Privacy Policy for Users

Healthofperson Bilişim Sağlık ve Turizm Hizmetleri Anonim Şirketi (“herein after referred to as “HOP”, the "Company", “We”, and through similar words such as “us”, “our”, etc.) provides a website to offer online international health tourism services by enabling Healthcare Professionals (the “HCP”, “HCPs”) to create their own HCP profiles on HOP, inform patients about treatment processes, fees and other details and by enabling patients to find the HCP for their need, check their services, make a video call with the HCP, accept the offer card about their treatment, review the treatment procedures and the various ancillary services required to provide these services by planning your travel for both treatment and touristic visits (the “Services”).

This Privacy Policy (“Policy”) describes HOP’s practices and policies with regard to the use and processing of Personal Information while providing the Services. This Policy describes the kinds of Personal Information we collect through https://hop.health and/or when possible, our mobile application, Hop Health, that can be downloaded from Google Play Store or Apple Store (collectively the “Platform”), how we use that information, our legal basis for doing so, with whom we share it, your rights, and choices in this regard, and how you can contact us about our privacy practices. This Policy does not apply to third-party sites, products, or services, even if they link to our Services or Platform, and you should consider the privacy practices of those third parties carefully.

By acknowledging this Policy, you are accepting the practices described in this Policy (including new versions of this Policy when and as they go into effect), and the Terms of Use (the “Terms”), which governs this Policy and contains all disclaimers of warranties and limitation of liabilities.

This Policy describes HOP’s data processing activities related to the Users. If you are a Healthcare Professional that provides treatment services via HOP, please refer to the “Privacy Policy for Healthcare Professionals”.

Capitalized words not defined in this Privacy Policy are defined in our Terms. It is of utmost importance to read the Policy provided herein in tandem with the Terms to better grasp the key concepts provided and explained therein.

The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

Business

for the purpose of the CCPA, refers to the Company as the legal entity that collects Consumers' Personal Information and determines the purposes and means of the processing of Consumers' Personal Information, or on behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' Personal Information, that does business in the State of California.

CCPA

means the California Consumer Privacy Act of 2018, and as amended by the California Privacy Rights Act (“CRPA”) (collectively, “California Privacy Laws”).

Company

refers to HOP, a corporation incorporated and validly operating in Turkey having its registered address at Ortabayır Mahallesi Dereboyu Caddesi No:6 İç Kapı No:34 Kağıthane/İstanbul.

For the purposes of the GDPR, the Company is the Data Controller.

Consumer

Consumer, for the purpose of the CCPA, means a natural person who is a California resident. A resident, as defined in the law, includes (i) every individual who is in the USA for other than a temporary or transitory purpose, and (ii) every individual who is domiciled in the USA who is outside the USA for a temporary or transitory purpose.

Data Controller

For the purposes of the GDPR, means the legal person which determines purposes and means of the process of Personal Data alone or jointly with others.

Data Subject

means a natural person who can be identified or rendered identifiable through the personal data related to.

Device

means any device that is suitable to access the Service such as a computer, a cellphone, or a digital tablet and with an internet connection.

Do Not Track (DNT)

(DNT) is a concept that has been promoted by U.S. regulatory authorities, in particular the U.S. Federal Trade Commission (FTC), for the Internet industry to develop and implement a mechanism for allowing internet users to control the tracking of their online activities across websites.

GDPR

means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); and (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); in each case as may be amended or superseded from time to time.

HCP(s)

means Healthcare Professional as described in the applicable laws.

Personal Information/Personal Data

means any information that relates to an identified or identifiable individual.

For the purposes of the UK & EU GDPR, Personal Data means any information relating to Users such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity.

For the purposes of the CCPA, Personal Information means any information that identifies, relates to, describes or is capable of being associated with, or could reasonably be linked, directly or indirectly, with User.

For the purposes of this Policy, term Personal Information may be used in lieu of Personal Data, and vice versa.

Personal Data Breach

means a breach of security whether accidental or on purpose, resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

PDPL

Personal Data Protection Law numbered 6698, enacted on March 24, 2016 and came into force on April 7, 2016 by Republic of Turkey, secondary law derives from it and decisions of the Turkish Personal Data Protection Authority.

Personal Data Protection Legislation

means any applicable personal data protection legislation at the time and place of data processing activity including but not limited to PDPL, CCPA, and GDPR.

Sale of Data

for the purposes of the CCPA, means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer's personal information to another business or a third party for monetary or other valuable consideration.

Special Categories of Personal Data

means Personal Information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and genetic and biometric information, information concerning data subject’s sex life or sexual orientation.

Service Provider

Any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used.

For the purpose of the UK GDPR, Service Providers are considered as Data Processors.

Third Party

means any other natural or legal person that is not part of HOP.

Third-Party Services

means any product that Third-Party Service Providers submit to Users for the proper performance of the Platform.

Third-Party Service Provider

means any tool, website or application which a User can benefit.

UK GDPR

United Kingdom General Data Protection Regulation signed into law on 1 Jan 2021. The UK GDPR forms part of the data protection regime in the UK, together with the new Data Protection Act 2018 (“DPA”). The main provisions of this apply, like the GDPR, from 25 May 2018.

Usage Data

means the data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).

Platform

means the website and subdomains, and other media including all of their respective features and content belongs to HOP, accessible from https://hop.health and our mobile application with the same name and function, accessible from App Store or Google Play.

User

refers the individual accessing or using the Platform and Services or other legal entity on behalf of which such individual is accessing or using the Platform and Services, as applicable.

For the purpose of the GDPR, You can be referred to as the Data Subject.

 

 

We collect Personal Information concerning you from certain sources to provide the Services and to manage the Platform. We also obtain information from you and from Third Parties as detailed below.

Please note that if you decline to provide any of the required information requested by the Company, you may not be able to take full advantage of the Services and their features.

a) Platform Users and the Services

We collect information from and about you and your transactions and other interactions with us. This may include, but is not limited to, when you visit our Platform, use the Services, leave comments or feedback about our Services, reach out to us through the support assistant, or otherwise contact us through the Platform, e-mail or any other channels provided by the Company for this purpose.

b) Third Party Integrations (Service Providers)

We benefit from Third-Party Service Providers to provide certain Services on our behalf when the personal data is necessary for them to perform their duties. The Company uses Third Party Service providers to, among other things, manage your video calls with the HCPs, travel planning including reservations for accommodation, and manage your payment regarding the Services we provide. These Service Providers are prohibited from using Personal Information for any other purpose and are contractually obligated to comply with all applicable laws and requirements.

Third-Party Service Providers are bound by their own use and privacy policies, and HOP cannot be held responsible for behaviors of the Third-Party Service Providers that violate any right arising from Personal Data Protection Legislation.

We strongly advise you to read the terms and conditions and privacy policies of any Third-Party Service Providers or web sites that you visit.

c) Translator Services

HOP provides its services across the world. However, languages spoken by the HCPs may not match with the language requirement of the global service provided by the HOP. If the language spoken by the Healthcare Provider (HCP) doesn't match your preferred language for Services, a language barrier might occur. To address this, the Hospital Outreach Program (HOP) or the HCP can arrange a skilled translator to assist in communication with the HCPs.

If you have chosen a different language than the HCPs states that they are competent, HOP or HCP will appoint a translator by itself. We would like to emphasize that, HOP or HCP would not appoint a translator without your prior explicit consent. However, if you have chosen not to receive service from a translator or if you chosen a language that you are unable to communicate, HCP may refuse to provide services or cancel the online meeting by its discretion. Translator is subject to this Policy for the personal data it come to know during the video meeting.

d) Third Party Analytics and Advertisements

We also may use Third Party advertisements, analytics, and tracking tools to better understand who is using the Platform, how people are using the Platform, how to improve the effectiveness of the Services, related content, and our products, and to help us or those Third Parties serve more targeted advertising to you across our media channels. These Third Parties may use technology such as cookies, web beacons, pixel tags, log files, flash cookies, or other technologies to collect and store information. They may also combine information they collect from your interaction with the Platform with information they collect from other sources, which combination may be subject to the Third Party’s control and privacy practices thereupon.

e) Cookies and Automatic Collection Methods

We may also collect information about your online activities on the Platform and your Devices to use Platform over time and across third-party websites, devices, apps, and other online features and services.

This collection includes automatically collected information, and generally does not include Personal Information unless you provide it through our Platform or you choose to share it with us by other means. Methods we use are described below: 

To learn more about the cookies that may be served through our Platform and how Users can control our use of cookies and third-party analytics, please see our Cookie Policy section.

While using our Service, we may ask you to provide us with certain personally identifiable information in connection with the Services which can be used to enable your transaction, manage the registrations, contact and/or identify. Personally identifiable information may include, but is not limited to:

You may also opt-in to submitting information through other methods, including:

b. Information that We Collect Automatically on Our Platform and Services

Our Platform uses cookies and other technologies to function effectively. These technologies record information about your usage of our Platform, including:

While using our Service, in order to provide features of our Platform, we may collect, with your prior permission, photos, files and other information from your Device's contacts, camera, voice recording/photo library, and files.  We use this information to provide features of our Service. The information may be uploaded to the Company's servers and/or a Service Provider's server or it be simply stored on your Device. For example, when you scan your Strip to your Device camera or want to upload a profile photo, we will ask your prior permission to access your Device camera. You can enable or disable access to this information at any time, through your Device settings.

We also may collect information about your online activities on the Platform and connected Devices over time and across third-party sites, devices, apps, and other online features and services. We use web log analysis software (Google Analytics etc.) on our Platform to help us analyze your use of our Platform and diagnose technical issues.

Please note that Google Play Store and Apple App Store have their own privacy policies and practices, which we encourage you to read prior to downloading our mobile application from such platforms.

Please note that HOP does not require your sensitive health information in order to carry out Services. However, the HCP that you have request online meeting may request your sensitive health information, in order to inform you on treatment procedures. Please do not your share your sensitive health information with HOP directly and note that any sensitive data shared with HOP shall be deleted at the soonest periodic data disposal period. However, HOP may require examining your communications with the HCP to supervise usage of the Platform and your experience with the HCP. Therefore, upon your prior consent, HOP may have to process your sensitive personal that is shared by you through HOP communication channels including video calls with the HCP and/or pictures uploaded by you to the Platform for HCP to examine.

a. Our Services

We use the information that we collect/obtain to conduct our business and to provide you with the best possible products, Services, and online experiences. We rely upon several legal grounds to ensure that our use of your Personal Data is compliant with the applicable law. We use Personal Data to facilitate the business relationships we have with our Users, to comply with legal obligations, and to pursue our legitimate business interests and if necessary, based on your prior explicit consent.

Pre-contractual, contractual, and post-contractual business relationships. We use personal information to enter business relationships with prospective Users and to perform the contractual obligations under the contacts that we have with our Users. Examples of how we use information within this condition include:

To fulfil your customer requests, we may receive services from Third Party service providers to handle customer support channel. Please note that any personal data you may share during communication through support channel is subject to this Policy and customer support channel personnel does not require any personal data other than your credentials and contact information. Therefore, please do not share any more information, especially sensitive health information, that is not asked from you by customer support channel personnel. Customer support channel may forward you to an expert that is authorized to solve your problem.

To communicate with you and maintain our legal relationship arising from the contracts between our Users and the Company, and also to fulfill our obligations arising thereof.

Legal and regulatory compliance. We use Personal Data to verify the identity of our Users in order to comply with applicable laws. These obligations are imposed on us by the operation of law, industry standards, and by our financial partners, and may require us to report our compliance to third parties and to submit to third-party verification audits. Examples of how we use information within this condition include:

Legitimate business interests. We rely on our legitimate business interests to process certain Personal Data concerning Users. The following list sets out the business purposes that we have identified as legitimate. In determining the content of this list, we balanced our interests against the legitimate interests and rights of the individuals whose Personal Data we process.

If we need to use your Personal Data in any other way, we will notify you specifically at the time of collection and, if required by the relevant legislation, we will obtain your consent.

b. Marketing and Events-related Communications

We may send Users e-mail marketing communications about HOP and its Services, invite Users to participate in our events or surveys, or otherwise communicate with Users for marketing purposes, provided that we do so in accordance with the consent requirements that are imposed by applicable law. When we collect your business and contact details through our participation at trade shows or other events, we may use the information to follow-up with Users regarding these events, send Users information that Users have requested on our Services, and with your permission, include Users on our marketing information campaigns. The trade shows or other events may be online or in-person.

HOP may share your Personal Data to (i) satisfy any applicable law, regulation, legal process, or governmental request; (ii) enforce this Policy and our Terms and Conditions, including investigation of potential violations hereof; (iii) detect, prevent, or otherwise address fraud, security, or technical issues; (iv) respond to your requests; or (v) protect our rights, property or safety, HCPs, Users and the public; or (vi) fulfill our obligations arising of or in connection with the contracts with HCPs and our Users.

We share Personal Data with a limited number of our Service Providers. We have Service Providers that provide services on our behalf, such as website hosting, data analysis, information technology, and related infrastructure, customer service, e-mail delivery, and auditing services. These Service Providers may need to access Personal Data to perform their services. We authorize such Service Providers to use or disclose Personal Data only as necessary to perform services on our behalf or comply with legal requirements. We require such Service Providers to contractually commit to protect the security and confidentiality of Personal Data they process on our behalf.

We may disclose information in the aggregate form to Third Parties relating to user behavior in connection with the actual or prospective business relationship with those Third Parties, such as advertisers and content distributors.

We may share personal information with Third Parties we work with for our purposes, though in general we do not share personal information about you with Third Parties for Third-Party marketing or advertising purposes. For information about the choices, you have about the online advertising practices described in this section, please see the "Exercising Your GDPR Privacy Rights” and “Exercising Your California Privacy Rights” sections below.

Third Parties are prohibited from using personal information for any other purpose and are contractually obligated to comply with all applicable laws and requirements.

We will encourage our Service Providers to adopt and post transparent privacy policies. However, the use of your Personal Information by our service partners is governed by their privacy policies and is not subject to our control. You acknowledge that we are not responsible for the violations caused by our service partners.

We share Personal Data with Third Party business partners when this is necessary to provide our Services to our Users.

We share Personal Data with Third Parties as necessary to maintain a User account and provide the Services. The use of Personal Data by an authorized third party is subject to the Third Party’s privacy policy.

In the event that we enter into, or intend to enter into, a transaction that alters the structure of our business, such as a reorganization, merger, sale, joint venture, assignment, transfer, change of control, or other disposition of all or any portion of our business, assets or stock, we may share Personal Data with Third Parties for the purpose of facilitating and completing the transaction.

We share Personal Data as it is necessary: (i) to comply with applicable law, or payment method rules; (ii) to enforce our contractual rights; (iii) to protect the rights, privacy, safety, and property of HOP, Users or others; and (iv) to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include authorities outside your jurisdiction.

Herein this Policy covers international Personal Data Protection Legislation including but not limited to GDPR and CCPA. However, as a Turkish company, pursuant to Article 10 of the Turkish Personal Data Protection Law numbered 6698 (the “PDPL”), we are under obligation to inform Users about our data processing activity under PDPL. If you are a Turkish resident or Turkish citizen please refer to our “Privacy Policy under PDPL”.

Your Rights and Choices Under the EU GDPR & UK GDPR

HOP undertakes to respect the confidentiality of your Personal Data and to guarantee Users can exercise their rights.

Users have the right under this Policy, and by law if they are within the UK or EU, to:

- Right of Access: Users have the right to obtain confirmation from us as to whether or not Personal Data concerning Users are processed, and, where that is the case, Users have the right to request and get access to such Personal Data.

- Right to Rectification: Users have the right to request rectification by us of inaccurate Personal Data and Users have the right to provide additional Personal Data to complete any incomplete Personal Data.

- Right to Erasure (“Right to be Forgotten”): In certain cases, Users have the right to request from us the erasure of their Personal Data.

- Right to Restriction of Processing: Users have the right to request from us restriction of processing, for a certain period and/or for certain situations.

- Right to Data Portability: Users have the right to receive their Personal Data from us in a structured format and Users have the right to (let) transmit such Personal Data to another controller.

- Right to Object: In certain cases, Users have the right to object to the processing of their Personal Data, including with regards to profiling. Users have the right to object to the further processing of their Personal Data in so far as such data has been collected for direct marketing purposes.

- Right to be Not Subject to Automated Individual Decision-Making: Users have the right to not be subject to a decision based solely on automated processing.

- Right to Filing Complaint: Users have the right to file complaints with the applicable data protection authority on our processing of their Personal Data.

- Right to Compensation of Damages: In case we breach applicable legislation on the processing of Users’ Personal Data, Users have the right to claim damages from us for any damages such breach may cause to Users.

Exercising of Your UK & EU GDPR Data Protection Rights

Users have the right to complain to a Data Protection Authority about our collection and use of your Personal Data. If you are a resident of United Kingdom, you may complain to Information Commissioner’s Office (ICO) regarding your data protection rights. If you are a resident in the European Economic Area (EEA), please contact your local data protection authority in the EEA. However, we would be appreciated to deal with your concerns before you apply to a Data Protection Authority.

You may exercise your rights of access, rectification, cancellation, and opposition by simply contacting us. Please note that we may ask you to verify your identity before responding to such requests. If you make a request, we will try our best to respond to you as soon as possible.

Your Rights and Choices Under the CCPA

Under this Privacy Policy, and by law if Users are residents of California, Users have the following rights:

Exercising Your CCPA Data Protection Rights

In order to exercise any of their rights under the CCPA, and if Users are a California resident, Users can email us or contact us via [email protected]

The Company will disclose and deliver the required information free of charge within 45 days of receiving your verifiable request. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary and with prior notice.

Do Not Sell My Personal Information

We do not sell Personal Information. However, the Service Providers we partner with (for example, our wallet providing partners) may use technology on the Service that "sells" Personal Information as defined by the CCPA.

If Users wish to opt out of the use of their Personal Information for interest-based advertising purposes and these potential sales as defined under CCPA law, Users may do so by following the instructions below.

Platform

Users can opt out of receiving ads that are personalized as served by our Service Providers by following our instructions presented on the Service:

The opt out will place a cookie on your computer that is unique to the browser Users use to opt out. If Users change browsers or delete the cookies saved by their browser, Users will need to opt out again.

Please note that any opt out is specific to the browser Users use. Users may need to opt out on every browser that Users use.

Mobile Devices

Users’ mobile device may give Users the ability to opt out of the use of information about the apps Users use in order to serve Users ads that are targeted to their interests:

Users can also stop the collection of location information from their mobile device by changing the preferences on their mobile device.

"Do Not Track" Policy as Required by California Online Privacy Protection Act (CalOPPA)

Our Service does not respond to Do Not Track signals.

However, some third-party websites do keep track of your browsing activities. If Users are visiting such websites, Users can set their preferences in their web browser to inform websites that Users do not want to be tracked. Users can enable or disable DNT by visiting the preferences or settings page of their web browser.

California Privacy Rights for Minor Users (California Business and Professions Code Section 22581)

California Business and Professions Code section 22581 allow California residents under the age of 18 who are registered users of online sites, services, or applications to request and obtain removal of content or information they have publicly posted.

To request removal of such data, and if Users are California residents, Users can contact us using the contact information provided to Users and include the email address associated with their account.

Be aware that your request does not guarantee complete or comprehensive removal of content or information posted online and that the law may not permit or require removal in certain circumstances.

We are making reasonable efforts to provide Users with an appropriate level of security at the risk associated with the processing of your Personal Data. We take organizational, technical, and administrative measures designed to protect their Personal Data against unauthorized access, destruction, loss, alteration, or abuse. Users’ Personal Data may only be accessed by a limited number of personnel who need access to such information in order to perform their duties. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If Users have a reason to believe that their interaction with us is no longer secure (for example, if Users think their account is compromised), please contact us immediately.

We retain Users’ Personal Data as long as we are providing the Services to Users. We retain Personal Data after we cease providing Services to Users to the extent necessary to comply with our legal and regulatory obligations. We also retain Personal Data to comply with our tax, accounting, and financial reporting obligations, where we are required to retain the data due to our contractual commitments to our financial and business partners, and where data retention is mandated by the payment methods that we support. Where we retain data, we do so in accordance with any limitation periods and records retention obligations that are imposed by applicable law.

We also take measures to delete your personal information or keep it in a form that does not permit identifying you when this information is no longer necessary for the purposes for which we process it unless we are required by law to keep this information for a longer period. When determining the retention period, we take into account various criteria, such as the type of Services requested by or provided to you, the nature and length of our relationship with you, possible re-enrollment with our products or Services, the impact on the Services we provide to you if we delete some information from or about you, mandatory retention periods provided by law and the statute of limitations.

We are a global business. Personal Data may be stored and processed in any country where we have operations or where we engage service providers. We may transfer Personal Data that we maintain about Users to recipients in countries other than the country in which the Personal Data was originally collected. Those countries may have data protection rules that are different from those of your country. However, we will take measures to ensure that any such transfers comply with applicable data protection laws and that your Personal Data remains protected to the standards described in this Policy. In certain circumstances, courts, law enforcement agencies, regulatory agencies, or security authorities in those other countries may be entitled to access your Personal Data.

The Services are not directed to individuals under the age of eighteen (18) for California residents and Turkish citizens, and sixteen (16) for United Kingdom citizens, and they shall not provide Personal Data through the Services. If you have reason to believe that anyone minor has provided us with any Personal Information, please contact us.

We may change this Policy from time to time to reflect new services, changes in our Personal Data practices, or relevant laws. The “Last Updated” legend at the top of this Policy indicates when this Policy was last revised. Any changes are effective when we post the revised Policy on the Platform. We may provide you with disclosures and alerts regarding the Policy or Personal Data collected by posting them on our Platform and, if you are a User, by contacting you through HOP e-mail address.

The Services may provide the ability to connect to other sites. These sites may operate independently from us and may have their own privacy notices or policies, which we strongly suggest you to consider. If any linked website is not owned or controlled by us, we are not responsible for its content, any use of the said website, or the privacy practices of the operator of the said website.

HOP focuses on multinational compliance regulations including but not limited to Turkish Data Protection Regulation (“PDPL"), United Kingdom General Data Protection Regulation (“UK GDPR”), General Data Protection Regulation brought by the European Union (“GDPR”), and United States Privacy Laws to make sure privacy is a “go-to” rather than a thing to be worried. You have the right to request further information on our personal data processing activities based on your country's laws.

If Users have any questions or complaints about this Policy, please contact us at [email protected], or at the address of Dereboyu Cad. Ortabayır Mah. Levent Life 1 Residence Levent, İstanbul.