The security of your health data is our top priority. Here are the security layers that keep you safe.
All your health data is encrypted in transit with TLS 1.3 and at rest with industry-standard AES-256. With Supabase Row Level Security (RLS) policies, every user can access only their own data — even our own engineers cannot read your records without your permission.
Full compliance with Turkey's Law No. 6698 (KVKK) and the EU's GDPR. You can export all of your data at any time, and deleting your account permanently erases every piece of personal information. Sensitive health data is processed only with your explicit consent, and you can revoke that consent whenever you want.
Our 5-layer AI safety system protects every response: emergency keyword detection, drug–herb interaction checks, contraindication scanning, dosage limit enforcement, and a transparency score on every output. The AI never makes a medical diagnosis — it provides information, and each answer is delivered with a reliability score so you know how confident the system is.
Secure session management is powered by Supabase Auth. You can sign in with Google or Facebook OAuth, or email and password — your password is never stored in plain text. Cloudflare Turnstile bot protection blocks automated attacks before they reach your account.
We run on Vercel's edge network with a Supabase PostgreSQL database hosted in the EU. Built-in DDoS protection, automatic daily backups, and isolated serverless functions keep the platform stable and resilient against attacks.
Every API endpoint requires authentication and is scoped to the logged-in user. Rate limiting (10 requests/minute on sensitive endpoints) blocks abuse, and all admin actions are logged in an audit trail you can request at any time.
We collect only what is necessary for the service to work. Your data is retained while your account is active and is permanently erased when you delete your account. AI requests are anonymized — your name, email, ID, phone, and address are stripped before being sent to any external model.
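As an added illustration of the anonymization step described above (example code, not DoctoPal's own): a TypeScript function that allow-lists only the fields this page says reach the AI (age range, gender, medication list, allergies) and coarsens the birth date into a ten-year band before anything leaves the service. The record field names and the age buckets are assumptions.

```typescript
// Constructed example: minimise a user record to the fields the page says are
// sent to the AI (age range, gender, medication list, allergies). Field names
// and the age buckets are assumptions, not DoctoPal's real schema.
interface UserRecord {
  id: string;
  name: string;
  email: string;
  phone?: string;
  address?: string;
  birthDate: string;     // ISO date, e.g. "1985-06-14"
  gender: string;
  medications: string[];
  allergies: string[];
}

interface AiPayload {
  ageRange: string;
  gender: string;
  medications: string[];
  allergies: string[];
}

// Coarsen an exact age into a ten-year band so a birth date never leaves the
// service; "today" is a parameter so the result is deterministic in tests.
function ageRange(birthDate: string, today: Date): string {
  const born = new Date(birthDate);
  let age = today.getUTCFullYear() - born.getUTCFullYear();
  const hadBirthday =
    today.getUTCMonth() > born.getUTCMonth() ||
    (today.getUTCMonth() === born.getUTCMonth() && today.getUTCDate() >= born.getUTCDate());
  if (!hadBirthday) age -= 1;
  if (age < 18) return "under-18";
  if (age >= 80) return "80+";
  const low = Math.floor(age / 10) * 10;
  return `${low}-${low + 9}`;
}

// Allow-list the fields that go out; anything not named here (name, email, id,
// phone, address, birthDate) is dropped, so adding a new column to the record
// cannot silently leak it to the external model.
function anonymizeForAi(user: UserRecord, today: Date = new Date()): AiPayload {
  return {
    ageRange: ageRange(user.birthDate, today),
    gender: user.gender,
    medications: [...user.medications],
    allergies: [...user.allergies],
  };
}
```

An allow-list is preferable to a deny-list of known identifiers here: a field that nobody thought to strip is excluded by default rather than forwarded.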
All user inputs are sanitized at the API boundary. We protect against XSS, SQL injection, prompt injection, and other OWASP Top 10 threats with both library-level guards and our own AI-specific filters.
Real-time error monitoring and performance tracking with Sentry catches issues before they affect you. Security events are reported instantly to our team, and personal data is scrubbed from logs to keep your information private.
International data transfer per KVKK Article 9
DoctoPal processes user data with the following service providers:
Compliant with KVKK Generative AI Guide (November 2025)
Anonymization process:
Re-identification risk assessment:
The data set sent to AI (age range + gender + medication list + allergies) cannot be used to directly identify an individual because:
Steps we follow in case of a data breach, per KVKK Article 12:
KVKK Board Contact
ALO 198
kvkk@kvkk.gov.tr
Notification deadline: 72 hours
DoctoPal Security
security@doctopal.com
contact@doctopal.com
Found a security vulnerability? Please report it to us.
security@doctopal.com