Privacy Policy & Data Protection

Last updated: March 11, 2026

At RehaboAI, we take the security of your personal data with the utmost seriousness. This policy has been prepared in accordance with the Turkish Personal Data Protection Law No. 6698 (KVKK), the EU General Data Protection Regulation (GDPR), and other applicable international data protection regulations.

1. Data Controller

Data Controller: RehaboAI
Tax ID: 6530527913
Contact: support@rehaboai.com
Address: Toros Mh. 801.Sk. No.4/4 Konyaaltı/Antalya, Turkey

2. Personal Data We Collect

Data Category	Data Collected	Purpose
Identity Information	Full name, date of birth	Account creation, personalization
Contact Information	Email address	Account management, notifications
Health Information	Height, weight, medical history (anamnesis), pain score	Creating personalized programs
Camera Data	Live camera feed (posture and movement analysis)	AI-powered form analysis — all data is processed on-device, never transmitted to servers
Usage Data	Exercise progress, app usage statistics	Service improvement, progress tracking
Payment Information	Subscription status (payment details are processed by Apple/Google and our secure payment infrastructure)	Subscription management

2.1 Sensitive Personal Data (Health Data)

⚕️ GDPR Article 9 / KVKK Article 6: Medical history (anamnesis), pain scores, and exercise performance data are classified as "special category personal data" (sensitive data). This data is processed only with your explicit consent and on the following legal bases:

Legal basis: GDPR Article 9(2)(a) (explicit consent) and KVKK Article 6/2 (processing health data with explicit consent)
Processing purpose: Creating personalized exercise programs and providing guidance through our AI assistant
Storage: Your health data is stored encrypted and is never shared with third parties
Right to withdraw: You can withdraw your consent at any time

2.2 Camera Data Usage

RehaboAI may use your device's camera for posture analysis and movement form evaluation. Important information about this feature:

Camera data is processed entirely on-device using MediaPipe technology
Image data is never transmitted to our servers and is not stored on your device
Only analysis results (angular measurements, posture scores) may be saved
Camera access is completely optional and can be disabled in app settings

3. Purposes of Data Processing

Creating personalized AI-powered exercise programs
Providing accurate guidance through our AI health assistant
Tracking user progress and generating reports
Managing subscription and payment transactions
Improving and enhancing our software application
Fulfilling legal obligations

4. Data Sharing

Your personal data is never shared or sold for commercial purposes to third parties. Data may only be shared in the following circumstances:

Service providers: Supabase (database), Google Gemini (AI assistant) — solely for service operation
Payment processors: Apple, Google and our secure payment infrastructure — solely for payment transactions
Legal requirement: By court order or legal regulation

5. Data Security

Your data is protected with industry-standard security measures:

TLS/SSL encryption for data transmission
Passwords hashed with bcrypt
Supabase Row Level Security (RLS) for data access control
Regular security audits

6. Cookies

Our website uses the following cookies:

Essential cookies: For session management and site functionality
Preference cookies: To remember your language and theme preferences
Analytics cookies: Anonymous site usage statistics

7. Your Rights Under GDPR

Under the GDPR and KVKK, you have the following rights:

Right to access your personal data
Right to rectification of inaccurate data
Right to erasure ("right to be forgotten")
Right to restriction of processing
Right to data portability
Right to object to automated decision-making
Right to withdraw consent at any time

8. International Data Transfer

Due to the nature of our service, your data may be processed on the servers of our service providers (Supabase — AWS, Google Cloud). These transfers are carried out under industry-standard security measures and data processing agreements.

9. Data Retention

Your personal data is retained as long as your account is active. Upon account deletion, all personal data is permanently deleted within 30 days.

10. Children's Privacy

Our service is not intended for individuals under 18 years of age. Users under 18 must register with parental or guardian consent.

11. Policy Changes

We reserve the right to update this privacy policy. When significant changes are made, we will notify users via email or in-app notification.

12. Contact & Requests

For data protection inquiries and requests:

Email: support@rehaboai.com
Subject: "Data Protection Request"

Data Protection Officer (DPO)

For all inquiries and requests regarding your personal data, you can contact our Data Protection Officer:

Email: dpo@rehaboai.com
Subject: "DPO — Data Protection Request"