Privacy Policy

Effective Date: May 11, 2026 Last Updated: May 11, 2026

1. Introduction

This Privacy Policy ("Policy") describes how FlowFit Gym ("we," "us," "our," or "FlowFit"), operating the FlowFit mobile application and related services (collectively, the "Service"), collects, uses, discloses, and protects your information when you use the Service.

By downloading, accessing, or using FlowFit, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, please do not use the Service.

We are committed to protecting your privacy and complying with applicable data-protection laws, including the General Data Protection Regulation (GDPR) of the European Union, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Personal Data Protection Law of Türkiye (KVKK No. 6698), and other applicable privacy regulations.

2. Information We Collect

2.1 Information You Provide Directly

Account Information: Email address, password (stored as a salted hash), display name, and authentication credentials.
Profile Information: Age, date of birth, gender, height, weight, profile photo, fitness level, training goals, and dietary preferences.
Training preferences & safety (optional): Intended training days per week, preferred workout split, equipment you have access to, muscle priorities, optional injury or limitation notes, body regions to treat carefully, optional daily readiness scores, and optional set difficulty ratings (RPE) after logged sets — used only to personalize workouts and AI coaching and are not medical diagnoses or treatment plans.
Health and Body Measurements: Body fat percentage, BMI, muscle mass, resting heart rate, and any voluntarily entered biometric data.
Workout Data: Exercise selections, sets, reps, weights, duration, completed sessions, personal records, and training history.
Communications: Information you provide when contacting our support team, including messages, attachments, and feedback.
AI Coach Inputs: Any text, questions, or context you submit to the AI Coach feature for personalized recommendations.

2.2 Information Collected Automatically

Device Information: Device model, operating system and version, unique device identifiers (IDFA on iOS, AAID on Android), language settings, time zone, and crash reports.
Usage Data: App screens viewed, features used, session duration, frequency of use, button taps, and navigation patterns.
Performance Data: App load times, errors, network requests, and diagnostic logs (anonymized where possible).
Approximate Location: General region derived from IP address (we do not collect precise GPS location unless you explicitly enable a feature that requires it).

2.3 Payment and Subscription Information

Payments are processed exclusively through Apple App Store (StoreKit) or Google Play Billing. We do not collect, store, or process your full payment-card details. We receive only a transaction identifier, subscription status, plan tier, renewal date, and currency from the platform.

2.4 Information from Third Parties

If you sign in via Google, Apple, or another OAuth provider, we receive basic profile information (name, email, profile picture) as authorized by you and the third-party provider.

3. How We Use Your Information

We use your information for the following purposes:

Purpose	Legal Basis (GDPR)
Provide and maintain the Service	Performance of contract
Personalize workouts and AI Coach	Performance of contract / Consent
Process subscriptions and billing	Performance of contract
Send service-related notifications	Performance of contract
Improve and optimize the Service	Legitimate interest
Prevent fraud and abuse	Legitimate interest
Comply with legal obligations	Legal obligation
Send marketing (opt-in only)	Consent
Conduct analytics	Legitimate interest / Consent

We do not use your personal data for automated decision-making that produces legal or similarly significant effects without your explicit consent.

4. Sharing and Disclosure

We do not sell your personal data. We share your information only in the following limited circumstances:

4.1 Service Providers (Sub-processors)

We engage trusted third-party providers under strict contractual confidentiality and data-protection obligations:

Firebase / Google Cloud Platform — backend database (Firestore), authentication, storage, and cloud functions (hosted on Google Cloud, region: europe-west1 / EU)
Amazon Web Services (AWS) — AI Coach orchestration (Lambda, region: eu-central-1 / Germany, EU)
Apple App Store / Google Play — subscription processing
AI Model Providers (e.g., Google Gemini, OpenAI, Anthropic) — for AI Coach responses (prompts may be transmitted; we do not allow these providers to train their models on your data where opt-out is available)
Push notification services — Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM)
Crash reporting and analytics (anonymized data only)

A current list of sub-processors is available upon request via support@flowfitgym.com.

4.2 Legal Requirements

We may disclose information if required by law, court order, or governmental authority, or to protect the rights, property, or safety of FlowFit, our users, or the public.

4.3 Business Transfers

If FlowFit is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. You will be notified in advance.

4.4 With Your Consent

For any sharing not described above, we will request your explicit consent.

5. Data Storage, Security, and Retention

5.1 Storage Location

Your data is stored on secure cloud infrastructure operated by Google Cloud Platform (Firebase) within the European Union (europe-west1, Belgium). AI Coach requests may be processed via AWS Lambda in eu-central-1 (Frankfurt, Germany) within the EU/EEA under our agreement with AWS. AI model providers (for example Google Gemini, OpenAI, or Anthropic) may process prompts outside the EU, including in the United States, where applicable under Standard Contractual Clauses. Some metadata may also be processed in the United States by sub-processors (subject to Standard Contractual Clauses).

5.2 Security Measures

We implement industry-standard administrative, technical, and physical safeguards, including:

Encryption in transit (TLS 1.2+) and at rest (AES-256)
Salted password hashing (bcrypt / argon2)
Role-based access control with least-privilege principles
Row-level security policies on all user data tables
Regular security audits and dependency monitoring
Two-factor authentication for administrative access

No system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

5.3 Data Retention and Deletion

We are required to tell you how long we store your user data and how you can delete it. We retain your personal data and health data only for as long as your account is active to provide the Service.

How to Delete Your Data: You have the right to delete your account and all associated data at any time. You can do this in two ways:

In-App: Go to Settings → Delete Account & Data within the FlowFit app and confirm deletion.
Via Email: Send an email to support@flowfitgym.com requesting data deletion.

What happens when you delete your data:

Profile, Health, and Identifiable data: Completely deleted from our active servers within 30 days.
Workout history (anonymized): May be retained for analytics in aggregated form (no longer linked to you).
Payment records: Retained for 10 years to comply with tax laws.
Backups: Encrypted backups are rotated and purged within 90 days.

6. Your Rights

Depending on your jurisdiction, you have the following rights:

6.1 GDPR Rights (EU/EEA/UK Residents)

Right of Access: Request a copy of your personal data.
Right to Rectification: Correct inaccurate or incomplete data.
Right to Erasure ("Right to be Forgotten"): Request deletion of your data.
Right to Restriction: Limit how we process your data.
Right to Data Portability: Receive your data in a structured, machine-readable format (JSON).
Right to Object: Object to processing based on legitimate interests.
Right to Withdraw Consent: Withdraw consent at any time without affecting prior lawful processing.
Right to Lodge a Complaint: File a complaint with your local data protection authority.

6.2 CCPA/CPRA Rights (California Residents)

Right to Know what personal information is collected, used, shared, or sold.
Right to Delete personal information held by us.
Right to Correct inaccurate personal information.
Right to Opt-Out of sale or sharing (we do not sell or share for cross-context advertising).
Right to Non-Discrimination for exercising your rights.
Right to Limit use of sensitive personal information.

6.3 KVKK Rights (Türkiye Residents)

Under Article 11 of KVKK No. 6698, you have the right to learn whether your personal data is processed, request information about processing, learn the purpose of processing, know third parties to whom data is transferred, request rectification or deletion, and seek compensation for damages arising from unlawful processing.

6.4 How to Exercise Your Rights

To exercise any of these rights, email support@flowfitgym.com with the subject line "Privacy Request." We will respond within 30 days. We may need to verify your identity before fulfilling certain requests.

You can also delete your account directly within the app: Settings → Delete Account & Data.

7. Children's Privacy

FlowFit is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at support@flowfitgym.com and we will promptly delete it.

In jurisdictions where the digital age of consent is higher (e.g., 18 in some regions), users below that age must obtain parental consent.

8. Health and Fitness Data — Special Provisions

8.1 Sensitive Data Notice

Body measurements, BMI, body fat percentage, heart rate, and similar health-related data may be considered sensitive personal data under GDPR (Article 9), CCPA, and KVKK. We process this data based on your explicit consent and use it solely to provide the personalized fitness features you request.

8.2 Health Disclaimer

FlowFit is not a medical device. The Service does not provide medical advice, diagnosis, or treatment. Always consult a qualified healthcare professional before beginning any exercise program, especially if you have underlying conditions.

8.3 Apple Health / Health Connect

If you choose to connect FlowFit with Apple Health (iOS) or Health Connect (Android), data flows are governed by the platform's privacy framework.

Data Accessed and Collected: We only access and collect categories you explicitly authorize — specifically steps, heart rate, active energy, blood oxygen (SpO₂), weight, workouts, and sleep-related intervals.

Usage of Health Data: This data is used solely to provide the personalized fitness features you request. Aggregates power in-app Health summaries, and a subset of rolling aggregates (e.g. steps, sleep duration, average heart rate) are included in AI Coach and daily insight prompts to personalize your workout recommendations.

Protection of Health Data: We do NOT sell your Health Data to third parties. We do NOT use your Health Data for advertising, marketing, or cross-context behavioral tracking. Your Health Data is retained only as long as your account is active and is deleted when you request account deletion. You can revoke access at any time through your device settings.

9. AI Coach — Automated Processing Disclosure

The AI Coach feature uses large language models to generate personalized recommendations. When you interact with the AI Coach:

Your prompts and selected profile context (e.g., goals, level) are transmitted to AI model providers.
Responses are generated server-side and returned to your device.
We do not allow AI providers to use your conversations to train their public models, where such opt-out is available.
AI-generated content may contain inaccuracies. Do not rely on it for medical, legal, or safety-critical decisions.

10. Cookies and Similar Technologies

The mobile app does not use traditional browser cookies. It may use:

Local storage and secure key-chain entries to maintain your session
Device identifiers (IDFA/AAID) for crash reporting and analytics, only with your permission (App Tracking Transparency on iOS 14.5+)

If you visit our website (https://flowfitgym.com/), please refer to the website's separate cookie notice.

11. International Data Transfers

If you access FlowFit from outside the European Union, your data may be transferred to, stored, and processed in countries other than your own. We ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, to protect your data during international transfers.

12. Third-Party Links and Integrations

FlowFit may contain links to third-party websites or services. This Policy does not apply to those third parties. We encourage you to review their privacy policies before providing any personal information.

13. Changes to This Policy

We may update this Policy from time to time. Material changes will be communicated via:

An in-app notification
An email to your registered address
A prominent notice on our website

The "Last Updated" date at the top of this Policy reflects the most recent revision. Continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

14. Data Protection Officer / Contact

For all privacy-related inquiries, requests, or complaints, please contact:

FlowFit Gym — FlowFit Privacy Team Email: support@flowfitgym.com Website: https://flowfitgym.com/ Address: İstanbul, Türkiye

You may also lodge a complaint with the Turkish Personal Data Protection Authority (KVKK) at https://www.kvkk.gov.tr or with your local supervisory authority within the European Union.

This Privacy Policy was prepared in accordance with App Store Review Guideline 5.1.1, Google Play Developer Program Policies, GDPR, CCPA/CPRA, and KVKK No. 6698.