ccNote Mobile Application

PRIVACY POLICY

Last Updated: February 05, 2026 | Version: 1.0

1. Data Controller

Pursuant to the Turkish Personal Data Protection Law No. 6698 ("KVKK"), the EU General Data Protection Regulation ("GDPR"), and other applicable data protection legislation, your personal data is processed by ccNote Teknoloji A.Ş. ("ccNote", "Company", or "We") as the data controller.

Data Controller: ccNote Teknoloji Anonim Şirketi
Address: Sanayi Mahallesi Teknopark Bulvarı No: 1/4C İç Kapı No: 112 Pendik/İstanbul, Turkey
Email: info@ccnote.ai
Website: https://ccnote.ai

2. Scope and Purpose

This Privacy Policy explains how ccNote collects, processes, stores, transfers, and protects personal data of healthcare professionals ("Users") who use the ccNote mobile application ("App"). ccNote is an AI-powered iOS application that converts voice clinical notes into structured medical documentation using advanced language models capable of processing Turkish medical terminology.

NOTE: ccNote is not a medical device and should not be used as a clinical decision support system. The App's outputs are intended solely as a documentation aid.

3. Data We Collect

3.1. Identity and Contact Data

  • Full name, email address, phone number (optional)
  • Username and password (stored as cryptographic hash)
  • Medical specialty and professional title (optional)

3.2. Voice Data (Biometric Data — Special Category)

  • Audio recordings (.m4a format)
  • Recording duration and timestamps
  • Audio level metrics

NOTE: Voice recordings are stored EXCLUSIVELY on the user's device (on-device). Audio files are NEVER transmitted to company servers or third parties.

3.3. Transcription and Text Data

  • Raw transcripts generated via Apple Speech Recognition Framework (on-device)
  • Medical terminology-enhanced transcripts
  • Structured clinical notes (AI-generated)
  • Patient information notes (all user-entered content as-is)

NOTE: User-entered content may contain patient names, national ID numbers, or other personal health information. This information is stored as-is. The User (physician/healthcare institution) bears responsibility for ensuring KVKK/GDPR compliance in processing patient data.

3.4. AI Processing Data

  • Transcript texts are sent to our proprietary open-source language model hosted on servers located within the Republic of Turkey
  • AI-generated structured clinical outputs
  • Medical term matching and correction data

NOTE: AI processing is performed entirely on servers within the borders of the Republic of Turkey. No data is transferred to foreign AI services (Google, OpenAI, etc.).

3.5. Technical and Usage Data

  • Device information (model, OS version)
  • Anonymous app usage statistics
  • Error reports and performance metrics
  • App preferences and language settings

3.6. Payment Data

  • Subscription plan information
  • Payment transaction history (processed via iyzico)

NOTE: Credit card information is NEVER stored by ccNote. Payment processing is handled by PCI DSS-certified payment infrastructure provider iyzico.

3.7. Web Dashboard Data

  • Records and text content accessed via web dashboard
  • Session management data (JWT tokens)

NOTE: Users can access their records via the web dashboard (ccnote.ai) and transfer them to hospital information systems (HBYS). Temporary session data is cleared when the dashboard session ends.

4. Legal Basis for Processing

4.1. Under KVKK

  • Article 5(2)(c): Contractual necessity — account management, service delivery
  • Article 5(2)(a): Explicit legal requirement — traffic logs, tax records
  • Article 5(2)(f): Legitimate interest — security, fraud prevention
  • Article 6(2): Explicit consent — biometric data (voice), health data processing
  • Article 9: Cross-border transfer — explicit consent for Supabase data processing

4.2. Under GDPR (for EU Users)

  • Article 6(1)(a): Consent — for special categories of data
  • Article 6(1)(b): Contract performance — service provision
  • Article 6(1)(c): Legal obligation — regulatory compliance
  • Article 6(1)(f): Legitimate interest — security and service improvement
  • Article 9(2)(a): Explicit consent — health and biometric data processing

5. Data Security Measures

  • Voice recordings stored exclusively on-device using Apple iOS security infrastructure (Data Protection, Keychain)
  • User account data encrypted at rest (AES-256) and in transit (TLS 1.3) via Supabase
  • AI server communication protected with TLS 1.2/1.3 encryption
  • Row Level Security (RLS) policies applied to all database access
  • Passwords hashed with bcrypt/argon2; never stored in plaintext
  • JWT-based authentication and authorization for all API access
  • Web dashboard sessions protected with JWT-based authentication and session-based isolation
  • Regular security audits and vulnerability assessments

6. Data Transfers

6.1. Domestic Transfers (Turkey)

  • iyzico: Payment processing (contractual necessity)
  • Authorized public authorities: When legally required

6.2. International Transfers

User account management uses Supabase services running on AWS infrastructure. The data center is located in the EU (Frankfurt, Germany).

  • Data Processing Agreement (DPA) signed with Supabase
  • Standard Contractual Clauses (SCCs) implemented per GDPR Article 46
  • Data encrypted in transit and at rest

NOTE: Voice recordings and AI processing data are NEVER transferred outside Turkey. International transfer applies only to authentication/account data via Supabase, subject to explicit user consent.

6.3. Third-Party Service Providers

Provider | Purpose | Data Type | Location
Apple (iOS) | On-device speech recognition | Voice data | On-device
Supabase | Authentication, database | Account data | AWS EU (Frankfurt)
iyzico | Payment processing | Payment data | Turkey
ccNote AI Server | Text analysis | Transcript text | Turkey

7. Data Retention

Data Category | Retention Period | Legal Basis
Account data | Until account deletion | Contract
Voice recordings (on-device) | Until deleted by user | Consent
Clinical notes (on-device) | Until deleted by user | Consent
AI processing logs | 30 days | Legitimate interest
Web dashboard session data | Duration of session | Contract
Payment records | 10 years | Turkish Commercial Code
Traffic logs | 2 years | Law No. 5651
Error reports | 1 year | Legitimate interest

8. Your Rights

8.1. Under KVKK (Article 11)

You have the right to: learn whether your personal data is processed; request information about processing; learn the purpose of processing; know third parties to whom data is transferred; request correction of incomplete/incorrect data; request deletion or destruction of data; request notification of corrections/deletions to third parties; object to automated processing decisions; and claim compensation for damages due to unlawful processing.

8.2. Under GDPR (for EU Users)

In addition to KVKK rights, EU users have: right of access (Art. 15); right to rectification (Art. 16); right to erasure/"right to be forgotten" (Art. 17); right to restriction of processing (Art. 18); right to data portability (Art. 20); right to object (Art. 21); and rights related to automated decision-making (Art. 22).

8.3. How to Exercise Your Rights

  • Email: info@ccnote.ai with identity verification documents
  • In-App: Settings > Privacy > Data Request
  • Written: Via registered mail or notary to company address

Requests will be processed free of charge within 30 days.

8.4. Account and Data Deletion

Per KVKK Article 7 and Apple App Store Guidelines (5.1.1(v)):

  • You can delete your account from within the app (Settings > Account > Delete Account)
  • All personal data permanently deleted within 30 days of account deletion
  • On-device recordings and notes are under your direct control

9. Children's Privacy

ccNote is designed exclusively for healthcare professionals and is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from minors. If such collection is identified, the data will be immediately deleted.

10. Data Breach Notification

  • Turkish DPA (KVKK Board) notified within 72 hours
  • Affected users informed within a reasonable timeframe
  • EU supervisory authorities notified per GDPR Article 33 (for EU users)
  • Scope, impact, and remedial measures publicly disclosed

11. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide in-app notification, email notification, and request renewed consent where necessary. The current version is always available within the App and at ccnote.ai.

12. Governing Law and Jurisdiction

This Privacy Policy is governed by the laws of the Republic of Turkey. Istanbul Courts and Enforcement Offices have jurisdiction over disputes. Your right to file a complaint with the Turkish Personal Data Protection Board (www.kvkk.gov.tr) and/or relevant EU supervisory authority is reserved.

13. Contact

For any questions regarding this Privacy Policy or your personal data:

Data Protection Officer: info@ccnote.ai

General Inquiries: info@ccnote.ai

Website: https://ccnote.ai/privacy

Explicit Consent Form

I hereby give my explicit consent for the following: