Privacy Policy / KVKK & GDPR Notice

Effective Date: April 25, 2026

As DocOnWay, we handle your personal data and especially your health data with care. This Privacy Policy explains what data we collect, why we process it, with whom we share it, how long we retain it, and how you can exercise your rights when the DocOnWay website, user accounts, booking interfaces, AI-assisted assistant, customer support channels, and related digital services are used.

This policy applies to users, prospective users, persons contacting us, patients creating service requests, and, where necessary, companions, family members, tour operators, hotel representatives, or authorized representatives acting on behalf of a user.

1. Data controller

The data controller for your personal data within the scope of this platform is:
Viofun Yazılım Anonim Şirketi
Address: Pınarbaşı Mah. Hürriyet Cad. Akdeniz Üniversitesi Antalya Teknokent
Ar-Ge 2 Uluğbey Binası No:3A/B178, Konyaaltı / Antalya, Turkey
E-mail: privacy@doconway.com or support@doconway.com
If any, DPO / Data Protection Officer Contact: +90 533 055 99 27

After a booking is confirmed and healthcare is delivered, the independent provider may also independently act as a data controller in respect of some of your data. In that case, the provider's own privacy obligations shall also apply.

2. Categories of data we collect

Depending on the service you use, DocOnWay may collect the following categories of data:

Identity and profile data: full name, year/date of birth, gender, nationality, or necessary identity information related to a passport, account username, and profile preferences.

Contact data: e-mail address, telephone number, WhatsApp number, hotel information, room number (only where necessary), transport or access notes.

Insurance and assistance data, if you choose to share it: insurance company name, policy number, assistance case references, coverage notes, billing preferences, and related coordination records.

Booking and operational data: requested service type, date/time, location, city/region, availability preferences, provider preferences, booking status, no-show information, and support records.

Health and symptom data: complaints, symptoms, summaries of health history shared by the user, medication information, allergy information, texts shared for triage/routing purposes, and, where necessary, photo/file attachments.

Payment and financial data: billing name, payment references, payment status, partial card details or tokenized payment information, transaction identifiers, and refund records. We may not directly store full card data; such data may be processed by authorized payment service providers such as Garanti BBVA.

Technical and usage data: IP address, device type, browser information, language preference, session records, error logs, security incidents, cookie preferences, and traffic/performance information.

Communication and support data: e-mail contents, chat records, WhatsApp or similar support correspondence, call notes, and satisfaction feedback.

Legal and compliance data: consent records, explicit consent records, contract acceptance records, fraud prevention logs, and dispute and complaint files.

3. From which sources do we collect data

We collect data primarily from you. Data may also come from companions or representatives authorized to act on your behalf, integrated providers, payment service providers, institutions such as hotels or assistance/insurers that contact us upon your direction, and automatic records generated through our technical infrastructure.

If you share data on behalf of another person, you agree that you are authorized to do so and that you have informed the relevant person appropriately.

4. The purposes for which we process data

We process your personal data for the following purposes:

  • to create accounts, manage sessions, and provide platform access;
  • to receive, evaluate, route, and coordinate your booking requests;
  • to identify suitable providers, communicate with providers, and manage appointment processes;
  • to send you transaction messages, confirmations, changes, and support communications;
  • to manage payment, refund, invoicing, accounting, tax, and finance processes;
  • to prevent fraud, misuse, security breaches, and false transactions;
  • to improve platform performance, security, and service quality;
  • to fulfill legal obligations, respond to official requests, and protect our legal rights;
  • where appropriate and to the extent you permit, to send marketing communications;
  • to use information provided through the AI assistant or digital intake tools in booking/routing and support processes.

5. Legal grounds on which we rely for processing

To the extent appropriate under applicable law, we rely on the following legal grounds:

Establishment or performance of a contract / contractual necessity: opening accounts, creating bookings, matching providers, providing support, processing payments, and maintaining the service relationship with the user.

Legal obligation: accounting, tax, consumer law, payment records, official authority requests, and security and compliance obligations.

Legitimate interests: platform and account security, prevention of fraud, access logs, system stability, service quality, management of customer support, and establishment/exercise/protection of rights. In such processing, we take care not to prejudice your fundamental rights and freedoms.

Explicit consent: where appropriate, we process special category data such as your health data, especially symptoms, information provided through the AI assistant, or other sensitive information required for provider matching, on the basis of your explicit consent. You may withdraw your explicit consent at any time; however, withdrawal of consent may result in our being unable to provide certain services.

Establishment, exercise, or protection of a right: processing necessary for disputes, complaints, legal defenses, and official proceedings.

In Turkiye, we rely on the conditions under KVKK Article 6 for the processing of special categories of personal data. For EEA/UK/Swiss regimes, we rely on the regimes under GDPR Articles 6 and 9. We treat health data as special category personal data and it is our fundamental principle not to use health data for marketing purposes.

6. Health data and use of the AI assistant

The most sensitive data category for DocOnWay is health data. When you share symptoms, complaints, medical needs, health history, prescriptions, test summaries, or similar health data with us on the platform, we process them in order:

  • to understand your request,
  • to determine the suitable provider type,
  • to route you to the correct specialty,
  • to coordinate the booking,
  • to conduct safety and support reviews.

If an AI assistant or automated intake tools are used, these tools are not used to make medical diagnoses but to provide initial information, ask questions, determine the service type, and accelerate the booking flow. Content shared through these tools may be processed by third-party technology suppliers on our behalf in accordance with applicable law and contractual obligations.

Unless you provide separate and explicit permission, we do not use your identified health data for general-purpose model training or for marketing purposes. For security, quality control, support, and dispute management purposes, some communications may be reviewed by limited and authorized teams.

7. With whom do we share data

We share your data only to the extent necessary and where an appropriate legal basis exists. Categories of recipients may include:

Independent providers: doctors, clinics, hospitals, laboratories, and other healthcare service providers. Such sharing may be necessary for the performance of the booking and access to healthcare services.

Payment and financial service providers: for payment processing, refunds, fraud prevention, accounting, and invoicing services.

Technology and infrastructure providers: hosting, databases, cloud services, customer support tools, analytics tools, security monitoring, e-mail/SMS/WhatsApp communications, and, where necessary, AI/LLM service providers.

Business partners and institutional referrers: at your request or upon your explicit direction, hotel, travel assistance, insurer, or institutional partner.

Professional advisers: lawyers, auditors, consultants, and risk and compliance specialists.

Competent public institutions and judicial authorities: to the extent legally required or necessary to protect our rights.

Corporate transactions: in transactions such as mergers, acquisitions, investments, restructurings, or transfers of assets, under confidentiality safeguards.

Sharing of your health data is made, to the extent possible, on a need-to-know basis and at the minimum scope required by the task.

8. International data transfers

Due to our international user base, global technology infrastructures, and cross-border support arrangements, your data may be transferred to, become accessible in, or be stored in countries outside your own country or outside the EEA.

For EEA/UK/Swiss-related processing, where appropriate, we may rely on European Commission adequacy decisions, Standard Contractual Clauses (SCC), transfer derogations necessary for contract performance, or other valid transfer mechanisms. For Turkiye, we aim to act in compliance with the adequacy, appropriate safeguards, standard contracts, binding corporate rules, and limited exceptions regime under KVKK.

Upon your request, we may provide additional information, to the extent applicable, regarding the cross-border transfer safeguards we use.

9. Retention periods

We retain your data for the period necessary for the purposes for which it is processed and for as long as applicable legal retention obligations require. These periods vary by data type. For example:

  • account and profile data, for as long as your account remains active and for a reasonable period after closure;
  • booking and support records, for the duration required for service performance, complaint management, and legal defense;
  • financial and accounting records, for the period required under the relevant tax/financial legislation;
  • explicit consent and contract acceptance logs, for as long as the evidentiary obligation continues;
  • cookie preferences, to the extent of the relevant cookie lifetime and consent management records.

When the retention period expires, data is deleted, anonymized, or access to it is restricted.

10. Security measures

We apply risk-based technical and organizational measures. These measures may include, depending on the nature of the data and the level of risk, access authorization, role-based access, data minimization, transfer and storage security controls, logging, monitoring, backups, security patching, incident management, contractual supplier controls, and personnel awareness. However, no transmission or storage method over the internet is entirely free from risk.

11. Your rights

Depending on your country and applicable data protection law, you may have the following rights:

  • to know whether your data is being processed;
  • to request access;
  • to request correction;
  • to request deletion/right to be forgotten;
  • restriction of processing;
  • data portability;
  • the right to object;
  • to stop marketing communications;
  • to withdraw explicit consent;
  • to object to automated decisions that produce legal or similarly significant effects on you;
  • the right to complain to a local data protection authority.

Your application rights under KVKK Article 11 remain reserved in Turkiye. EEA/UK/Swiss users may also exercise their rights under GDPR. You may submit your applications to privacy@doconway.com or support@doconway.com. We may request additional information to verify your identity.

12. Marketing communications

We distinguish transactional messages from marketing messages. Transactional communications such as booking confirmations, time changes, provider information, and security alerts may form part of the service. For newsletters, campaigns, or similar commercial communications, we aim to obtain the permissions required under applicable law. You may opt out of marketing communications at any time.

13. Children and data relating to third persons

The platform is generally designed for adult users. If you share data on behalf of a child or another person you represent, you agree that you possess the necessary legal authority for such sharing. You must not share third-party data without authorization.

14. Third-party links and provider websites

The platform may contain links to third-party provider sites, payment pages, or other services. Those third parties are responsible for their own data practices under their own policies. Although providers and partners are selected carefully where possible, we may not have direct control over data processing activities outside the platform.

15. Breach and incident management

In the event of suspected unauthorized disclosure, access, loss, or breach of personal data, we operate our internal incident management processes. Where necessary, we may notify the relevant authorities and affected persons in accordance with applicable law.

16. Changes to the policy

This Privacy Policy may be updated from time to time. The current version will be published on the platform. Material changes may also be announced by reasonable means.

17. Contact

For questions about this policy or your data rights:
Company Name: Viofun Yazılım Anonim Şirketi
Address: Pınarbaşı Mah. Hürriyet Cad. Akdeniz Üniversitesi Antalya Teknokent
Ar-Ge 2 Uluğbey Binası No:3A/B178, Konyaaltı / Antalya, Turkey
E-mail: privacy@doconway.com
Web: www.doconway.com