Privacy Policy

Last updated: March 31, 2026

1. Introduction

Naksu ("we," "us," or "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, store, share, and protect information when you use the Naksu platform, including our website at naksu.app, progressive web application, and all related services (collectively, the "Platform").

This Privacy Policy applies to all Users of the Platform, including fitness coaches ("Coaches"), their clients ("Clients"), and visitors. It should be read in conjunction with our Terms of Service and Cookie Policy.

We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Bulgarian Personal Data Protection Act, and other applicable data protection laws.

2. Data Controller

The data controller responsible for your personal data is:

Naksu

Email: [email protected]

Data Protection Officer: [email protected]

For any questions about how we handle your personal data or to exercise your rights, please contact our Data Protection Officer at the address above.

3. Information We Collect

3.1 Information You Provide Directly

  • Account information: Name, email address, password (hashed), and role selection (Coach or Client) when you register.
  • Profile information (Coaches): Display name, biography, specialty tags, social media links, profile photo, and professional qualifications.
  • Service and product listings: Descriptions, pricing, images, and availability schedules created by Coaches.
  • Booking information: Session dates, times, service type, and any notes provided at the time of booking.
  • Health and fitness data (Clients): Information you voluntarily share with your Coach, such as fitness goals, dietary preferences, allergies, body measurements, progress logs, and health conditions. This may constitute special category data under the GDPR (see Section 6).
  • Meal plan and workout data: Nutritional information, macro targets, food preferences, exercise routines, and performance data.
  • Messages: Content of messages exchanged between Coaches and Clients through the Platform's messaging system.
  • Payment information: Payment details are processed by Stripe and are not stored on our servers. We receive transaction confirmations, amounts, and partial card details (last four digits) for record-keeping.
  • Support communications: Emails, messages, and other correspondence you send to us.

3.2 Information Collected Automatically

  • Device information: Browser type and version, operating system, device type, and screen resolution.
  • Usage data: Pages visited, features used, time spent on pages, click patterns, and navigation paths.
  • Log data: IP address, access times, referring URLs, and error logs.
  • Cookies and similar technologies: As described in our Cookie Policy.
  • Location data: Approximate geographic location derived from your IP address (used for timezone detection and analytics).

3.3 Information from Third Parties

  • Google OAuth: If you sign in with Google, we receive your name, email address, and profile picture from Google. We do not receive your Google password.
  • Stripe: Transaction status, payout information, and account verification status for Coaches using Stripe Connect.
  • Edamam: Nutritional data for food items used in meal plan creation. This data relates to food products, not personal data.

4. How We Use Your Information

We use your personal data for the following purposes and legal bases:

Purpose                                                          | Legal Basis (GDPR Art. 6)
-----------------------------------------------------------------|----------------------------------
Providing and operating the Platform                             | Performance of contract
Creating and managing your account                               | Performance of contract
Processing bookings and connecting Coaches with Clients          | Performance of contract
Processing payments via Stripe                                   | Performance of contract
Generating and delivering meal plans and workout programs        | Performance of contract
Facilitating Coach–Client messaging                              | Performance of contract
Sending transactional emails (booking confirmations, receipts)   | Performance of contract
Providing analytics and business metrics to Coaches              | Performance of contract
Improving the Platform and developing new features               | Legitimate interest
Detecting and preventing fraud, abuse, and security incidents    | Legitimate interest
Sending marketing communications                                 | Consent (opt-in)
Complying with legal obligations (tax, anti-fraud)               | Legal obligation
Processing health and fitness data shared by Clients             | Explicit consent (Art. 9(2)(a))

5. Data Sharing and Disclosure

We do not sell your personal data. We share your information only in the following circumstances:

5.1 Between Coaches and Clients

When a Client books a service or is added to a Coach's client list, relevant information is shared between the Coach and Client to facilitate the coaching relationship. This includes names, email addresses, booking details, and any health/fitness information voluntarily provided.

5.2 Service Providers

We share data with trusted third-party service providers who process data on our behalf:

  • Stripe — payment processing and financial account management. Stripe acts as an independent data controller for certain payment data. Stripe's Privacy Policy.
  • Cloud hosting providers — infrastructure for data storage and application hosting within the European Economic Area (EEA).
  • Email service providers — for sending transactional and marketing emails.
  • Analytics services — for understanding Platform usage patterns and performance.

All service providers are contractually bound by Data Processing Agreements (DPAs) to process your data only as instructed by us and to implement appropriate security measures.

5.3 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.

5.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the successor entity. We will notify you of any such change and any choices you may have regarding your information.

6. Special Category Data (Health Data)

The Platform may process health-related data that constitutes "special category data" under Article 9 of the GDPR. This includes:

  • Health conditions, injuries, and medical information shared with Coaches.
  • Dietary restrictions related to medical conditions (e.g., diabetes, celiac disease).
  • Body measurements and physical fitness assessments.
  • Progress tracking data related to health and wellness goals.

We process this data based on your explicit consent (GDPR Art. 9(2)(a)), which you provide when you voluntarily share health information with your Coach through the Platform. You may withdraw this consent at any time (see Section 9), though this may limit the services your Coach can provide.

Important: Coaches who receive health data from Clients may also be independent data controllers for that data. Coaches are responsible for complying with data protection laws in relation to the Client health data they receive and process.

7. Data Storage and Security

7.1 Where We Store Your Data

Your personal data is stored on secure servers within the European Economic Area (EEA). In cases where data is transferred outside the EEA (e.g., to Stripe's US-based infrastructure), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

7.2 Security Measures

We implement industry-standard technical and organizational measures to protect your personal data, including:

  • TLS encryption for all data in transit.
  • Encryption at rest for sensitive data stored in databases.
  • Bcrypt hashing for passwords — we never store passwords in plain text.
  • Role-based access controls limiting employee access to personal data.
  • Regular security audits and vulnerability assessments.
  • Automated backups with encrypted storage.
  • CSRF protection, rate limiting, and other application-level security measures.

While we take reasonable precautions to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but will notify you and relevant authorities of any data breach in accordance with GDPR requirements (within 72 hours of becoming aware).

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Data Type                          | Retention Period
-----------------------------------|-----------------------------------------------------------------
Account data                       | Duration of active account + 30 days after deletion request
Booking records                    | 7 years (tax and legal compliance)
Payment/transaction records        | 7 years (tax and legal compliance)
Messages between Users             | Duration of active accounts of both parties + 90 days
Health and fitness data            | Until consent is withdrawn or account is deleted
Meal plans and workout programs    | Duration of active account + 30 days
Server logs                        | 90 days
Analytics data (aggregated)        | Indefinitely (non-personally identifiable)
Marketing consent records          | Duration of consent + 3 years

When data is no longer needed, we securely delete or anonymize it. Anonymized data that can no longer identify you may be retained indefinitely for statistical analysis and Platform improvement.

9. Your Rights Under the GDPR

As a data subject under the GDPR, you have the following rights regarding your personal data:

  • Right of Access (Art. 15) — You have the right to request a copy of the personal data we hold about you, along with information about how it is being processed.
  • Right to Rectification (Art. 16) — You can request correction of inaccurate or incomplete personal data. You can also update most information directly through your account settings.
  • Right to Erasure / "Right to Be Forgotten" (Art. 17) — You can request deletion of your personal data when it is no longer necessary for the purposes it was collected, you withdraw consent, or the data has been unlawfully processed. Certain data may be retained where we have a legal obligation to do so.
  • Right to Restrict Processing (Art. 18) — You can request that we limit how we process your data in certain circumstances, such as when you contest the accuracy of your data or when processing is unlawful but you oppose erasure.
  • Right to Data Portability (Art. 20) — You can request to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV), and to have it transmitted to another controller where technically feasible.
  • Right to Object (Art. 21) — You can object to processing of your personal data based on legitimate interest, including profiling. You can also object to processing for direct marketing purposes at any time.
  • Right to Withdraw Consent (Art. 7(3)) — Where processing is based on your consent (e.g., marketing communications, health data processing), you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
  • Right Not to Be Subject to Automated Decision-Making (Art. 22) — You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. We do not currently make such decisions.

How to Exercise Your Rights

To exercise any of these rights, please contact us at [email protected]. We will verify your identity and respond to your request within 30 days. In complex cases, we may extend this period by an additional 60 days, and will inform you of any extension within the initial 30-day period.

Exercising your rights is free of charge. However, we may charge a reasonable fee for manifestly unfounded or excessive requests, particularly if they are repetitive.

10. Coaches as Data Controllers

When Coaches collect and process Client personal data through the Platform (including health data, progress tracking, and personal communications), they act as independent data controllers for that data. This means:

  • Coaches are independently responsible for ensuring their processing of Client data complies with applicable data protection laws.
  • Coaches must have a lawful basis for processing Client personal data.
  • Coaches should inform their Clients about how they use their personal data.
  • Coaches must respond to Client data rights requests that relate to data the Coach controls.

Naksu provides the technical infrastructure for data processing. Where Naksu processes personal data on behalf of Coaches, we act as a data processor and process data only in accordance with the Coach's instructions and applicable law.

11. International Data Transfers

Your personal data is primarily stored and processed within the EEA. However, some of our third-party service providers may process data outside the EEA. When this occurs, we ensure that appropriate safeguards are in place:

  • Adequacy decisions: Transfers to countries recognized by the European Commission as providing adequate data protection.
  • Standard Contractual Clauses (SCCs): EU-approved contractual clauses that require the recipient to protect your data to EEA standards.
  • EU-US Data Privacy Framework: For US-based providers that have certified under the framework.

You can request a copy of the relevant transfer safeguards by contacting [email protected].

12. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve the Platform. For detailed information about the types of cookies we use, their purposes, and how to manage your cookie preferences, please see our Cookie Policy. You can manage your cookie preferences at any time through the cookie consent banner or your browser settings.

13. Children's Privacy

The Platform is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 18, we will take steps to delete that information as soon as possible. If you believe that a child has provided us with personal data, please contact us immediately at [email protected].

14. Marketing Communications

We may send you marketing communications about new features, tips for growing your coaching business, and Platform updates. We will only send marketing communications where:

  • You have given your explicit opt-in consent, or
  • You are an existing customer and we are marketing similar services (soft opt-in), in compliance with the ePrivacy Directive.

Every marketing email includes an unsubscribe link. You can also manage your email preferences in your account settings. Opting out of marketing communications does not affect transactional emails (booking confirmations, payment receipts, security alerts) that are necessary for Platform operation.

15. Third-Party Links

The Platform may contain links to third-party websites, services, or Coach social media profiles. We are not responsible for the privacy practices or content of these third-party sites. We encourage you to read the privacy policies of any third-party sites you visit. This Privacy Policy applies solely to information collected through the Naksu Platform.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. If we make material changes, we will notify you by email and/or by posting a prominent notice on the Platform at least 30 days before the changes take effect. We encourage you to review this Privacy Policy periodically. The "Last updated" date at the top of this page indicates when the Privacy Policy was last revised.

17. Right to Lodge a Complaint

If you believe that we have violated your data protection rights, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:

Commission for Personal Data Protection (CPDP)

Republic of Bulgaria

2, Prof. Tsvetan Lazarov Blvd., Sofia 1592

Website: www.cpdp.bg

Email: [email protected]

If you are located in another EU/EEA member state, you may also lodge a complaint with your local data protection authority. We would, however, appreciate the opportunity to address your concerns before you approach a supervisory authority — please contact us first at [email protected].

18. Contact Information

For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at the Data Controller and Data Protection Officer addresses listed in Section 2.

We aim to respond to all privacy-related inquiries within 5 business days.

See also our Terms of Service and Cookie Policy.
