Privacy Policy
1. Who we are
DrPando ("DrPando", "we", "us") is a practice-management application for orthodontists, operated by Kadircan İşbilen, a natural person resident in Türkiye, acting as the data controller in respect of the data described in this policy.
- Data controller: Kadircan İşbilen (natural person, resident in Türkiye)
- Registered address: Talatpaşa, 34513 Esenyurt / Istanbul, Türkiye
- Contact: contact@drpando.com
This Privacy Policy describes how we handle the personal data of doctors and clinic staff who subscribe to and use DrPando. For information about how patient data is handled, see Section 10 below.
2. Personal data we collect
When you use DrPando we collect the following categories of personal data about you (the doctor or staff user):
| Category | Examples |
|---|---|
| Identity data | First name, last name |
| Contact data | Email address, phone number |
| Account data | Account creation date, subscription status, login activity, session tokens |
| Authentication data | Password (irreversibly hashed), password-reset tokens, activation tokens |
| Payment data | Subscription payment records. We do not see or store your card details — these are handled by Apple App Store or Google Play |
| Clinic data | Clinic name(s), address(es), staff accounts you create |
| Technical data | IP address, device type, app version, system logs |
3. How we use your data
- To create and manage your account
- To provide the DrPando service
- To process subscription payments
- To comply with legal obligations (tax, data protection, commercial law)
- To secure the service (prevent unauthorised access, detect abuse, audit access)
- To improve the service and fix bugs
- To respond to your support requests
- With your separate consent: marketing communications
4. Legal basis
We rely on the following legal bases under Turkish Personal Data Protection Law No. 6698 (KVKK) and, where applicable, GDPR equivalents:
- Performance of contract — providing the service you subscribed to, processing payments
- Legal obligation — record-keeping, tax, KVKK
- Legitimate interest — security, abuse prevention, service improvement (balanced against your rights)
- Explicit consent — for marketing communications and any other optional processing
5. Sub-processors and data sharing
To provide the service we share your data with the following processors. Each is bound by appropriate data-processing terms.
| Provider | Service | Location |
|---|---|---|
| Hetzner Online GmbH | Server hosting, database storage | Germany (EU) |
| Cloudflare, Inc. | Object storage (R2), CDN, DNS, DDoS protection | EU (R2 EU jurisdiction), global CDN |
| Resend, Inc. | Transactional email (account activation, password reset) | United States |
| Apple Inc. | iOS App Store distribution, subscription billing, push notifications | United States / global |
| Google LLC | Google Play distribution, subscription billing, Firebase Cloud Messaging | United States / global |
We do not sell your personal data. We do not share your data with advertising networks.
International transfers: Some of the providers above are located outside Türkiye. Transfers are made on the basis of your consent and/or appropriate contractual safeguards (including Standard Contractual Clauses where required).
6. How we collect your data
- Directly from you — when you register, update your account, enter payment information, or contact support
- Automatically — system logs of your use of the application (logins, IP address, device info, error reports)
7. How long we keep your data
| Data | Retention |
|---|---|
| Account data | While your account is active + 5 years after closure (statutory limitation periods) |
| Patient health data (held in our role as data processor) | At least 5 years post-treatment, or longer if the doctor's professional regulations require, or until the doctor deletes it (subject to retention obligations) |
| Financial records (invoices, subscription history) | 10 years (Tax Procedure Law Art. 253) |
| System logs and security audit data | 2 years |
| Marketing consent records | Until consent is withdrawn + 3 years |
| Activation and password-reset tokens | Until used or expired (maximum 24 hours) |
After the retention period, data is deleted, destroyed, or anonymised under our periodic erasure policy.
8. Your rights
Under KVKK Article 11 (and corresponding rights under GDPR where applicable), you have the right to:
- Know whether we process your personal data
- Request information about how we process it
- Know the purpose of processing and whether your data is being used in accordance with that purpose
- Know to whom your data has been transferred, in Türkiye or abroad
- Have inaccurate or incomplete data corrected
- Request deletion or destruction of your data, subject to legal retention obligations
- Have corrections or deletions communicated to third parties who received the data
- Object to decisions made solely by automated processing that have legal consequences for you
- Seek compensation if you suffer damage due to unlawful processing
9. How to exercise your rights
- Email: contact@drpando.com (preferably from your account email; for KVKK requests we may require additional identity verification)
- Post: Talatpaşa, 34513 Esenyurt / Istanbul, Türkiye (sent to Kadircan İşbilen)
We will respond within 30 days of receiving a valid request, free of charge; where fulfilling the request incurs additional cost, a fee set by the Data Protection Authority may apply.
If you are not satisfied with our response, you have the right to lodge a complaint with the Turkish Personal Data Protection Authority (KVK Kurumu).
10. Patient data (where DrPando acts as a processor)
DrPando is a tool that doctors use to manage their own patients' records. When a doctor enters a patient's data into DrPando, the doctor is the data controller of that data and DrPando acts as the data processor on the doctor's behalf.
This means:
- The doctor is responsible for: providing the patient with a privacy notice, obtaining consent where required, responding to the patient's KVKK requests, and deciding what data to enter into DrPando.
- DrPando is responsible for: keeping the data secure, processing it only on the doctor's instructions, not using it for our own purposes, notifying the doctor of any security incidents, and assisting the doctor in fulfilling their obligations.
DrPando applies technical and organisational security measures including: encryption at rest and in transit, access control, audit logging, regular encrypted backups, and tenant isolation so that one doctor's data is never visible to another.
11. Children
DrPando is intended for use by licensed orthodontic practitioners. Patient data entered into DrPando may include minors; in that case the responsibility for obtaining legal-guardian consent rests with the doctor (the data controller).
We do not knowingly collect personal data about users (doctors) under 18.
12. Security
We use industry-standard security practices including TLS for all network traffic, password hashing, separate access tokens scoped to least privilege, audit logging of sensitive operations, and encrypted off-site backups. No system is completely secure; if we become aware of a breach affecting your personal data we will notify you in accordance with applicable law.
13. Changes to this policy
We may update this policy from time to time. The current version will always be available at drpando.com/privacy-en and inside the DrPando application. For material changes we will notify you by email and/or in-app notification.
Contact: contact@drpando.com