Privacy Policy
Salnus Medikal · Last updated: 7 April 2026 · v1.0
1. Data Controller
Salnus Medikal Yazılım ve Cihaz Teknolojileri San. Tic. A.Ş.
VKN: Beşiktaş VD 7411573925 · MERSİS: 0741157392500001
Trade Registry: İstanbul TSM, 357262-5
Address: Nisbetiye, Nisbetiye Cd No:24, 34340 Beşiktaş/İstanbul
Contact: info@salnus.com
2. What Data We Collect
2.1 Corporate Website (salnus.com)
Through contact and demo request forms:
- Identity: Full name
- Contact: Email address, phone number
- Professional: Medical specialty, affiliated institution
2.2 Surgeon Portal (app.salnus.com)
For registered users:
- Account data: Name, email, hashed password, assigned role
- Audit trail: Login timestamps, IP addresses, report generation events
- Usage analytics: Feature interactions, session duration (anonymised)
2.3 Medical Images (DICOM)
DICOM files are loaded, rendered, and analysed locally using WebAssembly-based inference. AI model weights are downloaded once and cached in your browser. No patient imaging data leaves your device at any point during the analysis workflow.
3. Legal Basis for Processing
We process personal data under the following legal bases:
- KVKK Art. 5/2(c): Performance of a contract (account management, service delivery)
- KVKK Art. 5/2(f): Legitimate interest (security monitoring, platform improvement)
- KVKK Art. 5/2(ç): Legal obligation (audit trail retention)
- GDPR Art. 6(1)(b): Contractual necessity (for EU-based users)
- GDPR Art. 6(1)(f): Legitimate interest (for EU-based users)
We do not process special categories of personal data (health data) on our servers. All health-related data processing occurs client-side in your browser.
4. Data Storage and Transfers
4.1 Infrastructure
- Account database: Supabase PostgreSQL, EU-Central (Frankfurt, Germany)
- Website hosting: Vercel (global CDN)
- Contact forms: Formspree
- Analytics: Google Analytics 4 (with consent mode)
4.2 Cross-Border Transfers
Account data is stored in Supabase's Frankfurt (EU) data centre. The European Union has been granted an adequacy decision under KVKK Article 9, meaning transfers to EU infrastructure do not require additional safeguards or explicit consent.
Website analytics (Google Analytics) and form submissions (Formspree) may involve data transfers to the United States. These transfers are conducted under Standard Contractual Clauses (SCCs) maintained by the respective service providers.
5. Cookies and Analytics
We use Google Analytics 4 with consent mode. On your first visit, a cookie consent banner is displayed. Analytics cookies are activated only after you provide explicit consent. If you decline, only essential cookies (session management, language preference) are used.
Essential cookies used:
- salnus_access: Authentication JWT (httpOnly, secure, 15-min expiry)
- salnus_refresh: Session refresh token (httpOnly, secure, 7-day expiry)
- salnus_lang: Language preference (1-year expiry)
6. Data Retention
- Contact form data: 24 months from collection
- Account data: Duration of account activity + 12 months
- Audit logs: 36 months (regulatory requirement)
- Analytics data: 14 months (GA4 default)
Upon account deletion, personal data is erased within 30 days. Anonymised audit records may be retained for compliance purposes.
7. Data Security
- All data in transit encrypted with TLS 1.3
- Passwords hashed with bcrypt (cost factor 12)
- JWT-based authentication with 15-minute access token rotation
- Rate limiting on authentication endpoints
- Client-side DICOM processing eliminates server-side patient data exposure
- Patient IDs pseudonymised via SHA-256 hashing in audit logs
8. Patient Data — Strict Separation
Salnus does not act as a data processor for patient health data. Our client-side architecture means patient imaging data is processed exclusively in the clinician's browser and never reaches our servers. This is a fundamental architectural decision, not a policy limitation.
Generated reports are stored locally in the browser's IndexedDB. Clinicians may export reports as PDF files. Salnus does not have access to report contents.
9. Your Rights
9.1 Under KVKK (Art. 11)
You have the right to:
- Learn whether your personal data is being processed
- Request information about the purpose of processing and whether data is used accordingly
- Know the third parties to whom your data has been transferred
- Request correction of incomplete or inaccurate data
- Request deletion or destruction under KVKK Art. 7
- Object to any adverse outcome resulting from automated processing
- Request compensation for damages arising from unlawful processing
9.2 Under GDPR (for EU-based users)
You additionally have the right to:
- Access your personal data and receive a copy
- Data portability in machine-readable format
- Restrict processing in specific circumstances
- Lodge a complaint with your national supervisory authority
9.3 VERBİS Registration
Salnus currently qualifies for exemption from VERBİS (Data Controllers Registry) registration based on the criteria set by the Personal Data Protection Board: fewer than 10 employees, annual balance sheet below 10 million TL, and no server-side processing of health data. This exemption status will be re-evaluated as the company grows.
10. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email to registered users and through a notice on the Platform. Continued use of the Service after changes constitutes acceptance.
11. Contact
For privacy inquiries or to exercise your rights:
Salnus Medikal Yazılım ve Cihaz Teknolojileri San. Tic. A.Ş.
Email: info@salnus.com
Address: Nisbetiye, Nisbetiye Cd No:24, 34340 Beşiktaş/İstanbul
Response time: Within 30 days of receipt.