2025-01-01
Privacy and Personal Data Protection Policy
Learn how personal data is collected, processed and protected on the Randola platform.
1. Data Controller
Pursuant to the Law on the Protection of Personal Data No. 6698 (KVKK), your personal data is processed by the following Data Controller:
Randola Information Systems
- Email: info@randola.com
- Web: www.randola.com
This Privacy Policy explains how personal data is processed for businesses, specialists, employees, clients who book appointments through Randola, business partners, and visitors to our website.
2. Personal Data We Process
Depending on how you use Randola, the following categories of personal data may be processed:
2.1 Identity and Account Information
- First name, last name, gender, date of birth
- National ID number (where required for invoicing and legal obligations)
- Business name, title, or clinic name
- Account credentials (email, password — passwords are stored in an irreversibly encrypted format)
- Account creation and update dates
2.2 Contact Information
- Email address
- Phone number
- Full address, city, district, country
2.3 Business and Organization Information
- Business profile (logo, description, working hours, address, website)
- Branch, room, and resource configuration details
- Specialist profiles (name, specialty, title, biography)
- Staff and employee accounts (name, access permissions, role)
2.4 Appointment and Service Records
- Client name or identifier code (based on business preference)
- Client contact information (phone, email)
- Appointment date, time, duration, and recurrence details
- Associated specialist, room, or service type
- Appointment status (confirmed, cancelled, no-show, etc.)
- Notes and tags entered by the business
Randola is not a healthcare provider and does not make medical diagnoses, treatment decisions, or clinical assessments. Data entered by businesses within their own records (examination notes, anamnesis information, etc.) is the responsibility of the relevant business. Randola acts solely as a Data Processor hosting this data on a technical basis.
2.5 Financial and Billing Information
- Billing name / business name, tax office, tax number
- Billing address
- Subscription plan, payment dates, invoice serial/sequence numbers
- Transaction reference number and result information provided by the payment processor
Randola does not directly store credit or debit card information. All card payments are processed through PCI-DSS compliant third-party payment infrastructure; Randola only receives a summary of the payment outcome.
2.6 Technical Data and Log Records
- IP address and approximate location (city / country level)
- Browser type, operating system, device type
- Session login and logout timestamps
- System log records (error logs, security events)
- Page view information and usage statistics
These data are typically evaluated as anonymous or aggregated statistics and analyzed without being associated with directly identifiable individuals.
2.7 Communication, Support, and Feedback Records
- Support requests, bug reports, and feedback
- Content of messages sent
- Support conversation history with timestamps
2.8 Third-Party Integration Information
Randola may integrate with third-party services such as SMS providers, email services, or calendar applications. In this context:
- SMS / email delivery information (recipient, delivery time, delivery status)
- Technical credentials for integration (API keys, tokens — stored encrypted where possible)
3. Purposes of Processing Personal Data
Your personal data is processed for the following purposes:
- Managing appointment creation, updates, reminders, and cancellations
- Managing user accounts and business profiles
- Providing communication via SMS, email, and push notifications
- Processing subscriptions and invoicing
- Handling technical support requests
- Ensuring platform security, performance, and continuity
- Improving service quality and testing new features
- Fulfilling legal obligations (tax regulations, KVKK, etc.)
- Preventing abuse, fraud, and security threats
- Producing reports, analyses, and anonymous statistics
4. Legal Basis for Processing Personal Data
Your personal data is processed under the following legal bases pursuant to Article 5 of KVKK:
| Legal Basis | Description |
|---|---|
| Performance of a contract | Operations required for the subscription and service agreement (account creation, appointment management, invoicing) |
| Compliance with a legal obligation | Obligations under tax law, Law No. 6563, Law No. 5651 |
| Legitimate interest | Platform security, service quality improvement, fraud prevention |
| Explicit consent | Commercial electronic communications, processing of special categories of personal data |
5. Notifications and Commercial Electronic Communications
Two types of messages may be sent through Randola via SMS, email, and push notification:
Transactional notifications (appointment reminders, confirmations, cancellations, changes): Sent as part of service delivery; no separate consent is required.
Commercial electronic communications (campaigns, announcements, promotions): Sent only with your explicit consent under Law No. 6563 on the Regulation of Electronic Commerce. You may withdraw this consent at any time.
Notification preferences can be managed by the business administrator from the Notification Settings page in the panel.
6. Transfer of Personal Data
6.1 Domestic Transfer
Your personal data may be shared with technical infrastructure providers, payment institutions, and legally authorized public authorities as necessary for service delivery. These transfers are carried out under Article 8 of KVKK.
6.2 International Transfer
Randola operates part of its infrastructure on international cloud service providers. As a result, your personal data may be hosted or processed on servers outside of Turkey (primarily in European Union countries) for the purpose of providing the service.
For international data transfers, measures are applied in accordance with Article 9 of KVKK, including standard contractual clauses, encryption, access controls, and assessment of whether the destination country provides adequate data protection safeguards.
6.3 Sharing with Official Authorities
In cases of legal obligation under applicable legislation, personal data may be shared with legally authorized public institutions and agencies upon their request. In such cases, we aim to notify you in advance unless prohibited by law.
7. Retention Periods
Your personal data is retained for the period necessary for the purpose for which it was collected and in accordance with applicable legal obligations.
| Data Category | Retention Period |
|---|---|
| Account and identity information | While account is active + 3 years after deletion |
| Appointment records | Duration of service relationship + 3 years |
| Invoices and financial records | 10 years as required by tax regulations |
| Technical log records | Maximum 2 years within security requirements |
| Support correspondence | 3 years |
| Commercial communication consent and withdrawal records | 3 years from consent/withdrawal (Law No. 6563) |
Data whose retention period has expired is securely deleted, destroyed, or anonymized.
8. Cookies and Tracking Technologies
The Randola website and platform use cookies and similar tracking technologies to enhance user experience, ensure security, and measure site performance.
Cookie Types
| Type | Description |
|---|---|
| Essential cookies | Required for session management and core platform functionality; cannot be disabled |
| Preference cookies | Remember user preferences such as language and theme |
| Analytics cookies | Used for anonymous visitor statistics and page performance measurement |
| Session cookies | Automatically deleted when the browser is closed |
| Persistent cookies | Stored on the device for a specified period |
You can disable or delete certain cookie categories from your browser settings. However, disabling essential cookies may negatively affect platform functionality.
9. Security Measures for the Protection of Personal Data
Randola applies the following technical and administrative measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
Technical measures:
- HTTPS/TLS encrypted communication protocols
- Encrypted data storage (including passwords)
- Strong password policies and multi-factor authentication option
- Role-based access control (RBAC) — only authorized personnel have access
- Security log monitoring and anomaly detection
- Regular backups and disaster recovery processes
- Periodic security updates and patch management
Administrative measures:
- Privacy and data protection training
- Application of the data minimization principle
- Regular review of access permissions
- Data processing agreements and confidentiality undertakings
No method of data transmission over the Internet or electronic storage can guarantee 100% security. Randola commits to applying reasonable and up-to-date security measures to minimize risks. In the event of a security breach, the necessary notifications will be made to the Personal Data Protection Authority and relevant individuals in accordance with KVKK and applicable legislation.
10. Rights of Data Subjects (KVKK Article 11)
Pursuant to Article 11 of KVKK No. 6698, you have the following rights regarding your personal data:
- Right to be informed: Learning whether your personal data is being processed
- Right of access: Requesting information about your processed data
- Right to rectification: Requesting correction of incomplete or inaccurate data
- Right to erasure / destruction: Requesting deletion of your data when conditions are met
- Right to notification of transfer: Requesting that rectification or deletion be communicated to third parties to whom data has been transferred
- Right to object: Objecting to decisions produced through automated systems that result in outcomes against you, and to processing based on legitimate interest
- Right to compensation: Requesting remedy for damages suffered due to unlawful processing
- Data portability: Receiving your data in a structured format (to the extent applicable)
- Withdrawal of consent: Withdrawing your consent at any time for consent-based processing
To exercise these rights, you may submit a written request to info@randola.com. Applications are responded to within 30 days at the latest pursuant to Article 13 of KVKK and are free of charge.
Where Randola acts as a Data Processor (for example, when a clinic enters data about its own clients), you may need to direct data subject requests to the relevant business.
11. Governing Law and Jurisdiction
This Privacy Policy is governed by the laws of the Republic of Turkey. Turkish Courts and Enforcement Offices have jurisdiction over any disputes arising from the application of this Policy.
Your right to file a complaint with the Personal Data Protection Authority (KVKK) under KVKK remains reserved at all times.
12. Policy Changes
Randola may update this Privacy Policy in response to changes in legislation, new service features, or developments in business processes.
When significant changes occur:
- Announcements are made in platform notifications
- An informational email is sent to your registered address
- The "Last updated" date at the top of this page is updated
We recommend reviewing this policy at regular intervals.
13. Contact
For questions, requests, or complaints regarding the processing of your personal data:
Data Protection Officer
Randola Information Systems
- Email: info@randola.com
- General support: hello@randola.com
You may submit your data subject rights requests to the email address above. Additional documentation may be requested to verify your identity.