Privacy Policy & KVKK Information Notice

How FlowPital collects, uses and protects your personal and health data.

Effective / Last updated: 15 July 2026

Privacy by design. FlowPital is a health-tracking and clinical follow-up application connecting patients and their care team, across all medical specialties. It is built around three commitments: data minimization (we collect only what care requires), isolation of your health data (it is technically walled off and readable only by you and your authorized care team), and granular, revocable consent. This notice satisfies our obligations under the Turkish Personal Data Protection Law No. 6698 ("KVKK"), the EU General Data Protection Regulation ("GDPR"), and, where applicable, the U.S. Health Insurance Portability and Accountability Act ("HIPAA").

1. Data controller

Launch-blocking legal-identity placeholders. The Turkish service operator and data controller is Ridet Software Ltd. Şti. (İstanbul, Türkiye); its group service provider is Ridet Software LLC (Wyoming, USA). The following must be inserted before public launch: [TBD — full registered address], [TBD — MERSİS / trade-registry number], [TBD — tax office and tax number], [TBD — authorized representative], and [TBD — verified privacy-request address]. Until then, no claim of complete legal compliance is made.

The data controller ("veri sorumlusu") responsible for your personal data is Ridet Software Ltd. Şti. (İstanbul, Türkiye), with group service provider Ridet Software LLC (Wyoming, USA) (together, "Ridet", "we", "us", "our"). For all privacy matters, including the exercise of your rights, you may contact our Data Protection Officer (DPO) / KVKK data-controller representative at privacy@flowpital.com. Where FlowPital processes data on behalf of a treating clinician or health institution, that clinician or institution may act as an independent or joint controller for the clinical record; in those cases we process the data as their processor under a data processing agreement, in addition to acting as controller for the operation of the service itself.

2. Categories of data we process

3. Purposes of processing

We process your data only to deliver and safeguard care coordination:

Our processing of ordinary personal data relies on the performance of the service agreement with you, your consent, our legitimate interests in operating a safe service, and compliance with legal obligations (KVKK Art. 5; GDPR Art. 6).

Your health data is special-category personal data and is processed on the basis of your explicit consent (KVKK Art. 6; GDPR Art. 9(2)(a)) and, where care is provided, for the purposes of medical diagnosis, the provision of health care or treatment, and the management of health-care systems by or under the responsibility of a health professional bound by professional secrecy (GDPR Art. 9(2)(h)). Where U.S. HIPAA applies, your health data is handled in the context of treatment, payment and health-care operations, and FlowPital acts as a business associate under a Business Associate Agreement with the covered entity. You may withdraw your explicit consent at any time (see Section 9); withdrawal does not affect the lawfulness of processing before withdrawal.

5. Data minimization & health-data isolation

We design every screen and data flow to collect the minimum data necessary for the clinical purpose at hand. Your health data is kept in an isolated data domain, logically separated from identity and technical data, and access is governed by strict authorization rules that deny by default: a patient's health record is technically readable only by that patient and their authorized care team. No advertising, profiling, or secondary commercial use of your health data ever takes place.

6. Who can access your data

No one else can read your health data. Access by our engineering/support staff is limited, logged, and permitted only for legitimate maintenance or security purposes under strict controls.

7. Processors & international transfers

Cross-border transfer control. Patient-context AI processing must remain disabled unless ALLOW_CROSS_BORDER_PHI_PROCESSING=true is enabled after a documented KVKK Article 9 assessment, processor agreement, transfer register, required notification and applicable patient notice/consent process. The required records are currently [TBD — Firebase region], [TBD — Google/Firebase DPA and transfer mechanism], [TBD — OpenAI agreement/mechanism], [TBD — Google AI agreement/mechanism], and [TBD — Anthropic agreement/mechanism].

FlowPital's infrastructure is provided by Google Firebase / Google Cloud Platform (authentication, Cloud Firestore database, Cloud Functions, Storage and Cloud Messaging), acting as our data processor under Google's Data Processing Terms. These providers may process data on servers located outside Türkiye and the EEA. Any international transfer is protected by appropriate safeguards, including the European Commission's Standard Contractual Clauses, and, for KVKK, undertakings/adequate-protection commitments and, where required, your explicit consent to the transfer. We select processors that support encryption in transit and at rest and healthcare-grade compliance commitments.

8. Retention

We retain your data only as long as necessary for the purposes above and to meet clinical-record and legal retention obligations. Product defaults (see RETENTION_POLICY in the domain package): non-clinical personal/account data is wiped within 30 days of a verified deletion request (and immediately on in-app deletion where possible); clinical records are retained for 20 years after deletion request (Türkiye institutional medical-archive practice), then destroyed or anonymized by a scheduled job; immutable audit logs are retained for 20 years for integrity evidence. Ambient visit audio follows the tenant retention setting (none / until note approval / fixed days). When you withdraw consent or exercise erasure, we delete or anonymize data unless we are legally required to keep it.

9. Your rights

Under KVKK Art. 11 and GDPR Arts. 15–22 you have the right to:

How to exercise them: send a request to privacy@flowpital.com, or use the in-app Settings → Privacy controls. Patients also accept a separate health-data explicit consent (KVKK Art. 6). We verify your identity and respond within 30 days (KVKK) / without undue delay and within one month (GDPR), free of charge in ordinary cases.

10. Security measures

11. AI suggests, the clinician decides

FlowPital never makes an autonomous medical decision. Any AI-generated suggestion, summary or draft is advisory only. It is presented to your clinician with its reasoning, evidence and uncertainty/limits stated. The clinician alone selects, approves and prescribes; a care plan cannot become approved without an explicit human review gate. AI outputs are used to support and strengthen (never to replace) the clinical judgment and the trust between you and your doctor.

12. Children

FlowPital is intended for use by adults and by clinicians. Where care involves a minor, the account is operated under the responsibility of a parent, legal guardian or the treating institution, and processing of the minor's health data proceeds on the appropriate legal basis and consent. We do not knowingly create accounts for children to use independently.

13. Breach notification

In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority (the Turkish Personal Data Protection Authority, "KVK Kurumu", and/or the relevant EU authority) and, where required, affected individuals, without undue delay and in line with the statutory timeframes (GDPR Art. 33/34; KVKK Board decisions). Under HIPAA, breach notification rules apply to your affected health data.

14. Contact & complaints

Data controller & DPO / KVKK Veri Sorumlusu: privacy@flowpital.com. You also have the right to lodge a complaint with a supervisory authority: in Türkiye, the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu, kvkk.gov.tr); in the EU, your local data protection authority.

15. Changes to this notice

We may update this notice to reflect changes in law or in the service. We will post the revised version here and update the "Last updated" date; material changes affecting health-data processing will be communicated to you and, where required, re-consented.