This statement is issued by Medlife24 Sağlık Teknolojileri Ltd. Şti. ("Medlife24") in its capacity as data controller (veri sorumlusu) pursuant to Article 10 of the Law on the Protection of Personal Data No. 6698 ("KVKK") and the Communiqué on Procedures and Principles for Fulfilling the Disclosure Obligation issued by the Personal Data Protection Authority.
This document explains the processing of personal data carried out by Medlife24 in the operation of the platform available at medlife24.com (the "Platform"). For broader information regarding our data practices, including those subject to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), refer to our Privacy Policy.
1. Identity of the Data Controller
Data Controller (Veri Sorumlusu)
Medlife24 Sağlık Teknolojileri Ltd. Şti.
Registered office: İnönü Mah. 234 Sok. No: 30 — 45200 Akhisar/Manisa
MERSIS No: 12345
Trade Registry: 12345
Contact: privacy@medlife24.com
Medlife24 has registered with the Data Controllers' Registry (VERBIS) maintained by the Personal Data Protection Authority. VERBIS registration number: [VERBIS Registration No., where applicable].
2. Categories of Personal Data Processed
In accordance with Article 3(1)(d) of KVKK, the following categories of personal data are processed:
Identification Data (Kimlik Verisi): Name, surname, position held within the clinic.
Contact Data (İletişim Verisi): Business email address, business telephone number, business address.
Account Data (Müşteri İşlem Verisi): Account credentials (encrypted), login timestamps, account creation date, IP address, browser identifier.
Visual and Audio Data (Görsel ve İşitsel Veri): Photographs of clinic premises voluntarily uploaded by Clinic Users.
Marketing Data (Pazarlama Verisi): Communication preferences for promotional messaging, where explicitly consented to.
Process Security Data (İşlem Güvenliği Verisi): Logs, authentication attempts, security event records.
Financial Data (Finans Verisi): Subscription billing records; payment card data is processed by iyzico Ödeme Hizmetleri A.Ş. as an independent data controller and is not retained by Medlife24.
Legal Action Data (Hukuki İşlem Verisi): Records of correspondence, complaints, and legal notifications where applicable.
The Platform does not process special categories of personal data (özel nitelikli kişisel veri) within the meaning of Article 6 of KVKK. We do not process patient health data, clinical records, or treatment histories.
3. Purposes of Processing
In accordance with Article 4(1) of KVKK, personal data is processed for the following specific, explicit, and legitimate purposes:
- creation and administration of Clinic User accounts;
- provision of the listing services that constitute the Platform's core functionality;
- verification of clinic eligibility against publicly available regulatory records, including USHAŞ records;
- processing of subscription payments and management of billing relationships;
- communication with Clinic Users regarding their accounts, including notifications of service changes;
- responding to support requests, complaints, and information requests;
- detection, prevention, and investigation of fraud, security incidents, and breaches of our Terms of Use;
- compliance with legal obligations arising under Turkish law, including obligations under the Turkish Tax Procedure Law No. 213, the Turkish Commercial Code No. 6102, and KVKK itself;
- production of aggregated, non-identifying analytics for the purpose of improving the Platform; and
- where explicit consent has been obtained, delivery of marketing communications.
4. Legal Bases for Processing
Personal data is processed on the legal bases set out in Article 5 of KVKK, specifically:
| Processing Activity | Legal Basis under KVKK |
|---|---|
| Provision of account services | Article 5(2)(c) — explicit performance of a contract |
| Verification of regulatory registration | Article 5(2)(ç) — compliance with legal obligation |
| Billing and tax record-keeping | Article 5(2)(ç) — compliance with legal obligation |
| Platform security and fraud prevention | Article 5(2)(f) — legitimate interests of the data controller |
| Analytics and Platform improvement | Article 5(2)(f) — legitimate interests of the data controller |
| Marketing communications | Article 5(1) — explicit consent |
Where processing is based on legitimate interests under Article 5(2)(f), Medlife24 has carried out an assessment to ensure that such processing does not prejudice the fundamental rights and freedoms of data subjects.
5. Methods of Collection
Personal data is collected by the following methods:
- electronic submission through forms and account creation interfaces on the Platform;
- automated collection through cookies and similar technologies (as further described in our Cookie Policy);
- correspondence sent to Medlife24 by email or other electronic means; and
- consultation of publicly available regulatory registries for verification purposes.
6. Transfer of Personal Data
6.1 Transfers to Third Parties Within Turkey
Personal data may be shared with third parties domiciled in Turkey for the purposes of operating the Platform. These third parties act as data processors (veri işleyen) under Article 12 of KVKK and process data solely on the basis of written agreements with Medlife24.
6.2 International Transfers
In accordance with Article 9 of KVKK, personal data may be transferred outside Turkey under the following conditions:
- where explicit consent has been obtained from the data subject; or
- where the transfer is to a country listed as providing adequate protection by the Personal Data Protection Board; or
- where, in the absence of an adequacy decision, the data controllers in Turkey and the recipient country have entered into a written undertaking guaranteeing adequate protection and the Personal Data Protection Board has authorized the transfer.
The principal recipients of international transfers from the Platform are:
| Recipient | Country | Purpose | Safeguards |
|---|---|---|---|
| Supabase Inc. | United States (EU servers used) | Database and authentication hosting | EU Standard Contractual Clauses; EU-located processing |
| Vercel Inc. | United States | Application hosting | EU Standard Contractual Clauses |
| Resend, Inc. | United States | Transactional email delivery | EU Standard Contractual Clauses |
7. Retention of Personal Data
In accordance with Article 7 of KVKK and the Regulation on Deletion, Destruction, or Anonymization of Personal Data, personal data is retained only for so long as is necessary for the purposes for which it was collected, or as required by applicable law. Specific retention periods are set out in our Privacy Policy.
Personal data is destroyed or anonymized in accordance with our internal Personal Data Retention and Disposal Policy upon expiration of the relevant retention period.
8. Rights of the Data Subject under Article 11
Under Article 11 of KVKK, individuals whose personal data is processed by Medlife24 have the right to:
- learn whether their personal data is being processed;
- request information regarding such processing, if any;
- learn the purpose of processing and whether the data is used in accordance with such purpose;
- know the third parties, whether domestic or abroad, to whom the data is transferred;
- request correction of personal data that is incomplete or inaccurate, and request that such correction be notified to third parties to whom the data has been transferred;
- request deletion or destruction of personal data within the framework of the conditions set out in Article 7 of KVKK, and request that such deletion or destruction be notified to third parties to whom the data has been transferred;
- object to any adverse consequence arising from automated analysis of processed data; and
- seek compensation for damages arising from unlawful processing of personal data.
9. Exercising Rights
9.1 Method of Application
Requests under Article 11 must be submitted in writing in accordance with the Communiqué on the Procedures and Principles for Application to the Data Controller. Acceptable methods of submission include:
- delivery in person or by notary to the registered address of Medlife24, accompanied by a wet-signed application form;
- transmission by registered electronic mail (KEP) to the KEP address of Medlife24 at [KEP Address]; or
- transmission by email from an email address previously notified to Medlife24, to privacy@medlife24.com, with secure electronic signature where required.
9.2 Content of the Application
Applications must include:
- the applicant's name, surname, and (for written applications) signature;
- for Turkish citizens, the national identification number (T.C. Kimlik No); for foreign nationals, nationality, passport number, or equivalent identification number;
- the applicant's residence or business address that will receive the response;
- the applicant's email address, telephone number, or fax number (optional, for response);
- the subject of the request, set out clearly; and
- supporting documentation, where applicable.
9.3 Response Period
Medlife24 will respond to applications within 30 calendar days of receipt, free of charge. Where the application requires additional cost, Medlife24 may charge the fee specified in the tariff published by the Personal Data Protection Board.
9.4 Complaint to the Authority
Where the applicant is dissatisfied with the response, or where Medlife24 fails to respond within the prescribed period, the applicant may file a complaint with the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu) within:
- 30 calendar days of receipt of the response; and
- in any event, 60 calendar days from the date of the original application.
Complaints may be filed at:
Kişisel Verileri Koruma Kurumu
Nasuh Akar Mah. Ziyabey Cad. 1407. Sok. No: 4, 06520 Balgat-Çankaya/Ankara
Website: kvkk.gov.tr
10. Security Measures
In accordance with Article 12 of KVKK, Medlife24 has implemented technical and organizational measures designed to:
- prevent unlawful processing of personal data;
- prevent unauthorized access to personal data; and
- ensure the security of personal data.
These measures include encryption, access controls, regular security testing, employee training on data protection, and the imposition of contractual obligations on data processors. Detailed information regarding security measures is set out in our Privacy Policy.
Where a breach of personal data security occurs, Medlife24 will notify the Personal Data Protection Authority within 72 hours of becoming aware of the breach, in accordance with Decision No. 2019/10 of the Personal Data Protection Board.
11. Amendments
This statement may be amended from time to time to reflect changes in processing activities, legal requirements, or Medlife24's organization. Material amendments will be notified by email to registered Clinic Users at least 30 calendar days before they take effect. The Last Updated date reflects the most recent revision.
12. Contact
Inquiries and requests under this statement may be directed to:
Medlife24 Sağlık Teknolojileri Ltd. Şti.
Email: privacy@medlife24.com
Postal address: [Address]
KEP: [KEP Address, where established]