
RecapMedica — Privacy Policy (Final Draft v1.0)

Effective Date: 20.08.2025
Legal Entity / Controller: NOTRINO RESEARCH BİLGİ TEKNOLOJİLERİ ARAŞTIRMA GELİŞTİRME LİMİTED ŞİRKETİ ("Notrino", "we", "us", "our")
Registered Address: ÜNİVERSİTELER MAH. İHSAN DOĞRAMACI BLV. ARGE VE EĞİTİM MERKEZİ NO: 13 ÇANKAYA/ ANKARA
Service Names: RecapMedica websites, web apps, desktop/mobile apps, and related services (the "Services").

This Privacy Policy explains how we collect, use, disclose, transfer, and protect information about identifiable individuals ("Personal Data") when you visit our Sites/Apps or use the Services. Where we process health-related information on behalf of healthcare providers, we do so under a data processing agreement (DPA) compliant with KVKK/GDPR and, when applicable, a Business Associate Agreement (BAA) under HIPAA.

Who this Policy is for — Healthcare providers (our "Customers") and their staff; visitors to our Sites/Apps; and other individuals whose Personal Data may be processed in connection with the Services. Customers are responsible for their own patient-facing privacy notices and for obtaining all legally required consents and authorizations.


1) Key Definitions

  • Customer: A healthcare provider or organization that purchases or trials the Services.
  • Customer Data: Audio/video recordings, transcripts, PHI/health data, and any other data uploaded to or generated through the Services by or for the Customer (excluding Notrino Technology).
  • PHI: "Protected health information" under HIPAA (45 CFR §160.103).
  • Special Category Data: Personal data revealing health or other special categories under GDPR/KVKK.
  • Usage Data: Telemetry, logs, and analytics generated by the operation of the Services.
  • De‑Identified Data: Data derived from Customer Data that cannot reasonably identify an individual and meets de‑identification standards (e.g., HIPAA de‑identification, GDPR/KVKK anonymization).

2) Who We Are; Roles

  • For KVKK/GDPR purposes, Customer is typically the controller of patient data; Notrino acts as processor. For our own business operations (e.g., account administration, billing, product analytics), Notrino may act as controller.
  • For HIPAA accounts, Notrino acts as a Business Associate to Covered Entities/Business Associates under a BAA.

3) What We Collect

3.1 Data you provide

  • Account and profile information (name, role, contact details, credentials).
  • Content captured or uploaded through the Services (e.g., clinical conversation audio/video, transcripts, notes, attachments).
  • Support inquiries and correspondence.

3.2 Data collected automatically

  • Device and connectivity data (IP address, device identifiers, OS/browser, app version).
  • Usage Data (events, feature and performance metrics, crash/diagnostics logs).
  • Cookies and similar technologies (see §12 Cookies).

3.3 Data from third parties

  • Subprocessors that provide infrastructure, storage, speech-to-text, or analytics.
  • EHR systems or practice-management systems integrated by the Customer.

Children — The Services are intended for professional use by healthcare providers. We do not knowingly collect Personal Data directly from children under 13. Customers remain responsible for any pediatric PHI processed via the Services.


4) Purposes & Legal Bases (KVKK/GDPR)

| Purpose | Examples | Legal Basis |
|---|---|---|
| Provide the Services | Transcription, summarization, structured notes, coding assist | Performance of a contract (Art. 6(1)(b)); for special categories, Art. 9(2)(h) via controller's legal basis; processor role |
| Security & abuse prevention | Authentication, access control, auditing, incident response | Legitimate interests (Art. 6(1)(f)); legal obligations |
| Support & communications | Responding to tickets, product updates | Contract (Art. 6(1)(b)) / Legitimate interests |
| Billing & account management | Subscriptions, invoicing, collections | Contract / Legal obligations |
| Service improvement | Quality, accuracy, model evaluation; UX analytics | Legitimate interests; and (for any personal data where consent or additional safeguards are required) based on Customer instructions and/or consent |

When acting as processor, we rely on the Customer’s lawful basis and instructions. Where required (e.g., for model improvement with personal data), we will implement opt‑in, opt‑out, or alternative safeguards as directed by the Customer or applicable law.


5) Data Residency (Region Selection) & International Transfers

Your region choice. During onboarding, Customers select a primary data residency region (e.g., Türkiye, EU/EEA, United States). We store and process Customer Data at rest in the selected region and do not move it outside that region except:

  • At the Customer’s instruction (e.g., cross‑region disaster recovery) or as necessary to provide the Services;
  • Where required by law, or to protect vital interests; or
  • For limited support/maintenance scenarios, in which case remote access from another country constitutes a transfer and will occur only with appropriate safeguards and strict access controls.

GDPR/KVKK transfers. If Customer selects EU/EEA or Türkiye, any access or onward transfers to other countries will comply with applicable transfer mechanisms (e.g., adequacy decisions, standard contractual clauses (SCCs), binding corporate rules (BCRs), or Board‑approved undertakings/standard contracts under KVKK). We maintain a current list of subprocessors and transfer safeguards in our Data Processing Addendum and Trust Page.

HIPAA. HIPAA does not prohibit storage of ePHI outside the U.S. when there is a valid BAA and the Security Rule’s risk analysis/management requirements are met. For U.S. healthcare Customers we offer U.S. data residency by default; if a Customer requests a non‑U.S. region, we will document additional safeguards in the BAA and risk assessment.

Summary: Region selection is a core privacy‑by‑design control. We will honor your selected region and disclose any cross‑border access in this Policy and in the DPA/BAA, including the safeguards used.


6) How We Use Information

  • To provide, secure, operate, and improve the Services;
  • To create De‑Identified Data and Usage Data for analytics, benchmarking, and service quality;
  • To communicate about updates, security alerts, and administrative matters;
  • To comply with legal obligations and enforce agreements.

We do not sell Personal Data. We do not use PHI for advertising.


7) Sharing & Disclosures

  • With subprocessors who support hosting, storage, speech processing, analytics, customer support; each bound by confidentiality and data‑protection terms.
  • With EHRs or integrations configured by the Customer.
  • For corporate transactions (merger, acquisition) subject to continued protections.
  • For legal compliance or to protect rights, safety, or security.

A current list of material subprocessors and their regions is available in our Trust/Privacy resources and DPA schedule.


8) Retention

We retain Personal Data for as long as necessary to fulfill the purposes described, to comply with law, and to resolve disputes. For Customer Data, retention follows Customer configuration and instructions. Backups are deleted on standard cycles.


9) Security

We implement administrative, physical, and technical measures appropriate to risk, including:

  • Encryption in transit and at rest;
  • Least‑privilege access control and MFA;
  • Network segmentation and logging/monitoring;
  • Secure development and vulnerability management;
  • Incident response and breach notification consistent with GDPR/KVKK/HIPAA requirements.

10) Your Rights

KVKK/GDPR (data subjects): You may request access, correction, deletion, restriction/objection, and portability, and lodge a complaint with a supervisory authority. To exercise rights, contact us as set out in §15. Where we act as processor, please direct requests to your healthcare provider (the controller); we will assist the controller in responding.

HIPAA (patients of U.S. Customers): Requests to access or amend PHI should be directed to your healthcare provider; we support providers in fulfilling HIPAA rights.


11) Marketing & Communications

We may send service, transactional, or security emails. You can opt out of non‑essential marketing communications at any time. We do not use PHI for marketing.


12) Cookies & Similar Technologies

We use cookies and similar technologies to remember preferences, maintain sessions, and measure product performance. You can control cookies via your browser settings. Some features may not work without certain cookies.


13) Third‑Party Links

Our Sites/Apps may contain links to third‑party websites or services. Their privacy practices are governed by their own policies.


14) Changes to This Policy

We may update this Policy from time to time. Material changes will be notified via the Services or by email where appropriate. The "Last updated" date will reflect the latest version.


15) Contact Us

Controller / Data Protection Contact (Türkiye):
NOTRINO RESEARCH BİLGİ TEKNOLOJİLERİ ARAŞTIRMA GELİŞTİRME LİMİTED ŞİRKETİ
ÜNİVERSİTELER MAH. İHSAN DOĞRAMACI BLV. ARGE VE EĞİTİM MERKEZİ NO: 13 ÇANKAYA/ ANKARA
Email: legal@notrino.com


Annexes & Linked Documents (Informative)

  • Data Processing Addendum (KVKK/GDPR) — roles, transfer mechanisms (adequacy, SCCs/BCRs, undertakings), subprocessors, security measures, and data subject request handling.
  • Business Associate Agreement (HIPAA) — permitted uses/disclosures, safeguards, breach notification, subcontractors, and return/destruction of PHI.
  • Trust/Security Page — current architecture summaries, encryption, availability, incident response, and subprocessor registry.

Region‑by‑Region Notes (Informative)

  • Türkiye (KVKK): Cross‑border access/transfer (including remote support) requires an applicable mechanism (e.g., adequacy decision, Board standard contracts/undertakings, BCRs) and transparency in this Policy and the DPA.
  • EU/EEA (GDPR): Transfers outside the EEA rely on adequacy decisions, SCCs, BCRs, or derogations where appropriate.
  • United States (HIPAA): ePHI may be stored outside the U.S. with a valid BAA and appropriate risk management; we provide U.S. residency by default for HIPAA customers and document additional safeguards for any non‑U.S. residency choice.

© 2025 Notrino Research. All rights reserved.