Privacy Policy.

Under this Policy, your personal data are processed by İMSA Sağlık Hizmetleri (Halkalı V.D. 474 060 3681), as data controller, within the framework of applicable Turkish data protection law and, to the extent applicable, the EU General Data Protection Regulation (“GDPR”).

For any question, request or application, our contact address is: [email protected]. A corporate postal address is not published in this document; applications are received via the email above.

This Policy covers ONLY personal data relating to people who visit our website. The following matters are OUTSIDE the scope of this Policy and are governed by a separate document, the “Patient & Genetic Data Privacy Notice and Explicit Consent Statement”:

• Patients’ clinical/medical data,
• NGS/genetic sequencing and variant data (special-category health data),
• Evaluation and reporting processes carried out with artificial intelligence (AI),
• The explicit-consent declarations relating to these processes.

For data of this nature, only that separate document applies: Patient & Genetic Data Privacy Notice. In the event of a conflict, that separate document prevails with respect to patient/clinical/genetic data.

During your visit to our website, the following visitor data may be collected:

• (a) Contact/Application Form Data: information you voluntarily enter to submit a preliminary request, such as name, email address, phone number (if provided), institution/company name (if provided) and the content of your message/request.
• (b) Server/Access Logs and IP: technical connection information such as IP address, access date/time, the page/URL requested, referrer, browser type and version, and operating system; these are recorded automatically when you access the site.
• (c) Cookie-based Site-Usage Data: data collected through cookies and similar technologies, such as pages visited, session information and site preferences (see Section 4).

Our website uses cookies and similar technologies. We treat cookies in two categories:

• (1) Strictly necessary (technical) cookies: required for the site’s core functions, session management and security (e.g. WAF/bot protection). These are used on the basis of our legitimate interest in providing the service and system security (applicable Turkish data protection law; GDPR Art. 6(1)(f)) and do not require consent.
• (2) Optional (analytics/performance) cookies: because the analytics tool we use (Cloudflare Web Analytics) is cookieless, no optional/analytics cookies are currently used on our site. If an optional cookie is used in future, it will be placed only on the basis of the consent you give via the cookie banner shown on your first visit (applicable Turkish data protection law; GDPR Art. 6(1)(a)), and you may withdraw your consent at any time.

You can also manage or delete cookies via your browser settings; blocking strictly necessary cookies may limit some site functions. For a detailed list of cookies and their durations: Cookie Policy.

To measure visit trends and usage, our website uses only the Cloudflare Web Analytics tool; no other analytics tool (e.g. Google Analytics) is used.

Cloudflare Web Analytics is a privacy-friendly, cookieless tool:

• It does not place cookies to identify visitors and does not perform device fingerprinting,
• It does not track visitors across sites and does not build personal profiles,
• It produces only aggregate page-view and performance statistics.

Because this tool uses no cookies and collects no identified/identifiable personal data, no separate cookie consent is required for its use.

We use the following service providers (sub-processors) in operating our website. These providers process personal data only to provide services to us, in accordance with our instructions and under contractual confidentiality obligations; they may not use the data for their own purposes:

Some of our infrastructure providers (in particular Cloudflare, which provides CDN/security and cookieless web analytics) may operate their servers or edge network nodes abroad. For this reason, technical data generated during your visit (e.g. IP address) may be processed abroad to a limited extent.

Such transfers are carried out with appropriate safeguards, within the framework of applicable Turkish data protection law and GDPR Chapter V. The transfer abroad of clinical/genetic patient data is not within the scope of this Policy; that matter is governed by the relevant separate patient document.

We retain your visitor data only for as long as the processing purpose requires, subject to the periods prescribed by applicable legislation:

At the end of the period, data are deleted, destroyed or anonymised.

To protect your visitor data, we apply appropriate technical and organisational measures in accordance with applicable Turkish data protection law and GDPR Art. 32. These include:

• TLS/SSL encryption in data transmission,
• Cloudflare WAF / bot protection and DDoS prevention,
• Access to systems on a need-to-know (least-privilege) basis,
• Keeping access logs and regularly reviewing security measures.

We remind you that no transmission or storage of data over the internet is 100% secure; however, we undertake to take reasonable and up-to-date measures to protect your data.

Your visitor data are processed for the following purposes and on the following legal bases:

• Receiving and responding to your contact/application request: legitimate interest (applicable Turkish data protection law; GDPR Art. 6(1)(f)) and/or, where your request relates to a contractual relationship, the conclusion/performance of a contract (GDPR Art. 6(1)(b)). If you voluntarily provide health information in the form: explicit consent (applicable Turkish data protection law; GDPR Art. 9(2)(a)).
• Operating the site, its security and preventing abuse (log/IP, WAF): legitimate interest (applicable Turkish data protection law; GDPR Art. 6(1)(f)).
• Compliance with legal obligations: where required by law (applicable Turkish data protection law; GDPR Art. 6(1)(c)).
• Optional/analytics cookies: explicit consent (applicable Turkish data protection law; GDPR Art. 6(1)(a)).

Under applicable Turkish data protection law and the GDPR, you have the right to learn whether your personal data are processed, to request information, to learn the purpose of processing, to request rectification/erasure/destruction, to object to processing, to withdraw your consent for consent-based processing, and (under the GDPR) the rights to data portability and restriction.

To exercise your rights, you may send your application to [email protected]. We conclude your application within at most 30 days under applicable Turkish data protection law, and as a rule within one month under the GDPR. We may need to verify your identity in order to assess your request.

In addition, if your request is rejected, you reserve the right to lodge a complaint with the competent data protection authority.

We do NOT send marketing or promotional email (commercial electronic messages) to our website visitors. The data you submit via the contact/application form are used only to assess and respond to your request; they are not processed for marketing purposes and are not sold or rented to third parties.

Browsers may send certain signals that automatically communicate your privacy preference to the sites you visit:

• Do-Not-Track (DNT): when enabled in your browser settings, it communicates to the sites you visit a preference that “I do not want my online activity to be tracked”.
• Global Privacy Control (GPC): a newer browser/extension signal that works similarly, automatically communicating that you do not want your personal data sold/shared or to be tracked.

There is not yet a common industry standard for how these signals should be interpreted. Because our website does not track visitors, does not use advertising/tracking cookies and does not sell/share personal data (see Section 5 and 12), no additional action required by these signals currently applies. You can manage your cookie and privacy preferences via your browser settings in any case.

We may update this Policy from time to time. The current version is always published on this page and shown with a “last updated date”. Where material changes are involved, a prominent notice is given on this page where possible. We recommend reviewing this Policy periodically before continuing to use our site.