2025-01-01

Privacy and Personal Data Protection Policy

Learn how personal data is collected, processed and protected on the Randola platform.

1. Data Controller

Pursuant to the Law on the Protection of Personal Data No. 6698 (KVKK), your personal data is processed by the following Data Controller:

Randola Information Systems
Email: info@randola.com
Web: www.randola.com

This Privacy Policy explains how personal data is processed for businesses, specialists, employees, clients who book appointments through Randola, business partners, and visitors to our website.


2. Personal Data We Process

Depending on how you use Randola, the following categories of personal data may be processed:

2.1 Identity and Account Information

  • First name, last name, gender, date of birth
  • National ID number (where required for invoicing and legal obligations)
  • Business name, title, or clinic name
  • Account credentials (email, password — passwords are stored in an irreversibly encrypted format)
  • Account creation and update dates

2.2 Contact Information

  • Email address
  • Phone number
  • Full address, city, district, country

2.3 Business and Organization Information

  • Business profile (logo, description, working hours, address, website)
  • Branch, room, and resource configuration details
  • Specialist profiles (name, specialty, title, biography)
  • Staff and employee accounts (name, access permissions, role)

2.4 Appointment and Service Records

  • Client name or identifier code (based on business preference)
  • Client contact information (phone, email)
  • Appointment date, time, duration, and recurrence details
  • Associated specialist, room, or service type
  • Appointment status (confirmed, cancelled, no-show, etc.)
  • Notes and tags entered by the business

Randola is not a healthcare provider and does not make medical diagnoses, treatment decisions, or clinical assessments. Data entered by businesses within their own records (examination notes, anamnesis information, etc.) is the responsibility of the relevant business. Randola acts solely as a Data Processor hosting this data on a technical basis.

2.5 Financial and Billing Information

  • Billing name / business name, tax office, tax number
  • Billing address
  • Subscription plan, payment dates, invoice serial/sequence numbers
  • Transaction reference number and result information provided by the payment processor

Randola does not directly store credit or debit card information. All card payments are processed through PCI-DSS compliant third-party payment infrastructure; Randola only receives a summary of the payment outcome.

2.6 Technical Data and Log Records

  • IP address and approximate location (city / country level)
  • Browser type, operating system, device type
  • Session login and logout timestamps
  • System log records (error logs, security events)
  • Page view information and usage statistics

These data are typically evaluated as anonymous or aggregated statistics and analyzed without being associated with directly identifiable individuals.

2.7 Communication, Support, and Feedback Records

  • Support requests, bug reports, and feedback
  • Content of messages sent
  • Support conversation history with timestamps

2.8 Third-Party Integration Information

Randola may integrate with third-party services such as SMS providers, email services, or calendar applications. In this context:

  • SMS / email delivery information (recipient, delivery time, delivery status)
  • Technical credentials for integration (API keys, tokens — stored encrypted where possible)

3. Purposes of Processing Personal Data

Your personal data is processed for the following purposes:

  • Managing appointment creation, updates, reminders, and cancellations
  • Managing user accounts and business profiles
  • Providing communication via SMS, email, and push notifications
  • Processing subscriptions and invoicing
  • Handling technical support requests
  • Ensuring platform security, performance, and continuity
  • Improving service quality and testing new features
  • Fulfilling legal obligations (tax regulations, KVKK, etc.)
  • Preventing abuse, fraud, and security threats
  • Producing reports, analyses, and anonymous statistics

Your personal data is processed under the following legal bases pursuant to Article 5 of KVKK:

Legal Basis | Description
Performance of a contract | Operations required for the subscription and service agreement (account creation, appointment management, invoicing)
Compliance with a legal obligation | Obligations under tax law, Law No. 6563, Law No. 5651
Legitimate interest | Platform security, service quality improvement, fraud prevention
Explicit consent | Commercial electronic communications, processing of special categories of personal data

5. Notifications and Commercial Electronic Communications

Two types of messages may be sent through Randola via SMS, email, and push notification:

Transactional notifications (appointment reminders, confirmations, cancellations, changes): Sent as part of service delivery; no separate consent is required.

Commercial electronic communications (campaigns, announcements, promotions): Sent only with your explicit consent under Law No. 6563 on the Regulation of Electronic Commerce. You may withdraw this consent at any time.

Notification preferences can be managed by the business administrator from the Notification Settings page in the panel.


6. Transfer of Personal Data

6.1 Domestic Transfer

Your personal data may be shared with technical infrastructure providers, payment institutions, and legally authorized public authorities as necessary for service delivery. These transfers are carried out under Article 8 of KVKK.

6.2 International Transfer

Randola partially operates its infrastructure on international cloud service providers. As a result, your personal data may be hosted or processed on servers outside of Turkey (primarily in European Union countries) for the purpose of providing the service.

For international data transfers, measures are applied in accordance with Article 9 of KVKK, including standard contractual clauses, encryption, access controls, and assessment of whether the destination country provides adequate data protection safeguards.

6.3 Sharing with Official Authorities

In cases of legal obligation under applicable legislation, personal data may be shared with legally authorized public institutions and agencies upon their request. In such cases, we aim to notify you in advance unless prohibited by law.


7. Retention Periods

Your personal data is retained for the period necessary for the purpose for which it was collected and in accordance with applicable legal obligations.

Data Category | Retention Period
Account and identity information | While account is active + 3 years after deletion
Appointment records | Duration of service relationship + 3 years
Invoices and financial records | 10 years as required by tax regulations
Technical log records | Maximum 2 years within security requirements
Support correspondence | 3 years
Commercial communication consent and withdrawal records | 3 years from consent/withdrawal (Law No. 6563)

Data whose retention period has expired is securely deleted, destroyed, or anonymized.


8. Cookies and Tracking Technologies

The Randola website and platform use cookies and similar tracking technologies to enhance user experience, ensure security, and measure site performance.

Type | Description
Essential cookies | Required for session management and core platform functionality; cannot be disabled
Preference cookies | Remember user preferences such as language and theme
Analytics cookies | Used for anonymous visitor statistics and page performance measurement
Session cookies | Automatically deleted when the browser is closed
Persistent cookies | Stored on the device for a specified period

You can disable or delete certain cookie categories from your browser settings. However, disabling essential cookies may negatively affect platform functionality.


9. Security Measures for the Protection of Personal Data

Randola applies the following technical and administrative measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

Technical measures:

  • HTTPS/TLS encrypted communication protocols
  • Encrypted data storage (including passwords)
  • Strong password policies and multi-factor authentication option
  • Role-based access control (RBAC) — only authorized personnel have access
  • Security log monitoring and anomaly detection
  • Regular backups and disaster recovery processes
  • Periodic security updates and patch management

Administrative measures:

  • Privacy and data protection training
  • Application of the data minimization principle
  • Regular review of access permissions
  • Data processing agreements and confidentiality undertakings

No method of data transmission over the Internet or electronic storage can guarantee 100% security. Randola commits to applying reasonable and up-to-date security measures to minimize risks. In the event of a security breach, the necessary notifications will be made to the Personal Data Protection Authority and relevant individuals in accordance with KVKK and applicable legislation.


10. Rights of Data Subjects (KVKK Article 11)

Pursuant to Article 11 of KVKK No. 6698, you have the following rights regarding your personal data:

  • Right to be informed: Learning whether your personal data is being processed
  • Right of access: Requesting information about your processed data
  • Right to rectification: Requesting correction of incomplete or inaccurate data
  • Right to erasure / destruction: Requesting deletion of your data when conditions are met
  • Right to notification of transfer: Requesting that rectification or deletion be communicated to third parties to whom data has been transferred
  • Right to object: Objecting to decisions produced through automated systems that result in outcomes against you, and to processing based on legitimate interest
  • Right to compensation: Requesting remedy for damages suffered due to unlawful processing
  • Data portability: Receiving your data in a structured format (to the extent applicable)
  • Withdrawal of consent: Withdrawing your consent at any time for consent-based processing

To exercise these rights, you may submit a written request to info@randola.com. Applications are responded to within 30 days at the latest pursuant to Article 13 of KVKK and are free of charge.

Where Randola acts as a Data Processor (for example, when a clinic enters data about its own clients), you may need to direct data subject requests to the relevant business.


11. Governing Law and Jurisdiction

This Privacy Policy is governed by the laws of the Republic of Turkey. Turkish Courts and Enforcement Offices have jurisdiction over any disputes arising from the application of this Policy.

Your right to file a complaint with the Personal Data Protection Authority (KVKK) under KVKK remains reserved at all times.


12. Policy Changes

Randola may update this Privacy Policy in response to changes in legislation, new service features, or developments in business processes.

When significant changes occur:

  • Announcements are made in platform notifications
  • An informational email is sent to your registered address
  • The "Last updated" date at the top of this page is updated

We recommend reviewing this policy at regular intervals.


13. Contact

For questions, requests, or complaints regarding the processing of your personal data:

Data Protection Officer
Randola Information Systems
Email: info@randola.com
General support: hello@randola.com

You may submit your data subject rights requests to the email address above. Additional documentation may be requested to verify your identity.