PRIVACY POLICY
Last Updated: December 23, 2025
This Privacy Policy explains how the Fitmeup platform ("Fitmeup") processes personal data in connection with its web application, mobile applications (iOS & Android), APIs, and related services (collectively, the "Services"). Fitmeup is operated by Halil İbrahim Hatun, a sole proprietor established in Turkey.
Fitmeup is a B2B SaaS platform providing digital infrastructure for fitness coaches, personal trainers, studios, and gyms, as well as a client-facing mobile application used by end users receiving coaching services.
This Privacy Policy is structured separately for:
- Section 2 – Coaches (Trainers / Studios)
- Section 3 – Clients (End Users / Athletes)
It applies globally, with region-specific rights described in Section 7. Additional sections cover AI processing (Section 4), data sharing and transfers (Section 5), data retention (Section 6), security measures (Section 8), cookie and tracking technologies (Section 9), children's data (Section 10), data breach notification (Section 11), and dispute resolution (Section 12).
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email, in-app notification, or prominent notice on our website at least 30 days before the changes take effect, unless required by law to implement sooner. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.
1. DEFINITIONS & ROLES
1.1 Data Roles
Depending on the usage model:
- Standard Fitmeup Model: Coach / Studio acts as Independent Data Controller for their clients' data; Fitmeup acts as Data Processor.
- White-Label Model: Coach / Studio acts as Sole Data Controller; Fitmeup acts as Data Processor acting strictly under documented instructions.
Fitmeup does not determine coaching purposes, health decisions, or training outcomes. As a processor, we process data only as instructed by controllers and in compliance with applicable laws. Coaches/Studios are responsible for ensuring their own compliance with data protection laws, including obtaining necessary consents and entering into data processing agreements (DPAs) with us where required (e.g., under GDPR Art. 28).
1.2 Key Principles
We adhere to data protection principles including lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability. We collect only data necessary for the stated purposes and implement measures to protect it.
2. PRIVACY INFORMATION FOR COACHES
(Trainers, Personal Trainers, Studios, Gyms)
We process the following categories of personal data for coaches. Purposes are based on legal grounds such as contract performance (GDPR Art. 6(1)(b)), legitimate interests (e.g., security), or consent where applicable. Optional data is collected only if provided and is minimized to essentials.
2.1 Identity & Contact Information
- First and last name
- Email address
- Phone number
- Profile photo (optional)
- Professional title
- Brand / business name
- Country, city, time zone
- Website or social media links (optional)
Purpose: Account creation, communication, service delivery.
Legal Basis: Contract necessity; consent for optional fields.
2.2 Account & Authentication Data
- Unique user ID
- Username
- Encrypted (hashed) password
- Account role and permissions
- Login timestamps
- Session logs
- Two-factor authentication status (if enabled)
Purpose: Security, authentication, fraud prevention.
Legal Basis: Legitimate interests in security.
2.3 Subscription, Billing & Financial Data
- Subscription plan and history
- Invoices and billing records
- Business billing details (if provided)
- Commission rates
- IBAN / payout account (where Fitmeup facilitates payments)
Purpose: Contract performance, accounting, legal compliance (e.g., tax obligations).
Legal Basis: Contract necessity; legal obligation.
2.4 Operational & Coaching Content
- Client lists and segmentation
- Workout programs
- Nutrition plans
- Supplement recommendations
- Check-in forms
- Assessment templates
- Progress frameworks
- Automation rules
- AI-generated content
Purpose: Core platform functionality.
Legal Basis: Contract necessity.
2.5 Communication & Interaction Data
- Coach-to-client messages
- Notes and internal evaluations
- Client feedback
Purpose: Coaching workflow and quality assurance.
Legal Basis: Contract necessity; legitimate interests in service improvement.
2.6 Support & Technical Data
- Support tickets
- Emails and system messages
- Bug reports
- IP address
- Device and browser data
- App version
- Error and crash logs
Purpose: Support, security, platform optimization.
Legal Basis: Legitimate interests in maintenance and security.
3. PRIVACY INFORMATION FOR CLIENTS
(End Users / Athletes)
We process the following categories of personal data for clients, primarily as instructed by your coach/studio (the controller). Purposes are based on consent (for health data), contract performance, or legitimate interests. Optional data is collected only if provided.
3.1 Identity & Contact Information
- First and last name
- Email address
- Phone number
- Profile photo (optional)
- Gender (optional)
- Age or date of birth (optional)
- Country, language, time zone
Purpose: Account identification and communication.
Legal Basis: Contract necessity; consent for optional fields.
3.2 Account & Usage Data
- Unique user ID
- Login history
- Assigned coach
- Account status
- Membership and package details
Purpose: Service continuity and access.
Legal Basis: Contract necessity.
3.3 Health & Fitness Data
(Special Category Personal Data)
Processed only with explicit consent, which can be withdrawn at any time without affecting core service access (though personalization may be limited). Includes:
- Height, weight, body measurements
- Body fat percentage (if provided)
- Fitness level and training history
- Physical goals
- Injury history
- Chronic conditions (voluntarily declared)
- Medication information (optional)
- Lifestyle data (sleep, stress – self-reported)
Purpose: Personalized coaching and program design.
Legal Basis: Explicit consent (GDPR Art. 9(2)(a); KVKK Art. 6).
3.4 Workout & Performance Data
- Assigned workouts
- Completed exercises
- Sets, reps, weights
- Compliance metrics
- Progress trends
Purpose: Performance tracking and optimization.
Legal Basis: Contract necessity; consent for health-linked data.
3.5 Wearable & Health Platform Data
(Google Fit / Apple Health – Optional)
Collected only if the client explicitly authorizes integration. Includes:
- Heart rate & HRV
- VO₂ max
- Blood oxygen (if available)
- Activity data (steps, distance, calories)
- Sleep stages and duration
- Recovery and stress indicators
Purpose: Enhanced personalization.
Legal Basis: Explicit consent.
3.6 Visual & Assessment Data
- Progress photos
- Body transformation images
- Form check images or videos
Purpose: Physical assessment and progress evaluation.
Legal Basis: Explicit consent.
3.7 Check-in & Questionnaire Data
- Periodic check-ins
- Open-ended responses
- Mood and motivation ratings
Purpose: Adaptive coaching insights.
Legal Basis: Contract necessity; consent for sensitive elements.
3.8 Payment & Transaction Data
- Purchased packages
- Payment status
- Transaction references
Purpose: Service access and reconciliation.
Legal Basis: Contract necessity.
3.9 Technical & Usage Data
- IP address
- Device type
- OS and app version
- Logs and diagnostics
Purpose: Security and troubleshooting.
Legal Basis: Legitimate interests in security.
4. ARTIFICIAL INTELLIGENCE (AI) PROCESSING
4.1 AI Input Data
AI features may process:
- Coach prompts and parameters
- Client health & fitness data (with consent)
- Wearable summaries
- Check-ins and questionnaires
- Progress images
4.2 AI-Generated Outputs
- Workout plans
- Nutrition recommendations
- Supplement suggestions
- Performance insights
- Progress summaries
AI outputs are decision-support tools only and do not constitute medical advice. Final decisions remain with the coach and client. Fitmeup disclaims liability for reliance on AI outputs.
4.3 AI Training & Improvement
AI models may use anonymized and aggregated usage data (irreversibly anonymized to prevent re-identification). Identifiable health data, images, and personal content are excluded by default. AI training on personal or health data occurs only with explicit opt-in consent, which you can manage and change at any time via your account settings in the product (settings apply per user). If consent is withdrawn, previously used data will not be retroactively removed from models but will not be used further.
4.4 No Automated Decision-Making
Fitmeup does not perform:
- Automated medical decisions
- Automated legal decisions
- Fully automated profiling with legal or similar significant effects
We conduct regular audits to ensure AI compliance and mitigate biases.
5. DATA SHARING & TRANSFERS
Data may be shared with the following categories of recipients, all bound by data processing agreements (DPAs) ensuring equivalent protections:
- Hosting & cloud infrastructure providers (e.g., AWS, Google Cloud)
- Payment service providers (e.g., Stripe)
- Analytics & monitoring tools (e.g., Google Analytics, limited to aggregated data)
- Customer support tools (e.g., Zendesk)
- AI service providers (if applicable, e.g., OpenAI, with strict controls)
We do not sell personal data. Sharing is limited to what is necessary for the purposes described.
International transfers (e.g., to servers outside Turkey/EU) are safeguarded via:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions where applicable (e.g., EU-US Data Privacy Framework if certified)
- Binding Corporate Rules (if applicable to sub-processors)
Clients consent to data being shared with their assigned coach/studio as part of the service.
6. DATA RETENTION
We retain data only as long as necessary:
- Account and identity data: While the account is active, plus 6 months post-deactivation for dispute resolution.
- Billing/financial data: 7 years for tax and accounting obligations (e.g., under Turkish tax law).
- Health & fitness data: While consent is active or account is open; deletable immediately upon request or consent withdrawal.
- Technical logs: 1 year for security audits.
- Other operational data: Up to 2 years post-account closure for legitimate interests (e.g., analytics).
Data is securely deleted or anonymized when no longer needed. You can request earlier deletion where not required by law.
7. REGIONAL RIGHTS
You may exercise the rights described in this section free of charge (except for manifestly unfounded or excessive requests). Submit requests via info@fitmeup.com. We verify identity and respond within:
- 1 month (GDPR/KVKK, extendable to 2 months for complex requests)
- 45 days (CCPA/CPRA, extendable to 90 days)
If denied, we explain why and provide appeal options.
GDPR (EU/EEA) Rights
These include: access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, objection (e.g., to direct marketing), and withdrawal of consent. We appoint an EU representative if required (contact via info@fitmeup.com).
KVKK (Turkey) Rights
Under Law No. 6698, these include: learning whether data is processed, requesting information on the processing, correction or deletion, objecting to unlawful processing or automated decisions, and compensation for damages.
CCPA / CPRA (California) Rights
These include the right to: know what data is collected, disclosed, or sold; request deletion; opt out of sale or sharing (Fitmeup does not sell or share data for cross-context behavioral advertising); limit use of sensitive data; and non-discrimination. We provide two designated methods for requests: email and in-app form.
For other regions (e.g., Brazil LGPD, Canada PIPEDA), equivalent rights apply mutatis mutandis. Contact us for details.
8. SECURITY MEASURES
Fitmeup implements industry-standard measures, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Role-based access controls (RBAC)
- Logging, monitoring, and intrusion detection
- Secure development practices (e.g., OWASP guidelines)
- Regular vulnerability scans and penetration testing
- Employee training on data protection
- Compliance with ISO 27001 principles (certification in progress)
We conduct annual security audits and ensure sub-processors meet similar standards.
9. COOKIE AND TRACKING TECHNOLOGIES
Our web and mobile Services use cookies, pixels, local storage, and similar technologies for functionality, performance, and analytics. Categories:
- Essential Cookies: For core functions (e.g., authentication). No consent needed.
- Performance/Analytics Cookies: Track usage (e.g., via Google Analytics). Aggregated and anonymized.
- Functional Cookies: Remember preferences.
We obtain consent for non-essential cookies via a banner on first visit, manageable in settings. You can block cookies in your browser, but this may limit functionality. No targeted advertising cookies are used. For details, see our Cookie Policy at [fitmeup.com/cookies].
10. CHILDREN'S DATA
The Services are not intended for children under 13 years old (or equivalent minimum age in your jurisdiction, e.g., 16 under some laws). We do not knowingly collect data from children under 13. If we discover such data, we delete it immediately. Parents/guardians: contact us at info@fitmeup.com if you believe your child has provided data. Age verification may be required for certain features. This complies with COPPA (US) and GDPR Art. 8.
11. DATA BREACH NOTIFICATION
In case of a personal data breach, we notify affected individuals and relevant authorities (e.g., KVKK Board within 72 hours, per KVKK Art. 12; EU DPAs within 72 hours per GDPR Art. 33) if the breach poses a risk to rights and freedoms. Notifications include breach details, impacts, and mitigation steps.
12. DISPUTE RESOLUTION & JURISDICTION
For questions or complaints, contact info@fitmeup.com. Unresolved issues can be escalated to supervisory authorities (e.g., Turkish KVKK Board, EU national DPAs). This policy is governed by Turkish law, with exclusive jurisdiction in Istanbul courts, subject to mandatory consumer protections in your jurisdiction.
13. CONTACT
For privacy requests or inquiries:
Email: info@fitmeup.com
Data Controller: Halil İbrahim Hatun (Sole Proprietorship)
Operating under the brand name "Fitmeup"
Address: Camlik Mahallesi, 798 Street, No: 33B, Apartment B
Buca, Izmir, Turkey