This translation is provided for information purposes only. The binding and authoritative version of this document is the Turkish text.

PATIENT PRIVACY NOTICE (About the KRATS Platform)

Effective: 17 May 2026

This notice is provided to you by the healthcare facility ("Clinic") that is providing your services. The Clinic is the Data Controller. KRATS is the software platform vendor and acts as Data Processor.


1. WHAT IS KRATS, AND WHAT IS THIS NOTICE FOR?

KRATS is the clinic management software your healthcare provider uses for patient records, appointments, billing, etc. Clinic personnel (doctors, nurses, secretaries) maintain your records via the KRATS software.

This notice describes what personal data is processed within KRATS software. It complies with KVKK Art. 10 (Turkey) and GDPR Art. 13/14 (EU).

ROLE DISTINCTION — IMPORTANT:

  • Clinic = Data Controller → Determines how and why your data is processed, primary legal responsibility lies with the Clinic.
  • KRATS = Data Processor → Provides technical storage, encryption, backup per Clinic's instructions. KRATS will NEVER use patient data for its own marketing, sales, AI training, etc.

1.5 WHERE IS YOUR DATA STORED? (Local-First Architecture)

SHORT ANSWER: Your data stays primarily on the Clinic's own device, encrypted. Data sent to the cloud is minimal and uses zero-knowledge encryption — only the Clinic holds the key.

🏥 Primary Storage: Clinic's Device (Local)

  • All your health data (diagnoses, clinical notes, imaging, lab results, medications, vital signs, etc.) is stored on the Clinic's own computer/server
  • The database is encrypted with SQLCipher AES-256 — even if the device is stolen, data cannot be read
  • KRATS software works without internet connection (local-first)
  • If the Clinic closes or KRATS subscription ends, data remains on the Clinic's device

☁️ Secondary Storage: Cloudflare R2 Backup (Zero-Knowledge)

  • Cloudflare R2 cloud storage is used for backup only
  • Backups are encrypted with the Clinic's own master keyeven KRATS cannot read these backups
  • "Zero-knowledge architecture" — neither the cloud provider (Cloudflare) nor KRATS can see your data
  • Backups exist only to recover if the Clinic's device fails

❌ Does NOT Go to the Cloud:

  • Your medical imaging (DICOM) files → stay local
  • Your audio recordings → deleted instantly after transcript, never reach cloud
  • Lab reports → stay local
  • Clinical photographs → stay local
  • The original of your patient record → stays local

✅ Sole Cloud Exception: AI Clinical Summary (Opt-in)

  • Only if the Clinic activates this feature AND you provide explicit consent
  • Anonymised text (national ID, phone, email filtered out) is sent to OpenAI or Anthropic
  • Anonymised text is not retained by AI providers (no-training, no log retention defaults)
  • Without your consent, NO data is sent to AI

COMPARISON — vs. Traditional Cloud SaaS:

AspectTraditional Cloud SaaSKRATS (Local-First)
Where is the dataOn the provider's cloud serverOn the Clinic's own device
Can the provider read your dataYes (technically)No (zero-knowledge encryption)
If internet is downDoesn't workContinues to work
If provider goes bankruptData access issueData is at the Clinic
If cloud is breachedAll customer data at riskOnly encrypted backup — cannot be opened


2. DATA PROCESSED IN KRATS

The Clinic stores the following personal data via KRATS:

A) Identity & Contact

  • Name, surname, national ID (or passport), date of birth, gender
  • Phone, email, address

B) Emergency Contact (Third Party)

  • Name and phone of person to contact in emergencies
  • (This is a third party's personal data — the Clinic is obligated to inform that person about the privacy notice.)

C) Health Data (Special Category — KVKK Art. 6 / GDPR Art. 9)

KRATS stores the following health data:

  • Vital signs: Blood pressure, pulse, temperature, respiratory rate, SpO2, weight, height, BMI, pain score
  • Diagnoses: ICD-10 codes, clinician-written diagnosis text, active chronic problems
  • Clinical notes: Anamnesis (medical history), examination notes, appointment notes
  • Medications: Name, active ingredient, dose, frequency, route, start/end dates
  • Medical imaging (DICOM): If the Clinic performs imaging — X-ray, MRI, CT, ultrasound files are uploaded to the software
  • Laboratory reports: Test results (PDF or digital files)
  • Prescription files
  • Other clinical documents: Consultation reports, surgical reports, treatment protocols; some aesthetic/dermatology clinics may upload clinical photographs (e.g., before/after) in this category — the Clinic obtains separate explicit consent for this
  • Audio recordings (optional): During anamnesis, the clinician may record voice via microphone — this audio is instantly converted to text (Whisper model) and the audio file is deleted. Clinician obtains your explicit consent before using this feature

D) Appointment & Encounter Records

  • Appointment dates/times/reasons/status, clinician, encounter dates and outcomes

E) Branch-Specific Form Data

  • Each clinical branch (aesthetic, physiotherapy, radiology) defines custom forms

F) KVKK Consent Status Record

  • A flag indicating the Clinic has provided you the privacy notice

G) Audit (Activity Log)

  • Who, when, from which device accessed your data (hash-chain protected)

KRATS Does NOT Process ❌

  • Biometric data (facial recognition, fingerprints) — KRATS does not use biometrics for authentication
  • Genetic data
  • Sexual life / orientation
  • Religion, belief, political opinion
  • Trade union membership
  • Criminal conviction / security measure records
  • Location (GPS) tracking

3. WHY IS YOUR DATA PROCESSED? (Legal Bases)

DataLegal Basis
Identity, contact, diagnoses, clinical notes, medications, imaging, labKVKK Art. 6/3 (healthcare provision) + Art. 5/2-c (contract) / GDPR Art. 9(2)(h), 6(1)(b)
AI clinical summary (optional feature)KVKK Art. 6/2 (explicit consent) / GDPR Art. 9(2)(a)
Clinical photographsExplicit consent
Audio recordings (anamnesis transcript)Explicit consent
Billing / financial recordsKVKK Art. 5/2-a (Turkish Tax Procedure Law) / GDPR Art. 6(1)(c)
Transfers to authoritiesKVKK Art. 5/2-ç (legal obligation) / GDPR Art. 6(1)(c)
Marketing (by Clinic)KVKK Art. 5/1 (opt-in consent) / GDPR Art. 6(1)(a)

4. WHO RECEIVES YOUR DATA?

A) Within Turkey

  • Clinic personnel (doctors, nurses, secretaries — authorised)
  • Official authorities (court, prosecutor, KVKK Authority, SGK, Ministry of Health) — upon lawful request
  • e-Nabız / MBYS (Ministry of Health system)this feature is currently INACTIVE. Code module exists but has not been deployed to customer environments. If activated in the future, this notice will be updated and separate explicit consent obtained.
  • Accountant / legal counsel — for Clinic's contract / legal processes

B) International Transfers — What Data, Under What Conditions?

IMPORTANT REMINDER: KRATS operates local-first — most of your patient data stays on the Clinic's device, never leaving Turkey. International transfers occur only in the following specific, limited use cases:

🔒 AUTOMATIC BACKUP (Cloudflare R2 — US/EU)

  • What is sent: Backup encrypted with the Clinic's own key (zero-knowledge)
  • Why: Recovery if the Clinic's device fails or is lost
  • What Cloudflare sees: Nothing readable — only encrypted bytes
  • What KRATS sees: Nothing — the key is at the Clinic, even KRATS cannot decrypt
  • Safeguard: EU-US Data Privacy Framework + Standard Contractual Clauses (SCC) + AES-256

🤖 AI CLINICAL SUMMARY (OpenAI or Anthropic — US) — OPT-IN

  • Sent only if the Clinic activates this feature AND you provide explicit consent
  • What is sent: Anonymised clinical text only (national ID, phone, email automatically filtered)
  • What is NOT sent: Your name, identity, photos, DICOM images, audio recordings
  • What AI does: Provides suggestions to the clinician; data is NOT used for model training (no-training default)
  • Safeguard: EU-US DPF + contractual no-training + no log retention

🖥️ KRATS LICENCE / ACCOUNT OPERATIONS (Cloudflare Workers — US/EU)

  • What is sent: Clinic admin account verification (clinic admin data — NOT patient data)
  • Why: Licence token verification
  • Patient data NOT sent — this channel is for clinic subscription management only

📧 TRANSACTIONAL EMAIL (Resend — US) — For Clinic Admin

  • What is sent: Clinic admin email + transaction type (e.g., "your invoice is ready")
  • Patient data NOT sent

🐞 ERROR MONITORING (Sentry — US) — OPT-IN

  • Only if the Clinic opts in to this feature
  • What is sent: Anonymised error trace — personal data automatically filtered (before_send hook)
  • Data subject-identifiable information NOT sent

🚫 NEVER LEAVES TURKEY / GOES ABROAD

  • ❌ Your DICOM medical imaging files
  • ❌ Your laboratory report files
  • ❌ Your prescription files
  • ❌ Your clinical photographs (aesthetic, dermatology)
  • ❌ Your audio recordings (deleted instantly after transcript anyway)
  • ❌ Your full identity (national ID + name + address together)
  • ❌ Your full patient record

5. SOURCE OF YOUR DATA

  • Directly from you (form filling, verbal at clinic)
  • Entered by clinician during examination (vitals, diagnoses, notes)
  • From medical devices (e.g., scale, blood pressure monitor — manual or integration)
  • Lab / radiology reports (uploaded by Clinic)
  • From your emergency contact (when you provide it)

6. RETENTION PERIOD

DataPeriod
Patient record (all clinical data)20 years (Turkish Patient Rights Regulation Art. 16) from last action
Billing / financial10 years (VUK Art. 253, Commercial Code Art. 82)
Audio recordingsDeleted instantly after transcript (not stored permanently)
AI clinical summary metadata (anonymised)2 years
Audit log5 years
Marketing preferencesUntil withdrawal/3 years

After retention expires, data is deleted / destroyed / anonymised (KRATS Retention-Erasure Policy).


7. YOUR RIGHTS (KVKK Art. 11 / GDPR Art. 15-22)

You have the following rights:

RightDescription
InformationLearn whether your data is processed
AccessRequest a copy of your data
RectificationCorrect inaccurate/incomplete data
Erasure / "right to be forgotten"Subject to statutory retention obligations
Restriction / objectionObject to specific processing
Information about transfersLearn where your data is transferred
Object to automated decisionsObject to AI clinical summary (NO automated diagnosis — AI only suggests to clinician)
CompensationIf unlawful processing causes damage
Withdraw consentAt any time, for future processing
Lodge complaintIf response is inadequate or absent

Where to Submit?

Your Data Controller is the CLINIC — please submit your request first to the Clinic providing your healthcare service. The Clinic must respond within 30 days (KVKK Art. 13 / GDPR Art. 12).

If your request is specifically about the KRATS platform (e.g., cloud backup deletion, KRATS account closure) or you cannot reach the Clinic, you may contact KRATS directly; we will forward your request to the Clinic:

KRATS Contact:

Supervisory Authorities:


8. DATA SECURITY (KRATS MEASURES)

KRATS applies measures pursuant to KVKK Art. 12 and ISO/IEC 27001:2022:

  • SQLCipher AES-256 encryption of Clinic's local database (encrypted even if device stolen)
  • TLS 1.2+ for all internet traffic
  • Zero-knowledge Cloudflare R2 backup — even KRATS cannot read backups
  • bcrypt cost 12 password hashing
  • PII regex masking in AI calls (national ID, phone, email anonymised)
  • Audit log + hash chain — tamper-evident access history
  • Annual penetration testing
  • 72-hour breach notification procedure
  • Personnel KVKK/GDPR training (KRATS 2-person team)

9. KRATS CONTACT INFORMATION

KRATS acts as Data Processor for the Clinic's patient data. KRATS's legal identity:

FieldInformation
Legal NameKRATS Yazılım Faaliyetleri (Sole Proprietorship)
BrandKRATS
Tax/National ID4120238564
VERBİS Application No.1778852213
AddressAkarca Mah. 313 Sk. Dımlıoğulları Apt. B Blok No: 18/1, Anamur / Mersin, Turkey
KEPhatice.gucuk@hs03.kep.tr
Phone+90 850 346 86 01
Emailsupport@kratsonline.com

10. CLINIC CONTACT INFORMATION

(This section is completed by the Clinic — Clinic is the Data Controller and has its own VERBİS registration and privacy notice.)

FieldInformation
Clinic name__________________________
Data Controller / VERBİS No.__________________________
Clinic address__________________________
Clinic contact__________________________
Clinic DPO / Contact Person__________________________

11. CHILDREN'S DATA

For children under 13, parental/guardian explicit consent is obtained by the Clinic. KRATS provides system support; responsibility lies with the Clinic.


12. COOKIES

The KRATS website (kratsonline.com) uses cookies. Details: Cookie Policy


13. CHANGES

When this notice is updated, the Clinic may re-present it to you. The current version is always at kratsonline.com/privacy-patient.

Versions:

  • v1.0 — 17.05.2026 — Initial draft
  • v2.0 — 17.05.2026 — Post-code-audit real inventory (DICOM, audio recording, AI X-ray, e-Nabız, vitals, medications, PatientFile details) added. Fabricated categories removed.