Legal
Data Retention Policy
Last updated: 25 April 2026
1. Our commitment
- We will never sell your data.
- We will never share your data with third parties for their own purposes. The only third parties that ever touch it are the processors listed in our Privacy Policy, and only to the extent needed to operate Shy for you.
- You can delete your account and data at any time from Settings.
2. Retention periods
We keep different categories of data for different periods:
- Account data (email, hashed password, sign-in method): kept while your account is active. Deleted within 30 days of account closure.
- Profile data (date of birth, sex, height, weight, etc.): kept while your account is active. Deleted within 30 days of account closure.
- Provider raw payloads (the raw JSON we receive from Strava, Oura, etc.): rolling 24 months. Older raw payloads are deleted.
- Normalised activity, sleep, recovery records: 36 months from the date of the activity or measurement.
- Derived daily metrics (trends, summaries): kept while your account is active.
- AI conversations (prompts, responses, the data summary used to ground each response): 12 months, or until you delete them, whichever is sooner.
- Reports: kept until you delete them or close your account.
- OAuth tokens for connected providers: kept while the connection is active. Revoked and deleted when you disconnect the provider or close your account.
- Application and security logs: 90 days, then purged. Required to operate the service securely.
- Backups: encrypted backups are retained for 30 days on a rolling basis. Deleted data persists in backups for up to 30 days before being overwritten.
- Billing records (if you are on a paid plan): retained for 5 years to meet South African tax and accounting obligations under the Tax Administration Act, 2011, and the Companies Act, 2008.
3. AI processing and what leaves our systems
When you use the Ask AI feature or generate a report, the relevant slice of your data plus your prompt is sent to a third-party AI provider (currently OpenAI and/or Anthropic) so they can compute a response.
Once a request is sent, we no longer have visibility or control over what happens to that copy of the data inside the AI provider’s environment. We choose providers whose contracts state they will not train their public models on your input data, and who commit to short retention periods for abuse monitoring (typically 30 days or less). Their handling is governed by their own data processing agreements, which we have entered into on your behalf.
If you do not want any of your data sent to an AI provider, do not use the Ask AI or report generation features. The dashboard and your stored data will continue to work as normal.
4. Deleting your account
- Open Settings and choose “Delete account”.
- We immediately disable your account and revoke OAuth tokens for connected providers.
- Within 30 days, we hard-delete your account, profile, provider, derived, AI, and report data from primary storage.
- Within 30 further days, the data is overwritten in encrypted backups on the standard backup rotation.
- Records we are legally required to keep (e.g. billing for tax purposes) are retained in line with Section 2 and isolated from product systems.
5. Your rights
You can exercise the POPIA and GDPR rights set out in our Privacy Policy, including the right to request earlier deletion than the periods above (right to deletion under POPIA s. 24; right to erasure under GDPR), unless we have an overriding legal obligation to retain a specific record.
6. Contact
Shyshark Digital (Pty) Ltd, Loch Venus Road, Cape Town, 7979, South Africa. privacy@shyshark.co.za.