Privacy Notice & Data Protection (KVKK)
Patient Mobile App
First published: 2026-04-27 · Last updated: 2026-05-27
Data controller: HekimDoktor Sağlık Teknoloji A.Ş.
Scope: This notice covers the data-processing activities of the HekimDoktor patient mobile app (iOS / Android). Our B2B web platform for doctors and clinics (klinik.bio) has a separate privacy notice.
1. Data Controller
Under Law No. 6698 on the Protection of Personal Data (“KVKK”):
HekimDoktor Sağlık Teknoloji A.Ş.
Esentepe Mah. Akademiyolu Sk. F Blok No: 10/6 İç Kapı No: 116
Serdivan / Sakarya — Sakarya Teknokent
Email: kvkk@hekimdoktor.com
2. Categories of Personal Data
2.1 General Data
- Identity: name, date of birth, gender
- Contact: email, phone, address
- Transaction: subscription, payment history, appointments
- Security: IP, device/browser, login timestamps
- Marketing (optional): newsletter preferences
2.2 Special Categories (KVKK Art. 6)
- Health: symptoms, diagnoses, medications, lab results, vitals
- Menstrual cycle, pregnancy, women's health
- Mental health, nutrition, exercise, sleep tracking
- Smoking cessation, addiction tracking
- Biometric data read from Apple HealthKit / Google Health Connect on your device with your permission (steps, heart rate, sleep, blood pressure, etc.) — read locally, processed only for features you select.
- Turkish national ID (only inside doctor-patient files, AES-256 encrypted)
3. Purposes
- Account creation, authentication, account security (contract performance)
- Appointments, messaging, prescriptions, doctor-patient records (explicit consent)
- AI-powered health assistant, symptom triage, nutrition recommendations (explicit consent). The mobile app exposes Profile → AI Data Sharing where each AI provider can be approved or revoked individually.
- Voice input (calorie search, voice symptom note) uses Apple Speech Framework on iOS and Google Speech Services on Android for on-device transcription; the audio is not uploaded — only the resulting text is processed and, with consent, sent to Anthropic.
- Service quality, error tracking (legitimate interest)
- Marketing communication (only with opt-in consent)
- Legal obligations
3.1 Nature of AI Content and Source Citations
The AI health assistants in our mobile app provide general information only and do not replace medical diagnosis, treatment, or professional healthcare. In a medical emergency, call 112 or visit the nearest healthcare facility.
Sources used in AI output are listed inside the app under "Medical Information Sources". They include:
- Republic of Türkiye Ministry of Health clinical guidelines
- Turkish Medical Association (TTB) publications
- World Health Organization (WHO) standards
- US Centers for Disease Control and Prevention (CDC) recommendations
- Cosmetic Ingredient Review (CIR) and EU CosIng databases for cosmetic safety
- USDA FoodData Central and TÜBER (Türkiye Nutrition Guide) for nutrition
4. Categories of Recipients (Cross-border transfers)
4.1 AI Data Flow in the Patient Mobile App (Apple App Store 5.1.1(i))
The mobile patient app sends data to only three external services. Each can be approved or revoked separately via Profile → AI Data Sharing:
| Provider | Purpose | Data shared | Country |
|---|---|---|---|
| Anthropic, PBC (Claude API) | AI chat, health insights, symptom triage, cosmetic ingredient analysis | Your message text + profile hints (age range, gender, language). No full name, no DOB, no contact info. | United States |
| Voyage AI, Inc. | Doctor / specialty semantic search | Search query text only — no user identifier | United States |
| Functional Software, Inc. (Sentry) | Anonymous crash & performance telemetry | Stack trace, anonymous session id, device/OS — no PII, no health data | EU (Germany) |
4.2 Infrastructure & Account Service Providers
| Provider | Purpose | Data shared | Country |
|---|---|---|---|
| Radore Veri Merkezi A.Ş. | Server infrastructure (hosting) | Account & health data, uploaded files | Türkiye (in-country) |
| iyzico Ödeme Hizmetleri A.Ş. | Payments (Türkiye) | Email, payment info, subscription | Türkiye |
| PayTR | Payments (Türkiye) | Email, payment info, subscription | Türkiye |
| Stripe Payments Europe Ltd. | Payments (international) | Email, payment info, subscription | Ireland / US |
| Resend, Inc. | Transactional email | Email address + content | US |
| Google LLC (OAuth) | Sign in with Google | OAuth id, email, name | US |
| Apple Inc. (Sign in with Apple) | Sign in with Apple | OAuth id, relay email, name | US |
| Verimor (SMS) | SMS (OTP, alerts) | Phone + message | Türkiye |
| Expo Push Notification Service | Mobile push orchestration | Device token, payload | US |
| Apple APNs | iOS push delivery | Device token, payload | US |
| Google Firebase Cloud Messaging | Android push delivery | Device token, payload | US |
5. How We Collect Data
- Web and mobile app forms (registration, profile, appointments)
- Cookies and analytics tools
- OAuth integrations (Google / Apple)
- Apple HealthKit / Google Health Connect APIs (with your consent)
- Manual entries by doctors into patient files
6. Retention
- Account data: while active + 30-day grace after deletion
- Medical records: 20 years (Turkish medical liability obligation); anonymised on account deletion
- Login + admin audit: 365 days
- AI chat metadata: 90 days
- AI consent / revocation records (KVKK evidence): 5 years
- Email logs: 180 days · Notification logs: 90 days · Anonymous analytics: 14 months
7. Age and Minors
The HekimDoktor mobile patient app is designed for users 13 and over. We do not knowingly collect data from children under 13. For users 13–17, parental/guardian consent is required for the processing of special-category health data.
8. Your Rights (KVKK Art. 11)
You may request access, correction, deletion, restriction, or portability of your data at any time via kvkk@hekimdoktor.com. We respond within 30 days as required by KVKK Art. 13.
9. Security
- TLS 1.3 in transit
- AES-256-GCM at rest for sensitive fields
- bcrypt password hashing, role-based access control, admin audit log
10. Cookies
See our Cookie Policy page for details.
11. Updates
When this notice changes, the kvkkConsentVersion and aiDataConsentVersion flags are bumped and you will be asked to re-consent.
12. Contact
For questions and KVKK requests: kvkk@hekimdoktor.com