Data Protection & Privacy Notice

Controller & Contact

Data Controller HemoAI Digital Health Technologies

Contact privacy@hemoai.org

Reach us for privacy enquiries, data requests or feedback via email or the support portal.

Categories of Data

• Hemogram & Laboratory Parameters: User-entered blood test values, date, notes.
• Profile Data: Name, age, gender, language, notification preferences (optional).
• App Usage Data: Reminders, goals, premium subscription status.
• Technical Logs: Device model, anonymised crash reports, performance metrics.

Purpose & Legal Basis

• Provide educational health insights, trends and comparisons (Explicit consent).
• Send reminders and motivational nudges you opt in to (Contract performance).
• Offer backup / restore functionality (Explicit user request).
• Run security, debugging and product analytics (Legitimate interest, minimal scope).

Security Measures

• AES‑256 encryption at rest on device; TLS 1.2+ for cloud sync.
• Backup passwords are user-managed and never stored in plain text.
• No third-party selling or profiling; external processors require explicit consent.
• Access to sensitive records is limited to authenticated sessions and authorised devices.

Retention & Deletion

Data is retained while your account remains active. Deleting your account permanently removes hemogram records and backups. Inactive accounts are anonymised after 24 months of inactivity.

Your Rights

• Access and receive a copy of your data (GDPR Art. 15 / KVKK Art. 11).
• Request rectification or completion of inaccurate information (Art. 16).
• Erase your data (“right to be forgotten”) (Art. 17).
• Restrict or object to processing and request portability (Art. 18 & 20).
• Opt-out of automated decision making and profiling.

Submit requests to privacy@hemoai.org. We respond within 30 days. Unresolved complaints can be escalated to the KVKK (Turkey) or your local EU Data Protection Authority.

International Transfers

Data may be processed on servers located in the EU or Turkey. Cross-border transfers occur only with adequate safeguards and, where required, Standard Contractual Clauses or explicit consent.