Data Processing Agreement

Effective: 15 May 2026 · Version 2.0

This Data Processing Agreement ("DPA") forms part of the Terms of Service between dynaimic ("Data Controller", "we", "us"), operated by Burak Ozaslan, and you, the user of the dynaimic application ("Data Subject", "you"). It governs the processing of your personal data in connection with the Service.

This DPA also establishes the framework governing our relationship with sub-processors who process personal data on our behalf.

1. Definitions

• "Personal Data" — any information relating to an identified or identifiable natural person, as defined by GDPR Art. 4(1) and KVKK Art. 3.
• "Special Category Data" — personal data relating to health (including body measurements, fitness data, and workout performance), as defined by GDPR Art. 9 and KVKK Art. 6.
• "Processing" — any operation performed on personal data: collection, recording, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
• "Data Controller" — dynaimic / Burak Ozaslan, the entity that determines the purposes and means of processing.
• "Data Processor" / "Sub-Processor" — a third party that processes personal data on behalf of the Data Controller.
• "Data Subject" — the individual whose personal data is being processed (you, the user).
• "AI Processing" — transmission of personal data to artificial-intelligence service providers for the purpose of generating personalised workout recommendations.

2. Scope & Purpose

This DPA applies to all processing of personal data carried out by dynaimic and its sub-processors in connection with providing the Service. The purpose of data processing is exclusively to:

1. Provide AI-generated personalised workout programmes
2. Adapt future sessions based on your "How did it feel?" feedback
3. Track and analyse fitness performance over time
4. Deliver progressive-overload recommendations based on historical data
5. Enable exercise logging (structured and free-text)
6. Manage workout routine templates and user-created routines
7. Track body composition metrics and trends
8. Provide fitness analytics (muscle heatmap, personal records, streaks, rank progression)
9. Authenticate users and maintain account security via Sign in with Apple
10. Administer subscriptions, free trials, and enforce rate limits
11. Diagnose and resolve software defects via pseudonymised crash reports

3. Categories of Personal Data Processed

Category	Data Elements	Classification
Identity Data	Apple ID identifier (via Sign in with Apple), email (real or Apple Private Relay), display name, user ID (UUID)	Personal Data
Demographic Data	Gender, date of birth, height, timezone	Personal Data
Health & Body Data	Body weight, body fat percentage, measurement notes, weight trends	Special Category Data
Fitness Profile	Fitness goal, experience level, preferred session duration, routine preference, available equipment, selected coach personality, unit preferences	Personal Data
Workout Performance Data	Session records (date, type, duration, status, source), exercise logs (weight, reps, sets, RPE), "How did it feel?" feedback, personal records, training streaks, XP, progressive-overload history	Special Category Data
User-Generated Content	Session ratings, feedback text, pre-assessment Q&A answers, free-text workout descriptions, exercise notes, custom routine configurations, measurement notes	Personal Data
AI Processing Metadata	AI model used, AI reasoning text, generation timestamps	Personal Data
Subscription Data	Subscription tier (free / premium), free-trial state, Apple-issued receipts, renewal dates, daily generation count	Personal Data
Authentication Data	Sign in with Apple identity tokens, JWT session tokens (transient), authentication timestamps	Personal Data
Diagnostics (Pseudonymised)	Crash reports, performance traces, salted hash of user ID; no email, name, IP, or free-text content	Pseudonymised Personal Data

4. Data Subjects

The data subjects covered by this DPA are registered users of the dynaimic mobile application (both Free and Premium tiers).

5. Processing Activities

5.1 AI Workout Generation

5.2 Free-Text Workout Parsing

Data Sent to AI Provider: Your natural-language workout description and the relevant subset of the exercise catalogue.

Purpose: Convert unstructured text into structured exercise-log records.

5.3 Semantic Exercise Search

Data Sent to AI Embedding API: A concatenated search string containing muscle-group names (derived from your 48-hour training history), equipment types, fitness goal, experience level, and optional modifier.

Purpose: Generate vector embeddings for cosine-similarity search against the exercise database.

5.4 Coach Personality & Message Generation

Data Sent to AI Provider: Selected coach personality, recent session feedback, current session context.

Purpose: Generate coach voice / messages that match the selected personality and adapt to recent feedback.

5.5 Progressive Overload Computation

Data Processed Locally on Our Backend: Previous weeks' performance data (weights, reps) and exercise-level progression rules.

Purpose: Auto-populate target weights and generate progression suggestions for the current week.

5.6 Background Session Management

Data Processed: Workout session statuses and timezone information.

Purpose: Hourly background job marks stale draft / active sessions from previous days as "skipped" based on user timezone.

5.7 Analytics Computation

Data Processed Locally: Workout sessions, exercise logs, body measurements, XP events.

Purpose: Generate muscle heatmaps, personal-record tracking, training-streak calculations, and rank progression.

5.8 Subscription State Management

Data Sent to RevenueCat: Your user identifier and Apple-issued purchase receipts.

Purpose: Maintain subscription and free-trial state across devices, enable Restore Purchases.

5.9 Diagnostics & Performance

Data Sent to Sentry: A salted SHA hash of your user identifier, app version, OS version, device model, and the crash / performance trace. No email, name, IP address, or user-typed content is sent.

Purpose: Group multiple events from the same account for triage without re-identifying you.

5.10 Admin Monitoring

Data Processed: Aggregated, non-individually-identifiable metrics (user counts, session statistics, generation trends).

Purpose: Service-health monitoring.

6. Controller Obligations

As Data Controller, dynaimic shall:

1. Process personal data only for the purposes specified in this DPA and the Privacy Policy
2. Ensure a valid legal basis exists for all processing activities, including obtaining explicit consent for health data and AI processing
3. Implement appropriate technical and organisational measures to protect personal data
4. Maintain records of processing activities in compliance with GDPR Art. 30 and KVKK requirements
5. Conduct Data Protection Impact Assessments where required
6. Respond to data subject requests within the statutory timeframes (30 days)
7. Notify the relevant supervisory authority and affected data subjects in the event of a personal data breach
8. Ensure sub-processors provide sufficient guarantees regarding data protection
9. Review and update this DPA periodically to reflect changes in processing activities

7. Processor Obligations

Sub-processors engaged by dynaimic are contractually required to:

1. Process personal data only on documented instructions from dynaimic
2. Ensure persons authorised to process personal data are bound by confidentiality obligations
3. Implement appropriate technical and organisational security measures
4. Not engage further sub-processors without prior authorisation
5. Assist the controller in responding to data subject requests
6. Delete or return all personal data upon termination of services
7. Make available all information necessary to demonstrate compliance
8. Immediately inform the controller if an instruction infringes data protection law

8. Sub-Processors

The following sub-processors are authorised to process personal data on behalf of dynaimic:

Sub-Processor	Purpose	Data Categories	Location
Apple Inc.	Sign in with Apple, App Store distribution, subscription billing, HealthKit, push notifications	Apple ID identifier, payment data (Apple-handled), HealthKit data (with consent)	United States & global Apple infrastructure
Supabase, Inc.	User authentication tokens, primary application database	Identity, profile, fitness, workout, routine, measurement data	EU and US regions (depending on project configuration)
RevenueCat, Inc.	Subscription state management and restore purchases	User identifier, Apple-issued purchase receipts, subscription tier	United States
Functional Software, Inc. (Sentry)	Crash reports and performance diagnostics (pseudonymised)	Salted hash of user ID, app/OS/device metadata, stack traces	United States & EU regions
OpenAI, L.L.C.	AI workout generation, free-text parsing, exercise embedding	Fitness profile, training history, body measurements, session feedback (no name / email / payment data)	United States

We may engage additional sub-processors from time to time. Material changes to the sub-processor list will be disclosed by updating this DPA and notifying you in-app.

9. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence. For transfers from the EU/EEA, the United Kingdom, or Türkiye to third countries, we rely on appropriate safeguards including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Each sub-processor's own data-protection commitments and certifications
• Apple's Data Processing Addendum (covering Apple sub-processors)
• OpenAI's Zero Data Retention agreement for API-tier processing (where applicable)

10. Technical & Organisational Security Measures

We implement the following measures to protect personal data:

• Authentication: Sign in with Apple, JWT-based session management with cryptographic signatures
• Authorisation: Strict per-user access control — users can only access their own data
• Transport security: HTTPS / TLS enforced with HSTS in production
• Security headers: X-Content-Type-Options, X-Frame-Options (DENY), strict Referrer-Policy, Content-Security-Policy
• Admin protection: Administrative endpoints secured behind HMAC-validated API keys
• Production safeguards: Authentication cannot be disabled in production; default / weak API keys are rejected
• Pseudonymisation: Diagnostics use salted SHA hashes of user IDs
• Rate limiting: Daily AI generation limits to prevent abuse
• Identifiers: Non-sequential, cryptographically random UUIDs
• Backups: Automated, encrypted database backups with point-in-time recovery
• Access logs: Authentication events and admin actions are logged

11. Data Subject Rights

You have the following rights under GDPR, KVKK, and similar laws:

• Right of access (GDPR Art. 15 / KVKK Art. 11)
• Right to rectification (GDPR Art. 16)
• Right to erasure / right to be forgotten (GDPR Art. 17)
• Right to restriction of processing (GDPR Art. 18)
• Right to data portability (GDPR Art. 20)
• Right to object (GDPR Art. 21)
• Right to withdraw consent (GDPR Art. 7(3))
• Right to lodge a complaint with a supervisory authority (GDPR Art. 77 / KVKK Art. 14)

To exercise these rights, email support@dynaimicpt.com. We will respond within 30 days.

12. Data Breach Notification

In the event of a personal data breach likely to result in a risk to the rights and freedoms of data subjects, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33)
• Notify affected data subjects without undue delay when the breach is likely to result in a high risk (GDPR Art. 34)
• Document all breaches, their effects, and the remedial action taken

13. Data Protection Impact Assessment

We conduct a Data Protection Impact Assessment (DPIA) for processing activities that are likely to result in a high risk to data-subject rights, including AI-based processing of special category (health) data. Our DPIA is reviewed at least annually and whenever processing activities materially change.

14. Data Retention & Deletion

Data is retained for the following periods:

• Account & profile data: Until account deletion
• Health and workout data: Until account deletion or manual removal
• Diagnostics (pseudonymised): 90 days (Sentry default)
• AI inference inputs / outputs: Up to 30 days at the AI provider for abuse monitoring, then deleted
• Subscription / receipt records: Retained as required by tax law (typically 5–10 years)
• Aggregated, non-identifiable metrics: Indefinite

When you delete your account, all personal data associated with your account is permanently deleted from our active systems within 30 days, subject to legal retention obligations.

15. Audit Rights

You may, by reasonable advance written notice and not more than once per year (or in the case of a data breach affecting you), request information to verify our compliance with this DPA. We will respond with summary information appropriate to your interest as a data subject. Audits of our sub-processors are governed by their respective DPAs with us.

16. Liability

Each party is liable for damages arising from its own non-compliance with applicable data-protection law, in accordance with GDPR Art. 82, KVKK, and other applicable statutes. Liability limitations in the Terms of Service apply to the extent permitted by law.

17. Term & Termination

This DPA takes effect when you accept it and remains in force as long as we process your personal data. On termination of your account or the Service:

• We will delete or anonymise your personal data within 30 days, subject to legal retention obligations
• Sub-processors will be instructed to delete data they hold on our behalf, per their DPAs with us
• Sections that by their nature should survive termination (sub-processor relationships, liability, breach-notification obligations for past incidents) continue to apply

18. Contact

For all matters relating to this DPA or your personal data:

Email: support@dynaimicpt.com
Operator: Burak Ozaslan
Address: Zümrütevler Mahallesi, Maltepe / Istanbul 34852, Türkiye

Local supervisory authority for KVKK matters: Kişisel Verileri Koruma Kurumu (KVKK).