Privacy Policy
Last updated: May 17, 2026
1. Data Controller
Caymaz TechHealth Yazilim Tic. Ltd. Sti. ("ClinicArchitect", "we") processes your personal data under applicable privacy and data protection laws, including the where it applies and for users in Turkey.
Legal name: Caymaz TechHealth Yazilim Tic. Ltd. Sti.
MERSIS: 0203091510500001 | Tax office: Başakşehir | Tax no: 2030915105
Address: Istanbul, Turkey
2. Data We Collect
Through the mobile app and web portal we collect:
• Account data: email, display name, profile photo (via Google/Apple/Firebase sign-in)
• Clinic data: clinic name, address, contact details
• Patient data: name, phone, email, passport number, medical notes (; encrypted at the application layer with AES-256-GCM)
• Usage data: session logs, error reports, in-app activity
• Subscription data: subscription status only (payments are processed by Apple/Google)
• Device data: device model, OS, FCM push token
• Uploaded files: clinic/patient-related images (Cloudflare R2)
• Consent records: which agreements you accepted, version, date, and technical proof (IP address truncated where stored)
3. How We Collect Information
We collect data:
• **Directly from you** — registration, profile settings, clinic setup, patient entry, support messages, consent checkboxes
• **Automatically** — server logs, security events, API usage, push notification tokens, locale preference cookies on the website
• **From third parties** — identity attributes from Firebase Authentication; subscription status from Adapty and app stores (we do not receive payment card numbers)
4. How We Use Your Data
We use collected data to:
• Provide clinic management services
• Enable appointments, patient tracking, and clinical workflows
• Manage mobile app subscriptions (Adapty / store infrastructure)
• Send service-related push notifications (with your device permission)
• Ensure security and prevent fraud
• Provide support and fix issues
• Comply with legal obligations
• Send marketing communications **only if you opt in** (optional)
5. Legal Basis for Processing
Depending on your location and the type of data, we rely on:
• **Contract** — to provide the Service you signed up for
• **Consent** — for optional marketing, and where required for processing entered by your clinic (the clinic is the for patient data)
• **Legitimate interests** — security, fraud prevention, service improvement (balanced against your rights)
• **Legal obligation** — tax, regulatory, or law-enforcement requests
6. Data Security
Patient personal data is encrypted at the application layer using AES-256-GCM before storage. Encryption keys are kept as secure environment variables on production servers and are not stored in the database. Database and API traffic use TLS. Servers are hosted on Hetzner infrastructure.
7. Sharing and Sub-processors
We **do not sell** your personal information. We **do not share** patient data for advertising or unrelated commercial purposes.
We use the following **sub-processors** only to operate the Service. Each maintains its own privacy and data processing terms:
• **Firebase Authentication** (Google LLC, USA) — identity; Google Cloud Data Processing Terms: https://firebase.google.com/support/privacy
• **Adapty Inc.** (USA) — subscription management (anonymous user identifier); Adapty Privacy Policy: https://adapty.io/privacy/
• **Apple App Store / Google Play** — in-app payments (payment details are not shared with us)
• **Hetzner Online GmbH** (Germany, EU) — API and database hosting; Hetzner Privacy Policy: https://www.hetzner.com/legal/privacy-policy
• **Cloudflare, Inc.** (EU region, R2) — file storage; Cloudflare GDPR commitments: https://www.cloudflare.com/gdpr/introduction/
• **Firebase Cloud Messaging** (Google LLC, USA) — push notifications; covered under Google Cloud Data Processing Terms
• Competent authorities when legally required
By accepting our Terms and DPA, you acknowledge we use these sub-processors. Our website does not process direct payments.
8. International Transfers
Your data is primarily processed in the European Union on Hetzner (Germany). Some sub-processors (Firebase, Adapty, Cloudflare) may process data outside the EU/EEA; such transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent mechanisms ensuring an adequate level of protection.
9. Data Retention
Data for active clinic accounts is retained during the subscription period plus 90 days. Upon account deletion request, personal data is removed within 30 days; audit logs may be kept for up to 24 months where required by law. Consent records may be retained to demonstrate compliance for the applicable statutory period.
10. Your Rights and Request Timelines
Where applicable under , , and other laws, you may have rights to access, rectify, erase, restrict processing, object, and data portability.
**How to exercise rights:** email privacy@caymaztech.com or use in-app **Privacy & data** (export / delete account). We may verify your identity before responding.
**Response times (typical):**
• GDPR: within 1 month (extendable to 3 months for complex requests)
• KVKK: within 30 days (extendable to 60 days with notice)
• CCPA/CPRA: within 45 days (extendable to 90 days where permitted)
You may lodge a complaint with your supervisory authority (e.g. KVKK Kurulu in Turkey, your EU DPA, or the California Attorney General).
11. Cookies and Similar Technologies
Our website uses essential cookies (e.g. language preference `NEXT_LOCALE`). We do not use third-party advertising cookies on the marketing site. For details, see our Cookie Policy at `/en/cookies` (or your locale path). You can manage preferences via the cookie banner on first visit.
12. Marketing and Optional Processing
Marketing emails or promotional push messages are sent **only if you opt in** separately. You may withdraw marketing consent at any time in account settings or by emailing privacy@caymaztech.com. Withdrawal does not affect lawfulness of processing before withdrawal.
13. Do Not Sell or Share My Personal Information
**We do not sell personal information.** We do not share personal information for cross-context behavioral advertising.
Because we do not sell or share personal information for such purposes, there is no opt-out mechanism to configure. If our practices change, we will update this policy and provide a compliant opt-out where required.
14. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have rights to know, access, delete, and correct personal information, and to opt out of the **sale** or **sharing** of personal information for cross-context behavioral advertising (see Section 13).
To exercise your rights, contact privacy@caymaztech.com. We will not discriminate against you for exercising your rights.
15. Data Breach Notification
If a personal data breach is likely to result in risk to your rights, we will notify the competent supervisory authority within 72 hours where required (e.g. GDPR, KVKK) and affected individuals without undue delay when the risk is high. Report suspected incidents to privacy@caymaztech.com.
16. In-App Purchases
Subscription plans are offered only via the App Store (Apple) and Google Play. All payment transactions are handled by the store; no payment card data is stored on ClinicArchitect servers.
17. Children's Privacy
ClinicArchitect is not directed at individuals under 18. We do not knowingly collect personal data from children.
18. Updates
This policy may be updated from time to time. Material changes will be communicated by email or in-app notification at least 30 days before they take effect where practicable.
19. Contact
Privacy & data protection: privacy@caymaztech.com
General support: support@caymaztech.com
Caymaz TechHealth Yazilim Tic. Ltd. Sti. — ClinicArchitect