Privacy Policy

Effective as of: 2026-02-21

This Privacy Policy explains how Movva collects, uses, shares, stores, and protects personal data when you use Movva’s app, website, and related services. It also explains your rights and how to contact Movva regarding privacy requests.

Movva is a performance-based fitness challenge platform. Users create and join challenges, submit check-ins (manual or imported from Apple Fitness), process payments, and request withdrawals. This Policy applies to these flows and to support and legal interactions connected to Movva services.

1. Scope & Applicability

1.1 Where this Policy applies. This Policy applies to personal data processed through:

  • Movva mobile application features;
  • Movva websites and related landing pages;
  • challenge participation, payments, withdrawals, support, and account management services.

1.2 Third-party environments. Some features depend on third-party providers (for example Stripe, Wise, Apple Health/HealthKit integrations, Unsplash-powered media library, Firebase infrastructure). Their own terms and privacy notices also apply. See Section 8 and [THIRD_PARTY_POLICY_LINKS].

2. Definitions

2.1 Personal Data. Any information relating to an identified or identifiable person (for example email, CPF, payout details, device identifiers, check-in content linked to a user).

2.2 Processing. Any operation performed on personal data, including collection, use, storage, sharing, deletion, and transfer.

2.3 Controller. Movva, which determines the purposes and means of processing personal data for the Movva service.

2.4 Processor. A third party that processes personal data on behalf of Movva under contractual instructions.

2.5 User. A person who registers, accesses, or uses Movva.

2.6 Account. A User’s Movva identity and profile records, including authentication and settings.

2.7 Check-in. A challenge activity record submitted by a User, manually or via Apple Fitness import.

2.8 Payout Data. Data required to process withdrawals:

  • BRL/PIX: full name, CPF, PIX key type, PIX key;
  • Non-BRL/Wise: full name and email.

2.9 HealthKit / Apple Fitness Data. Workout records imported from Apple Health only when the User grants Apple permissions.

3. Data Collected

3.1 Account and authentication data.

  • Sign in: email, password.
  • Sign up (email/password): public name, email, password, legal acceptance metadata.
  • Apple sign-in/sign-up: Apple-auth identity, display name/email available from Apple flow, plus Movva account creation data.
  • Registration setup: country and currency (supported currencies: BRL, USD, NZD).
  • Password handling: passwords are managed by authentication infrastructure and are not stored in plain text in Movva profile documents.

3.2 Profile data.

  • Public name (display name), profile picture, language preference, profile update timestamps.
  • Account-level email, country, currency, and auth provider metadata.

3.3 Challenge and check-in data.

  • Challenge creation: title, description, start/end dates, approval required flag, tracker-only flag, banner image, scoring mode, prize setup, min/max prize constraints by currency.
  • Join challenge: invite code/link, membership status (pending/active/banned/etc.), payment state.
  • Check-in fields: title, description, date/time, duration, distance, calories, optional image.
  • Imported workout metadata (Apple Fitness): workout identifier and source type (appleFitness).
  • Moderation state metadata (active/archived/inactive check-ins, member/admin actions).

3.4 Payment, transaction, and payout data.

  • Incoming payments: card payment intents and related transaction metadata processed via Stripe.
  • In-app balance ledger: credits/debits (entry fee discounts, prizes, refunds, withdrawals).
  • Withdrawal account data:
      • BRL/PIX: full name, CPF, PIX type, PIX key.
      • Non-BRL/Wise: full name, email.
  • Withdrawal requests: amount, method, currency, status, timestamps.
  • Refund data (where applicable): refunded amount, currency, challenge references.

3.5 Device, operational, and usage data.

  • Device and app data in support submissions: app version, OS, OS version.
  • Push notification data: token, language topic subscriptions, reminder preferences/schedule.
  • Error/operational logs: application and backend error context (including Sentry-based monitoring in app/backend code paths).
  • Network and technical metadata processed by infrastructure providers (for example IP/device/network metadata at provider level) [TO_BE_FILLED: document exact data fields available to Movva dashboards].

3.6 Media uploads.

  • User-uploaded images for profile pictures, challenge banners, and check-in images.
  • Library-sourced banner images via Unsplash-powered gallery integration.

3.7 Contact and support data.

  • Contact Us messages: topic, message content, reply email.
  • Associated metadata in contact flow: optional user ID linkage, locale language/country/currency, device information.

4. Legal Bases for Processing

4.1 Contract performance.

  • Creating and managing accounts.
  • Running challenges, rankings, check-ins, entry payments, refunds, withdrawals.
  • Maintaining in-app balance records and transaction history.

4.2 Consent.

  • Apple Health/HealthKit workout access (granted through Apple permission screens).
  • Push notification permissions (device-level opt-in).
  • Optional profile/media data submitted by users.

4.3 Legitimate interests.

  • Service security, fraud prevention, abuse investigation, and enforcement.
  • Service reliability, diagnostics, and operational analytics.
  • Product improvement and support quality.

4.4 Legal obligation.

  • Retention and processing of accounting/transaction records for legal, tax, and compliance requirements.
  • Responding to lawful requests from authorities.

5. How We Use Data

5.1 Service provision. To register users, authenticate access, create/join/manage challenges, publish rankings, and process check-ins.

5.2 Payments and payouts. To process entry fees, refunds, in-app balance updates, and payout requests.

5.3 Withdrawal/KYC operations. For non-BRL withdrawals, Wise may require user verification (KYC/compliance). Movva sends required payout instruction data to Wise and is not responsible for third-party verification delays, additional data requests, or rejections.

5.4 Fraud and abuse prevention. To detect suspicious behavior, enforce rules, investigate manipulation, and preserve records where needed for review.

5.5 Support and communications. To respond to Contact Us requests (target response stated in-app as up to 24 hours), send transactional notices, and deliver challenge-related notifications.

5.6 Operational quality and reliability. To monitor failures, debug incidents, improve app stability, and protect users and Movva services.

6. Transfers, Payouts & Transactions

6.1 Incoming payments. Entry-fee payments are processed through Stripe. Settlement to Movva is managed through Movva’s banking/payment operations (including EFIBank as Movva’s bank).

6.2 In-app balance nature. In-app balance is denominated in real currency (BRL, USD, NZD). It is not a token, not points, and not a crypto-asset. Movva is a technology platform and not a bank.

6.3 Balance usage for challenge entry. Eligible users may use in-app balance for up to 50% of entry fee value.

6.4 Withdrawal request minimum. Minimum withdrawal request is 5 units in account currency (BRL 5 / USD 5 / NZD 5).

6.5 Withdrawal processing flow.

  • BRL/PIX: full name, CPF, PIX key type, and PIX key are used to execute payout.
  • Non-BRL/Wise: full name and email are used to initiate Wise payout flow.
  • Operational timing communicated to users: payout initiation/processing may take up to 5 business days, and final receipt depends on the provider's verification/compliance flow.

6.6 Refund handling. If a paid challenge is canceled and the user is eligible under app logic, refund amounts are credited to in-app balance ledger records.

7. Sharing & Third Parties

7.1 Payment and payout providers.

  • Stripe: payment processing, payment intents, and transaction-related metadata.
  • EFIBank: Movva banking operations related to settlement and payout operations.
  • Wise: international payout processing and verification/KYC for non-BRL withdrawals.

7.2 Platform and infrastructure providers.

  • Firebase/Google cloud services for authentication, database, storage, functions, messaging, and operational infrastructure.
  • Apple services for Apple sign-in and HealthKit permissioned data imports.
  • Unsplash-powered image library services for browsing/selecting media assets.

7.3 Monitoring/diagnostics providers.

  • Error monitoring and incident diagnostics providers used by Movva operations (for example Sentry paths present in implementation).

7.4 Authorities and legal recipients.

  • Courts, regulators, law enforcement, or tax/compliance authorities where required by law or to protect rights and safety.

7.5 Third-party privacy notice. For more information about third-party data collection, users should review the privacy policies of services used by Movva, including Stripe, EFIBank, Wise, Apple Health/HealthKit, Unsplash, and Firebase. Data may be shared with these providers as required to operate the service.

8. Apple Health / HealthKit

8.1 Permission-based access only. Movva reads Apple workout data only after you grant permission in Apple Health/HealthKit.

8.2 Scope of imported data. Imported records may include workout metrics (for example start date/time, duration, calories, distance) and source metadata used to prevent duplicate check-ins.

8.3 No medical service. Movva is not a medical, diagnosis, or treatment service and does not provide clinical advice.

8.4 Apple terms. Apple’s own privacy rules apply to Apple Health/HealthKit data handling by Apple services. See [THIRD_PARTY_POLICY_LINKS].

9. Cookies & Tracking

9.1 Mobile app tracking context. The primary service is a mobile app and does not rely on browser cookies for core app flows.

9.2 Website and SDK tracking. Website sessions, diagnostics, and app SDK telemetry may involve identifiers and logs needed for security, performance, and support.

9.3 Tracking inventory. Movva uses monitoring and error-diagnostics tools (for example Sentry) to improve service quality and reliability. No additional behavioral tracking is performed.

9.4 User controls. Users may control some tracking through device permissions (for example notifications), OS settings, and applicable cookie controls on websites where available [TO_BE_FILLED: specific consent banner/provider controls].

10. Cross-Border Transfers

10.1 Transfer scope. Personal data may be processed in Brazil and in other countries where Movva service providers operate (including Wise and cloud infrastructure providers).

10.2 Safeguards. Movva applies legal and contractual safeguards appropriate to applicable law for international data transfers, including provider commitments and security controls.

10.3 Transfer mechanism. Personal data may be transferred internationally to service providers that commit to maintaining protection equivalent to LGPD standards.

11. Retention & Deletion

11.1 Retention baseline from current terms.

  • General user/challenge/check-in/log data: retained for 1 year after user requests account deletion.
  • Payment and transaction records: retained for 5 years for tax/accounting/compliance purposes.

11.2 Category-level retention view (current + pending confirmation).

  • Account/profile data: account lifetime + 1 year after deletion request (based on terms baseline).
  • Transaction/ledger/payment records: 5 years.
  • Check-ins and challenge participation data: retained until account deletion and for 1 year after deletion request.
  • Uploaded images (profile/banner/check-in): retained until account deletion and for up to 1 year after deletion request, subject to storage lifecycle and legal obligations.
  • Technical logs/diagnostics: retained according to operational necessity and legal requirements, with deletion/archival aligned to account-deletion retention baseline where applicable.

11.3 Deletion effects. Deleting or terminating an account may remove access to challenge history, balance views, and related records, subject to legal retention obligations.

11.4 How to request deletion. Users may request deletion via hello@movva.app. Movva verifies requester identity and processes data requests within 30 business days, in accordance with LGPD.

12. User Rights & How to Exercise

12.1 Applicable rights. Depending on jurisdiction and law, users may request:

  • access to personal data;
  • correction of inaccurate data;
  • deletion/anonymization where legally applicable;
  • data portability where technically and legally applicable;
  • restriction or objection to certain processing;
  • withdrawal of consent where processing is consent-based;
  • review by a supervisory authority.

12.2 Request channel. Send requests to hello@movva.app with sufficient information to identify your account and request scope.

12.3 Response timing. Movva targets responses within 30 days, subject to lawful extensions where applicable.

12.4 Process details. Movva verifies the identity of the requester and processes privacy/data requests within 30 business days, in accordance with LGPD.

12.5 Brazil supervisory authority. Users in Brazil may contact ANPD (Autoridade Nacional de Proteção de Dados) if they believe rights were not handled properly.

13. Security Measures

13.1 Security approach. Movva uses technical and organizational safeguards designed to protect personal data against unauthorized access, loss, misuse, and alteration.

13.2 Examples from implementation context.

  • authentication and access controls;
  • transport/storage protections provided by cloud providers;
  • role-based operations for challenge moderation and payment workflows;
  • operational monitoring and error reporting.

13.3 Detailed controls. Movva adopts industry-standard security controls, including Firebase-based authentication, data encryption in transit, regular backups, and access monitoring. Complete details of the internal security plan are confidential.

14. Children’s Privacy

14.1 Minimum age. Movva is intended for users aged 13 and older.

14.2 Minors. Underage users must have consent from a parent or legal guardian to create an account or participate in challenges.

15. Automated Decision-Making

15.1 No significant automated decisions. Movva does not perform automated decisions that significantly affect users.

15.2 Operational automation. App logic automatically computes rankings, challenge outcomes, and transaction state transitions based on configured rules and recorded metrics.

15.3 Policy confirmation. [AUTOMATED_DECISION_PLACEHOLDER: confirm whether any profiling is used for fraud/risk scoring with legal or significant impact].

16. Changes to This Policy

16.1 Updates. Movva may update this Policy from time to time to reflect product, legal, operational, or provider changes.

16.2 Notice method. Material changes may be communicated through in-app notice, website publication, and/or email where appropriate.

16.3 Effective date control. The “Effective as of” date at the top indicates when the latest version becomes valid.

16.4 Canonical public URLs.

17. Contact Information & Supervisory Authority

17.1 Contact Movva.

Movva

CNPJ: 63.963.260/0001-82

Phone: +55 48 99614 3303

Email: hello@movva.app

Address: RODM PREF ROMEU CARLESSI, Turvo, SC - Brazil

17.2 Privacy complaints. You may contact Movva first at hello@movva.app. In Brazil, you may also file complaints with ANPD.