
Last Updated: 30 May 2026

Privacy Policy

Medlife24 Sağlık Teknolojileri Ltd. Şti. ("Medlife24," "we," "us") operates the platform available at medlife24.com (the "Platform"). This Privacy Policy describes the categories of personal data we process, the purposes for which we process them, and the rights available to individuals whose data we hold.

This policy applies to (i) clinics and their authorized representatives who register for accounts on the Platform ("Clinic Users") and (ii) visitors who access the Platform without registering ("Visitors"). Defined terms used in our Terms of Use carry the same meaning here.

1. Identity of the Data Controller

The data controller responsible for the processing of personal data described in this policy is:

Medlife24 Sağlık Teknolojileri Ltd. Şti.
Registered office: Inönü Mah. 234 Sok. No: 30 — 45200 Akhisar/Manisa
Trade registry number: 123456
Contact: privacy@medlife24.com

For matters arising under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), correspondence may be addressed to the contact above.

2. Categories of Personal Data Processed

We process the following categories of personal data:

2.1 Clinic User Data

  • Identification data: full name, position within the clinic, photograph (where voluntarily provided)
  • Contact data: business email address, business telephone number, business address
  • Account data: encrypted authentication credentials, account creation date, login timestamps
  • Clinic operational data: legal entity name, registration numbers, accreditation references (including but not limited to USHAŞ registration numbers), service offerings, pricing information, photographs of the clinic premises

2.2 Visitor Data

  • Technical data: IP address, browser type and version, operating system, device identifiers, referrer URL
  • Usage data: pages accessed, session duration, navigation patterns, search queries entered on the Platform
  • Cookie data: as further described in our Cookie Policy

2.3 Patient Account Data

When a patient registers an account on the Platform, we collect and store the following distinct categories of name data, each serving a specific and limited purpose:

  • Full name — the patient's legal name as provided during registration. Stored to fulfil disclosure obligations under Article 10 of KVKK. Accessible only to platform administrators; never displayed publicly.
  • Display name — a name the patient selects for use within their authenticated dashboard. Shown only to the authenticated patient; not visible to other users or to unauthenticated visitors.
  • Nickname — a unique public handle chosen by the patient. Displayed alongside any reviews the patient submits. Visible to all platform visitors.

The separation of these three fields reflects the principle of purpose limitation under Article 5(1)(b) of the GDPR and Article 4(2) of KVKK: each data point is processed only to the extent necessary for its stated purpose.

2.4 Communications Data

We process correspondence between you and Medlife24 (including support requests, complaints, and inquiries submitted through Platform forms or email), together with any attachments.

We do not process patient medical records, clinical histories, prescription information, or other health data of patients. The Platform is a listing service; clinical interactions occur directly between patients and clinics outside the Platform.

3. Legal Bases for Processing

We process personal data on the legal bases set out below.

Processing Activity | Legal Basis (GDPR Art. 6) | Equivalent Basis (KVKK Art. 5)
Provision of account services | Performance of a contract (6(1)(b)) | Explicit performance of a contract (5(2)(c))
Verification of clinic registration | Legal obligation (6(1)(c)) | Compliance with legal obligation (5(2)(ç))
Platform analytics | Legitimate interests (6(1)(f)) | Legitimate interests (5(2)(f))
Marketing communications (where opted in) | Consent (6(1)(a)) | Explicit consent (5(1))
Fraud prevention and platform security | Legitimate interests (6(1)(f)) | Legitimate interests (5(2)(f))

Where we rely on legitimate interests, we have conducted a balancing assessment and concluded that those interests are not overridden by the data subject's interests, rights, or freedoms. A summary of these assessments is available on request.

4. Purposes of Processing

Personal data is processed for the following purposes:

  1. creating and administering Clinic User accounts;
  2. displaying clinic listings on the public-facing portions of the Platform;
  3. verifying that Clinic Users meet the eligibility criteria set out in our Terms of Use, including verification against publicly available USHAŞ records;
  4. processing subscription payments and managing billing relationships (payment card data is processed by iyzico Ödeme Hizmetleri A.Ş. and is not retained by Medlife24);
  5. responding to support requests and managing complaints;
  6. detecting, preventing, and addressing fraud, security incidents, and violations of our Terms of Use;
  7. producing aggregated, non-identifying analytics regarding Platform usage;
  8. complying with legal obligations under Turkish law, including obligations arising under the Law on the Protection of Personal Data No. 6698 ("KVKK") and applicable commercial and tax legislation.

5. Disclosure of Personal Data

We disclose personal data only as described below.

Service providers (data processors). We engage the following processors, each of which acts under a written data processing agreement and processes data solely on our documented instructions:

  • Supabase Inc. (database and authentication infrastructure) — hosted in the Frankfurt region (EU)
  • Vercel Inc. (application hosting and content delivery) — processing occurs under EU Standard Contractual Clauses
  • Resend, Inc. (transactional email delivery)
  • iyzico Ödeme Hizmetleri A.Ş. (subscription payment processing) — acts as an independent controller for payment card data
  • Google Ireland Ltd. (Google OAuth authentication) — processing occurs under EU Standard Contractual Clauses
  • Cloudflare, Inc. (bot protection via Turnstile, DNS) — processing occurs under EU Standard Contractual Clauses

Legal disclosures. We may disclose personal data where required to do so by Turkish law, by valid order of a Turkish court or competent administrative authority, or where disclosure is necessary to exercise or defend legal claims.

Corporate transactions. In the event of a merger, acquisition, restructuring, or sale of all or part of our business, personal data may be transferred to the relevant counterparty. Affected individuals will be notified in accordance with applicable law.

We do not sell personal data. We do not share personal data with advertising networks. We do not engage in data brokerage of any kind.

6. International Data Transfers

Personal data is primarily processed within the European Economic Area. Where transfers occur to processors outside the EEA, we rely on:

  • the European Commission's Standard Contractual Clauses (Decision 2021/914);
  • adequacy decisions issued by the European Commission, where applicable; or
  • such other transfer mechanism as is recognized under Article 46 of the GDPR.

For transfers governed by KVKK, we rely on Article 9 of KVKK and any explicit consent obtained where required.

7. Retention

We retain personal data for the periods set out below, after which the data is deleted or anonymized:

Data Category | Retention Period
Active account data (Clinic Users and Patient Accounts) | Duration of account, plus 30 days
Inactive account data | 12 months following last login, then deleted unless required to be retained
Billing and tax records | 10 years (as required by Turkish Tax Procedure Law No. 213)
Support correspondence | 3 years from resolution
Server logs | 90 days
Analytics data | Aggregated; no individual-level retention

Where a legal obligation requires longer retention of specific records, we retain only the data necessary to satisfy that obligation.

8. Rights of Data Subjects

Under the GDPR, individuals located in the European Economic Area have the following rights:

  • the right to access personal data we hold about them (Article 15);
  • the right to rectification of inaccurate or incomplete data (Article 16);
  • the right to erasure ("right to be forgotten") in specified circumstances (Article 17);
  • the right to restrict processing in specified circumstances (Article 18);
  • the right to data portability with respect to data provided by the data subject (Article 20);
  • the right to object to processing carried out on the basis of legitimate interests (Article 21);
  • the right not to be subject to decisions based solely on automated processing that produce legal effects (Article 22); and
  • the right to lodge a complaint with a supervisory authority.

Under KVKK, individuals located in Turkey have the rights set out in Article 11 of that law, as further described in our KVKK Compliance Statement.

To exercise any right described in this Section, contact privacy@medlife24.com. We will acknowledge receipt within 7 calendar days and respond substantively within 30 calendar days. Where a request is particularly complex or where we have received multiple requests from the same individual, we may extend this period by a further 60 calendar days, with notice.

We may request reasonable information to verify the identity of the requester before processing a request.

9. Security Measures

We have implemented technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, and destruction. These measures include:

  • encryption of data in transit (TLS 1.3) and at rest (AES-256);
  • role-based access controls and the principle of least privilege;
  • multi-factor authentication for administrative access;
  • regular security testing of the Platform infrastructure;
  • documented incident response procedures;
  • contractual security obligations imposed on our processors.

No system of security is infallible. Where a personal data breach occurs that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR. Where the breach is likely to result in a high risk, affected individuals will be notified without undue delay.

10. Cookies and Similar Technologies

The Platform uses cookies and similar technologies. Detailed information about each category of cookie, including identification of the provider, the purpose, and the retention period, is set out in our Cookie Policy.

11. Changes to This Policy

This policy may be amended from time to time. Where amendments materially affect the rights of data subjects, we will provide notice by email to registered Clinic Users at least 30 calendar days before the amendments take effect. Non-material amendments (including correction of typographical errors and clarification of existing provisions) take effect upon posting.

The "Last Updated" date at the top of this policy indicates when the most recent revision was made.

12. Contact

For questions regarding this Privacy Policy or to exercise any right described in Section 8, contact:

Email: privacy@medlife24.com
Postal address: Medlife24 Sağlık Teknolojileri Ltd. Şti., Inönü Mah. 234 Sok. No: 30, 45200 Akhisar/Manisa, Türkiye

Complaints regarding our processing of personal data may also be directed to:

  • the Turkish Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu) at kvkk.gov.tr
  • the relevant supervisory authority in your member state of residence (for EEA-based individuals)