Privacy Notice (GDPR)
Patient Mobile App
First published: 2026-04-27 · Last updated: 2026-05-27
Data controller: HekimDoktor Sağlık Teknoloji A.Ş.
Scope: This notice covers the data-processing activities of the HekimDoktor patient mobile app (iOS / Android) under the General Data Protection Regulation (EU) 2016/679 (“GDPR”). Our B2B web platform for doctors and clinics (klinik.bio) has a separate privacy notice.
1. Data Controller (GDPR Art. 4(7))
HekimDoktor Sağlık Teknoloji A.Ş.
Esentepe Mah. Akademiyolu Sk. F Blok No: 10/6 İç Kapı No: 116
Serdivan / Sakarya, Türkiye — Sakarya Teknokent
Email: privacy@hekimdoktor.com
Web: hekimdoktor.com
2. Categories of Personal Data
2.1 General Personal Data (GDPR Art. 4(1))
- Identity: name, date of birth, gender
- Contact: email, phone, address
- Transaction: subscription, payment history, appointments
- Security: IP address, device/browser info, login timestamps
- Marketing (optional): newsletter preferences
2.2 Special Categories of Personal Data (GDPR Art. 9)
As a health platform we process the following special-category data on the basis of your explicit consent (GDPR Art. 9(2)(a)):
- Health data: symptoms, diagnoses, medications, lab results, vitals (blood pressure, glucose, etc.)
- Menstrual cycle, pregnancy, women's health
- Mental health, nutrition, exercise, sleep tracking
- Smoking cessation, addiction tracking
- Biometric data read from Apple HealthKit / Google Health Connect on your device with your permission (steps, heart rate, sleep, blood pressure, etc.) — read locally, processed only for features you select.
3. Legal Bases and Purposes (GDPR Art. 6 & Art. 9)
- Contract performance (Art. 6(1)(b)): account creation, authentication, appointments, messaging, prescriptions, doctor-patient records
- Explicit consent (Art. 6(1)(a) / Art. 9(2)(a)): AI-powered health assistant, symptom triage, nutrition recommendations, cross-border data transfers. Via Profile → AI Data Sharing you can approve or revoke each AI provider individually at any time.
- Legitimate interest (Art. 6(1)(f)): service quality and error monitoring via anonymous telemetry (Sentry). No identifiable personal or health data is included. Our interest is balanced against your rights.
- Legal obligation (Art. 6(1)(c)): compliance with applicable law and lawful requests from competent authorities.
- Marketing communication (only with opt-in consent — you may withdraw at any time).
Voice input uses Apple Speech Framework on iOS and Google Speech Services on Android for on-device transcription. Audio is not uploaded — only the resulting text is sent to Anthropic with your consent.
3.1 Nature of AI Content
AI health assistants provide general information only — they are not a substitute for medical diagnosis, treatment, or professional healthcare. In a medical emergency call the emergency number in your country (112 in the EU, 999 in the UK).
Sources used in AI output are listed inside the app under "Medical Information Sources" and include WHO standards, CDC recommendations, EU CosIng databases, and USDA FoodData Central.
4. Recipients and International Transfers (GDPR Art. 13(1)(e), Art. 46)
4.1 AI Service Providers (Apple App Store 5.1.1(i))
The mobile app sends user data to only three external providers, each requiring separate consent via Profile → AI Data Sharing:
| Provider | Purpose | Data shared | Country | Transfer basis |
|---|---|---|---|---|
| Anthropic, PBC (Claude API) | AI chat, health insights, symptom triage, cosmetic ingredient analysis | Message text + profile hints (age range, gender, language) — no full name, no DOB, no contact info | US | Explicit consent (Art. 49(1)(a)) |
| Voyage AI, Inc. | Doctor / specialty semantic search | Search query text only — no user identifier | US | Explicit consent (Art. 49(1)(a)) |
| Functional Software, Inc. (Sentry) | Anonymous crash & performance telemetry | Stack trace, anonymous session id, device/OS — no PII, no health data | EU (Germany) | Within EEA — no transfer |
4.2 Infrastructure & Account Service Providers
| Provider | Purpose | Data shared | Country | Transfer basis |
|---|---|---|---|---|
| Radore Veri Merkezi A.Ş. | Server infrastructure (hosting) | Account & health data, uploaded files | Türkiye | Standard Contractual Clauses (Art. 46(2)(c)) |
| Stripe Payments Europe Ltd. | Payments (international) | Email, payment info, subscription amount | Ireland / US | Contract performance / SCCs |
| Resend, Inc. | Transactional email | Email address + message content | US | SCCs |
| Google LLC (OAuth / FCM) | Sign in with Google; Android push | OAuth id, email, name / device token | US | SCCs |
| Apple Inc. (Sign in with Apple / APNs) | Sign in with Apple; iOS push | OAuth id, relay email / device token | US | SCCs |
| Expo Push Notification Service | Mobile push orchestration | Device token, notification payload | US | SCCs |
| Competent public authorities | Lawful requests only | Data required by applicable law | Various | Legal obligation (Art. 6(1)(c)) |
Standard Contractual Clauses (SCCs) approved by the European Commission under Art. 46(2)(c) GDPR are in place with all non-EEA processors. Copies are available on request at privacy@hekimdoktor.com.
5. How We Collect Data
- Web and mobile app forms (registration, profile, appointments)
- Cookies and analytics tools (see our Cookie Policy)
- OAuth integrations (Google / Apple)
- Apple HealthKit / Google Health Connect APIs (with your consent)
- Manual entries by doctors into patient files
6. Retention (GDPR Art. 5(1)(e))
- Account data: while active + 30-day grace period after deletion request
- Medical records: 20 years to meet applicable medical liability obligations; anonymised on account deletion
- Login + admin audit logs: 365 days
- AI chat metadata: 90 days
- Consent / revocation records (GDPR Art. 7(1) evidence): 5 years
- Email logs: 180 days · Notification logs: 90 days · Anonymous analytics: 14 months
7. Age and Minors (GDPR Art. 8)
The HekimDoktor mobile patient app is designed for users 16 and over (GDPR Art. 8 — where your EU member state sets a lower age limit, that limit applies). We do not knowingly collect data from children under 13. For users 13–15, parental/guardian consent is required for special-category health data.
8. Your Rights (GDPR Art. 15–22)
Under the GDPR you have the right to:
- Access (Art. 15): obtain a copy of the personal data we hold about you
- Rectification (Art. 16): correct inaccurate or incomplete data
- Erasure (Art. 17): request deletion (“right to be forgotten”) where data is no longer necessary or consent is withdrawn
- Restriction (Art. 18): restrict processing while a dispute is resolved
- Portability (Art. 20): receive your data in a structured, machine-readable format
- Object (Art. 21): object to processing based on legitimate interest
- Withdraw consent (Art. 7(3)): withdraw any consent at any time; withdrawal does not affect prior lawful processing
- Automated decisions (Art. 22): not be subject to solely automated decisions with significant legal or similarly significant effects
Exercise these rights by emailing privacy@hekimdoktor.com or directly via account settings (data export, account deletion). We respond within one month as required by GDPR Art. 12(3).
9. Right to Lodge a Complaint (GDPR Art. 77)
If you consider that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the supervisory authority in your EU member state (Data Protection Authority / DPA). Contact details for all EU DPAs are available on the European Data Protection Board website: edpb.europa.eu.
10. Security (GDPR Art. 32)
- TLS 1.3 encryption in transit
- AES-256-GCM at-rest encryption for sensitive fields
- bcrypt password hashing, role-based access control, admin audit log
- Regular security reviews and penetration tests
11. Cookies (GDPR / ePrivacy Directive)
See our Cookie Policy for details on the cookies and tracking technologies we use and your opt-out options.
12. Updates to This Notice
When this notice changes materially, the kvkkConsentVersion and aiDataConsentVersion flags are bumped; you will be notified and asked to re-consent before continuing to use health-data features.
13. Contact
For GDPR queries and data subject requests: privacy@hekimdoktor.com