that would infringe on the rights of others or proprietary algorithms. Certain data may be retained as required by law or for legitimate business purposes even after export.

Data Retention After Export: Exporting your data does not automatically delete it from our systems. To delete your data, submit a separate deletion request. Some data may be retained as required by law or for safety and security purposes.