Privacy Policy

Privacy Policy

Effective: 27 May 2026 · Document: PP-1.2 · Canonical English form. Changelog: §9 added — Physician Selection Assistant (/secim, /find-physician); old §9–10 renumbered to §10–11.

1. Who we are

MedSelect is operated by the founder team at medselect.ai. The data controller for personal data processed via this site is the MedSelect operations entity, reachable at [email protected].

2. What we collect on the marketing site

The marketing surface at medselect.ai sets no tracking cookies. No Google Analytics, no Meta Pixel, no third-party ad tags. We do not measure visitors. The cookie banner you may see is informational.

Clarification on the GA4 connector inside the platform. Our operator portal lets a connected clinic plug their own GA4 property into MedSelect so we can show their site analytics on their dashboard. That connector reads only the clinic's GA4 property — never anything about medselect.ai itself. The clinic remains the data controller (veri sorumlusu) for that GA4 configuration; MedSelect is a processor that displays the aggregated results.

3. What we collect on the platform

When you log into app.medselect.ai (operator portal) or klinik.medselect.ai (physician portal), we process:
  • Account: email, display name, password hash (bcrypt cost 12), optional TOTP secret pointer.
  • Session: an authjs.session-token cookie, hard-expiring after the inactivity window.
  • Audit log: an append-only record of consequential actions you take.
  • Tenant + physician data: the operational data you enter, scoped to your tenant.

4. Legal basis

Under KVKK Madde 5/2 and GDPR Article 6(1)(b/f), we process this data on the basis of (a) the contract between the physician/clinic and MedSelect, and (b) our legitimate interest in running an auditable, KVKK-compliant operations platform.

5. Where data lives

All production data is hosted in the EU (Frankfurt, Hetzner). Email delivery flows through Amazon SES in eu-west-1 (Ireland). We do not transfer personal data to processors outside the EU.

6. Retention

  • User accounts: until the user requests erasure or the engagement ends.
  • Audit log: retained for the lifetime of the platform (legal compliance).
  • Email suppression list: retained as long as needed to honor the bounce/complaint.
  • Magic-link tokens: 15-minute TTL; consumed tokens GC'd after 30 days.
  • Backups: 14 daily snapshots.

7. Your rights (KVKK Madde 11 / GDPR Articles 15–21)

You can:
  • Access — download all your data at /api/account/data-export while signed in.
  • Rectification — edit your account at /admin/account/password.
  • Erasure — destructive flow at /admin/account/delete (soft-deletes account, anonymizes audit entries).
  • Object / restrict — write to [email protected].
  • Complain — to your local data protection authority (in Türkiye: KVKK Kurulu).

8. Security

Append-only audit log with daily SHA-256 integrity chain. Email + password + optional TOTP authentication (no third-party identity providers). Hard bounces and complaints land on an automatic suppression list. Server SSH is key-only with Fail2ban + UFW rate-limit. Daily DB backups, 14-day rolling retention.

9. Physician Selection Assistant (/secim · /find-physician)

MedSelect operates a free, public, LLM-assisted hint surface at /secim (TR) and /find-physician (EN/multilingual) that helps visitors orient themselves toward a specialty area before choosing a clinician. This subsection explains exactly what we do with the text you type into that form, beyond the general posture stated above.

9.1 Nature of the service

The assistant returns a short, narrow list (≤3) of physicians whose voice cards and editorially-reviewed publications align with the described situation. It is a content discovery hint, not diagnosis, treatment recommendation, triage, or automated decision-making in the sense of KVKK Madde 11/1(g) or GDPR Article 22. No legal, medical, financial consequence flows from the output; the visitor decides what to do next.

9.2 Data processed

  • Query text — only stored if the visitor explicitly opts in via the "Sorgu metnimi 30 gün boyunca saklayabilirsiniz" checkbox. Otherwise it is processed in-memory for the LLM call and discarded.
  • Vertical, city, age, browser language — stored as structured metadata for analytics + corpus matching; no free text.
  • IP address — never stored in plaintext. We compute SHA-256(ip + server-secret) and store only that hash, used solely for the 5-queries-per-24-hours rate limit.
  • Recommendation output — stored under a 32-char opaque hash so the visitor can revisit the result.
  • Follow-up email — only stored if the visitor provides one and ticks the consent box, used solely to send the result to that address; never used for marketing without a separate, distinct opt-in.

9.3 PII redaction before LLM

Before the query text reaches the language model, our pre-guardrail layer redacts: TC kimlik numbers (11-digit), TR + intl phone numbers, email addresses, and street address patterns. The redacted form is what the LLM sees, not the raw input.

9.4 Retention

  • Query text (opt-in only): 30 days, then automatically purged by a daily 03:00 cron (text field nulled, structured row preserved for aggregate stats).
  • IP hash: 30 days, then purged.
  • Structured metadata + recommendation hash: retained as aggregate analytics; not linked to any identified person.
  • Follow-up email: purged on request (write to [email protected]) or after 12 months of inactivity.

9.5 Legal basis

Processing of opt-in query text and follow-up email is based on KVKK Madde 5/1 açık rıza (explicit consent) given via the form checkboxes. Aggregate metadata processing falls under KVKK Madde 5/2(f) meşru menfaat for service integrity (rate-limit, abuse detection). Under GDPR Article 6(1)(a) for consent, (f) for the rate-limit IP hash.

9.6 LLM processor

The redacted query text is sent to Anthropic's Claude API. Per the DPA we have on file with Anthropic, prompts and outputs are not used to train models, are retained by Anthropic for ≤30 days for abuse monitoring, and are processed in EU regions where possible. See our public AI Use Policy for the model card and processor list.

9.7 Tabip Odası + medical advertising compliance

Output is rendered with no superlatives, no comparative claims, no before/after imagery, no testimonials, no commercial framing. A post-guardrail layer scans the LLM output for any phrase matching these prohibited patterns (per Tıbbi Deontoloji Tüzüğü + Türk Tabipleri Birliği reklam yasağı) and replaces offending bullets with a neutral note before rendering. The same posture applies to the legal (Türkiye Barolar Birliği reklam yasağı) and financial (SPK Madde 32) verticals when serving those tracks.

9.8 Exercising your rights on selection data

To access, rectify, restrict, or erase data tied to a selection query, send the recommendation hash (the 32-char string in your result page URL) to [email protected]. We will respond within the KVKK Madde 13/2 thirty-day window. If you have no hash, email us a description and the approximate timestamp and we will locate the row.

Full transparency about how the assistant is built, what guardrails apply, and what its limits are is published at /secim/metodoloji (TR) / EN variant.

10. Changes

We will update this page if substantive changes occur. The PP-N.N version label in the date line is bumped on each change.

11. Contact

Data controller: MedSelect operations entity. Contact: [email protected].
    MedSelect — Privacy Policy · Asclepia