DopaLive Logo
DopaLive
Home

GDPR Privacy Policy

For residents of the European Union and European Economic Area

Last updated: June 4, 2026

This privacy policy explains how DopaLive ("we", "us", "our") collects, uses, shares, and protects your personal data when you use our ADHD coaching platform, in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").

This policy applies to users residing in the EU/EEA. For users in Turkey, please also refer to our KVKK disclosure and Privacy Policy (Turkish).

1. Data Controller

Data Controller: Elgiz Henden

Brand Name: DopaLive

Email: privacy@dopa.live

Address: Altunizade Mah. Okul Sk. Akar Ap. No 13 İç Kapı No 8 Üsküdar, İstanbul

Website: https://www.dopa.live

EU Representative (Article 27): To be appointed prior to EU launch. Contact details will be published here.

2. Personal Data We Collect

2.1 General Personal Data

Account Data

Name, email address, phone number, profile photo (optional)

Usage Data

Session durations, page views, feature usage, click behavior

Device & Connection Data

IP address, browser type, device type, operating system

Payment Data

Subscription status, plan type, payment history, billing info. Credit card details are processed directly by iyzico and never stored on our servers.

2.2 Special Category Data (Article 9)

Important: As an ADHD coaching platform, we process the following special category data classified as health data under GDPR Article 9. This processing requires your explicit consent.

  • ADHD Profile Data: Program onboarding assessment and support needs analysis
  • Coaching and Tracking Data: Goals, follow-up notes, appointment information and program progress
  • Video Session Metadata: Live one-to-one session date, duration, attendance and meeting link. Audio and video recordings are not stored.

4. Program Data and Processing

DopaLive processes onboarding answers, goals, follow-up notes and usage data to provide a personalized program experience.

How It Works

Coaching sessions, follow-up notes and program progress data are used to deliver the service in a way that fits your needs.

Access Controls

Program data is accessible only to authorized people who need it to provide the service. Role-based access control is applied.

Data Minimization

We do not request data that is not needed for the service. You may withdraw consent for consent-based data at any time.

Your Requests

You may contact us about your program assessment and follow-up records atprivacy@dopa.live.

Not Medical Advice

DopaLive does not provide medical diagnosis, treatment or psychotherapy. For medical concerns, please consult a qualified healthcare professional.

5. International Data Transfers

Your personal data is transferred to the following third-party processors located outside the EU/EEA:

ProcessorPurposeLocationTransfer Mechanism
Kimlik dogrulama saglayicisiAuthenticationUSEU SCCs + DPA
Veri altyapisi saglayicisiDatabaseUS / EU*EU SCCs + DPA
Video conferencing infrastructure providersLive one-to-one sessions and appointment infrastructureUS / EU*EU SCCs + DPA
Google LLC
(GA4)
AnalyticsUSEU SCCs + DPA, IP anonymization
iyzi Ödeme ve Elektronik Para Hizmetleri A.Ş.PaymentsUSEU SCCs + DPA

* Region depends on infrastructure configuration. We are working to ensure EU data residency for EU users.

Transfer Safeguards (Article 46)

  • Standard Contractual Clauses (SCCs): All US-based processors operate under EU-approved SCCs (Commission Implementing Decision 2021/914)
  • Data Processing Agreements (DPAs): Signed with all sub-processors
  • Supplementary Measures: Encryption in transit (TLS 1.2+) and at rest (AES-256), access controls and data minimization

6. Data Retention

Data CategoryRetention Period
Account dataUntil account deletion
Health-related data (ADHD profile, coaching, follow-up)Until account deletion or consent withdrawal
Coaching and follow-up recordsUntil account deletion or consent withdrawal
Payment and billing dataAs required by tax law (up to 10 years)
Authentication dataUntil account deletion. Post-deletion: removed within 180 days
Analytics data (GA4)2 months (user-level), aggregate data longer
CookiesSession cookies: end of session. Analytics/marketing: up to 13 months

When you delete your account, all personal data is permanently deleted within a reasonable timeframe, except where retention is required by law.

7. Your Rights Under GDPR

As an EU/EEA resident, you have the following rights:

Right of Access (Art. 15)

Request a copy of all personal data we hold about you

Right to Rectification (Art. 16)

Request correction of inaccurate or incomplete data

Right to Erasure (Art. 17)

Request deletion of your personal data ("right to be forgotten")

Right to Restrict Processing (Art. 18)

Request limitation of how we process your data

Right to Data Portability (Art. 20)

Receive your data in a structured, machine-readable format

Right to Object (Art. 21)

Object to processing based on legitimate interests or for direct marketing

Right Against Automated Decisions (Art. 22)

Not be subject to decisions based solely on automated processing, including profiling.

Right to Withdraw Consent

Withdraw your consent for health data processing at any time, without affecting the lawfulness of prior processing

How to exercise your rights: Contact us at privacy@dopa.live. We will respond within 30 days. If we need more time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period.

Right to Lodge a Complaint: You have the right to lodge a complaint with your local Data Protection Authority (DPA). A list of EU/EEA DPAs can be found at edpb.europa.eu.

8. Cookie Policy

We use the following categories of cookies:

Strictly Necessary

Always active

Session management, security, authentication. Required for the service to function. No consent needed.

Analytics Cookies

Consent required

Google Analytics 4 (GA4) — Helps us understand site usage. IP addresses are automatically anonymized. Not loaded without your consent.

Payment Security Cookies

Consent required

iyzico may process transaction security data for payment security and fraud prevention.

Non-essential cookies are only activated after you give consent via our cookie banner. You can change your preferences at any time through the cookie settings panel on our site.

9. Data Security

We implement the following technical and organizational measures to protect your data:

  • Encryption: All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Authentication: Multi-factor authentication options
  • Access control: Role-based access with least-privilege principle
  • Data minimization: Data not needed for the service is not requested
  • Payment security: Credit card data never touches our servers; processed by iyzico (PCI DSS Level 1)
  • Video security: Video calls encrypted with 256-bit TLS and AES-256; no recordings made

10. Data Protection Impact Assessment

Given that DopaLive processes special category health-related data, we acknowledge the requirement for a Data Protection Impact Assessment (DPIA) under GDPR Article 35.

A DPIA will be completed and maintained prior to our EU/EEA launch. The assessment covers risks related to health-related data processing and international data transfers. Results will inform our data protection measures and be made available to supervisory authorities upon request.

11. Children's Privacy

DopaLive active individual services are intended for users aged 18 and above.

  • Ages 18+: May use our active individual services directly
  • Under 18: May not create an account for active individual services. Future school or youth programs require separate consent, contract and data boundaries.

We do not knowingly collect personal data from users under 18 for active individual services. If we become aware that a user under 18 has provided us with personal data in that context, we will take steps to promptly delete that data.

12. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before they take effect.

For changes affecting the processing of special category data, we will request your explicit consent again.

13. Contact

For questions about this privacy policy or to exercise your data protection rights:

DopaLive Data Protection

Email: privacy@dopa.live

We aim to respond to all data protection requests within 30 days. For complex requests, we may extend this by an additional 60 days with prior notice.