Privacy Notice (KVKK)
Effective date: 2026-04-27 · Data controller: HekimDoktor Sağlık Teknoloji A.Ş.
⚠️ This is a summary in English. The legally binding text is the Turkish version.
1. Data Controller
HekimDoktor Sağlık Teknoloji A.Ş.
Esentepe Mah. Akademiyolu Sk. F Blok No: 10/6 İç Kapı No: 116
Serdivan / Sakarya — Sakarya Teknokent
Email: kvkk@hekimdoktor.com
2. Data We Process
General personal data: name, email, phone, address, payment history, IP, browser.
Special category data (Turkish KVKK Art. 6 — equivalent to GDPR Art. 9):
- Health data (symptoms, diagnoses, prescriptions, lab results, vitals)
- Menstrual cycle, pregnancy, women's health
- Mental health, nutrition, exercise, sleep tracking
- HealthKit / Google Fit biometric data
- Turkish national ID (TC Kimlik) — only on doctor's patient records, AES-256 encrypted
3. Purposes
- Account creation, authentication, account security (contract performance)
- Appointments, messaging, prescriptions, doctor-patient records (explicit consent)
- AI-powered health assistant, symptom triage, nutrition recommendations (explicit consent)
- Service quality, error tracking (legitimate interest)
- Marketing (only with opt-in consent)
4. Categories of Recipients (Cross-border transfers)
We share data with service providers in the following categories. Cross-border transfers require your explicit consent at sign-up (Turkish KVKK Art. 9).
| Recipient category | Data shared | Country |
|---|---|---|
| AI service provider | Health text for AI processing | Outside Türkiye |
| Payment processor | Email, payment info, subscription amount | EU + outside Türkiye |
| Cloud storage provider | Lab reports, patient documents, voice notes | EU / outside Türkiye |
| Error monitoring provider | Technical error logs, system context | Outside Türkiye |
| Email delivery provider | Email address + content | Outside Türkiye |
| OAuth providers | OAuth identifiers, email, name | Outside Türkiye |
| SMS providers | Phone + message body | Türkiye + outside (fallback) |
| Mobile health platform APIs | Vitals, steps, sleep, BP | via your device |
| Push notification provider | Device token + payload | Outside Türkiye |
| Hosting infrastructure provider | Application data (PostgreSQL) | Outside Türkiye |
| Authorized public authorities | Information requested by law | Türkiye |
You may request the up-to-date list of our service providers under KVKK Art. 11 by emailing kvkk@hekimdoktor.com. All providers have signed data processing agreements pursuant to KVKK Art. 12.
5. Retention
- Account data: while active + 30-day grace period after deletion request
- Medical records: 20 years (Turkish medical liability + social security retention obligation); anonymized on account deletion, not erased
- Login + admin audit logs: 365 days
- AI chat metadata: 90 days
- Email logs: 180 days
- Notification logs: 90 days
- Anonymous analytics: 14 months
- Registration IP/UA: anonymized after 12 months
6. Your Rights (KVKK Art. 11 / GDPR-equivalent)
You have the right to:
- Know whether your data is being processed
- Request information about the processing
- Know third parties to whom your data is transferred
- Request correction of inaccurate data
- Request deletion (subject to legal retention obligations above)
- Object to automated decision-making
- Request damages for unlawful processing
To exercise these rights: kvkk@hekimdoktor.com, or use the data export and account deletion options in your account settings.
7. Security (KVKK Art. 12)
- TLS 1.3 in transit
- AES-256-GCM at-rest encryption for sensitive fields (TC Kimlik, MFA secrets)
- bcrypt password hashing
- Role-based access control + admin audit logging
8. Cookies
See our Cookie Policy.
9. Updates
When we update this notice we change the kvkkConsentVersion field; you will be asked to re-consent before continuing to use health-data-processing features.
10. Contact
Questions and data subject requests: kvkk@hekimdoktor.com