GDPR Privacy Notice | BrainViaSpine

1. Introduction

BVS DOCTORS HEALTH & TOURISM IMPORT EXPORT LIMITED COMPANY (hereinafter referred to as "the Company", "we", "us", or "our") operates the BrainViaSpine platform. We are committed to protecting the privacy and security of your personal data.

This Privacy Notice is prepared in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679 to inform our international users, particularly those located within the European Union (EU) and the European Economic Area (EEA), about how we collect, process, and safeguard their personal information.

2. Data Controller

The data controller responsible for your personal data is:

Company Name: BVS DOCTORS SAĞLIK VE TURİZM İTHALAT İHRACAT LİMİTED ŞİRKETİ
Trade Name: BrainViaSpine
Tax ID: 1950962794
Registered Address: Mimar Sinan Mahallesi Ziya Gökalp Bulvarı Mimarin Medikal No:28 D:2 Alsancak, Konak, Izmir 35220 – Turkey
Phone: +90 532 174 49 00
Data Protection Contact: privacy@brainviaspine.com

3. Categories of Personal Data We Process

In order to provide specialized neurosurgical coordination services, we process the following categories of data:

A. Identification Data: Full name, date of birth, nationality, passport or ID number, and gender.
B. Contact Information: Email address, telephone number, residential address, and country of residence.
C. Special Categories of Data (Health Data): Detailed medical history, radiological images (MRI, CT, X-ray, etc.), neurosurgical evaluation reports, symptoms, medications, previous surgery records, laboratory results, and physician notes.
D. Financial Data: Payment method details, transaction records (processed through secure payment gateways), billing information, and insurance details.
E. Technical and Usage Data: IP address, browser type and version, device information, operating system, time zone settings, and website interaction logs through cookies.

4. Purposes and Legal Bases for Processing

We process your data under the following legal bases:

Contractual Necessity (Art. 6(1)(b)): To coordinate your medical consultancy, arrange appointments with neurosurgeons, and manage logistics such as accommodation and transfers.
Explicit Consent (Art. 9(2)(a)): For processing sensitive health data (neurosurgery records) to provide medical second opinions and treatment plans.
Legal Obligation (Art. 6(1)(c)): To comply with tax regulations, health legislation, and official reporting requirements in Turkey.
Legitimate Interest (Art. 6(1)(f)): To prevent fraud, ensure cybersecurity, improve our platform performance, and conduct quality assessments.
Vital Interests (Art. 9(2)(c)): In rare cases where processing is necessary to protect the life of the data subject in an emergency.

5. Data Sharing and Recipients

Your data is strictly shared on a "need-to-know" basis with:

Healthcare Providers: Affiliated private hospitals, specialist neurosurgeons, and diagnostic clinics involved in your specific treatment plan.
Logistics Partners: Contracted hotels, VIP transfer companies, and translation services.
Service Providers: Technical infrastructure providers (AWS, Cloudflare), secure payment processors (Stripe/PayPal), and data management tools.
Legal Authorities: When required by Turkish law or international judicial requests.

6. International Data Transfers

BVS Doctors is headquartered in Turkey. When you provide data through BrainViaSpine, your information is transferred to Turkey (a third country under GDPR). Such transfers are:

Necessary for the performance of a contract between the data subject and the controller (Art. 49(1)(b)).
Protected by Standard Contractual Clauses (SCCs) and high-level encryption protocols to ensure a level of data protection equivalent to that in the EU.

7. Data Retention Periods

Medical and Health Records: Retained for a minimum of 20 to 30 years in accordance with Turkish Health Law and for the purpose of long-term medical follow-up.
Financial and Accounting Records: Retained for 10 years as per Turkish Commercial and Tax Codes.
Technical and Communication Logs: Retained for 1 to 2 years.
Marketing Data: Retained until the withdrawal of consent.

8. Your GDPR Rights

As a data subject, you have the following rights:

Right of Access: To request a copy of your personal data.
Right to Rectification: To request correction of inaccurate or incomplete data.
Right to Erasure ("Right to be Forgotten"): To request deletion of your data (subject to legal retention requirements).
Right to Restrict Processing: To limit how we use your data during certain disputes.
Right to Data Portability: To receive your data in a structured, machine-readable format.
Right to Object: To object to processing based on legitimate interests or direct marketing.
Right to Withdraw Consent: To cancel your permission for processing sensitive health data at any time.

9. Data Security

We implement rigorous technical and organizational measures:

End-to-end encryption (TLS 1.3 and AES-256).
Multi-factor authentication (MFA) and Role-Based Access Control (RBAC).
Annual penetration testing and 24/7 security monitoring.
Internal data protection training for all staff members.

10. Data Breach Notification

In the event of a significant data breach, the Company will notify the relevant Supervisory Authority and affected individuals within 72 hours of becoming aware of the breach, in compliance with Articles 33 and 34 of the GDPR.

11. Contact and Exercising Your Rights

To exercise any of your rights or to ask questions regarding your privacy, please contact our Data Protection Contact Point:

Email: privacy@brainviaspine.com
Address: Mimar Sinan Mahallesi Ziya Gökalp Bulvarı Mimarin Medikal No:28 D:2 Alsancak, Konak, Izmir, Turkey
Phone: +90 532 174 49 00

If you are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority (DPA) in the EU/EEA.

12. Updates

This Privacy Notice may be updated to reflect changes in our services or legal requirements. Any significant changes will be announced on our website.