Privacy Policy
How UDY Digital, operator of DoctorVi, processes personal data of patients and visitors. Prepared under the EU General Data Protection Regulation (GDPR) and, where applicable, Turkey's Personal Data Protection Law (KVKK).
Last updated: 2026-04-27
Controller
UDY Digital
Rissenerstr. 42, 22880 Wedel, Germany
Umut Deniz Yorulmaz
[email protected]
A statutory Data Protection Officer is not legally required.
What we process
Account data: name, email, password (hashed), preferred language. Legal basis: contract performance, Art. 6 (1) (b) GDPR.
Treatment requests & messages: the description you write (which can include health information), the city/budget/date you provide, and any messages or video calls between you and clinics. Health data is special category data under Art. 9 GDPR — we process it on the basis of your explicit consent (Art. 9 (2) (a)) given at the moment you submit a request. You can withdraw consent and have your data deleted at any time.
Reviews & experience reports: if you choose to publish a review, the content and the displayed name are public.
Usage & log data: IP, timestamp, user agent, URL — for security and abuse detection (Art. 6 (1) (f)).
Marketing: only with opt-in consent (Art. 6 (1) (a)). You can unsubscribe in every email.
When clinics see your data
When you publish an open treatment request, clinics matching your criteria can read it and send you offers. They become independent controllers for the data they receive at that point. We tell you which clinic received your data and link to that clinic's own privacy notice when it contacts you.
Your direct contact information is shared with a specific clinic only after you accept that clinic's offer or actively start a chat.
Processors and recipients
| Service | Purpose | Region |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | EU (Frankfurt) |
| Resend, Inc. | Transactional & marketing email | EU / US (SCC) |
| Coolify (self-hosted) | Application hosting | EU (Germany) |
Transfers to third countries (e.g. USA) only happen with appropriate safeguards — Standard Contractual Clauses and supplementary technical measures.
Retention
- Account: while the account exists; up to 30 days after deletion in encrypted backups.
- Treatment requests: while the request is open + up to 24 months as historical record (you can shorten this on request).
- Messages: 12 months after last activity.
- Reviews: until you delete them or moderation removes them.
- Logs: up to 90 days.
- Marketing: until consent is withdrawn.
Your rights
- Access (Art. 15 GDPR)
- Rectification (Art. 16)
- Erasure (Art. 17)
- Restriction (Art. 18)
- Data portability (Art. 20)
- Objection (Art. 21)
- Withdraw consent (Art. 7 (3))
Send requests to [email protected]. You may also lodge a complaint with a supervisory authority — in Schleswig-Holstein: ULD.
Automated processing & AI assistant (Art. 22 GDPR)
DoctorVi uses automated systems to match patient requests with clinics whose specialty, city and price range fit the request, and to draft suggested replies for clinics. These systems do not take final decisions that produce legal effects on you. Match suggestions are non-binding, and any reply you receive from a clinic is reviewed and sent by a human staff member of that clinic.
Where AI is used to draft text, the relevant content is clearly marked. You may at any time request a human review (Art. 22 (3) GDPR) by writing to [email protected].
Security (Art. 32 GDPR)
Technical and organisational measures (TOMs) include:
- TLS 1.2+ encryption in transit; AES-256 encryption at rest.
- Row-Level-Security (RLS) on every multi-tenant table — clinic data is logically isolated.
- Multi-factor authentication for administrative access; principle of least privilege.
- Access and audit logs retained for security incident response.
- Regular dependency and vulnerability monitoring; security patches applied without delay.
- Encrypted, geo-redundant backups (EU only).
Personal-data breach (Art. 33 / 34 GDPR)
We notify the competent supervisory authority within 72 hours of becoming aware of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons (Art. 33 GDPR). If the breach is likely to result in a high risk to your rights and freedoms, we notify you directly without undue delay (Art. 34 GDPR).
Children
DoctorVi is intended for users 18+ years of age. Patients under 18 must be represented by a parent or legal guardian.