Privacy Policy and GDPR/KVKK Notice

1. Data Controller

The data controller responsible for the processing of your personal data is the natural person operating Uzman Takvimi (uzmantakvimi.net) in a sole-trader capacity. Uzman Takvimi is not incorporated as a company; KVKK / GDPR obligations are discharged by this natural person. The controller’s full legal name will be shared on written request to the contact address below (for identity verification of KVKK Art. 11 / GDPR subject requests, for example).

• Brand: Uzman Takvimi (uzmantakvimi.net)
• Postal address: Bostancı Mah. Bostan Sok. 6/10, Kadıköy / İstanbul
• Contact: kvkk@uzmantakvimi.net
• Web: https://uzmantakvimi.net

2. Categories of Personal Data

To provide the service we process the following data:

• Identity and contact data: name, email address, phone number.
• Account security data: bcrypt-hashed password, email verification and password reset tokens, session information.
• Expert profile data: title, biography, specialty, education, experience, certificates, languages, social links, profile photo.
• Calendar and appointment data: availability, created/cancelled appointments, appointment notes (entered by the expert; may contain health data — see Section 3 below), guest client name/email/phone (for guest bookings).
• Intake form responses: answers you submit to expert-defined pre-appointment forms. Depending on the expert’s profession these answers may contain health-related information (see Section 3 below).
• Connected calendar data: events read from third-party calendar providers (Google, Outlook, Apple iCloud) — title, date and time — together with the OAuth/CalDAV credentials for those accounts.
• Subscription and billing data: chosen plan, trial duration, subscription identifiers returned by our payment provider (LemonSqueezy). Full card numbers are never stored on our side; they are processed by LemonSqueezy directly.
• Usage data: sign-in logs, IP address, browser/device information, error logs.

3. Special Category Data (Health Information)

Because the Platform is aimed primarily at experts in the health and psychological counselling sectors, your answers to intake forms and the notes that an expert enters during an appointment may constitute special category personal data — in particular health data — within the meaning of KVKK Article 6 and GDPR Article 9.

The only lawful basis on which we process such data is your explicit consent (KVKK Art. 6(3), GDPR Art. 9(2)(a)). For this reason, before you submit an intake form we ask you to tick a separate confirmation box reading “I give my explicit consent to the processing of my health data”. Without that consent the form will not be saved.

You can withdraw your explicit consent at any time. Send your withdrawal request to kvkk@uzmantakvimi.net; we will action it within 30 days at the latest, deleting or anonymising the relevant intake responses and any notes containing health data. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal took effect.

Answers containing health data are visible only to the expert you booked with and — for storage infrastructure — to our sub-processors (Section 6). They are never used for marketing, profiling, or automated decision-making.

Separately, experts can opt in to the “AI Assistant” feature to have a session’s audio transcribed and summarised. This feature is engaged only when the expert has enabled it and the client gives a per-session consent; in that case the audio and transcript are sent to OpenAI (Whisper) for transcription and to Anthropic for summarisation (Section 6). Neither provider uses your data to train their models.

As a sub-option of the AI Assistant, when the expert opts in on a per-appointment basis, a “meeting bot” automatically joins video appointments (Google Meet / Zoom) during the session and records its audio. The bot runs through our third-party sub-processor Recall.ai (Section 6); the audio is held temporarily in Recall.ai’s Frankfurt (EU) region and then retrieved by us for transcription (Groq whisper-large-v3) and summarisation (Anthropic Claude Haiku 4.5) through the same AI Assistant flow. The bot is dispatched only when the expert has explicitly enabled it for that specific appointment and the client’s AI Assistant consent is on file; the client clearly sees the bot in the meeting’s participant list. Recall.ai, Groq and Anthropic do not use the data you provide to train their models.

As an extension of the same AI Assistant flow, an AI-drafted “follow-up email” derived from the session summary may be generated for the client. The draft is a downstream derivative of the summary; it is never sent to the client until the expert has reviewed and edited it in the dashboard and explicitly approved the send. The draft text is produced by Anthropic (Section 6) from the session summary, and — once the expert sends it — the final email is delivered to the client’s email address through our transactional email provider Resend (Section 6). Drafts containing terms that could amount to diagnosis, prescription, or medication advice are blocked automatically; in addition, no follow-up email draft is generated or sent for sessions whose summary carries a severe risk flag (self-harm, suicidal ideation, threat to third parties, child-safety concern, medical emergency). Because the source material may constitute health data, the lawful basis for this processing is the client’s explicit consent (KVKK Art. 6(3), GDPR Art. 9(2)(a)); the client may opt out of future AI-derived follow-up emails at any time via the RFC 8058 List-Unsubscribe link present in every such email, or by writing to kvkk@uzmantakvimi.net.

4. Purposes and Legal Bases

We process your data under KVKK Article 5 and GDPR Article 6 for the following purposes and on the following legal bases:

• Performance of the contract (KVKK 5/2-c, GDPR 6(1)(b)): account creation, appointment management, subscription billing.
• Compliance with legal obligations (KVKK 5/2-ç, GDPR 6(1)(c)): tax and commercial record-keeping, lawful requests from authorities.
• Legitimate interests (KVKK 5/2-f, GDPR 6(1)(f)): platform security, fraud prevention, service quality improvements, limited usage analytics.
• Explicit consent (KVKK 5/1 and 6/3, GDPR 6(1)(a) and 9(2)(a)): marketing emails, optional cookie preferences, the processing of intake responses that may contain health data, AI Assistant processing of session audio / transcript / summary, and the AI-drafted follow-up email derived from that summary and sent to the client.

5. Retention Periods

• Account and profile data: as long as your account is active; deleted or anonymised within 30 days of your deletion request.
• Appointment and calendar data: deleted together with the account; summary invoice records may be retained for up to 10 years to satisfy tax obligations (Turkish Commercial Code §82).
• Billing and subscription records: kept for the statutory retention period of 10 years.
• Marketing consents and cookie preferences: until consent is withdrawn, otherwise up to 12 months.
• Server and security logs: up to 90 days.
• Support / contact messages (questions, bug reports, complaints, and requests submitted through the contact form): stored in our database so we can handle and resolve them, retained for up to 365 days; resolved (closed) records are deleted within 180 days. These messages are processed under the contact purpose described in Section 11 and are not transferred to any new sub-processor.
• AI Assistant data: session audio is retained for up to 30 days by default; transcripts and summaries are retained for up to 365 days by default. These windows are controlled by environment variables and do not affect the guarantee that data is deleted when the account is deleted.
• AI-drafted follow-up emails: drafts are retained until the expert deletes them or the underlying account is deleted; send records (a digest of the recipient address, send timestamp, and delivery status) are retained for the same period.

6. Sub-processors and International Transfers

We rely on the following sub-processors. Most of them operate from the United States, which means relevant data is transferred internationally. Transfers are made under KVKK Article 9 and GDPR Article 46 (Standard Contractual Clauses / Data Processing Agreement) safeguards.

• Vercel Inc. (USA): application hosting and CDN.
• Neon Inc. (USA): managed PostgreSQL database.
• Resend (USA): transactional email delivery (appointment reminders, password resets, trial notifications and the AI-drafted follow-up emails the expert chooses to send to the client).
• UploadThing (USA): storage for profile photos and user uploads.
• Google LLC (USA): Google Calendar integration (only for the calendar account you choose to connect).
• Microsoft Corporation (USA/EU): Outlook/Microsoft 365 calendar integration, on the same basis.
• Apple Inc. (USA): iCloud calendar integration via CalDAV.
• LemonSqueezy (USA): subscription billing and payment collection; card data is not visible to us.
• OpenAI, L.L.C. (USA): used only when the expert explicitly enables the AI Assistant feature and the client grants consent — session audio is sent to Whisper for transcription. Data sent to OpenAI is not used to train their models.
• Anthropic, PBC (USA): used only under the same conditions (AI Assistant + client consent) to turn the transcript into a session summary and, where the expert requests it, to draft a client-facing follow-up email from that summary. Data sent to Anthropic is not used to train their models.
• Recall.ai, Inc. (USA/EU — Frankfurt region): used only when the expert explicitly enables the “AI Bot to join” option for a specific appointment and client consent is on file, to have a meeting bot join video appointments (Google Meet / Zoom) and record the session audio. The recording is then retrieved by us for transcription and summarisation via Groq and Anthropic. The bot is visible in the meeting’s participant list. Data sent to Recall.ai is not used to train their models.
• Groq, Inc. (USA): used only under AI Assistant + client consent conditions to transcribe session audio with the whisper-large-v3 model. Data sent to Groq is not used to train their models.
• Google LLC — Places API (USA): when an expert edits their address, the address fragments they type are sent to Google for autocomplete suggestions.
• Google Analytics 4 — Google LLC (USA): website traffic analytics on the platform’s public pages. Page visits, anonymised user behaviour (IP addresses are masked via anonymize_ip) and device/browser information are collected. Data is transferred to the United States under the EU-US Data Privacy Framework adequacy decision and Standard Contractual Clauses. Retention: 14 months (GA4 default). Under Google Consent Mode v2 analytics_storage is default-denied; GA4 cookies are only written and data is only sent when the user picks “Accept All” in the cookie notice. Choosing “Essential Only” sends nothing.

Limited Use of Google API data. Information received from the Google Calendar API after an expert connects their Google account (event titles, dates, times, attendee email addresses, Google Meet links) is processed solely to provide the expert-facing scheduling and Google Meet link generation features inside Uzman Takvimi. It is not sold to third parties, not used for advertising, not read by humans (except where required by law, for security investigations, or at the expert’s explicit request), and not used to develop, improve, or train generalised AI or machine-learning models. Uzman Takvimi’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

7. Your Rights

Under KVKK Article 11 and GDPR Chapter III you have the right to:

• Confirm whether your personal data is being processed.
• Request information about that processing.
• Learn the purposes of processing and whether the data is used in line with those purposes.
• Know the third parties (domestic or abroad) to whom data is transferred.
• Request rectification of inaccurate or incomplete data.
• Request erasure (“right to be forgotten”) under KVKK Article 7 and GDPR Article 17.
• Require that rectification, erasure, or restriction be communicated to recipients of your data.
• Object to a decision against you that is based solely on automated processing.
• Claim compensation if you suffer damage due to unlawful processing.
• Receive your data in a structured, commonly used, machine-readable format (data portability).

You can exercise your portability and erasure rights directly via the “Download My Data” and “Permanently Delete My Account” buttons in your account settings. For any other request, please email kvkk@uzmantakvimi.net. We respond within 30 days.

8. Cookies

Our platform uses only essential cookies for session management and security, plus optional cookies (if you accept them) for service improvements and limited analytics. The optional analytics provider is Google Analytics 4 (Google LLC, USA), which is default-denied under Google Consent Mode v2 and only activates if you choose “Accept All”. You can change your preference through the cookie notice at the bottom of the page; to revoke consent, delete the “ut_cookie_consent” cookie in your browser.

9. Data Security

Your data is protected in transit via TLS and at rest via industry-standard access controls. Passwords are stored salted with bcrypt. In the event of an unauthorised access, loss, or disclosure we will notify affected users and the competent authority within 72 hours, as required by KVKK Article 12(5) and GDPR Article 33.

10. Changes

We may update this notice from time to time. Material changes will be announced via in-product notice or email. The effective date is always shown as “Last updated” at the top of this page.

11. Contact

For any privacy- or rights-related question you can reach us at kvkk@uzmantakvimi.net. You also have the right to lodge a complaint with the Turkish Personal Data Protection Authority (KVKK) or, if you are in the EU/EEA, with your local supervisory authority.