Motus App

Privacy Policy

Last updated: November 2025

PRIVACY POLICY

Last updated: November 21, 2025

INTRODUCTION

Welcome to Motus! Your privacy is extremely important to us. This Privacy Policy clearly and transparently explains what data we collect, why we collect it, how we use it, and what your rights are.

By using the App, you agree to the practices described in this Privacy Policy.

1. DATA CONTROLLER

The data controller for your personal data is:

Yuzu Labs SAS
11 rue de Lorraine, 68490 PETIT-LANDAU, France
SIREN: 994879013
Email: [email protected]

2. FUNDAMENTAL PRINCIPLES

We commit to respecting the following principles:

✓ Transparency: Clearly informing you about our practices
✓ Minimization: Collecting only strictly necessary data
✓ Security: Protecting your data with best practices
✓ Control: Giving you control over your data
✓ Compliance: Respecting GDPR and applicable laws

3. DATA COLLECTED

3.1 Data You Provide to Us

PROFILE DATA
• First name (required)
• Age (optional)
• Gender (optional)

PREFERENCES AND GOALS DATA
• Main goal (flexibility, pain relief, posture, mobility, stress)
• Targeted body areas (full body, neck, back, shoulders, legs, feet)
• Specific flexibility goals
• Professional context (office, standing, physical, mixed, flexible)
• Fitness level (beginner, intermediate, advanced)
• Preferred time for exercises
• Reminder time (optional)

ACTIVITY DATA
• Session history (date, duration, type, difficulty)
• Completed exercises with dates
• Favorite exercises
• Custom sessions created
• Progress metrics (streaks, total exercises, total time)

MOTUS-SPECIFIC DATA (Physio Mode)
• Physio connection QR code
• Programs prescribed by physio
• Pain reports
• Physio notes and comments

3.2 Automatically Collected Data

TECHNICAL DATA
• Device identifier
• Device model and system version
• App version
• Device language
• Push notification token (if enabled)
• Time zone

USAGE DATA
• Usage dates and times
• Features used
• Errors and crashes (anonymized data)

3.3 Data We DO NOT Collect

✗ Last name
✗ Full postal address
✗ Phone number
✗ Banking information
✗ Precise GPS location
✗ Contacts
✗ Personal photos or videos
✗ Sensitive health data (medical diagnoses, treatments)
✗ Biometric data

4. USE OF DATA

We use your data to:

• Provide App services (Legal basis: Contract)
• Personalize your experience (Legal basis: Contract)
• Generate tailored programs (Legal basis: Contract)
• Save your progress (Legal basis: Contract)
• Sync across multiple devices (Legal basis: Contract)
• Enable follow-up by your physiotherapist (Legal basis: Consent)
• Send reminder notifications (Legal basis: Consent)
• Improve the App (Legal basis: Legitimate interest)
• Ensure security (Legal basis: Legitimate interest)
• Customer support (Legal basis: Legitimate interest)

You can withdraw your consent at any time for processing that depends on it.

5. DATA RETENTION

• Profile data and preferences: As long as your account is active
• Session history: As long as your account is active
• Favorite exercises: As long as your account is active
• Custom sessions: As long as your account is active
• Physio follow-up data: As long as the patient-physio relationship is active
• Technical data and logs: 12 months maximum
• Customer support data: 3 years after ticket closure

AFTER ACCOUNT DELETION: All your personal data is deleted within 30 days maximum.

6. DATA SHARING AND TRANSFER

We NEVER sell your personal data.

SHARING WITH YOUR PHYSIOTHERAPIST

If you use the physio mode, your progress data and reports are shared with your connected physiotherapist, only with your explicit consent.

TECHNICAL SERVICE PROVIDERS

Supabase (Hosting and Database)
• Service: Supabase Inc.
• Location: Servers located in the European Union
• Role: Secure hosting, authentication, synchronization
• Protection: TLS and AES-256 encryption, SOC 2 Type II compliance

Notification Services (Apple/Google)
• Apple Push Notification Service (APNs) for iOS
• Firebase Cloud Messaging (FCM) for Android
• Shared data: Only notification token and message content
• Control: Can be disabled at any time in settings

EU HOSTING

Your data is hosted exclusively in the European Union, ensuring the highest level of GDPR protection.

7. DATA SECURITY

7.1 Technical Measures

✓ Encryption in transit: TLS 1.3 for all communications
✓ Encryption at rest: AES-256 for stored data
✓ Secure authentication: Session management with JWT tokens
✓ Data isolation: Row Level Security (RLS) - each user only sees their own data
✓ Regular backups: Automatic daily backups
✓ Monitoring: 24/7 system monitoring

7.2 Organizational Measures

✓ Access restricted to authorized personnel only
✓ Principle of least privilege
✓ Regular security audits
✓ Team training on data protection

7.3 In Case of Data Breach

We commit to:

• Notify the supervisory authority (CNIL) within 72 hours
• Inform you without delay if the risk is high
• Take all necessary measures to limit the impact

8. YOUR DATA RIGHTS (GDPR)

8.1 Right of Access
You can request a copy of all your data.
How? Settings > My data or contact us

8.2 Right of Rectification
You can correct inaccurate data.
How? Modify directly in settings

8.3 Right to Erasure
You can request deletion of your data.
How? Settings > Delete my data

8.4 Right to Portability
You can receive your data in structured format (JSON, CSV).
How? Settings > Export my data

8.5 Right to Object
You can object to the processing of your data.
How? Disable the relevant options in settings

8.6 Right to Withdraw Consent
For notifications and sharing with your physio, you can withdraw your consent at any time.
How? Disable in Settings

8.7 Right to Lodge a Complaint
If you believe your rights are not being respected:

CNIL (Commission Nationale de l'Informatique et des Libertés)
3 Place de Fontenoy
TSA 80715
75334 PARIS CEDEX 07
Phone: 01 53 73 22 22
Website: https://www.cnil.fr/

RESPONSE TIME

We commit to responding to your requests within one month maximum.

9. CHILDREN'S DATA

The App is accessible to individuals aged 13 and over. For users under 18, we strongly recommend obtaining parental consent.

If we discover that a child under 13 has provided personal data, we will immediately delete that data.

10. COOKIES AND SIMILAR TECHNOLOGIES

The App does not use cookies in the traditional sense.

LOCAL STORAGE

The App stores certain data locally on your device to:

• Improve performance
• Allow offline use
• Save your preferences

This data remains on your device and is deleted if you uninstall the App.

11. CHANGES TO THIS POLICY

We may update this Privacy Policy to reflect changes in our practices or legislation.

In case of significant changes:

• We will notify you via the App
• We will update the date at the top of this policy
• Your continued use constitutes acceptance of the new terms

12. CONTACT

For any questions regarding this Privacy Policy or to exercise your rights:

Email: [email protected]
Address: 11 rue de Lorraine, 68490 PETIT-LANDAU, France
Data Protection Officer: MEYER Raphaël [email protected]

We commit to responding to your requests as quickly as possible.

MOTUS'S COMMITMENTS

💙 Respect your privacy
💙 Be transparent about our practices
💙 Give you control over your data
💙 Protect your data with the best security measures
💙 Never sell your data to third parties
💙 Respond quickly to your requests

Your trust is essential to us. Thank you for being part of the Motus community! 💙

By using the Motus App, you acknowledge that you have read, understood, and accepted this Privacy Policy.

Version 1.0 - November 2025
Compliant with GDPR (EU 2016/679) and Apple App Store requirements
