Privacy Policy
Last updated: 17 May 2026
Athleap ("Athleap," "we," "us," or "our") is operated by Cankan Celik, an individual sole proprietor based in Türkiye. This Privacy Policy explains what data we collect when you use the Athleap mobile application (the "App") or this website, how we use it, who we share it with, and the rights you have over your data.
If you have any questions, email us at info@athleap.app.
1. Who is the data controller
The data controller for personal data collected through Athleap is the operator named above, contactable at info@athleap.app.
Athleap is operated from Türkiye. Your personal data is processed under Turkish data protection law (the Personal Data Protection Law No. 6698 / KVKK), and, where applicable, the EU General Data Protection Regulation (GDPR) for users in the European Economic Area.
2. What data we collect
We collect only what we need to deliver the app's training, coaching, and tracking features.
Account & identity: email address (required for sign-in), display name (optional), and the OAuth identifier returned by Google or Apple if you sign in with one of them (an immutable per-account ID, plus your email and, for Google, your name).
Profile and body data (optional): height, weight, age, gender, estimated body fat percentage, unit preference (kg or lbs).
Training background: years of lifting experience, training style, primary goal; injury history (body regions, severity, notes, residual limitations, contraindicated movements); sport context (main sport, level, season, equipment access).
Training programs and performance: programs you build or that Otto generates (exercises, sets, reps, prescribed loads, rest periods), workout logs (actual weights, reps, timestamps), one-rep-max estimates.
Check-ins: daily entries for the wellness fields you choose to track. The default set includes bodyweight, protein, sleep duration, steps, mood, energy, and soreness.
AI coaching: during the beta, your conversations with Otto (the in-app AI coach) are stored on your device only — not on our servers. We log aggregate AI usage metadata (number of generations, success/error status) for reliability, but we do not log conversation content. If we change this in a future version, we will update this policy and notify you.
Device and technical data: platform, app version, and OS version are collected by the app stores' standard reporting, not by us. We do not embed analytics or telemetry SDKs (no Sentry, PostHog, Mixpanel, Google Analytics, Firebase Analytics, or similar) in the app.
3. How we use your data
- Deliver the app's core features (programs, workouts, check-ins, AI coaching).
- Personalize Otto's output (e.g., avoiding exercises you flagged as contraindicated).
- Authenticate you and keep your sessions secure.
- Communicate with you about service updates and support requests you initiate.
- Comply with legal obligations.
We do not sell your personal data, share it with advertisers, or use it to train third-party AI models without your knowledge.
4. Who we share your data with
| Processor | Purpose | What we share | Location |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, edge functions | All app data | United States |
| Anthropic, PBC | Powers Otto (Claude Sonnet model family) | Profile snapshot, conversation messages, program structure | United States |
| Google LLC (Gemini) | Structures AI responses into JSON | Same as above (program content only) | United States |
| Apple Inc. / Google LLC (OAuth) | Sign in with Apple / Google | Email, OAuth identifier, name (Google only) | Per provider |
| FAL (fal.ai) | AI API routing | Same payload as Anthropic | United States |
We do not share your training data, check-ins, or profile information with anyone outside this list.
5. International data transfers
Our database is hosted in the United States. AI processing happens in the United States. If you are in the European Economic Area, the United Kingdom, or another region with data export restrictions, your data is transferred to the United States on the basis of (a) the Standard Contractual Clauses our processors provide, and (b) your explicit consent at signup.
6. How long we keep your data
We keep your account data for as long as your account is active. When you delete your account (Section 8), all your data is removed from our database within 30 days. Some technical logs may persist in Supabase's standard log retention (typically 7 days) and are not under our direct control.
7. Your rights
Under KVKK, GDPR, and similar laws, you have the right to access, correct, delete, and export the personal data we hold about you, to object to or restrict its processing, and to withdraw your consent. You also have the right to lodge a complaint with a supervisory authority (in Türkiye: KVKK; in the EU: your national data protection authority).
To exercise any of these rights, email info@athleap.app. We respond within 30 days.
8. Deleting your account
You can delete your account at any time from inside the app: Settings → Danger zone → Delete account (type "DELETE" to confirm).
Deletion is a hard delete. Your authentication record is removed from Supabase Auth, and every related row in our database (profile, programs, workout logs, check-ins, AI usage logs, injury notes) is deleted by cascade through foreign-key constraints. No anonymized historical records or backups are retained.
You can also email info@athleap.app and we'll delete your account within 30 days.
9. Minimum age
Athleap is intended for users aged 16 and over. We do not knowingly collect personal data from anyone under 16. If you are a parent or guardian and believe your child has provided personal data to Athleap, please contact info@athleap.app and we will delete the account and associated data.
10. Security
We use Supabase's managed Postgres, which provides encryption at rest and in transit (TLS 1.2+). Database access is restricted by Row-Level Security — every user can read and write only their own data, enforced by the database itself. Passwords are hashed by Supabase Auth; we do not store them.
If we become aware of a breach affecting your data, we will notify you within 72 hours, as required by GDPR and KVKK.
11. Cookies on this website
This website uses only strictly necessary cookies (preferences, anti-CSRF tokens). We do not use third-party analytics cookies, advertising trackers, or fingerprinting.
12. Changes to this policy
We will update the "Last updated" date and notify active users via in-app message or email at least 14 days before material changes take effect.
13. Contact
Cankan Celik · Operator of Athleap · info@athleap.app
For KVKK-specific requests, please reference "KVKK Data Subject Request" in your subject line.
