PRIVACY POLICY

Last updated: March 8, 2026

1. Data Controller

Hamza Sivrikaya — Megin ("Megin", "we", "us") is the data controller responsible for your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use the Megin platform (www.megin.ai).

This policy is prepared in accordance with Turkish Law No. 6698 on the Protection of Personal Data (KVKK), the EU General Data Protection Regulation (GDPR) where applicable, and Turkish Law No. 6563 on Electronic Commerce.

Email: info@megin.ai

Website: www.megin.ai

Address: Muratpaşa, Antalya, Turkey

2. Information We Collect

We collect the following categories of information:

  • Identity & contact information: Full name, email address, phone number, date of birth, gender.
  • Financial information: Payment method details (last 4 digits of card, bank name), billing information, subscription plan and history. Full card details are never stored by Megin — they are processed by PayTR under PCI DSS standards.
  • Health & fitness data (requires explicit consent): Height, weight, body measurements, body fat percentage, medical history (surgeries, chronic conditions, injuries), progress photos, nutrition logs and photos, workout performance data, personal goals, weekly progress reports.
  • Usage & technical data: IP address, browser type and version, operating system, device information, session duration, pages visited, click data, access timestamps, cookie data, push notification subscription details.
  • User-generated content: Blog posts (by trainers), client notes, nutrition diary entries.

3. How We Use Your Information

We use your information for the following purposes:

  • Creating and managing your account, authentication, and account security.
  • Providing platform services (client management, workout programming, nutrition tracking, measurement tracking, progress reporting).
  • Processing subscription payments and billing.
  • Creating personalized workout and nutrition programs.
  • Sending push notifications and in-app notifications.
  • Generating weekly progress reports.
  • Fulfilling legal obligations (tax, invoicing, KVKK, e-commerce regulations).
  • Measuring and improving platform performance.
  • Detecting and preventing fraud, abuse, and security incidents.
  • With your explicit consent: sending marketing communications and promotional notifications.
  • Statistical analysis (on anonymized data only).

We do not sell your personal data or your clients' data to third parties. Ever.

4. Legal Basis for Processing

  • Contract performance: Processing necessary to provide platform services and fulfill our subscription agreement.
  • Legal obligation: Tax regulations, e-commerce law requirements, data retention mandates.
  • Explicit consent: Health data processing, marketing communications, analytics cookies.
  • Legitimate interest: Platform security, fraud prevention, service improvement (where not overridden by your rights).

5. Data Sharing

We share your information only in these limited circumstances:

  • Payment processor (PayTR): Financial data is shared for payment processing. PayTR operates under PCI DSS standards.
  • Infrastructure providers: Supabase (database and authentication), Vercel (hosting). These providers process data under strict confidentiality agreements and appropriate safeguards.
  • Trainer-Client relationship: Due to the platform's structure, trainers can only view data belonging to their own clients (tenant isolation).
  • Legal requirements: When required by law, court order, or to protect the rights and safety of Megin, our users, or others.
  • Business transfers: If Megin is acquired or merges with another company, your information may be transferred as part of that transaction. We will notify you before that happens.

6. Data Retention

  • Identity & contact data: Duration of membership + 10 years after termination (tax law requirements).
  • Financial records: 10 years (tax law).
  • Health & fitness data: Duration of membership; deleted within 2 years after membership ends or when consent is withdrawn.
  • Progress photos & nutrition photos: Duration of membership; deleted within 30 days after account closure.
  • Technical & log data: 2 years.
  • Cookies: Session cookies expire when the browser closes; persistent cookies last up to 13 months.

After retention periods expire, data is securely destroyed through periodic deletion processes (every 6 months).

7. Data Security

We protect your data with the following technical and organizational measures:

  • SSL/TLS encryption (all data transmission over HTTPS).
  • Database-level Row Level Security (RLS) — each trainer can only access their own data.
  • Passwords hashed with bcrypt.
  • CSRF, XSS, and SQL injection protections.
  • Content Security Policy (CSP) headers, HSTS.
  • Timing-safe API authentication.
  • Regular security updates and dependency audits.
  • Access control matrix (admin, trainer, client roles).
  • Data breach response procedures.

8. Cookies

  • Essential cookies: Required for platform operation (session management, authentication, CSRF protection, language preference). Cannot be disabled.
  • Functional cookies: Remember your preferences (language, theme, notification settings).
  • Analytics cookies: Anonymously analyze visitor behavior. Only activated with your explicit consent.
  • Marketing cookies: Used for targeted advertising. Only activated with your explicit consent.

9. Your Rights

You have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request that we correct inaccurate or incomplete data.
  • Deletion: Request that we delete your personal data.
  • Portability: Request your data in a machine-readable format.
  • Objection: Object to certain processing of your data, including direct marketing.
  • Withdraw consent: Withdraw previously given consent at any time.
  • Complaint: Lodge a complaint with the relevant data protection authority.

To exercise any of these rights, email us at info@megin.ai with "Privacy Request" in the subject line. We will respond within 30 days.

10. Data Breach Notification

In the event of a personal data breach, we will notify the relevant data protection authority within 72 hours of discovery. If the breach is likely to adversely affect you, we will notify you as soon as possible.

11. Children's Data

The platform processes data of individuals under 18 only with parental/guardian consent and authorization, through the "linked member" (parent-child) system. Parents manage their children's data through their own accounts.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Significant changes (data processing purposes, transfer policy changes) will be communicated to registered users via email and/or in-app notification. Continued use of the platform after changes constitutes acceptance of the updated policy.

13. Contact

Email: info@megin.ai

Website: www.megin.ai