1. Veri Sorumlusu (Data Controller)
Veropital A.Ş., headquartered at Ortaköy Mah. Dereboyu Cad. No: 78, 34347 Beşiktaş / İstanbul, processes the personal data of clinic users, clinic staff, and (as a data processor on behalf of clinics) patients who interact with the Veropital platform. Reach our KVKK contact at kvkk@veropital.com.
2. İşlenen Kişisel Veri Kategorileri (Categories of Personal Data)
Identity data (name, surname, TC kimlik for clinic owners as required by tax law), contact data (email, phone, address), professional data (clinic name, specialty, license number where applicable), platform usage data (login times, IP address, browser metadata), payment data (Stripe customer ID — actual card details are stored by Stripe under PCI-DSS, never by Veropital), and patient health data (only as a data processor on behalf of the operating clinic — the clinic is the data controller for its patients).
3. İşleme Amaçları (Purposes of Processing)
(a) Forming and performing the user agreement; (b) subscription, billing, and tax compliance; (c) customer support; (d) technical operation, security, and improvement of the service; (e) sending product updates and content where you have given explicit consent; (f) compliance with legal obligations under tax law (5-year retention), commercial law (10-year retention), KVKK, and where applicable foreign privacy laws (GDPR for EU residents).
4. Hukuki Sebep (Legal Basis)
Personal data is processed under one or more of the following bases set out in Article 5 of KVKK: (a) explicit consent (Article 5/1) where required (e.g. marketing communications); (b) performance of a contract you are a party to (Article 5/2/c); (c) compliance with a legal obligation (Article 5/2/ç); (d) legitimate interests of the data controller proportionate to your fundamental rights and freedoms (Article 5/2/f); (e) processing of special categories such as health data only by health professionals or institutions with the obligation of secrecy under Article 6/3.
5. Aktarım (Data Transfers)
Personal data may be shared with: (a) cloud infrastructure providers (Supabase, hosted in Frankfurt EU; primary patient data resides in EU/Türkiye-aligned regions); (b) payment processors (Stripe Inc., Iyzico A.Ş.); (c) email and messaging providers (Resend, Twilio, Verimor); (d) tax and legal authorities where required by law. Cross-border transfers occur only to the extent strictly necessary, under contractual safeguards aligned with Articles 8 and 9 of KVKK.
6. Saklama Süresi (Retention)
Personal data is retained for as long as the processing purpose requires and the legally mandated minimum periods, including: 5 years for tax-relevant records (Tax Procedural Law), 10 years for commercial records (Commercial Law), the duration of the user agreement plus the limitation period for contractual claims (10 years per the Code of Obligations). After these periods expire, personal data is securely deleted, destroyed, or anonymized in line with our Personal Data Retention and Destruction Policy.
7. Güvenlik Önlemleri (Security Measures)
Technical and organizational measures applied: TLS 1.3 in transit, AES-256 at rest, multi-factor authentication, role-based access control, audit logging of administrative actions, periodic vulnerability assessments, security awareness training for our team, and contractual confidentiality obligations for all personnel and sub-processors. Reported security incidents are notified to the Personal Data Protection Authority (KVKK) and affected data subjects within 72 hours per Article 12 of KVKK.
8. KVKK Madde 11 — Haklarınız (Your Rights)
Under Article 11 of KVKK you have the right to: (a) learn whether your personal data is being processed; (b) request information about the processing; (c) learn the purpose of processing and whether it is being used in line with that purpose; (d) know the recipients of any data transfers; (e) request correction of incomplete or inaccurate data; (f) request deletion or destruction (right to erasure); (g) request notification of corrections, deletions, and destructions to third parties to whom data has been transferred; (h) object to outcomes that disadvantage you arising from automated processing; (i) demand compensation if you suffer damage from unlawful processing.
9. Başvuru (How to Exercise Your Rights)
Submit your application in writing to Veropital A.Ş., Ortaköy Mah. Dereboyu Cad. No: 78, 34347 Beşiktaş / İstanbul, or by email to kvkk@veropital.com using the email address registered with us. We respond to KVKK requests within 30 days at no charge (or for the fee published by the KVKK Authority where applicable). If you are not satisfied with our response, you may complain to the Personal Data Protection Authority (kvkk.gov.tr).
10. Açık Rıza (Explicit Consent)
By creating an account on the Veropital platform you confirm that you have read this information notice. Where explicit consent is required (e.g. marketing communications, processing of special categories of data), we ask separately and you may withdraw consent at any time without affecting the lawfulness of past processing. You can manage consents at any time from Settings → Privacy.