Privacy Policy
Last updated: 23 May 2026
1. Controller
The data controller is Mindie (Türkiye), operator of FindMyPT. Contact: [email protected].
2. What we collect
- Account data: email, hashed password, display name, role (trainer/studio/client). For trainers also: slug, bio, certifications, packages, location.
- Profile media: profile photos, transformation photos, video URLs you submit.
- Usage data: pages visited, classes booked, leads submitted. Used to show analytics and improve the product.
- Cookies: a session cookie for login + a preferences cookie. No third-party advertising cookies.
- Server logs: IP address + user agent for security and rate limiting, retained ≤ 30 days.
3. Why we collect it
- To provide the service (your profile, leads, bookings).
- To send transactional emails (booking confirmation, password reset, etc.).
- To protect the platform from abuse (spam, scraping, fraud).
- To improve product quality through aggregated analytics. We do not sell your data, ever.
4. Legal basis (GDPR & KVKK)
- Contract: account creation and platform use.
- Legitimate interest: abuse prevention, basic analytics.
- Consent: cookies beyond strictly-necessary, marketing emails.
- Legal obligation: invoices, tax records.
5. Sharing
We share data with operational sub-processors strictly to deliver the service:
- Cloudflare R2 (file storage)
- Larksuite SMTP (transactional email)
- Polar.sh (payment processing — only billing-relevant fields)
- OpenRouter (AI assistants — only the text you submit, not stored by us long-term)
- Sentry / Plausible / PostHog (if enabled — anonymized telemetry)
We never share data with advertisers.
6. Retention
Account data persists until you delete your account. Audit logs are kept up to 30 days. Backups expire on a 30-day rolling window.
7. Your rights
Under GDPR/KVKK you can: request access, request correction, request deletion, object to processing, request portability, and lodge a complaint with your local authority. Email [email protected] for any of these.
8. International transfers
Our infrastructure is hosted in the EU. Some sub-processors (e.g. OpenRouter, R2) may process data outside the EU under appropriate safeguards.
9. Security
Passwords are hashed with argon2id. Data in transit is protected with TLS. Access to production data is limited to the operator. We notify affected users within 72 hours of a confirmed personal-data breach.
10. Changes
Material changes will be announced by email. The “Last updated” date above always reflects the current version.