Legal
Last updated: March 2025
KVKK, GDPR and HIPAA Notice
Short notice on KVKK (Turkey), GDPR (EU) and our approach to health-related data security (HIPAA-aligned, non-covered entity).
Overview
At Norya we process your personal and health-related data in line with Turkey's KVKK, the EU GDPR and US health data security principles (HIPAA-aligned approach). This page provides a short notice for each framework.
Full text
1. Data Controller
The controller for the service and your data is Norya. Contact: [email protected]. You can send requests via our Contact page.
2. KVKK (Turkey)
Under Law No. 6698 on Protection of Personal Data, the data controller is Norya. Data processed: identity and contact (name, email, phone, country), account data (password hash, login records), test texts and generated reports (for performance of the service), payment records (card numbers are not stored; PayTR is used). Legal bases: contract performance, legal obligation, legitimate interest and, where applicable, consent. You have rights of access, rectification, erasure, restriction and objection; you may send requests in writing or by email. You may complain to the Turkish Personal Data Protection Board.
3. GDPR (European Union)
Processing under the EU General Data Protection Regulation (GDPR) is consistent with the data categories and purposes above. Legal bases: contract (Art. 6(1)(b)), legal obligation (6(1)(c)), legitimate interest (6(1)(f)) and consent where applicable (6(1)(a)). If your data is transferred outside the EU (e.g. server location), appropriate safeguards (e.g. standard contractual clauses) apply. You have rights of access, rectification, erasure, restriction, portability and objection, and may lodge a complaint with a supervisory authority in an EU member state. Send requests via our Contact page or [email protected].
4. HIPAA and Health Data Security (USA)
Norya is not registered as a HIPAA “covered entity” or “business associate” in the US. The service is offered for users to upload their own lab results and receive plain-language reports; it is not a diagnosis or treatment service. We nevertheless take health-related data seriously: test texts and reports are processed only to provide the service, transmitted over TLS/SSL, protected against unauthorised access and not shared with third parties for advertising or commercial purposes. We retain your data for the minimum necessary period; on account deletion, data is deleted or anonymised except where legal retention applies. For US users this approach is consistent with health data security and privacy expectations.
5. Common Principles
Across all regions: data minimisation (only necessary data), encryption and secure infrastructure, access controls, account deletion and data rectification/erasure on request. See our Privacy Policy for details.
Note
Norya — Service that explains blood test results in plain language.