RehaboAI

Privacy Policy

Last updated: April 24, 2026

RehaboAI is committed to protecting your personal data. This policy is prepared in accordance with GDPR, Turkey's Law on the Protection of Personal Data (KVKK No. 6698), and Apple/Google platform requirements.

1. Data Controller

Data Controller: RehaboAI
Tax ID: 6530527913
Contact: support@rehaboai.com
Address: Toros Mh. 801.Sk. No.4/4 Konyaaltı/Antalya, Turkey

2. Data We Collect

Category	Data	Purpose
Identity	Name, date of birth	Account creation, personalization
Contact	Email address	Account management, notifications
Health Information	Height, weight, medical history, pain scores	Personalized rehabilitation program creation
Camera Data	Live camera feed (posture/movement analysis)	AI-powered form analysis — processed on-device only, never uploaded
Health Platform Data	Steps, sleep, heart rate (Apple HealthKit / Android Health Connect)	Tracking rehabilitation progress
Usage Data	Exercise progress, in-app statistics	Service improvement, progress tracking
Advertising ID	IDFA / GAID (subject to user consent)	Personalized ads via Google AdMob (free tier only)
Payment	Subscription status (payment details processed by Apple/Google & RevenueCat)	Subscription management

2.1 Sensitive Health Data

⚕️ Special Category: Medical history, pain scores, exercise performance data, and health platform data are classified as sensitive personal data. This data is processed only with your explicit consent.

Apple HealthKit: HealthKit data is read only on your device. It is never shared with third parties or uploaded to our servers
Android Health Connect: Health Connect data is accessed only within the permissions you explicitly grant
Revocation: You may withdraw consent and revoke health platform permissions at any time in your device settings

2.2 Camera Data

Camera data is processed entirely on-device using MediaPipe technology
Video frames are never uploaded to our servers and are not stored on your device
Only analysis results (angle measurements, posture scores) may be saved
Camera access is entirely optional

2.3 Advertising & Tracking (AdMob / ATT)

Free-tier users see ads served by Google AdMob
iOS: We request your consent under Apple's App Tracking Transparency (ATT) framework before showing personalized ads. If you decline, only contextual (non-personalized) ads are shown
Android: Google's consent management platform is applied for advertising
Premium subscribers see no advertisements

3. How We Use Your Data

Generate personalized exercise and rehabilitation programs
Provide accurate AI-guided coaching and feedback
Track and display your rehabilitation progress
Manage subscriptions and in-app purchases
Improve app features and user experience
Comply with legal obligations

4. Data Sharing

Your personal data is never sold or shared for commercial purposes.

Service Provider	Purpose	Privacy Policy
Supabase (AWS)	Database & authentication	supabase.com/privacy
Google Gemini AI	AI assistant (via Edge Function proxy)	policies.google.com/privacy
Google AdMob	Ad serving (free tier)	policies.google.com/privacy
RevenueCat	Subscription management	revenuecat.com/privacy
100ms (Video)	Physiotherapist video consultations	100ms.live/privacy-policy
Sentry	Crash reporting & performance	sentry.io/privacy
Mixpanel	Anonymous usage analytics	mixpanel.com/privacy-policy

5. Data Security

TLS/SSL encryption for all data in transit
Passwords hashed with bcrypt
Supabase Row Level Security (RLS) for access control
Regular security audits

6. Your Rights

Under GDPR and KVKK, you have the right to:

Know whether your personal data is being processed
Request access to your personal data
Request correction of inaccurate data
Request deletion of your data ("right to be forgotten")
Object to processing based on legitimate interests
Data portability
Withdraw consent at any time without affecting prior processing

7. International Data Transfers

Your data may be processed on servers of our service providers (Supabase on AWS, Google Cloud). All transfers are conducted under industry-standard security measures and data processing agreements.

8. Data Retention

Your data is retained while your account is active. Upon account deletion, all personal data is permanently deleted within 30 days. Request account deletion here.

9. Children's Privacy

Our service is not intended for users under 18. Users under 18 must register with parental or guardian consent.

10. Policy Changes

We reserve the right to update this policy. For material changes, we will notify users via email or in-app notification.

11. Contact

Email: support@rehaboai.com
Subject: "Privacy Request"

Data Protection Officer (DPO)

Email: dpo@rehaboai.com
Subject: "DPO — Data Protection Request"