GDPR Privacy Policy
For residents of the European Union and European Economic Area
Last updated: June 4, 2026
This privacy policy explains how DopaLive ("we", "us", "our") collects, uses, shares, and protects your personal data when you use our ADHD coaching platform, in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").
This policy applies to users residing in the EU/EEA. For users in Turkey, please also refer to our KVKK disclosure and Privacy Policy (Turkish).
1. Data Controller
Data Controller: Elgiz Henden
Brand Name: DopaLive
Email: privacy@dopa.live
Address: Altunizade Mah. Okul Sk. Akar Ap. No 13 İç Kapı No 8 Üsküdar, İstanbul
Website: https://www.dopa.live
EU Representative (Article 27): To be appointed prior to EU launch. Contact details will be published here.
2. Personal Data We Collect
2.1 General Personal Data
Account Data
Name, email address, phone number, profile photo (optional)
Usage Data
Session durations, page views, feature usage, click behavior
Device & Connection Data
IP address, browser type, device type, operating system
Payment Data
Subscription status, plan type, payment history, billing info. Credit card details are processed directly by iyzico and never stored on our servers.
2.2 Special Category Data (Article 9)
Important: As an ADHD coaching platform, we process the following special category data classified as health data under GDPR Article 9. This processing requires your explicit consent.
- ADHD Profile Data: Program onboarding assessment and support needs analysis
- Coaching and Tracking Data: Goals, follow-up notes, appointment information and program progress
- Video Session Metadata: Live one-to-one session date, duration, attendance and meeting link. Audio and video recordings are not stored.
3. Legal Basis for Processing
We process your personal data based on the following legal grounds (Article 6 & 9):
| Purpose | Legal Basis |
|---|---|
| Service delivery, account management | Contract performance (Art. 6(1)(b)) |
| Payment processing | Contract performance (Art. 6(1)(b)) |
| Health-related data processing (ADHD profile, coaching, follow-up) | Explicit consent (Art. 9(2)(a)) |
| Fraud prevention, security | Legitimate interest (Art. 6(1)(f)) |
| Analytics cookies, marketing | Consent (Art. 6(1)(a)) |
| Tax, accounting, legal obligations | Legal obligation (Art. 6(1)(c)) |
4. Program Data and Processing
DopaLive processes onboarding answers, goals, follow-up notes and usage data to provide a personalized program experience.
How It Works
Coaching sessions, follow-up notes and program progress data are used to deliver the service in a way that fits your needs.
Access Controls
Program data is accessible only to authorized people who need it to provide the service. Role-based access control is applied.
Data Minimization
We do not request data that is not needed for the service. You may withdraw consent for consent-based data at any time.
Your Requests
You may contact us about your program assessment and follow-up records atprivacy@dopa.live.
Not Medical Advice
DopaLive does not provide medical diagnosis, treatment or psychotherapy. For medical concerns, please consult a qualified healthcare professional.
5. International Data Transfers
Your personal data is transferred to the following third-party processors located outside the EU/EEA:
| Processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Kimlik dogrulama saglayicisi | Authentication | US | EU SCCs + DPA |
| Veri altyapisi saglayicisi | Database | US / EU* | EU SCCs + DPA |
| Video conferencing infrastructure providers | Live one-to-one sessions and appointment infrastructure | US / EU* | EU SCCs + DPA |
| Google LLC (GA4) | Analytics | US | EU SCCs + DPA, IP anonymization |
| iyzi Ödeme ve Elektronik Para Hizmetleri A.Ş. | Payments | US | EU SCCs + DPA |
* Region depends on infrastructure configuration. We are working to ensure EU data residency for EU users.
Transfer Safeguards (Article 46)
- Standard Contractual Clauses (SCCs): All US-based processors operate under EU-approved SCCs (Commission Implementing Decision 2021/914)
- Data Processing Agreements (DPAs): Signed with all sub-processors
- Supplementary Measures: Encryption in transit (TLS 1.2+) and at rest (AES-256), access controls and data minimization
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Until account deletion |
| Health-related data (ADHD profile, coaching, follow-up) | Until account deletion or consent withdrawal |
| Coaching and follow-up records | Until account deletion or consent withdrawal |
| Payment and billing data | As required by tax law (up to 10 years) |
| Authentication data | Until account deletion. Post-deletion: removed within 180 days |
| Analytics data (GA4) | 2 months (user-level), aggregate data longer |
| Cookies | Session cookies: end of session. Analytics/marketing: up to 13 months |
When you delete your account, all personal data is permanently deleted within a reasonable timeframe, except where retention is required by law.
7. Your Rights Under GDPR
As an EU/EEA resident, you have the following rights:
Right of Access (Art. 15)
Request a copy of all personal data we hold about you
Right to Rectification (Art. 16)
Request correction of inaccurate or incomplete data
Right to Erasure (Art. 17)
Request deletion of your personal data ("right to be forgotten")
Right to Restrict Processing (Art. 18)
Request limitation of how we process your data
Right to Data Portability (Art. 20)
Receive your data in a structured, machine-readable format
Right to Object (Art. 21)
Object to processing based on legitimate interests or for direct marketing
Right Against Automated Decisions (Art. 22)
Not be subject to decisions based solely on automated processing, including profiling.
Right to Withdraw Consent
Withdraw your consent for health data processing at any time, without affecting the lawfulness of prior processing
How to exercise your rights: Contact us at privacy@dopa.live. We will respond within 30 days. If we need more time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period.
Right to Lodge a Complaint: You have the right to lodge a complaint with your local Data Protection Authority (DPA). A list of EU/EEA DPAs can be found at edpb.europa.eu.
9. Data Security
We implement the following technical and organizational measures to protect your data:
- Encryption: All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Authentication: Multi-factor authentication options
- Access control: Role-based access with least-privilege principle
- Data minimization: Data not needed for the service is not requested
- Payment security: Credit card data never touches our servers; processed by iyzico (PCI DSS Level 1)
- Video security: Video calls encrypted with 256-bit TLS and AES-256; no recordings made
10. Data Protection Impact Assessment
Given that DopaLive processes special category health-related data, we acknowledge the requirement for a Data Protection Impact Assessment (DPIA) under GDPR Article 35.
A DPIA will be completed and maintained prior to our EU/EEA launch. The assessment covers risks related to health-related data processing and international data transfers. Results will inform our data protection measures and be made available to supervisory authorities upon request.
11. Children's Privacy
DopaLive active individual services are intended for users aged 18 and above.
- Ages 18+: May use our active individual services directly
- Under 18: May not create an account for active individual services. Future school or youth programs require separate consent, contract and data boundaries.
We do not knowingly collect personal data from users under 18 for active individual services. If we become aware that a user under 18 has provided us with personal data in that context, we will take steps to promptly delete that data.
12. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before they take effect.
For changes affecting the processing of special category data, we will request your explicit consent again.
13. Contact
For questions about this privacy policy or to exercise your data protection rights:
DopaLive Data Protection
Email: privacy@dopa.live
We aim to respond to all data protection requests within 30 days. For complex requests, we may extend this by an additional 60 days with prior notice.
