Privacy Policy

Introduction

Elaheh Salmani Elite Program ("we", "our", "the Program") is committed to protecting your privacy. This policy explains what personal data we collect, why we collect it, how it is stored and protected, and your legal rights as a client or visitor.

By submitting a registration form or using this website, you confirm you have read and agreed to this Privacy Policy. You may withdraw consent at any time — see Your Rights below.

This policy complies with the EU General Data Protection Regulation (GDPR) and the Malaysian Personal Data Protection Act 2010 (PDPA).

1. Data We Collect

• Identity data: full name, date of birth, biological sex
• Contact data: email address, phone/WhatsApp number, country, Instagram handle
• Physical data: height, weight, blood type, goal weight
• Health data (special category): medical conditions, injuries, surgeries, current medications and supplements — processed under GDPR Article 9 explicit consent
• Fitness data: training background, experience level, current program, goals, dietary restrictions
• Progress photos: front, back, and side physique photos uploaded at registration
• Referral data: how you heard about us, referral name
• Payment data: payment receipt or transaction ID (no card data stored)
• Technical data: standard server access logs (IP address, browser type) retained by our hosting provider
• Cookie data: consent preference stored in your browser's localStorage

2. Why We Collect It

All personal data is collected and used exclusively for:

• Designing and delivering your personalised coaching program
• Coach-client communication via WhatsApp, email, or Instagram DM
• Tracking your progress over the duration of your program
• Delivering supplement guidance (where applicable to your package)
• Responding to your enquiries and support requests

Legal basis for processing (GDPR): Your explicit, freely-given consent via the registration form checkbox (Article 6(1)(a)). Health data is processed under explicit special-category consent (Article 9(2)(a)).

We never use your personal data for advertising, profiling, or selling to third parties.

3. Data Storage

Your data is currently stored as follows:

• Registration submissions: processed via Google Apps Script and stored in a private Google Sheet accessible only to the coach and platform administrator
• Progress photos: stored in a private Google Drive folder accessible only to the coach
• Future infrastructure: moving to Supabase (PostgreSQL, Singapore region) — data transfers covered by Standard Contractual Clauses (SCCs)

All data is transmitted over HTTPS. No personal data is stored on public servers or used for advertising.

4. Third-Party Services

• Google Workspace (Sheets, Drive, Apps Script) — data storage and form processing
• Supabase — future database and file storage (Singapore region, SCCs in place)
• Resend — transactional email delivery
• Cloudflare Pages — website hosting; standard access logs only
• Google Analytics (GA4) — only loaded after you accept cookies via the cookie consent banner. Blocked entirely if you decline.

Each third-party provider is subject to their own privacy policies and data processing terms. We only share the minimum data necessary for service delivery.

5. Progress Photos

Progress photos are among the most sensitive data we hold. They are:

• Stored in a private folder accessible only to your coach
• Never shared publicly, posted on social media, or used in any marketing material without your separate explicit written consent
• Deleted within 7 days of receiving a verified deletion request
• Transmitted over HTTPS at all times

6. Data Retention

Your data is retained for the duration of your active coaching program and for 2 years after your last active session, after which it is permanently deleted. You may request earlier deletion at any time — see Your Rights below.

Progress photos are deleted within 7 days of a verified deletion request regardless of program status.

7. Your Rights

• Access: request a copy of all personal data we hold about you
• Correction: request correction of any inaccurate or incomplete data
• Deletion (Right to be Forgotten): request permanent deletion of your data; we respond within 30 days
• Portability: receive your data in a structured, machine-readable format
• Withdraw consent: withdraw your consent at any time without affecting prior lawful processing
• Object: object to processing in specific circumstances

To exercise any right, contact us via Instagram @elahesalmani_official or email . We will respond within 30 days.

If you are located in the European Economic Area (EEA), you also have the right to lodge a complaint with your local supervisory authority (e.g., ICO in the UK, CNIL in France).

8. Cookies

This website uses a cookie consent banner. Your preference is stored in your browser's localStorage under the key smf_cookie_consent.

• If you accept: Google Analytics (GA4) is loaded to help us understand how visitors use the site. GA4 uses cookies to collect anonymous usage data.
• If you decline: no analytics cookies are set, and GA4 is not loaded. Only your preference is stored (in localStorage, not a cookie).

You can change your cookie preference at any time by clearing your browser's localStorage for this site.

9. GDPR — European Clients

If you are located in the European Economic Area (EEA) or United Kingdom, the following apply:

• Legal basis for processing personal data: explicit consent (GDPR Article 6(1)(a))
• Legal basis for processing health data: explicit special-category consent (GDPR Article 9(2)(a))
• Data transfers outside the EEA (to Singapore via Supabase) are covered by Standard Contractual Clauses (SCCs)
• You have the right to withdraw consent at any time and to lodge a complaint with your national data protection authority

10. PDPA — Malaysian Clients

This program operates under Malaysian law. The Personal Data Protection Act 2010 (PDPA) applies. We collect your data with your consent, use it only for the stated purposes, and allow you to access, correct, or withdraw consent to your data at any time by contacting us as described above.

11. Children's Privacy

This coaching program is intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has submitted data, contact us immediately for deletion.

12. Changes to This Policy

We may update this Privacy Policy periodically. The "last updated" date at the top of this page reflects any changes. Continued use of our services after changes are posted constitutes acceptance of the updated policy. For material changes, we will notify active clients directly.