Last Updated: 6 July 2025
At GritFit, we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your data when you use our multivendor marketplace platform for health, fitness, and wellness products.
By accessing or using GritFit, you agree to the terms of this Privacy Policy. If you do not agree, please do not use our services.
When you register, buy, sell, or interact with GritFit, we may collect:
Buyers: Name, email, phone number, shipping address, payment details (processed securely via third-party gateways).
Sellers: Business name, contact details, tax/VAT information (if applicable), bank/PayPal details for payouts.
All Users: Account credentials, transaction history, customer support inquiries.
We automatically collect:
Device information (IP address, browser type, operating system).
Usage data (pages visited, time spent, interactions with vendors).
Cookies & tracking technologies (to improve user experience).
We use collected data to:
Process orders, payments, and vendor payouts.
Verify seller identities and prevent fraud.
Improve platform functionality and user experience.
Communicate updates, promotions, or policy changes.
Comply with legal obligations (e.g., tax laws).
We do not sell your personal information. Data may be shared with:
Vendors: Only to fulfill orders (e.g., shipping details).
Payment Processors: PayPal, banks, or card providers for transactions.
Legal Authorities: If required by Zimbabwean law (e.g., fraud investigation).
Service Providers: Hosting, analytics, or customer support tools (under confidentiality agreements).
We implement:
Encryption (SSL) for data transmission.
Secure payment gateways (no raw card data stored).
Restricted access to personal information.
However, no system is 100% secure—users must also protect their account credentials.
Access/Update Data: Edit your profile via account settings.
Delete Account: Request via support (subject to legal retention needs).
Marketing Opt-Out: Unsubscribe from emails via link or settings.
Cookies: Adjust browser settings to disable (may affect functionality).
EU Users: Under GDPR, you have rights to access, rectify, port, or erase your data. Contact us with "DATA REQUEST" in the subject line.
Zimbabwe Users: Protected under the Data Protection Act [Chapter 11:12], you may request data access, corrections, or lodge complaints with the Postal and Telecommunications Regulatory Authority (POTRAZ).
We retain personal data:
For active accounts and as needed to provide services
To comply with Zimbabwean tax and commercial laws (typically 5-7 years for financial records)
Until deletion is requested (where permissible by law)
Data may be transferred to and processed in:
Zimbabwe (our primary operations base)
Other countries where our service providers operate
We ensure all transfers comply with applicable laws and use standard contractual clauses where required.
GritFit may link to external sites (e.g., vendor websites). We are not responsible for their privacy practices—review their policies separately.
Our platform is not intended for users under 18. We do not knowingly collect data from minors.
We may update this policy periodically. Changes will be posted here, with the "Last Updated" date revised. Users will be notified of material changes.
For questions, data requests, or to exercise your rights:
Email: hello@gritfitapp.com (Subject: "DATA REQUEST")
Physical Address:
89 Haydon Park
Westgate
Harare
Zimbabwe
Data Protection Officer: Shannon Nyagoro
Data Collection:
For cash-on-delivery (COD) or in-person transactions, we collect:
Buyer contact details (phone/email for order confirmation)
Seller verification data (ID/business registration for compliance)
Transaction amounts (for monthly fee calculation and tax records)
Security Measures:
Cash transaction records are stored separately with limited access
Sellers must report cash sales within 24 hours via seller dashboard
Monthly reconciliation required for all cash deals
Retention:
Cash transaction logs retained for 5 years (per Zimbabwean Revenue Authority requirements)
Vendor Obligations:
Must maintain their own GDPR/ZDPA-compliant privacy policies if processing user data independently
Required to:
Secure buyer shipping/contact information
Delete customer data upon request (unless legally required to retain)
Report data breaches to GritFit within 72 hours
Shared Liability:
Vendors are independently responsible for:
Product compliance (e.g., health supplement regulations)
Accurate product descriptions (wellness claims must be verifiable)
Special Category Data:
For wellness products requiring health disclosures (e.g., immunity boosters):
Buyers may voluntarily provide health information
Such data is:
Encrypted during transmission
Not used for marketing
Deleted after order fulfillment (unless retention required by law)
Pandemic Measures:
Temperature checks/logs at pickup locations (if applicable):
Collected data is anonymized
Destroyed after 30 days
Vaccine requirement disclosures (for in-person events):
Clearly stated at point of registration
Verification data is processed offline and not stored digitally
Cash Transactions:
Monthly fee structure detailed in Vendor Agreement (Section 4.2)
ZIMRA reporting requirements apply to all cash deals over $500
Vendor Audits:
Random quarterly checks for data compliance
Penalties for violations (up to account suspension)
Health Data:
Special protections under Zimbabwe's Public Health Act
EU users: Additional safeguards per GDPR Article 9