Medical Disclaimer: DoctoPal is an educational wellness tool and does not provide medical diagnosis or treatment. All recommendations are based on published scientific research. Always consult your healthcare provider before starting any supplement or making changes to your medication.


Privacy Notice on Personal Data Processing

Disclosure obligation under KVKK Art.10 · v2.2 — April 2026

1. Identity of the Data Controller

DoctoPal — Co-founders: Taha Ahmet Sıbıç, İpek Özen

Company registration is currently in progress. Upon legal incorporation, data controller title, address, and official contact information will be updated; VERBIS (Data Controllers Registry) registration will be completed.

Web: doctopal.com
Contact: info@doctopal.com

2. Categories of Personal Data Processed

  • a) Identity Data: Name, email
  • b) Health Data (Special Category):
    • b1) User's own health data: Medications, allergies, chronic conditions, symptoms, age, gender, blood type, vaccine records, smoking/alcohol use, surgical history, pregnancy/breastfeeding status, lab values, supplements
    • b2) Family Health History (v2.2 — new explicit category): Health history of your first- and second-degree relatives (mother, father, sibling, grandparent, aunt, uncle, cousin) — condition name, age at diagnosis, age at death (if applicable), free-text notes.
      Purpose: Hereditary risk assessment (breast/colon/prostate cancer, early cardiovascular events, diabetes, Alzheimer's, etc.), early screening recommendations, personalized AI context.
      Legal basis: KVKK Art.6 EXPLICIT CONSENT (within the scope of AI Processing consent). Since this constitutes third-party health data, only what you disclose is stored, at the metadata level; detailed medications/profiles are not kept for third parties.
  • c) Medical Image/Document Data: Blood test reports (PDF), radiology images, medication photos, prescribing information images
  • d) Contact Data: Phone number (optional)
  • e) Transaction Data: AI chat history, interaction check results, SBAR reports, consent records
  • f) Technical Data: IP address, browser info (security purposes)
  • g) Financial Data (only for Premium subscription users):
    What data: Payment amount, payment status, subscription start/end dates, invoice/receipt information, card mask (last 4 digits only).
    What is not processed: Your full card number, CVV, passwords. This information is never stored on DoctoPal servers; it is securely held by our PCI-DSS certified payment infrastructure provider, Iyzico.
    Data subject scope: Financial data is processed only for the user who performs the subscription payment (Individual Premium subscriber or Family Premium owner). Family members (invited users) are not parties to the payment; no financial data is processed for them.

3. Processing Purposes and Legal Basis

Special category health data (KVKK Art.6) is processed ONLY based on your EXPLICIT CONSENT. No processing is carried out on the basis of legitimate interest or contractual necessity.

  1. AI-powered personalized health information
  2. Drug-herb and drug-drug interaction checking
  3. Medical image/document analysis (blood tests, radiology reports)
  4. Prescribing information and medication photo reading/analysis
  5. SBAR format pre-visit doctor report generation
  6. Medication tracking, vaccine calendar, daily health logging
  7. Service improvement and security
  8. Semantic search (related content suggestions)
  9. Provision of Premium subscription services, payment collection, and invoice issuance (Legal basis: Establishment and performance of contract — KVKK Art.5/2-c; Legal obligation under the Tax Procedure Law — KVKK Art.5/2-ç)

4. Data Collection Method

Data is collected directly through forms on the web interface by the user and automatically during user interaction with the application. DoctoPal does not collect any health data from external sources unless explicitly shared by the user.

5. Third-Party Data Recipients

  • Supabase Inc. (Ireland / EU)
    Purpose: Data storage, user management, database
    Data transferred: All user data
    Legal basis: Your explicit consent (KVKK Art.9/1)
  • Anthropic PBC (USA)
    Purpose: AI (Claude) text analysis + multimodal image analysis
    Data transferred: Anonymized health data + visual files (blood tests, radiology, medication photos)
    Legal basis: Your explicit consent (KVKK Art.9/1)
  • Google LLC (USA)
    Purpose: Gemini text-embedding-004 semantic search infrastructure
    Data transferred: Anonymized text queries (no identity data, only keyword/term-based search text)
    Legal basis: Your explicit consent (KVKK Art.9/1)
  • Iyzico Ödeme Hizmetleri A.Ş. (Türkiye-based, PCI-DSS certified)
    Purpose of transfer: Collection of Premium subscription payments, subscription management, refund processing
    Data transferred: Full name, email, card information (not returned to DoctoPal), subscription status, payment history
    Legal basis: Performance of contract (KVKK Art.5/2-c)
    Cross-border transfer: NONE. Iyzico is established in Türkiye; all payment data is processed within Türkiye.

Important Notice (KVKK Art.9 Compliance)

The legal basis for international data transfers is currently your explicit consent under KVKK Art.9/1. The Standard Contractual Clauses (SCC) signing process will be conducted with Anthropic, Google, and Supabase after company registration is complete; the KVKK Board will be notified within 5 business days of signing. Until this process is complete, explicit consent serves as the sole legal basis.

Anonymization: Direct identity information (name, email, national ID, phone, address, user ID) is automatically removed by our system from data transferred abroad. This process is carried out in accordance with the KVKK Generative AI Guide (November 2025) and is logged.

6. Retention Periods

| Data Category | Retention Period |
|---|---|
| Identity data (name, email) | While account is active |
| Health data | While account is active |
| Contact data | While account is active |
| AI chat history | 12 months (auto-delete) |
| Medical images/documents | 90 days (raw image deleted, result text retained) |
| Consent audit log | 5 years (KVKK Art.12 — legal obligation) |
| IP address and access logs | 2 years |
| Payment data and invoices | 10 years (Tax Procedure Law Art.253 — legal obligation). Retained for this period even after subscription ends. |

After account deletion request: All personal data is permanently deleted within 30 days. Audit logs are retained for 5 years as legally required, but identity information is anonymized.

7. Your Rights (KVKK Art.11)

Under KVKK Law No.6698 Art.11, you have the following rights:

  1. Learn whether your personal data is being processed
  2. If processed, request information about the processing
  3. Learn the purpose of processing and whether data is used accordingly
  4. Know the third parties to whom your data is transferred domestically or internationally
  5. Request correction if personal data is processed incompletely or inaccurately
  6. Request deletion or destruction of personal data under conditions set forth in KVKK Art.7
  7. Request that corrections, deletions, or destructions under items 5 and 6 be notified to third parties to whom your data was transferred
  8. Object to outcomes arising from exclusively automated analysis of processed data (Art.11/1-g)
  9. Claim compensation for damages due to unlawful processing of personal data

Automated Decision Making — Art.11/1-g Special Notice

DoctoPal's AI system automatically analyzes your health data and generates informational content. This is not a diagnosis or treatment decision. You can object to any automated assessment using the "Object" button below each AI response. Your objections are recorded and subject to human review.

8. Application Procedure

To exercise your rights under KVKK Art.13:

  • Email: Send your request to info@doctopal.com
  • Identity verification: A copy of national ID or e-government population record may be requested
  • Timeline: Your request will be resolved FREE OF CHARGE within 30 days
  • VERBIS: Data Controllers Registry registration will be completed after company incorporation

Filing a complaint with the KVKK Board: If our response is insufficient or if we fail to respond within 30 days, you can file a complaint:

  • Web: kvkk.gov.tr
  • Phone: ALO 198

9. User Age Restriction

DoctoPal is designed for users aged 18 and over. By using the service, the user declares and undertakes that they are over 18 years of age. If an account is opened by a user under 18, the account will be closed and data deleted upon detection.

10. Security Measures (KVKK Art.12)

  • Supabase Row-Level Security (RLS) for data isolation
  • TLS/HTTPS encrypted communication
  • Encryption at rest (Supabase infrastructure)
  • Automatic identity anonymization before AI API calls
  • Prompt injection protection
  • Rate limiting
  • Audit logging (KVKK Art.12)
  • 72-hour breach notification plan
  • 9-layer security architecture

11. Change History

v2.2 — April 2026

  • Family Health History (§2-b2) explicitly added as a separate sub-category (family_history_entries table)
  • Metadata-level retention principle clarified for first/second-degree relative health history (no detailed medications/profile kept for third parties)
  • Hereditary risk assessment and genetic screening recommendations explicitly covered under processing purposes

v2.1 — April 2026

  • Financial Data category added (for Premium subscription)
  • Iyzico Ödeme Hizmetleri A.Ş. added as a transferee
  • Payment data retention period (10 years, Tax Procedure Law Art.253) added
  • Premium subscription processing purpose added

v2.0 — April 2026

  • Initial publication
  • 10 sections, compliant with KVKK Art.10
  • 4 main data categories, 3 transferees (Supabase, Anthropic, Google)

This notice is prepared in accordance with KVKK Art.10 and KVKK Board Decision No.2026/347. Your explicit consent is collected SEPARATELY from this notice, for each processing purpose INDIVIDUALLY.

Privacy notice version: v2.2 · Last updated: April 2026
