Privacy Policy, KVKK Information Notice, Cookie Policy, Consent Texts and Application Form

Last updated: 24 September 2025
Scope: This package concerns the processing of personal data of website visitors, prospective patients/patients, contact-form users, and recipients of commercial communications.

1) PRIVACY POLICY (WEBSITE)

1.1. Data Controller

Company Name: Hoi Sağlık Hizmetleri Turizm İnşaat Sanayi ve Ticaret A.Ş

Address: Ataköy 2–5–6. Kısım Mah. Rauf Orbay Cad. No:4 Yalı Ataköy C Blok Daire: 36

MERSİS/Company No.: 0463093931200001

Email: info@hairofistanbul.com

KEP: hoiturizm@hs01.kep.tr

Phone: +90 530 688 42 47

Website: https://www.hairofistanbul.com

At Hair of Istanbul, we value your privacy. This Privacy Policy explains what personal data we collect when you use our website, for which purposes and legal bases we process it, with whom we may share it, how long we retain it, and your rights.

1.2. Categories of Data Collected

Identity: name, surname, year/date of birth (in forms), country.
Contact: email, phone, address/country, WhatsApp number.
Transaction Security: IP address, session information, log records, device/browser information.
Marketing/Profile: preferences and interests (via cookies/pixels), campaign interactions.
Health Data (special category): hair-loss status, procedure suitability information, images (only if provided by you and processed under the information notice and separate explicit consent).
Visual/Audio: photos/videos you share upon request, call recordings (if a call center is used).

1.3. Purposes of Processing and Legal Bases

Purpose	Example Activities	KVKK Legal Basis
Inquiry and appointment management	Contact and appointment forms, WhatsApp correspondence	KVKK Art. 5/2-c (establishment/fulfilment of contract), 5/2-f (legitimate interests)
Treatment/health services	Pre-assessment, diagnosis, treatment, care processes	KVKK Art. 6/3 (health data processed by persons under confidentiality obligations)
Customer relations and satisfaction	Feedback, support requests	Art. 5/2-f (legitimate interests)
Compliance with legal obligations	Invoicing, record-keeping, notifications to authorities	Art. 5/2-ç (legal obligation)
Security and fraud prevention	Log records, access control	Art. 5/2-f (legitimate interests)
Marketing/analytics/retargeting	Cookies, ad pixels, campaign reports	Art. 5/1 (explicit consent)
Sharing visuals (before/after)	Publication on website and social media	Arts. 5/1 and 6/2 (separate explicit consent)

Note: Health data is not processed or shared for marketing purposes; it may be used for content creation only with your explicit consent and, where applicable, anonymisation.

1.4. Methods of Collection

Website forms, email, phone/call center, WhatsApp, live chat.
Cookies, pixels, SDK/analytics tools.
Documents and records you provide during clinic application (physical/electronic).

1.5. Disclosures/Transfers of Data

Service providers (processors): hosting, cloud, CRM, ticketing, call center, SMS/email, marketing automation, analytics (e.g., Google), advertising platforms (Google, Meta, etc.), security.
Group companies and partners: HOI Holding, overseas affiliates, contracted hotel/transport/interpreter suppliers (including domestic and cross-border transfers).
Public authorities: as required by request and legislation.
International transfers: Pursuant to KVKK Art. 9, to countries with adequate protection; if not adequate, via Board-approved undertakings/binding corporate rules/standard contracts or your explicit consent. WhatsApp and some cloud/analytics services may store data on servers abroad.

1.6. Retention Periods

Contracts and financial records: under applicable legislation (e.g., Turkish Commercial Code and tax laws, up to 10 years).
Medical records: minimum periods stipulated under health legislation (relevant rules determine retention times).
Marketing data: until withdrawal of consent or your objection, limited to what is necessary.
Visitor logs: reasonable periods for security and legal compliance.

At the end of the period, data is deleted, destroyed, or anonymised.

1.7. Your Rights (KVKK Art. 11)

To learn whether your personal data is processed,
To request information regarding processing activities,
To learn whether it is used in line with its purpose,
To know third parties to whom it is transferred domestically/abroad,
If incomplete/inaccurate, to request correction and notification to third parties,
To request deletion/destruction,
To object to results against you arising from analyses by automated systems,
To claim compensation in case of damage.
For the application procedure, see Section 5: “Data Subject Application Form”.

1.8. Third-Party Links

Our site may contain links to third-party websites. We are not responsible for the content and privacy practices of those sites. Please review their policies.

1.9. Security

Your personal data is protected by administrative and technical measures, including access control, encryption, log management, segregation, staff authorization and training.

2) KVKK INFORMATION NOTICE (WEBSITE VISITOR, PROSPECTIVE PATIENT/PATIENT)

This notice is provided by the data controller Hoi Sağlık Hizmetleri Turizm İnşaat Sanayi ve Ticaret A.Ş pursuant to the Personal Data Protection Law No. 6698 (“KVKK”) regarding the processing of your personal data.

2.1. Data Processed and Purposes

Identity/Contact: carrying out inquiry and appointment processes; planning communication activities.
Health data (special category): diagnosis, treatment, medical evaluation and care; planning and financing of health services.
Finance/Accounting: invoicing, payment processes.
Visual/Audio: only for conducting treatment and operation processes or upon your explicit request/permission.
Marketing/Analytics: only with explicit consent.

2.2. Legal Bases

KVKK Arts. 5/2-c, ç, e, f (contract, legal obligation, establishment/exercise of rights, legitimate interests).
KVKK Art. 6/3: Health data may be processed by health professionals or authorised institutions/organisations for diagnosis, treatment and care purposes.
Explicit consent (Arts. 5/1, 6/2): for marketing, profiling, retargeting, public sharing of visuals, and international transfers where applicable.

2.3. Transfers

Domestic: competent public authorities/organisations, insurance companies (if any), contracted hospitals/health institutions, laboratories, hotels and transportation providers, interpreters, finance and IT service providers.
International: to countries with adequate protection; otherwise via Board-approved mechanisms or with your explicit consent.

2.4. Method of Collection

Electronic (website, email, CRM, call center, messaging apps) and physical environments.

2.5. Retention Periods

As stipulated by applicable legislation; otherwise for periods reasonably connected to the stated purposes.

2.6. Rights and Applications

See Section 5 for your rights.

3) COOKIE POLICY

3.1. What Are Cookies?

Cookies are small text files placed on your device to improve your website experience, analyse site performance, and present content in line with your preferences.

3.2. Types of Cookies We Use

Strictly Necessary Cookies: required for the site to function.
Functional Cookies: remember preferences and customisations (may require consent).
Performance/Analytics Cookies: traffic and usage analysis (consent-based).
Advertising/Marketing Cookies and Pixels: retargeting and measurement (consent-based).

For non-essential cookies, your explicit consent is obtained. You can change your preferences at any time via the Cookie Settings panel.

3.3. Third-Party Tools

Tools such as Google Analytics/Ads, Meta (Facebook/Instagram) pixels, and WhatsApp widgets may be used. These tools may involve international data transfers. Please review the respective third-party policies for details.

3.4. How Can You Manage Cookies?

You can manage them via your browser settings and through our Cookie Settings (Accept/Reject/Customise) panel on the site.

4) CONSENT TEXTS

The consents below must be collected via separate checkboxes and must be independent from services that are not strictly necessary.

4.1. Commercial Communication Consent (Law No. 6563 and IYS)

“I consent to receiving commercial communications from Hoi Sağlık Hizmetleri Turizm İnşaat Sanayi ve Ticaret A.Ş via SMS, email and phone calls for campaigns, promotions, surveys and satisfaction communications. I understand that I can withdraw this consent at any time via the IYS system.”

Channels (tick separately): SMS [ ] | Email [ ] | Call [ ] | WhatsApp [ ]

4.2. Marketing/Analytics Cookies Explicit Consent

“I consent to the use of non-essential analytics and marketing cookies, and to the processing and international transfer of my data for advertising/measurement purposes. I have been informed that I can withdraw my consent via the Cookie Settings panel.”

4.3. International Data Transfer Explicit Consent (Where Necessary)

“I have been informed and I consent to the processing/transfer of my personal data on servers located abroad for the provision of [●] services. I understand that I can withdraw my consent at any time.”

4.4. Consent for Publishing Visuals (Before/After)

“With/without revealing my identity ([please select]), I consent to the use of before/after photos and videos related to my treatment on Hair of Istanbul’s website and social media for promotional/case-sharing purposes. I have been informed that I can withdraw my consent at any time and request the removal of publications from the date of withdrawal onward.”

Note: Processing health data for marketing purposes requires separate and freely given explicit consent. Lack of consent does not prevent access to services.

5) DATA SUBJECT APPLICATION FORM (KVKK Art. 13)

Application Channels

Email: info@hairofistanbul.com (If you have a Registered Email/KEP, please apply via KEP)
Post: Ataköy 2–5–6. Kısım Mah. Rauf Orbay Cad. No:4 Yalı Ataköy C Blok Daire: 36 (indicate “KVKK Application” on the envelope)
Wet-ink signed petition or secure electronic signature/mobile signature

Identity Verification: We do not request copies of ID/driving license; verification is performed appropriately depending on the nature of the application.

Response Time: Applications are concluded within 30 days at the latest. If the process entails an additional cost, the fee set by the Authority’s tariff may be charged.

5.1. Application Content (Sample Template)

Name-Surname: [……………………………………………]
Contact (email/phone): [………………………]
Identity verification method: […………………..]
Type(s) of request:
- [ ] To learn whether my data is processed
- [ ] To request information
- [ ] To learn whether it is used for its purpose
- [ ] To learn third parties to whom it is transferred
- [ ] To request correction
- [ ] To request deletion/destruction
- [ ] Objection (to results of automated processing)
- [ ] Claim for compensation
Description of request: [……………………………..]
Date/Signature: [……………………………..]

6) FREQUENTLY ASKED QUESTIONS (Summary)

How can I withdraw my cookie consent?

You can update it at any time via the Cookie Settings link in the footer of our site.

Do I have to communicate via WhatsApp?

No. Email/phone options are available. Please note that using WhatsApp may involve international data transfers.

Why are my images requested?

They are requested only for pre-assessment and medical planning or, if you have explicit consent, for case-sharing.

What happens if I withdraw my consent? Marketing-related processing will be stopped; records that must be retained due to legal obligations will continue to be stored.

7) MANAGEMENT AND CHANGES TO THE TEXT

If changes are made to this policy and the notices, the effective date will be updated and the latest version will be published on our website.

WARNING / LEGAL NOTICE

These texts are templates prepared for general compliance purposes. Due to sectoral/operational differences (e.g., health legislation, clinical record retention periods, international transfer mechanisms, IYS procedures), we recommend reviewing them with your legal counsel.