Data Controller
IADEOS YAZILIM VE HİZMET LTD. ŞTİ. ("IADEOS", "we", "us", "our") is the data controller responsible for your personal data collected through iadeos.com (the "Platform").
We are committed to protecting your privacy in accordance with Turkey's KVKK (Law No. 6698) and the EU's GDPR (Regulation 2016/679). By using the Platform you agree to the practices described in this Privacy Policy.
Data We Collect
| Category | Examples | Required? | Retention |
|---|---|---|---|
| Medical (Sensitive) | Hospital invoices, epicrisis reports, SGK documents, diagnosis codes | Yes — core service | 24 hours auto-delete |
| Contact | Email address (for receiving results) | No — optional | 1 year or until deletion request |
| Technical | IP address, browser type, session ID, cookies | Auto-collected | 6 months |
| Analysis Output | SUT comparison results, overpayment amounts | Generated data | 30 days or until deletion request |
We do not collect: government ID numbers, payment card data, social media profiles, or behavioral tracking data for advertising.
How We Use Your Data
- Analyzing uploaded hospital invoices using the LEX-OS AI engine
- Comparing invoice line items against official SGK/SUT price ceilings
- Calculating overpayments and generating refund petition documents
- Maintaining platform security and system integrity
- Fulfilling legal obligations under Turkish law
- Measuring service quality through anonymized, aggregated analytics
Your data is never used for advertising, behavioral profiling, or sale to third parties.
Legal Basis for Processing
| Legal Basis | Applies To | Data Category |
|---|---|---|
| Contract performance (KVKK Art.5/2-c; GDPR Art.6(1)(b)) | Providing the analysis service | Technical, Contact |
| Legal obligation (KVKK Art.5/2-ç; GDPR Art.6(1)(c)) | Statutory reporting requirements | Technical logs |
| Legitimate interest (KVKK Art.5/2-f; GDPR Art.6(1)(f)) | Platform security, fraud prevention | Technical |
| Explicit consent (KVKK Art.6/3; GDPR Art.9(2)(a)) | Sensitive health data processing | Medical, Financial |
Data Security
| Measure | Detail |
|---|---|
| Encryption at rest | AES-256 on all stored data |
| Encryption in transit | TLS 1.3 on all connections |
| Auto-deletion | Uploaded documents permanently deleted within 24 hours of analysis |
| Access isolation | Each user session runs in an isolated sandbox environment |
| Server location | All servers within the Republic of Turkey |
| Penetration testing | Regular third-party security audits |
Data Sharing
We do not sell, rent, or share your personal data with any third party for commercial purposes.
Data may be disclosed only under the following strictly limited circumstances:
- Court order or lawful request from Turkish law enforcement authorities
- Mandatory disclosure ordered by the Personal Data Protection Authority (KVKK Board)
- Emergency public health reporting obligation
Our AI analysis infrastructure operates within Turkey's borders in an isolated environment. Data transmitted to the inference engine is encrypted and not permanently stored.
Data Retention
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Uploaded medical documents | 24 hours after analysis | Permanent deletion (unrecoverable) |
| Analysis results | 30 days or upon deletion request | User-initiated or automatic |
| Email address | 1 year or until account deletion | Upon request |
| Technical logs (IP, session) | 6 months | Automatic rolling deletion |
Your Rights
Under KVKK Article 11 and GDPR Articles 15–22, you have the following rights:
| Right | Description |
|---|---|
| Access (Art.15 GDPR) | Request a copy of the personal data we hold about you |
| Rectification (Art.16 GDPR) | Correct inaccurate or incomplete data |
| Erasure (Art.17 GDPR) | Request deletion of your personal data |
| Portability (Art.20 GDPR) | Receive your data in a machine-readable format |
| Restriction (Art.18 GDPR) | Limit how we process your data in certain circumstances |
| Objection (Art.21 GDPR) | Object to processing based on legitimate interest |
| Withdraw consent | Revoke consent for sensitive data processing at any time |
For Turkish residents: the above rights are also guaranteed under KVKK Article 11. Requests are processed free of charge within 30 calendar days.
Cookies
We use strictly necessary cookies only. Analytics cookies require your explicit consent. See our full Cookie Policy for details.
Contact & DPO
| Channel | Details |
|---|---|
| Privacy / DPO Email | kvkk@iadeos.com — Subject: Privacy Request |
| Controller | IADEOS YAZILIM VE HİZMET LTD. ŞTİ. |
| Response time | Within 30 calendar days, free of charge |
| EU Supervisory Authority | Your local Data Protection Authority (if in EEA) |
If you are located in the EEA and believe we have not handled your request appropriately, you have the right to lodge a complaint with your national supervisory authority.