ccNote Mobile Application

PRIVACY POLICY

Last Updated: February 05, 2026 | Version: 1.0

1. Data Controller

Pursuant to the Turkish Personal Data Protection Law No. 6698 ("KVKK"), the EU General Data Protection Regulation ("GDPR"), and other applicable data protection legislation, your personal data is processed by ccNote Teknoloji A.Ş. ("ccNote", "Company", or "We") as the data controller.

Data Controller: ccNote Teknoloji Anonim Şirketi
Address: Sanayi Mahallesi Teknopark Bulvarı No: 1/4C İç Kapı No: 112 Pendik/İstanbul, Turkey
Email: info@ccnote.ai
Website: https://ccnote.ai

2. Scope and Purpose

This Privacy Policy explains how ccNote collects, processes, stores, transfers, and protects personal data of healthcare professionals ("Users") who use the ccNote mobile application ("App"). ccNote is an AI-powered iOS application that converts voice clinical notes into structured medical documentation using advanced language models capable of processing Turkish medical terminology.

NOTE: ccNote is not a medical device and should not be used as a clinical decision support system. The App's outputs are intended solely as a documentation aid.

3. Data We Collect

3.1. Identity and Contact Data

  • Full name, email address, phone number (optional)
  • Username and password (stored as cryptographic hash)
  • Medical specialty and professional title (optional)

3.2. Voice Data (Biometric Data — Special Category)

  • Audio recordings (.m4a format)
  • Recording duration and timestamps
  • Audio level metrics

NOTE: Voice recordings are stored EXCLUSIVELY on the user's device (on-device). Audio files are NEVER transmitted to company servers or third parties.

3.3. Transcription and Text Data

  • Raw transcripts generated via Apple Speech Recognition Framework (on-device)
  • Medical terminology-enhanced transcripts
  • Structured clinical notes (AI-generated)
  • Patient information notes (all user-entered content as-is)

NOTE: User-entered content may contain patient names, national ID numbers, or other personal health information. This information is stored as-is. The User (physician/healthcare institution) bears responsibility for ensuring KVKK/GDPR compliance in processing patient data. The anonymization, masking, or pseudonymization of patient data — including before transmission for AI analysis — is the exclusive responsibility of the user in their capacity as data controller under KVKK/GDPR.

3.4. User's Responsibility on Data Entry

Our system uses our proprietary, open-source-based language model and/or the Google Gemini API to generate structured clinical notes. Processed data and related responsibilities are as follows:

  • Transcription texts are sent to our servers located and hosted in Turkey or to the Google Gemini API for artificial intelligence analysis.
  • Medical term matching and correction data are also processed during this procedure.

NOTE: Users are obligated to anonymize personal health data, patient names, national ID numbers, and other identifying information before uploading any text, audio, or document to the Application. Anonymization is entirely the user's responsibility. ccNote has absolutely no obligation to automatically detect, mask, or remove personal or special category personal data from the information entered by the user.

3.5. Technical and Usage Data

  • Device information (model, OS version)
  • Anonymous app usage statistics
  • Error reports and performance metrics
  • App preferences and language settings

3.6. Payment Data

  • Subscription plan information
  • Payment transaction history (processed via iyzico)

NOTE: Credit card information is NEVER stored by ccNote. Payment processing is handled by PCI DSS-certified payment infrastructure provider iyzico.

3.7. Web Dashboard Data

  • Records and text content accessed via web dashboard
  • Session management data (JWT tokens)

NOTE: Users can access their records via the web dashboard (ccnote.ai) and transfer them to hospital information systems (HBYS). Temporary session data is cleared when the dashboard session ends.

4. Legal Basis for Processing

4.1. Under KVKK

  • Article 5(2)(c): Contractual necessity — account management, service delivery
  • Article 5(2)(a): Explicit legal requirement — traffic logs, tax records
  • Article 5(2)(f): Legitimate interest — security, fraud prevention
  • Article 6(2): Explicit consent — biometric data (voice), health data processing
  • Article 9: Cross-border transfer — explicit consent for Supabase data processing and Google Gemini API

4.2. Under GDPR (for EU Users)

  • Article 6(1)(a): Consent — for special categories of data
  • Article 6(1)(b): Contract performance — service provision
  • Article 6(1)(c): Legal obligation — regulatory compliance
  • Article 6(1)(f): Legitimate interest — security and service improvement
  • Article 9(2)(a): Explicit consent — health and biometric data processing

5. Data Security Measures

  • Voice recordings stored exclusively on-device using Apple iOS security infrastructure (Data Protection, Keychain)
  • User account data encrypted at rest (AES-256) and in transit (TLS 1.3) via Supabase
  • AI server communication protected with TLS 1.2/1.3 encryption
  • Row Level Security (RLS) policies applied to all database access
  • Passwords hashed with bcrypt/argon2; never stored in plaintext
  • JWT-based authentication and authorization for all API access
  • Web dashboard sessions protected with JWT-based authentication and session-based isolation
  • Regular security audits and vulnerability assessments

6. Data Transfers

6.1. Domestic Transfers (Turkey)

  • iyzico: Payment processing (contractual necessity)
  • Authorized public authorities: When legally required

6.2. International Transfers

User account management utilizes Supabase services. Supabase operates on AWS infrastructure and its data center is located in the EU (Frankfurt, Germany). Artificial intelligence analyses utilize our own servers within Turkey or the Google Gemini API; Google LLC has global data centers.

  • Data Processing Agreement (DPA) signed with Supabase
  • Transcription data originating from the user is transferred to international servers when processed by the artificial intelligence model (Google Gemini).
  • Standard Contractual Clauses (SCCs) implemented per GDPR Article 46
  • Data encrypted in transit and at rest

NOTE: Voice recordings are NEVER transferred outside Turkey (they remain on-device). International transfer applies to authentication/account data via Supabase and AI text processing (when Google Gemini API is used), subject to explicit user consent.

6.3. Third-Party Service Providers

Provider | Purpose | Data Type | Location
Apple (iOS) | On-device speech recognition | Voice data | On-device
Supabase | Authentication, database | Account data | AWS EU (Frankfurt)
iyzico | Payment processing | Payment data | Turkey
ccNote AI Server | System Functional Services | System Logs | Turkey
Google (Gemini API) | Text analysis and AI processing | Transcript text | International (Global)

7. Data Retention

Data Category | Retention Period | Legal Basis
Account data | Until account deletion | Contract
Voice recordings (on-device) | Until deleted by user | Consent
Clinical notes (on-device) | Until deleted by user | Consent
AI processing logs | 30 days | Legitimate interest
Web dashboard session data | Duration of session | Contract
Payment records | 10 years | Turkish Commercial Code
Traffic logs | 2 years | Law No. 5651
Error reports | 1 year | Legitimate interest

8. Your Rights

8.1. Under KVKK (Article 11)

You have the right to: learn whether your personal data is processed; request information about processing; learn the purpose of processing; know third parties to whom data is transferred; request correction of incomplete/incorrect data; request deletion or destruction of data; request notification of corrections/deletions to third parties; object to automated processing decisions; and claim compensation for damages due to unlawful processing.

8.2. Under GDPR (for EU Users)

In addition to KVKK rights, EU users have: right of access (Art. 15); right to rectification (Art. 16); right to erasure/"right to be forgotten" (Art. 17); right to restriction of processing (Art. 18); right to data portability (Art. 20); right to object (Art. 21); and rights related to automated decision-making (Art. 22).

8.3. How to Exercise Your Rights

  • Email: info@ccnote.ai with identity verification documents
  • In-App: Settings > Privacy > Data Request
  • Written: Via registered mail or notary to company address

Requests will be processed free of charge within 30 days.

8.4. Account and Data Deletion

Per KVKK Article 7 and Apple App Store Guidelines (5.1.1(v)):

  • You can delete your account from within the app (Settings > Account > Delete Account)
  • All personal data permanently deleted within 30 days of account deletion
  • On-device recordings and notes are under your direct control

9. Children's Privacy

ccNote is designed exclusively for healthcare professionals and is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from minors. If such collection is identified, the data will be immediately deleted.

10. Data Breach Notification

  • Turkish DPA (KVKK Board) notified within 72 hours
  • Affected users informed within a reasonable timeframe
  • EU supervisory authorities notified per GDPR Article 33 (for EU users)
  • Scope, impact, and remedial measures publicly disclosed

11. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide in-app notification, email notification, and request renewed consent where necessary. The current version is always available within the App and at ccnote.ai.

12. Governing Law and Jurisdiction

This Privacy Policy is governed by the laws of the Republic of Turkey. Istanbul Courts and Enforcement Offices have jurisdiction over disputes. Your right to file a complaint with the Turkish Personal Data Protection Board (www.kvkk.gov.tr) and/or relevant EU supervisory authority is reserved.

13. Contact

For any questions regarding this Privacy Policy or your personal data:

Data Protection Officer: info@ccnote.ai

General Inquiries: info@ccnote.ai

Website: https://ccnote.ai/privacy

Explicit Consent Form

I hereby give my explicit consent for the following: