Back to Login

ApexCoaching Privacy & Personal Data Protection Policy

Effective Date: [Effective Date]
Data Controller (Veri Sorumlusu): ApexCoaching – [Legal Entity Name], Trade Registry No. [•], MERSİS No. [•]
Registered Office: [Registered Address], İstanbul, Türkiye
Website: [website]
Privacy Contact: [privacy email]

1. Scope & Applicability

This Privacy Policy explains how ApexCoaching collects, uses, stores, shares, and protects your personal data when you use our fitness and nutrition coaching platform.

ApexCoaching operates from the Republic of Türkiye and processes personal data primarily in accordance with the Turkish Personal Data Protection Law No. 6698 ("KVKK") and its secondary legislation.

Where we provide services to individuals in the European Union (EU), European Economic Area (EEA), or the United Kingdom (UK), we also seek to align with the EU GDPR (Regulation (EU) 2016/679) and UK GDPR. In case of conflict, mandatory local legal requirements prevail to the minimum extent required by law.

2. Purpose & Related Documents

This Policy explains our data practices in connection with:

  • Workout and training programs
  • Meal and nutrition programs
  • Progress tracking (measurements, photos, goals, habits, personal records)
  • Appointment scheduling and messaging
  • Subscriptions and membership services
  • Website and platform usage

This Policy forms part of our legal framework together with our Terms & Conditions and any additional consents you provide (e.g., explicit consent for health data).

3. Data Controller & Contact

For the purposes of KVKK (and, where applicable, GDPR), ApexCoaching is the Data Controller for personal data processed through the Platform.

Privacy Contact: [privacy email]

Where required by law or operational needs, ApexCoaching may appoint a data protection representative and/or a Data Protection Officer (DPO). If appointed, contact details will be published on the Website.

4. Data Protection Principles (KVKK Art. 4)

We process personal data:

  • Lawfully and in good faith;
  • Accurately and, where necessary, kept up to date;
  • For specific, explicit, and legitimate purposes;
  • In a relevant, limited, and proportionate manner;
  • For the period required by law or the purpose of processing.

These principles align with GDPR Article 5 where GDPR applies.

5. Personal Data We Collect

5.1 Identity Data

Name, date of birth, gender (where you provide it).

5.2 Contact Data

Email address, phone number.

5.3 Account & Membership Data

Account identifiers, role (member, trainer, nutritionist), subscription status, and plan history.

5.4 Health & Fitness Data (Special Category Data – KVKK Art. 6 / GDPR Art. 9)

Collected only when you voluntarily provide it or request related services, and may include:

  • Body measurements and composition
  • Progress photos
  • Injury history and mobility limitations
  • Nutrition logs and dietary preferences
  • Training history and performance metrics

5.5 Payment & Transaction Data

Subscription and payment status and transaction history. Full card details are handled by our PCI-compliant payment provider and are not stored by ApexCoaching.

5.6 Technical & Usage Data

IP address, device identifiers, browser type, log data, cookies, and similar technologies.

5.7 Communications Data

In-app messages between you and your coach, notifications, and support requests.

6. How We Collect Data

  • Information you submit (registration, onboarding, forms, uploads, messages);
  • Account creation and subscription activity;
  • Your communications with coaches and support;
  • Platform usage and technical logs;
  • Cookies and similar technologies (where applicable).

7. Legal Bases for Processing (KVKK Art. 5–6 / GDPR Art. 6 & 9)

We process personal data on one or more of the following bases:

  • Performance of a contract (providing the Services you request);
  • Your explicit consent, in particular for health and fitness data;
  • Compliance with a legal obligation;
  • Our legitimate interests, balanced against your rights.

Health and fitness data (special category data) is processed on the basis of your explicit consent (KVKK Art. 6 / GDPR Art. 9(2)(a)). You may withdraw consent at any time; withdrawal may limit our ability to provide certain Services.

8. Purposes of Processing

  • To create and manage your account and subscription;
  • To deliver coaching, workout, and nutrition programs;
  • To enable progress tracking, scheduling, and messaging with your coach;
  • To process payments and prevent fraud;
  • To provide support and maintain service quality and security;
  • To comply with legal obligations;
  • To improve platform performance and user experience.

We do not sell your personal data.

9. Health & Fitness Data (Enhanced Safeguards)

Health and fitness data is treated as highly sensitive. Safeguards include restricted, need-to-know access, role-based permissions, secure storage, controlled sharing, and additional consent controls.

This data is shared only:

  • With your assigned coach so they can provide your programs;
  • Where necessary to deliver a Service you request;
  • Where required by law.

10. Data Sharing & Recipients

10.1 Your Coaches

Trainers and nutritionists assigned to you receive the data needed to prepare and manage your programs and to communicate with you.

10.2 Service Providers (Processors)

IT hosting and infrastructure, email delivery, and support tools, subject to contractual confidentiality and security obligations.

10.3 Payment Providers

Our third-party payment processor for subscription and service payments.

10.4 Legal & Regulatory Authorities

Where required by law, lawful request, or to protect rights and safety.

We do not sell or rent personal data to third parties for their own marketing.

11. International Transfers

Your data is primarily processed within Türkiye. Where data is transferred abroad (e.g., to hosting or infrastructure providers), we apply the safeguards required under KVKK Art. 9 and, where GDPR applies, Chapter V (such as Standard Contractual Clauses), together with appropriate technical and organisational measures.

12. Data Retention

We retain personal data only as long as necessary:

  • While your account is active;
  • To deliver the Services;
  • To comply with legal, tax, and financial obligations;
  • To resolve disputes and enforce agreements.

Financial records are kept for the periods required by Turkish law. Health and fitness data is retained while needed for your Services and is deleted upon a valid request unless a legal retention obligation applies.

13. Your Rights (KVKK Art. 11 / GDPR Art. 12–23)

Subject to applicable law, you have the right to:

  • Learn whether your personal data is processed and request information about it;
  • Access and request a copy of your data;
  • Request rectification of inaccurate data;
  • Request erasure or destruction where conditions are met;
  • Object to or request restriction of certain processing;
  • Request data portability (where GDPR applies);
  • Withdraw consent at any time;
  • Lodge a complaint with the competent authority.

Requests: [privacy email]. We aim to respond within 30 days, and in any event within the periods required by KVKK.

14. Cookies & Tracking Technologies

We may use cookies and similar technologies for essential platform function, security, and (where enabled) performance and analytics. Where required by law, we implement consent mechanisms. You can manage cookies through your browser settings and any on-site consent tool.

15. Automated Processing & AI

We may use AI-supported tools to assist with wellness analytics, summaries, and program structuring. We do not use fully automated decision-making that produces legal or similarly significant effects without human oversight. All guidance remains advisory and subject to human review and your own decisions.

16. Security Measures

We implement commercially reasonable measures such as access controls and authentication, secure hosting, monitoring and logging, organisational confidentiality controls, and vendor security obligations. No system is fully secure, but we continuously work to improve protection.

17. Data Breach Response

In the event of a personal data breach, we will assess the risk promptly, notify the Turkish Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu) and, where GDPR applies, the relevant supervisory authority within the legally required timeframe, notify affected individuals where required, and document and remediate the incident.

18. Children & Minors

ApexCoaching is not directed to individuals under the age of 18. We do not knowingly process personal data of minors without verified parental or legal guardian consent. If a minor wishes to use the Platform, a parent or legal guardian must provide verified consent and accept the Terms & Conditions and this Policy on the minor's behalf. If we learn that a minor's data was collected without appropriate consent, we will take steps to delete it. Parents/guardians may contact us at [privacy email].

19. Governing Law, Complaints & Updates

19.1 Governing Law

Unless mandatory local law requires otherwise, this Policy is governed by the laws of the Republic of Türkiye.

19.2 Complaints

Please contact us first at [privacy email]. You may also lodge a complaint with the Turkish Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu) or, where GDPR applies, with your local supervisory authority.

19.3 Updates

We may update this Policy from time to time. The latest version will be published on the Platform, and continued use after publication constitutes acceptance of the updated Policy.

Contact

  • Privacy Contact: [privacy email]
  • Website: [website]
  • Registered Office: [Registered Address], İstanbul, Türkiye
  • Jurisdiction: Republic of Türkiye