Privacy Policy

Effective: 15 May 2026 · Version 2.0

1. Who We Are

dynaimic ("we", "us", "our") is operated by Burak Ozaslan and consists of the dynaimic iOS application (the "App") and its backend services (the "Service"). The Service generates personalised, adaptive AI workouts and helps you track strength training over time. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the App.

For the purposes of the GDPR and Turkish KVKK, dynaimic is the Data Controller.

2. Data We Collect

2.1 Account & Identity

Data	Purpose	Required
Apple ID identifier (via Sign in with Apple)	Authentication	Yes
Email address (real or Apple Private Relay)	Account contact, support replies	Yes
Display name (optional, from Apple ID)	Personalisation	No
User ID (UUID)	Internal account key	Auto-generated

2.2 Profile & Demographic Data

Data	Purpose	Required
Gender	Workout personalisation	No
Date of birth	Age-appropriate recommendations	No
Height	Fitness calculations	No
Timezone	Session scheduling, daily reset	No

2.3 Health & Body Data

2.4 Fitness Profile

Data	Purpose
Fitness goal (e.g., muscle gain, fat loss, strength, general fitness)	Tailored workout generation
Experience level (beginner, intermediate, advanced)	Exercise difficulty matching
Preferred session duration (15–180 minutes)	Workout length optimisation
Preferred routine type (PPL, Upper/Lower, Full Body, etc.)	Program structure
Available equipment (dumbbells, barbell, cables, etc.)	Equipment-appropriate exercises
Selected coach personality	Coach voice and programming style
Unit preferences (metric / imperial)	Display formatting

2.5 Workout & Performance Data

• Workout sessions — date, type, status, duration (start/finish times), source (AI-generated, routine, manual)
• Exercise logs — per-set tracking of weight lifted, reps completed, Rate of Perceived Exertion (RPE), rest duration
• AI-prescribed targets — suggested weights, sets, reps, and progressive overload suggestions
• "How did it feel?" feedback — your Too Easy / Just Right / Crushed Me answers after each session, used to adapt future workouts
• Session ratings & free-text feedback — optional
• Personal records — top lifts by exercise, calculated from your performance history
• Training streaks & XP — frequency, adherence, and rank-progression metrics
• Free-text workout logs — natural language descriptions you provide (e.g., "4 sets bench press 80 kg x 10")

2.6 Routine & Program Data

• Selected routine templates and custom routines you create
• Week-by-week progress tracking within multi-week programs (4–16 weeks)
• Day session completion status and per-day configuration overrides

2.7 Subscription & Purchase Data

Subscription status, purchase history, renewal dates, and free-trial state. We never see your payment card or banking details — those are handled exclusively by Apple. We receive only a signed receipt from Apple confirming the purchase, which is passed to RevenueCat for cross-device subscription state.

2.8 Diagnostics & Performance (Pseudonymised)

To find and fix bugs, the App sends crash reports and performance traces to Sentry. Before sending, your user identifier is hashed with a salted one-way function so the diagnostic record cannot be re-linked to your account. We do not send your name, email, IP address, or any user-typed content to Sentry.

2.9 In-App Analytics (Pseudonymised)

Screen views and basic feature interactions are recorded to understand which parts of the app help users and which don't. Analytics events use the same salted hash as diagnostics — they are not linked to your real identity.

2.10 What we do not collect

• Your precise or coarse location
• Your contacts, address book, or social graph
• Your photos, videos, audio, or microphone input
• Your browsing history or activity in other apps
• Your advertising identifier (IDFA) — dynaimic does not request App Tracking Transparency permission
• Sensitive categories such as race, sexual orientation, religion, biometrics, or political beliefs

3. How We Use Your Data

Purpose	Data Used	Legal Basis
Generate personalised AI workouts	Profile, health data, training history, equipment, goals, body measurements, feedback, personal records	Consent / Contract performance
Progressive overload suggestions	Previous weeks' performance data (weights, reps, RPE)	Contract performance
Exercise matching via semantic search	Muscle groups trained, equipment, goal, experience level	Contract performance
Coach personality & voice	Selected coach, profile, recent session feedback	Contract performance
Parse natural-language workout logs	Free-text input, exercise catalogue	Contract performance
Track body composition trends	Weight, body fat %, measurement dates	Consent
Analytics (muscle heatmap, PRs, streaks, rank)	Workout sessions, exercise logs, XP events	Contract performance
Subscription management	User ID, Apple-issued receipts, subscription tier	Contract performance
Rate limiting & abuse prevention	User ID, subscription tier, daily generation count	Legitimate interest
Authentication & security	Apple ID identifier, JWT tokens, user ID	Legitimate interest
Diagnostics & bug fixing	Pseudonymised crash reports and performance traces	Legitimate interest
Service health monitoring	Aggregated, non-individually-identifiable metrics	Legitimate interest

We do not sell your data. We do not share your data with advertisers or data brokers. We do not use your data to build cross-app or cross-company profiles.

4. Sub-Processors & Third-Party Sharing

4.1 Apple

Sign in with Apple is the sole authentication mechanism for dynaimic. Apple processes your Apple ID identity token to authenticate you. The App Store handles all subscription billing and payment information. Push notifications (if you opt in) and optional Apple Health integration are also Apple services.

Apple's privacy policy: apple.com/legal/privacy.

4.2 Supabase (authentication & database)

We use Supabase for user authentication via Sign in with Apple flows, and to store account data, profile information, workouts, routines, and measurements. Supabase acts as a Data Processor on our behalf.

Supabase privacy policy: supabase.com/privacy.

4.3 RevenueCat (subscription management)

RevenueCat manages your subscription state, free-trial status, and purchase restoration across devices. RevenueCat receives your user identifier and Apple-issued purchase receipts. Payment details never reach RevenueCat or us — only Apple's signed receipts.

RevenueCat privacy policy: revenuecat.com/privacy.

4.4 Sentry (diagnostics)

Sentry receives crash reports and performance traces. We send a salted SHA hash of your user identifier — not your email, name, IP address, or any free-text content you have entered. This allows multiple crashes from the same account to be grouped for triage without re-identifying you.

Sentry privacy policy: sentry.io/privacy.

4.5 AI inference providers (OpenAI)

When you request a workout, parts of your fitness profile, training history, and "How did it feel?" feedback are sent through OpenAI's API to generate the session. We use the API tier that does not use your inputs to train OpenAI's public models. OpenAI may retain API inputs and outputs for up to 30 days for abuse monitoring before deletion.

Data sent per generation request includes: your fitness profile, your last 5 body weight / body fat measurements with trend direction, your last 15 workout sessions with set-level detail, your top 5 personal records, recent session feedback, training-frequency metrics, the selected coach personality, the active routine context, and up to 25 candidate exercises from our catalogue. We do not send your name, email, or payment information to OpenAI.

OpenAI's data usage policy: openai.com/policies/api-data-usage-policies.

4.6 Legal disclosures

We may disclose information if required by law, court order, or governmental request, or if necessary to protect the rights, property, or safety of dynaimic, our users, or the public. When permitted, we will notify you before doing so.

5. Apple HealthKit Data

If you grant dynaimic permission to read from or write to Apple Health, the following specific rules apply:

• We use HealthKit data only to provide the Service — for example, to pre-fill your most recent body weight or to record your completed workouts in the Health app.
• We do not use HealthKit data for advertising or marketing.
• We do not sell or share HealthKit data with any third party.
• We do not store HealthKit data on our servers beyond what is strictly necessary to provide the requested feature.
• You can revoke HealthKit permissions at any time via iPhone Settings → Health → Data Access & Devices → dynaimic.

These restrictions are required by Apple's HealthKit rules and we follow them strictly.

6. Legal Basis for Processing

Under GDPR and KVKK, we process your personal data on the following legal grounds:

• Consent (Article 6(1)(a) GDPR / KVKK m.5/1): Health and body data processing, AI-powered workout generation, sending data to AI providers, optional Apple Health integration.
• Contract Performance (Article 6(1)(b) GDPR / KVKK m.5/2(c)): Providing core App features — workout generation, exercise logging, routine tracking, analytics, subscriptions.
• Legitimate Interest (Article 6(1)(f) GDPR / KVKK m.5/2(f)): Security, rate limiting, diagnostics, service monitoring, fraud prevention.
• Legal Obligation: Tax records and similar regulatory retention.

7. Data Retention

Data Category	Retention Period
Account data	Until account deletion
Profile & fitness preferences	Until account deletion
Body measurements	Until account deletion or manual removal
Workout sessions & exercise logs	Until account deletion
Routine data & progress	Until account deletion
Session ratings & feedback	Until account deletion
Pseudonymised diagnostics	90 days (Sentry default)
Subscription / receipt records	For the duration required by tax law (typically 5–10 years)

When you delete your account, all personal data associated with your account is permanently removed from our active systems within 30 days, except where we are legally required to retain certain records.

8. Data Security

We implement industry-standard technical and organisational measures to protect your data:

• Authentication: Sign in with Apple, JWT-based session management with cryptographic signatures
• Authorisation: Strict user-level access control — you can only access your own data
• Transport security: HTTPS / TLS enforced with HSTS in production
• Security headers: X-Content-Type-Options, X-Frame-Options (DENY), strict Referrer-Policy
• Admin protection: Administrative endpoints secured behind HMAC-validated API keys
• Pseudonymisation: Diagnostics and analytics use salted hashes of user IDs
• Rate limiting: Daily AI generation limits to prevent abuse
• Identifiers: Non-sequential, cryptographically random UUIDs

No system is perfectly secure, but we take reasonable steps to prevent unauthorised access, alteration, or disclosure. If we ever experience a personal data breach that affects you, we will notify you and the relevant supervisory authorities as required by applicable law.

9. Your Rights

Under GDPR, KVKK, and other applicable data-protection laws, you have the following rights:

• Right of Access — request a copy of all personal data we hold about you
• Right to Rectification — correct inaccurate or incomplete personal data
• Right to Erasure ("right to be forgotten") — request deletion of your personal data
• Right to Restrict Processing — limit how we process your data in certain circumstances
• Right to Data Portability — receive your data in a structured, machine-readable format
• Right to Object — object to processing based on legitimate interest
• Right to Withdraw Consent — at any time for consent-based processing (does not affect prior processing)
• Right to Lodge a Complaint — with your local data-protection authority (e.g., the Turkish KVKK Kurumu or any EU supervisory authority)

To exercise any of these rights, email support@dynaimicpt.com from the email associated with your account. We will respond within 30 days.

10. Deleting Your Account

You can delete your account at any time from inside the App:

1. Open the Profile tab
2. Go to Settings → Account
3. Tap Delete Account and confirm

Deleting your account permanently removes your workout history, custom routines, measurements, profile data, and personal records from our active systems within 30 days. This action cannot be undone.

Deleting your dynaimic account does not automatically cancel any active App Store subscription — you must cancel that separately via iPhone Settings → Apple ID → Subscriptions.

If you cannot access the in-app deletion flow, email support@dynaimicpt.com from your account email and we will process the deletion manually within 7 days.

11. Children's Privacy

dynaimic is rated 9+ on the App Store but is designed for use by individuals aged 16 or older (or 13 or older where local law permits, with parental involvement). We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us at support@dynaimicpt.com and we will delete it promptly.

12. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including:

• European Union — Supabase infrastructure regions where applicable
• United States — Apple App Store / Apple ID services, RevenueCat, Sentry, and AI providers (OpenAI) operate primarily in the US

For transfers from the EU/EEA or Türkiye, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) and each sub-processor's data-processing commitments. See the Data Processing Agreement for the full sub-processor list and transfer mechanisms.

13. Cookies & Tracking

The dynaimic mobile application does not use cookies, web beacons, or browser-based tracking technologies. The App communicates with our backend via authenticated HTTPS requests. We do not integrate advertising trackers, and dynaimic does not request the App Tracking Transparency (ATT) permission because we do not engage in cross-app or cross-website tracking.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make a material change, we will increment the version number, update the effective date at the top of this page, and notify you inside the App the next time you open it. Continued use of the Service after a change takes effect constitutes acceptance of the updated policy. If you do not agree to an update, you may delete your account.

15. Contact Us

If you have questions about this Privacy Policy or about how we handle your data, please reach out:

Email: support@dynaimicpt.com
Operator: Burak Ozaslan
Address: Zümrütevler Mahallesi, Maltepe / Istanbul 34852, Türkiye

16. KVKK Aydınlatma Metni

6698 Sayılı Kişisel Verilerin Korunması Kanunu kapsamında, kişisel verileriniz; Burak Özaslan (veri sorumlusu) tarafından dynaimic uygulamasını sunmak amacıyla, hizmet sözleşmesinin ifası ve açık rızanız temelinde işlenmektedir. KVKK'nın 11. maddesi uyarınca; kişisel verilerinizin işlenip işlenmediğini öğrenme, işleme amacı ve buna uygun kullanılıp kullanılmadığını öğrenme, yurt içinde veya yurt dışında aktarıldığı üçüncü kişileri bilme, eksik veya yanlış işlenmiş olması hâlinde düzeltilmesini isteme, silinmesini veya yok edilmesini isteme, işlenen verilerin münhasıran otomatik sistemler vasıtasıyla analiz edilmesi suretiyle aleyhinize bir sonucun ortaya çıkmasına itiraz etme ve kanuna aykırı işleme nedeniyle zarara uğramanız hâlinde tazminat talep etme haklarına sahipsiniz. Taleplerinizi support@dynaimicpt.com adresine yazılı olarak iletebilirsiniz.