1. INTRODUCTION AND PURPOSE
This Privacy and Personal Data Protection Policy (“Policy”) describes how Depar IT Solutions (“we,” “us,” “our,” or “the Company”) collects, processes, stores, and protects your personal data when you use our Praxis-24 application and related services. We are committed to protecting your privacy and ensuring transparency about our data practices.
This Policy applies to all users and visitors of:
- The Praxis-24 web application (pro.praxis-24.com)
- The Praxis-24 marketing website (praxis-24.com)
- Praxis-24 mobile applications (Android and iOS)
2. DATA CONTROLLER
Depar IT Solutions is the data controller responsible for your personal data.
Contact Information:
- Email: support@praxis-24.com
- Website: praxis-24.com
For matters related to data protection, you can contact us at the email address above.
3. LEGAL BASIS FOR PROCESSING
We process your personal data in accordance with:
- EU General Data Protection Regulation (GDPR) 2016/679
- Turkish Law No. 6698 on Protection of Personal Data (KVKK)
- Turkish Law No. 6563 on Regulation of Electronic Commerce
- Turkish Law No. 6502 on Consumer Protection
- Other applicable data protection regulations
4. TYPES OF PERSONAL DATA WE COLLECT
4.1 Account and Profile Data
- Name and surname
- Email address
- Phone number
- Professional title and qualifications
- Business/practice information
- Login credentials (encrypted passwords)
4.2 Usage Data
- IP address
- Device information (type, operating system, browser)
- Application usage patterns and features accessed
- Log data and session information
- Performance and diagnostic data
4.3 Patient/Client Data (Entered by Users)
Important: Healthcare providers using Praxis-24 are independent data controllers for patient/client data they enter. We act as a data processor for this information. Users are solely responsible for:
- Obtaining appropriate consent from their patients/clients
- Ensuring lawful processing of special category health data
- Compliance with healthcare data protection regulations
- Accuracy and legitimacy of entered data
4.4 Financial Data
- Payment information (processed securely through third-party payment providers)
- Billing and invoice details
- Transaction history
4.5 Communication Data
- Support correspondence
- Feedback and survey responses
- Marketing communication preferences
5. HOW WE COLLECT YOUR DATA
We collect personal data through:
- Direct provision: Information you provide when registering, using our services, or contacting us
- Automated collection: Cookies, analytics tools, and application logs
- Third parties: Payment processors, analytics providers (with your consent where required)
6. PURPOSE AND LEGAL BASIS FOR PROCESSING
| Purpose | Legal Basis | Data Types |
|---|---|---|
| Providing and maintaining the service | Contract performance (Art. 6(1)(b) GDPR) | Account data, usage data |
| User authentication and security | Contract performance and legitimate interests (Art. 6(1)(b)(f) GDPR) | Login credentials, IP address, device data |
| Customer support | Contract performance (Art. 6(1)(b) GDPR) | Contact data, communication history |
| Billing and payments | Contract performance and legal obligation (Art. 6(1)(b)(c) GDPR) | Financial data, billing information |
| Service improvement and analytics | Legitimate interests (Art. 6(1)(f) GDPR) | Anonymized usage data |
| Marketing communications | Consent (Art. 6(1)(a) GDPR) | Contact information, preferences |
| Legal compliance | Legal obligation (Art. 6(1)(c) GDPR) | Various data as required |
| Processing patient/client data on behalf of users | Users’ legal bases (we act as processor) | Health data entered by users |
7. DATA SHARING AND TRANSFERS
7.1 Who We Share Data With
We may share your personal data with:
Service Providers (Data Processors):
- Cloud hosting providers (data stored on secure servers)
- Payment processors
- Email service providers
- Analytics and monitoring tools
- Customer support platforms
All third-party processors are bound by data processing agreements ensuring GDPR compliance.
Legal Requirements: We may disclose data when required by law, court order, or regulatory authorities.
Business Transfers: In the event of a merger, acquisition, or asset sale, personal data may be transferred. We will notify you of any such change.
7.2 International Data Transfers
Your data may be transferred to and stored on servers located outside the European Economic Area (EEA) and Turkey. When we transfer data internationally, we ensure appropriate safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Transfer to countries with adequacy decisions
- Other legally recognized transfer mechanisms
You have the right to request information about international transfers and obtain copies of relevant safeguards.
7.3 No Data Selling
We do not sell, rent, or trade your personal data to third parties for their marketing purposes.
8. DATA RETENTION
We retain your personal data only for as long as necessary for the purposes outlined in this Policy:
- Active accounts: Data retained while your account is active and for legitimate business purposes
- Inactive accounts: Accounts inactive for 3 months may be deleted after notice
- After account closure: We provide read-only access to your data for 3 months after subscription termination. After this period, you may request data retrieval (fees may apply as specified in the application)
- Legal retention: Some data may be retained longer to comply with legal, accounting, or regulatory requirements
- Anonymized data: Aggregated and anonymized data may be retained indefinitely for statistical purposes
9. DATA SECURITY
We implement appropriate technical and organizational measures to protect your personal data:
9.1 Technical Measures
- Encryption of data in transit (TLS/SSL) and at rest
- Secure authentication and access controls
- Regular security testing and vulnerability assessments
- Intrusion detection and prevention systems
- Secure backup procedures
- Firewall protection
9.2 Organizational Measures
- Access limited to authorized personnel on a need-to-know basis
- Employee training on data protection
- Confidentiality agreements with staff and processors
- Data protection impact assessments for high-risk processing
- Incident response procedures
9.3 Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours
- Inform affected individuals without undue delay if there is a high risk to their rights
- Document all breaches and remedial actions taken
10. COOKIES AND TRACKING TECHNOLOGIES
We use cookies and similar tracking technologies to enhance your experience and analyze service usage.
10.1 Types of Cookies We Use
Essential Cookies (No consent required):
- Authentication and session management
- Security features
- Load balancing
Analytics Cookies (Consent required):
- Usage statistics and performance monitoring
- Understanding user behavior and preferences
- Service improvement insights
Marketing Cookies (Consent required):
- Personalized content and advertisements
- Campaign effectiveness measurement
10.2 Cookie Management
You can control cookies through:
- Browser settings (most browsers allow you to refuse cookies)
- Our cookie consent banner (shown on first visit)
- Cookie preference center (accessible in your account settings)
Disabling essential cookies may affect service functionality.
For detailed information, please see our Cookie Policy.
11. YOUR RIGHTS UNDER GDPR
As a data subject, you have the following rights:
11.1 Right of Access (Art. 15 GDPR)
You can request confirmation of whether we process your personal data and obtain a copy of such data.
11.2 Right to Rectification (Art. 16 GDPR)
You can request correction of inaccurate or incomplete personal data.
11.3 Right to Erasure / “Right to be Forgotten” (Art. 17 GDPR)
You can request deletion of your personal data when:
- Data is no longer necessary for the purposes collected
- You withdraw consent (where processing is based on consent)
- You object to processing and there are no overriding legitimate grounds
- Data has been unlawfully processed
- Erasure is required for legal compliance
11.4 Right to Restriction of Processing (Art. 18 GDPR)
You can request restriction of processing when:
- You contest the accuracy of the data
- Processing is unlawful but you prefer restriction over erasure
- We no longer need the data but you need it for legal claims
- You have objected to processing pending verification of legitimate grounds
11.5 Right to Data Portability (Art. 20 GDPR)
You can request to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
11.6 Right to Object (Art. 21 GDPR)
You can object to processing based on:
- Legitimate interests (Art. 6(1)(f))
- Direct marketing (absolute right)
- Scientific/historical research or statistical purposes
11.7 Right to Withdraw Consent (Art. 7(3) GDPR)
Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
11.8 Right Not to be Subject to Automated Decision-Making (Art. 22 GDPR)
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you.
11.9 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority:
- EU/EEA: Your local data protection authority
- Turkey: Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu – KVKK)
12. HOW TO EXERCISE YOUR RIGHTS
To exercise any of your rights, please contact us at:
- Email: support@praxis-24.com
- Subject line: “Data Subject Rights Request”
Your request must include:
- Full name and contact information
- Description of the right you wish to exercise
- Identity verification documents (to prevent unauthorized disclosure)
- Specific data or processing activities concerned (if applicable)
Response Time: We will respond to your request within 30 days. If your request is complex or we receive multiple requests, we may extend this period by 60 days, and we will inform you of such extension.
Fees: We do not charge fees for most requests. However, if your request is manifestly unfounded or excessive (particularly if repetitive), we may charge a reasonable fee or refuse to act on the request.
13. SPECIAL PROVISIONS FOR HEALTHCARE DATA
13.1 Dual Data Controller Relationship
When you use Praxis-24 to process patient/client health data:
- You are the data controller for patient/client data you enter
- We are the data processor acting on your instructions
13.2 Your Obligations as a Healthcare Provider
You must:
- Obtain valid consent or establish another legal basis for processing health data
- Comply with healthcare-specific regulations (e.g., medical confidentiality laws)
- Implement appropriate safeguards for special category data
- Inform patients about data processing and their rights
- Ensure data accuracy and legitimacy
- Not process data beyond the scope of patient consent
13.3 Our Obligations as Processor
We:
- Process health data only on your documented instructions
- Ensure confidentiality of personnel with access to data
- Implement appropriate technical and organizational security measures
- Assist you in responding to data subject requests
- Notify you of any data breaches affecting health data
- Delete or return data upon termination of services (as instructed)
- Make available information necessary to demonstrate compliance
13.4 Data Processing Agreement
By using our services to process health data, you agree to the data processing terms in our User Agreement, which constitutes our Data Processing Agreement (DPA) under GDPR Article 28.
14. CHILDREN’S PRIVACY
Praxis-24 is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If you are under 18, please do not use our services or provide any personal data.
If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete such information promptly.
15. CHANGES TO THIS POLICY
We may update this Policy from time to time to reflect changes in:
- Our data practices
- Legal or regulatory requirements
- Service features or functionality
Notification of Changes:
- Material changes will be notified via email or prominent notice in the application
- The “Last Updated” date at the top of this Policy will be revised
- Continued use of services after changes constitutes acceptance
- For material changes affecting your rights, we may request renewed consent
We encourage you to review this Policy periodically.
16. THIRD-PARTY LINKS AND SERVICES
Our services may contain links to third-party websites, applications, or services not operated by us. We are not responsible for the privacy practices of third parties. We encourage you to read the privacy policies of any third-party services you access.
17. DATA PROTECTION OFFICER
Given the nature and scope of our processing activities, we have not appointed a formal Data Protection Officer. However, data protection inquiries can be directed to our support team at support@praxis-24.com.
18. GOVERNING LAW AND JURISDICTION
This Policy is governed by and construed in accordance with:
- EU General Data Protection Regulation (GDPR) for EEA users
- Turkish Law No. 6698 on Protection of Personal Data (KVKK) for Turkish users
- Other applicable data protection laws based on your location
For disputes related to data protection:
- EU/EEA users may bring claims before courts in their member state
- Turkish users: Antalya Courts and Enforcement Offices have jurisdiction
19. CONTACT US
For any questions, concerns, or requests regarding this Privacy Policy or our data practices:
Depar IT Solutions
- Email: support@praxis-24.com
- Website: praxis-24.com
We are committed to addressing your concerns and will respond to all legitimate requests within the timeframes required by applicable law.
Acknowledgment: By using Praxis-24 services, you acknowledge that you have read, understood, and agree to this Privacy and Personal Data Protection Policy.
