Privacy Policy

Last updated: 2026-03-29 | Version: 1.0

1. Data Controller

This Privacy Policy explains how the personal data you provide through the Rushly mobile application ("App") is collected, processed, stored, and protected.

Protecting your personal data is among our highest priorities. We act in compliance with all obligations under the Turkish Personal Data Protection Law (KVKK) No. 6698 and the European Union General Data Protection Regulation (GDPR).

You can contact us, the data controller, through the following channels:
Email: support@rushly.com.tr

2. Personal Data Collected

The following categories of personal data are collected during your use of the App:

a) Data Collected Directly From You:
- Identity and account information: Email address, password (stored hashed with bcrypt, never saved as plain text), profile photo or avatar
- Physical and demographic information: Height, weight, date of birth, gender, activity level, fitness goal, goal weight
- Body measurements: Waist, neck, and hip circumference, body fat percentage, muscle mass, water percentage
- Workout data: Workout plans, session records (difficulty, energy, pain ratings), personal records (weight, reps, estimated 1RM), exercise history
- Nutrition data: Nutrition plans, food logs (meal type, calories, macro and micronutrient values), food photos (in base64 format)
- Progress photos: Photos taken from front, side, and back angles, associated weight and body fat data, notes

b) Data Collected Automatically:
- Health integration data: Step count, active calories, heart rate, sleep data, VO2Max, heart rate variability (HRV), oxygen saturation (SpO2), body fat percentage, and weight information read with your explicit permission from Apple HealthKit or Android Health Connect
- GPS location data: Route recording during activities such as running, cycling, and walking (latitude, longitude, altitude, speed, timestamp)
- Device and technical information: Device type, operating system version, app version, push notification tokens
- Usage statistics: Feature usage counts and timestamps, error reports (collected anonymously via Sentry)

c) Data Collected From Third Parties:
- Apple/Google account information: Apple ID or Google account identifier and verified email address when you use social login
- Subscription data: Subscription status and purchase verification information via RevenueCat
- Barcode food data: Product nutritional values and micronutrient information from the Open Food Facts database

3. Purposes and Legal Bases of Data Processing

Your collected personal data is processed for the following purposes and legal bases:

- Creating personalized workout and nutrition programs: Performance of contract (KVKK Art.5/2-c, GDPR Art.6/1-b)
- Providing AI-powered coaching and recommendations: Legitimate interest and explicit consent (KVKK Art.5/2-f + Art.5/1, GDPR Art.6/1-f + Art.6/1-a)
- Progress tracking, analysis reports, and goal forecasting: Performance of contract (KVKK Art.5/2-c, GDPR Art.6/1-b)
- Improving app performance and error detection: Legitimate interest (KVKK Art.5/2-f, GDPR Art.6/1-f)
- Fulfilling legal obligations: Legal requirement (KVKK Art.5/2-ç, GDPR Art.6/1-c)
- Sending notifications and communication: Legitimate interest (KVKK Art.5/2-f, GDPR Art.6/1-f)

4. Processing of Health and Sensitive Data

Body measurements, health integration data (HealthKit/Health Connect), sleep and muscle soreness records, and progress photos are considered special categories of personal data under KVKK and sensitive data under GDPR.

This data is processed solely with your explicit consent (KVKK Art.6/2, GDPR Art.9/2-a). Your health and sensitive data is used exclusively for the purpose of providing services to you.

This data is not shared with any third party other than the service providers specified in this Privacy Policy (Google Gemini, Neon database, Sentry) and is never used for advertising purposes.

You may withdraw your consent to the processing of health data at any time through the App settings or by contacting support@rushly.com.tr. Withdrawal of consent does not affect the lawfulness of data processing activities carried out prior to the withdrawal.

5. AI and Data Processing

Our App uses the Google Gemini AI model to provide personalized recommendations.

Within AI processing, your profile information, body measurements, workout history, nutrition data, activity records, and AI memories may be used. You can fully control which data categories are shared with AI through the "AI Data Sharing Preferences" section in the App settings. Data in disabled categories is not sent to the AI.

The AI uses your data solely to generate real-time responses. Your data is not permanently stored by the AI model, is not used for model training, and is not included in aggregate data pools. Each request is processed independently.

Google Gemini's own privacy policy and data processing terms also apply. For detailed information, you may refer to Google's privacy policy.

6. Data Sharing and Third Parties

Your personal data is never sold under any circumstances and is never shared with third parties for advertising purposes.

We work with the following trusted third-party service providers to deliver our services:

- Neon (Database): Secure PostgreSQL database hosting for your data
- Railway (Server Infrastructure): Backend application server hosting
- RevenueCat (Subscription Management): Verification and management of subscription purchases through the App Store
- Sentry (Error Tracking): App error detection and performance monitoring; anonymous error reports are collected
- Google Gemini (AI): Workout/nutrition plan creation, food photo analysis, and AI coaching chat

These service providers process your data solely for the stated purposes and within the framework of their confidentiality obligations.

In case of legal obligation or upon request by authorized authorities, your data may be shared with the relevant institutions.

7. Data Security

We implement the following industry-standard technical and administrative measures to secure your data:

- Encryption: Your data is protected with AES-256 level encryption
- Password protection: Passwords are hashed using the bcrypt algorithm (12 rounds) and never stored as plain text
- Token security: Password reset tokens are hashed with SHA-256 and verified using timing-safe comparison
- Communication security: All data transmission is encrypted over the HTTPS/TLS protocol
- Webhook security: Third-party webhooks are protected with HMAC-SHA256 signing and timing-safe verification
- Request security: Requests are signed with a keyed SHA-256 hash over a nonce and timestamp; a 5-minute clock skew tolerance is applied and nonce replay is prevented (Redis/in-memory)
- Server security: HTTP security headers (HSTS, CSP) via Helmet.js, CORS protection, and multi-layered rate limiting are implemented
- Secure storage: Authentication tokens are stored in Secure Store on your device
- Regular audits: Periodic assessments for security vulnerabilities are conducted

8. Data Retention Periods

Your personal data is retained according to the following periods:

- Active account data: Retained as long as your account is active
- After account deletion: All personal data is permanently deleted within 30 days after you delete your account. During this period, you have the right to recover your account within the first 7 days
- Deleted email records: To prevent free trial abuse, email addresses of deleted accounts are retained indefinitely (in hashed form only)
- Backup data: Database backups are retained for 90 days and then permanently deleted
- Legal obligations: When required by tax, accounting, or other legal requirements, relevant data may be retained for the legally mandated retention period

9. Data Export

Premium users can export their personal data in CSV or JSON format. Exportable data includes:

- Workout history and session records
- Body measurements and progress data
- Nutrition records and food logs
- All data (bulk export)

This feature is accessible from the settings section within the App. Your right to data portability is guaranteed under KVKK Art.11 and GDPR Art.20.

10. Your Rights (KVKK Art.11 / GDPR Art.15-22)

You have the following rights regarding your personal data:

- To learn whether your personal data is being processed
- To request information about the processing if it has been processed
- To learn the purpose of processing and whether it is used in accordance with its purpose
- To know the third parties to whom your personal data has been transferred domestically or abroad
- To request correction of incomplete or incorrectly processed personal data
- To request deletion or destruction of your personal data within the framework of KVKK Art.7
- To request data portability (GDPR Art.20)
- To object to a result that is unfavourable to you and arises solely from automated analysis of your processed data

To exercise these rights, you can send an email to support@rushly.com.tr or contact us through the in-app support section. Your requests will be resolved free of charge within 30 days at the latest.

11. Children's Privacy

Our App is rated 9+ according to App Store age ratings.

We do not knowingly collect personal data from children under 13 without parental or legal guardian consent. In compliance with COPPA (Children's Online Privacy Protection Act) and applicable local regulations, if we determine that a user under 13 has provided personal data without parental consent, we will promptly delete the relevant data.

Parental or guardian consent is recommended for users aged 13-17. Parents may contact support@rushly.com.tr for requests regarding their children's accounts and data.

12. International Data Transfer

Your data may be processed and stored in countries where our service providers' servers are located (including the US and Europe).

These international data transfers are carried out within the framework of security measures prescribed by KVKK and GDPR. Standard Contractual Clauses and additional technical security measures are applied to ensure adequate protection of your data.

Whether the countries to which data is transferred provide adequate protection is regularly assessed.

13. Notifications and Communication Preferences

The App may send the following types of push notifications:

- Workout day reminders
- Streak protection notifications
- Weekly summary notifications
- Motivational messages

You can individually enable or disable each of these notifications in the App settings. You can also customize your preferred workout time and days. Notification preferences apply only to push notifications; account security and legal notifications (password reset, terms changes, etc.) are sent regardless of preferences.

14. Policy Updates

This Privacy Policy may be updated from time to time. Each update is tracked with a version number and date.

Minor changes: For corrections that do not substantially alter the scope of service, in-app notifications will be sent. Your continued use of the App after notification constitutes acceptance of the updated policy.

Significant changes: For changes that substantially affect the scope of data processing, sharing conditions, or your rights, advance notice will be provided and explicit re-consent may be required.

The current version of the Privacy Policy is always accessible from the in-app settings section and at rushly.com.tr/legal/privacy.

15. Contact

For questions, suggestions, requests regarding the Privacy Policy, or to exercise your data protection rights, you can contact us through the following channels:

Email: support@rushly.com.tr
In-app support section

Your right to apply to the data controller is reserved. In the event that your application is rejected, found insufficient, or remains unanswered within 30 days, you have the right to file a complaint with the Personal Data Protection Board.