Effective Date: April 25, 2026
As DocOnWay, we handle your personal data and especially your health data with care. This Privacy Policy explains what data we collect, why we process it, with whom we share it, how long we retain it, and how you can exercise your rights when the DocOnWay website, user accounts, booking interfaces, AI-assisted assistant, customer support channels, and related digital services are used.
This policy applies to users, prospective users, persons contacting us, patients creating service requests, and, where necessary, companions, family members, tour operators, hotel representatives, or authorized representatives acting on behalf of a user.
The data controller for your personal data within the scope of this platform is:
Viofun Yazılım Anonim Şirketi
Address: Pınarbaşı Mah. Hürriyet Cad. Akdeniz Üniversitesi Antalya Teknokent
Ar-Ge 2 Uluğbey Binası No:3A/B178, Konyaaltı / Antalya, Turkey
E-mail: privacy@doconway.com or support@doconway.com
If any, DPO / Data Protection Officer Contact: +90 533 055 99 27
After a booking is confirmed and healthcare is delivered, the independent provider may also independently act as a data controller in respect of some of your data. In that case, the provider's own privacy obligations shall also apply.
Depending on the service you use, DocOnWay may collect the following categories of data:
Identity and profile data: full name, year/date of birth, gender, nationality, or necessary identity information related to a passport, account username, and profile preferences.
Contact data: e-mail address, telephone number, WhatsApp number, hotel information, room number (only where necessary), transport or access notes.
Insurance and assistance data, if you choose to share it: insurance company name, policy number, assistance case references, coverage notes, billing preferences, and related coordination records.
Booking and operational data: requested service type, date/time, location, city/region, availability preferences, provider preferences, booking status, no-show information, and support records.
Health and symptom data: complaints, symptoms, summaries of health history shared by the user, medication information, allergy information, texts shared for triage/routing purposes, and, where necessary, photo/file attachments.
Payment and financial data: billing name, payment references, payment status, partial card details or tokenized payment information, transaction identifiers, and refund records. We may not directly store full card data; such data may be processed by authorized payment service providers such as Garanti BBVA.
Technical and usage data: IP address, device type, browser information, language preference, session records, error logs, security incidents, cookie preferences, and traffic/performance information.
Communication and support data: e-mail contents, chat records, WhatsApp or similar support correspondence, call notes, and satisfaction feedback.
Legal and compliance data: consent records, explicit consent records, contract acceptance records, fraud prevention logs, and dispute and complaint files.
We collect data primarily from you. Data may also come from companions or representatives authorized to act on your behalf, integrated providers, payment service providers, institutions such as hotels or assistance/insurers that contact us upon your direction, and automatic records generated through our technical infrastructure.
If you share data on behalf of another person, you agree that you are authorized to do so and that you have informed the relevant person appropriately.
We process your personal data for the following purposes:
To the extent appropriate under applicable law, we rely on the following legal grounds:
Establishment or performance of a contract / contractual necessity: opening accounts, creating bookings, matching providers, providing support, processing payments, and maintaining the service relationship with the user.
Legal obligation: accounting, tax, consumer law, payment records, official authority requests, and security and compliance obligations.
Legitimate interests: platform and account security, prevention of fraud, access logs, system stability, service quality, management of customer support, and establishment/exercise/protection of rights. In such processing, we take care not to prejudice your fundamental rights and freedoms.
Explicit consent: where appropriate, we process special category data such as your health data, especially symptoms, information provided through the AI assistant, or other sensitive information required for provider matching, on the basis of your explicit consent. You may withdraw your explicit consent at any time; however, withdrawal of consent may result in our being unable to provide certain services.
Establishment, exercise, or protection of a right: processing necessary for disputes, complaints, legal defenses, and official proceedings.
In Turkiye, we rely on the conditions under KVKK Article 6 for the processing of special categories of personal data. For EEA/UK/Swiss regimes, we rely on the regimes under GDPR Articles 6 and 9. We treat health data as special category personal data and it is our fundamental principle not to use health data for marketing purposes.
The most sensitive data category for DocOnWay is health data. When you share symptoms, complaints, medical needs, health history, prescriptions, test summaries, or similar health data with us on the platform, we process them in order:
If an AI assistant or automated intake tools are used, these tools are not used to make medical diagnoses but to provide initial information, ask questions, determine the service type, and accelerate the booking flow. Content shared through these tools may be processed by third-party technology suppliers on our behalf in accordance with applicable law and contractual obligations.
Unless you provide separate and explicit permission, we do not use your identified health data for general-purpose model training or for marketing purposes. For security, quality control, support, and dispute management purposes, some communications may be reviewed by limited and authorized teams.
We share your data only to the extent necessary and where an appropriate legal basis exists. Categories of recipients may include:
Independent providers: doctors, clinics, hospitals, laboratories, and other healthcare service providers. Such sharing may be necessary for the performance of the booking and access to healthcare services.
Payment and financial service providers: for payment processing, refunds, fraud prevention, accounting, and invoicing services.
Technology and infrastructure providers: hosting, databases, cloud services, customer support tools, analytics tools, security monitoring, e-mail/SMS/WhatsApp communications, and, where necessary, AI/LLM service providers.
Business partners and institutional referrers: at your request or upon your explicit direction, hotel, travel assistance, insurer, or institutional partner.
Professional advisers: lawyers, auditors, consultants, and risk and compliance specialists.
Competent public institutions and judicial authorities: to the extent legally required or necessary to protect our rights.
Corporate transactions: in transactions such as mergers, acquisitions, investments, restructurings, or transfers of assets, under confidentiality safeguards.
Sharing of your health data is made, to the extent possible, on a need-to-know basis and at the minimum scope required by the task.
Due to our international user base, global technology infrastructures, and cross-border support arrangements, your data may be transferred to, become accessible in, or be stored in countries outside your own country or outside the EEA.
For EEA/UK/Swiss-related processing, where appropriate, we may rely on European Commission adequacy decisions, Standard Contractual Clauses (SCC), transfer derogations necessary for contract performance, or other valid transfer mechanisms. For Turkiye, we aim to act in compliance with the adequacy, appropriate safeguards, standard contracts, binding corporate rules, and limited exceptions regime under KVKK.
Upon your request, we may provide additional information, to the extent applicable, regarding the cross-border transfer safeguards we use.
We retain your data for the period necessary for the purposes for which it is processed and for as long as applicable legal retention obligations require. These periods vary by data type. For example:
When the retention period expires, data is deleted, anonymized, or access to it is restricted.
We apply risk-based technical and organizational measures. These measures may include, depending on the nature of the data and the level of risk, access authorization, role-based access, data minimization, transfer and storage security controls, logging, monitoring, backups, security patching, incident management, contractual supplier controls, and personnel awareness. However, no transmission or storage method over the internet is entirely free from risk.
Depending on your country and applicable data protection law, you may have the following rights:
Your application rights under KVKK Article 11 remain reserved in Turkiye. EEA/UK/Swiss users may also exercise their rights under GDPR. You may submit your applications to privacy@doconway.com or support@doconway.com. We may request additional information to verify your identity.
We distinguish transactional messages from marketing messages. Transactional communications such as booking confirmations, time changes, provider information, and security alerts may form part of the service. For newsletters, campaigns, or similar commercial communications, we aim to obtain the permissions required under applicable law. You may opt out of marketing communications at any time.
The platform is generally designed for adult users. If you share data on behalf of a child or another person you represent, you agree that you possess the necessary legal authority for such sharing. You must not share third-party data without authorization.
The platform may contain links to third-party provider sites, payment pages, or other services. Those third parties are responsible for their own data practices under their own policies. Although providers and partners are selected carefully where possible, we may not have direct control over data processing activities outside the platform.
In the event of suspected unauthorized disclosure, access, loss, or breach of personal data, we operate our internal incident management processes. Where necessary, we may notify the relevant authorities and affected persons in accordance with applicable law.
This Privacy Policy may be updated from time to time. The current version will be published on the platform. Material changes may also be announced by reasonable means.
For questions about this policy or your data rights:
Company Name: Viofun Yazılım Anonim Şirketi
Address: Pınarbaşı Mah. Hürriyet Cad. Akdeniz Üniversitesi Antalya Teknokent
Ar-Ge 2 Uluğbey Binası No:3A/B178, Konyaaltı / Antalya, Turkey
E-mail: privacy@doconway.com
Web: www.doconway.com
We use essential cookies to keep DocOnWay secure and functional. With your consent, we may also use analytics and preference cookies to improve your experience.
Learn more in our Cookie Policy