Privacy Policy

Last updated: 26 April 2026

This policy explains how Veropital A.Ş. ("Veropital") protects the personal data we process in connection with our services, in accordance with Türkiye's Personal Data Protection Law No. 6698 ("KVKK") and, where relevant, the EU General Data Protection Regulation ("GDPR"). It applies to visitors of our website and to clinics registered on the Veropital platform.

1. Data Controller

Veropital A.Ş. acts as data controller under applicable privacy law and processes personal data of our users in accordance with the relevant regulations. Our address: Ortaköy Mah. Dereboyu Cad. No: 78, 34347 Beşiktaş / Istanbul. Reach our data protection representative at kvkk@veropital.com.

2. Personal Data We Process

To deliver and improve our services we may process the following categories of data: identity information (name, surname, date of birth), contact information (email, phone, address), clinic-user professional information (specialty, clinic name), platform usage data (session logs, IP address, browser metadata), and customer support tickets. Patient data is processed on the platform but remains the responsibility of the operating clinic; for that data the clinic acts as controller and Veropital as processor.

3. Purposes of Processing

Your personal data is processed for the following purposes: forming and performing the user agreement, subscription and billing management, customer support, technical operation and improvement of the platform, fulfilling legal obligations, and — where you give explicit consent — sending product updates and content. The legal bases are performance of contract, legal obligation, legitimate interest, and explicit consent under the relevant articles of KVKK and Article 6 of the GDPR.

4. Data Transfers

Your personal data may be shared with vetted sub-processors (cloud infrastructure providers, payment services, email delivery services) to the extent strictly necessary to deliver the service. All sub-processors operate under contractual commitments aligned with KVKK and the GDPR. Cross-border transfers happen only when adequate-protection requirements are met under Article 9 of the KVKK and the corresponding chapters of the GDPR. All patient data is held inside Türkiye, in privacy-aligned data centers.

5. Retention

Data is retained for as long as the processing purpose requires. During an active subscription and after termination, data is held for the periods required by tax law (5 years) and commercial law (10 years). After these periods data is deleted, destroyed, or anonymized. When a clinic-user closes their account, patient data is fully exported (CSV/SQL) within 30 days and then deleted.

6. Security Measures

We apply industry-standard measures to protect data: TLS 1.3 in transit, AES-256 at rest, multi-factor authentication, role-based access control, comprehensive audit logging, annual independent penetration tests, and security procedures aligned with ISO 27001. In the event of a data breach, we notify the supervisory authority and affected data subjects within 72 hours under Article 12 of the KVKK and the equivalent obligations under GDPR Article 33.

7. Your Rights

As a data subject you have the right to: confirm whether your data is being processed, request information about that processing, learn the purposes, learn about domestic and international transfers, request correction of inaccurate data, request deletion or destruction, request notification of corrections to third parties to whom data was transferred, object to automated decision-making, and seek compensation in case of harm. Address requests in writing to kvkk@veropital.com — we respond within 30 days at the latest.

8. Cookies

We use only the minimum cookies required for session management, security, and performance improvement. No marketing or third-party tracking cookies are set. For a full cookie list and how to disable them, please refer to your browser settings.

9. Children's Data

Veropital's services are not directed at children under 18. We do not knowingly collect data from anyone under 18. If clinic-users process data relating to minor patients, that processing is entirely the clinic's responsibility, and parental or guardian consent must be obtained by the clinic.

10. Updates to This Policy

This policy may be updated as legislation evolves or our services change. Material changes are announced to registered users by email, and the last-updated date appears at the top of this page. Continued use of the services after changes take effect constitutes acceptance of the updated policy.