Privacy Policy
Last updated: May 2026
AAFC (Aesthetic Archive for Clinics) is operated by EDECA Yazılım Ticaret ve Sanayi Limited Şirketi ("EDECA", "we", "us", or "our"), a Turkish limited company based in Akhisar, Manisa, Türkiye. The Service is represented and clinically supervised by Atilla Cengiz, MD (founder and medical director). This privacy policy explains how we collect, use, store, and protect personal data processed through the AAFC mobile application and related services.
This policy complies with:
- Turkish Personal Data Protection Law (KVKK, Law No. 6698)
- EU General Data Protection Regulation (GDPR)
- Apple App Store and Google Play Store privacy requirements
1. Data Controller
The data controller for personal data processed through AAFC is the clinic or medical professional using the application ("Clinic User"). EDECA acts as a data processor on behalf of the Clinic User for technical storage and infrastructure services.
Clinic Users are responsible for:
- Obtaining patient consent before entering patient data
- Complying with applicable medical confidentiality laws
- Responding to patient data requests
EDECA is responsible for:
- Providing secure technical infrastructure
- Implementing appropriate security measures
- Providing data breach notifications
2. Data We Collect
2.1 Patient Data (entered by Clinic Users)
- Patient names, birth dates, phone numbers, cities, and notes
- Visit records, clinical notes, and treatment history
- Patient photographs (before/after, progress tracking)
- Medical documents (treatment cards, consent forms, barcodes)
- Parent/guardian information for minor patients
This data is classified as Special Category Personal Data under KVKK Article 6 and GDPR Article 9 (health data), requiring enhanced protection and explicit patient consent.
2.2 Clinic User Data
- Email address, full name, and role (admin, doctor, assistant)
- Clinic information (name, logo, doctor name, clinic address)
- Login timestamps and security logs
2.3 Technical Data
- Device identifiers, operating system version
- App version, crash reports, and anonymized diagnostic logs
- IP addresses (for security and fraud prevention)
2.4 Data We Do NOT Collect
- We do not collect location data
- We do not use tracking cookies or advertising identifiers
- We do not sell or rent data to any third party
3. Legal Basis for Processing (GDPR/KVKK)
We process personal data on the following legal bases:
- Patient data: Explicit consent (KVKK Art. 6/1, GDPR Art. 9(2)(a)) obtained by the Clinic User from the patient before data entry
- Clinic User data: Performance of a contract (service delivery) and legitimate interest (security and fraud prevention)
- Technical data: Legitimate interest in maintaining and improving the service
4. How We Use Your Data
- Provide patient archiving and visit management
- Generate before/after comparison collages and PDF reports
- Enable secure cloud backup and cross-device synchronization
- Manage clinic users, roles, and access permissions
- Send service-related emails (password reset, security alerts)
- Detect and prevent security threats and unauthorized access
- Comply with legal obligations
5. Data Storage, Security, and International Transfers
5.1 Storage
All data is stored on Supabase infrastructure (AWS servers, primarily in Europe). Data is encrypted at rest (AES-256) and in transit (TLS 1.3).
5.2 Security Measures
- Role-based access control (only authorized clinic users access clinic data)
- Encrypted authentication and session management
- Regular security audits and vulnerability scanning
- Automatic backup with 30-day retention
5.3 International Transfers
Data may be transferred outside of Türkiye or the European Economic Area when processed by our infrastructure providers. We ensure adequate safeguards through:
- Standard Contractual Clauses (SCCs) with Supabase
- Encryption of data in transit and at rest
6. Data Retention
- Active accounts: Data is retained for as long as the account is active and the service is used.
- Inactive accounts: After 12 months of inactivity, the Clinic User is notified; data may be deleted after an additional 30 days.
- Account deletion request: Data is deleted within 30 days of a confirmed deletion request. Backups are purged within 90 days.
- Legal retention: Certain data may be retained longer if required by Turkish medical recordkeeping laws (typically 20 years for medical records).
7. Your Rights
Under KVKK Article 11 and GDPR Articles 15-22, you have the right to:
- Access your personal data and receive a copy
- Rectify inaccurate or incomplete data
- Erase your data ("right to be forgotten")
- Restrict processing in certain circumstances
- Object to processing based on legitimate interests
- Data portability (receive your data in a structured, machine-readable format)
- Withdraw consent at any time (for consent-based processing)
- Lodge a complaint with the Turkish Data Protection Authority (KVKK Kurumu) or your local supervisory authority
To exercise these rights, contact us at support@aafclinic.com. We will respond within 30 days.
8. Account Deletion
Clinic Users can request account and data deletion by:
- Emailing support@aafclinic.com with the subject "Account Deletion Request"
- Including the registered email address and clinic name
- Confirming the request via the verification email we send
We will confirm deletion within 30 days.
Patient data deletion requests should be directed to the responsible Clinic User. EDECA will support Clinic Users in fulfilling such requests.
9. Third-Party Services
We use the following processors who support our service:
- Supabase (Database, storage, authentication) - AWS EU / USA - supabase.com/privacy
- Resend (Transactional email delivery) - EU / USA - resend.com/legal
These processors are contractually bound to protect your data and use it only for the purposes we instruct.
10. Children's Privacy
AAFC is designed for medical professionals and is not intended for use by individuals under 18. Clinic Users who enter minor patient data are responsible for obtaining parental/guardian consent as required by applicable law.
We do not knowingly collect data directly from children. If you believe we have, contact us at support@aafclinic.com.
11. Cookies and Analytics
The AAFC mobile application does not use cookies, advertising identifiers, or third-party analytics tools. Our website (aafclinic.com) may use essential cookies for functionality.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to individuals, we will notify the Turkish Data Protection Authority within 72 hours and affected users without undue delay, as required by KVKK and GDPR.
13. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email to Clinic Users at least 30 days before they take effect. The "Last updated" date above always reflects the current version.
14. Contact
EDECA Yazılım Ticaret ve Sanayi Limited Şirketi
Represented by: Atilla Cengiz, MD (founder and medical director)
Address: Hürriyet Mah. 210. Sk. No: 37 İç Kapı No: 1, Akhisar / Manisa 45240, Türkiye
Tax ID (VKN): 2050264942
Email: support@aafclinic.com
Website: https://aafclinic.com
For KVKK-related complaints in Türkiye, you may contact:
KVKK Kurumu — https://kvkk.gov.tr
For GDPR-related complaints in the EU, you may contact your local Data Protection Authority.
© 2026 EDECA Yazılım Ticaret ve Sanayi Limited Şirketi. All rights reserved.