Privacy Policy

Last updated: June 2, 2026

TavanMind is a clinical decision support software platform designed for cognitive assessment, behavioral reporting, and longitudinal patient monitoring. We take privacy seriously and design our platform around responsible data handling, data minimization, and privacy-conscious clinical workflows.

This Privacy Policy explains what information may be collected, how it is used, how it is protected, and how users may contact us regarding privacy-related questions.

For privacy-related requests, please contact us at:

admin@tavanmind.com

1. Who This Policy Applies To

This Privacy Policy applies to:

  • visitors of the TavanMind website;
  • therapists, clinicians, clinic administrators, vendor administrators, and organization users;
  • clinics participating in technical demonstrations, pilot programs, or the Founding Clinics Program;
  • users of TavanMind cloud-linked dashboard services;
  • users of TavanMind desktop or hybrid workflows, where applicable.

2. Our Role

This Policy does not replace any separate data processing agreement, pilot agreement, clinic contract, consent form, or institutional ethics document that may apply to a specific clinic, organization, or research collaboration.

Depending on how TavanMind is used, TavanMind may act as a technology provider, software vendor, or data processor for clinics and organizations.

TavanMind provides software infrastructure and clinical decision support tools. TavanMind does not independently decide clinical treatment, diagnosis, or patient management.

In most clinical workflows, the clinic or healthcare professional remains responsible for determining:

  • which patient data is entered into the system;
  • whether patient consent is required;
  • what lawful basis applies to the processing;
  • how long records should be retained;
  • who may access patient records;
  • how clinical interpretation and patient communication are handled.

3. Information We May Collect

TavanMind may process different categories of data depending on the product configuration, license type, and whether cloud-linked features are enabled.

3.1 Website and Contact Information

When you use the website, request a demo, contact us, or apply for a pilot program, we may collect:

  • name;
  • email address;
  • clinic or organization name;
  • professional role;
  • country or region;
  • message content;
  • demo request details;
  • technical contact information.

3.2 Account and Organization Information

For authorized users, TavanMind may process:

  • user email address;
  • therapist or administrator profile information;
  • organization name;
  • role and permission level;
  • license status;
  • seat activation status;
  • device activation records;
  • account revocation or access status;
  • authentication and security metadata.

3.3 Patient and Clinical Data

Depending on the deployment model, TavanMind may process:

  • patient profile references;
  • direct patient identifiers, where entered by the clinic;
  • birth date, age group, gender, or demographic fields needed for clinical comparison or normative workflows;
  • cognitive test results;
  • reaction time metrics;
  • accuracy and error metrics;
  • reliability indicators;
  • behavioral pattern summaries;
  • clinical reports;
  • longitudinal trend data;
  • session-related notes, goals, interventions, outcomes, and clinical context, where enabled.

TavanMind is designed to minimize direct patient-identifying data in cloud workflows where possible.

4. Local-First and Cloud-Linked Workflows

TavanMind is designed around a local-first clinical workflow. In many configurations, patient records and assessment activity are centered around the clinic's local desktop environment.

Where cloud-linked features are enabled, selected data may be synchronized to support web dashboard access, therapist or organization administration, report review, longitudinal monitoring, license activation and seat management, and future empirical norm-building where legally and ethically permitted.

Direct patient identifiers should be protected before cloud synchronization where applicable. Assessment metrics may be processed separately from direct identifiers to support reporting and statistical workflows.

5. How We Use Information

We may use information for the following purposes:

  • providing access to TavanMind services;
  • creating and managing user accounts;
  • managing clinic organizations, roles, seats, and license status;
  • enabling clinical reports and longitudinal monitoring;
  • supporting technical demonstrations and pilot clinic onboarding;
  • responding to inquiries and support requests;
  • improving usability, reliability, and product quality;
  • maintaining security and preventing unauthorized access;
  • supporting responsible standardization and validation workflows;
  • complying with legal, regulatory, contractual, or security obligations.

We do not use TavanMind to issue standalone medical diagnoses.

6. Legal Basis for Processing

Where GDPR applies, processing may be based on one or more of the following legal bases:

  • performance of a contract;
  • legitimate interests, such as operating and securing the service;
  • consent, where required;
  • compliance with legal obligations;
  • processing necessary for healthcare or clinical purposes under the responsibility of qualified professionals, where applicable;
  • scientific, statistical, or validation purposes, where permitted and properly governed.

Where KVKK applies, processing may rely on applicable legal grounds under Turkish personal data protection law, including explicit consent where required, performance of a contract, legal obligations, legitimate interests, or healthcare-related processing under applicable conditions.

Clinics are responsible for determining and documenting the appropriate legal basis for patient-level clinical use within their own workflow.

7. Sensitive and Health-Related Data

TavanMind may process data that can be considered health-related, clinical, or sensitive depending on how the clinic uses the system.

Users must not enter unnecessary sensitive information into free-text fields. Clinics should limit clinical notes to what is necessary for assessment, documentation, and follow-up.

Where sensitive clinical information is processed, appropriate technical and organizational safeguards should be applied.

8. Encryption and Security

TavanMind uses security measures designed to protect clinical and account data, which may include:

  • local-first data handling;
  • encrypted transmission;
  • client-side protection for direct patient identifiers where applicable;
  • role-based access controls;
  • organization-level access separation;
  • authentication and activation checks;
  • reliability and data integrity checks;
  • access restrictions for dashboard and administrative areas;
  • protected environment variables and server-side handling of privileged keys.

No system can guarantee absolute security. Users and clinics are responsible for protecting their own devices, passwords, local environments, and authorized access.

9. Data Used for Norm-Building and Validation

TavanMind may support future empirical norm-building and validation workflows. Where data is used for such purposes, it should be handled according to applicable privacy, ethics, consent, contractual, and regulatory requirements.

TavanMind aims to separate direct patient identifiers from assessment metrics where possible. Metrics used for statistical or normative purposes should not be used to identify a patient unless legally and technically authorized.

Participation in pilot or norm-building programs may require separate terms, consent procedures, or data processing agreements.

10. Data Sharing

We may share data only where necessary for:

  • operating the service;
  • hosting and infrastructure;
  • authentication and account management;
  • cloud dashboard functionality;
  • technical support;
  • compliance with legal obligations;
  • security monitoring;
  • pilot or validation workflows under appropriate agreements.

We do not sell personal data. We do not share patient-identifying data for advertising purposes.

11. Data Retention

Data is retained only for as long as necessary for the purposes described in this Policy, unless a longer retention period is required by law, contract, clinical documentation requirements, security obligations, or legitimate operational needs.

Clinics may be responsible for determining clinical retention periods for patient records under their own professional and legal obligations.

Account, license, and security logs may be retained for operational, audit, fraud prevention, or compliance purposes.

12. International Transfers

Depending on the deployment, hosting, and infrastructure configuration, data may be processed in jurisdictions outside the user's country.

Where applicable, TavanMind aims to apply appropriate safeguards for international data transfers, including contractual, technical, and organizational protections.

Clinics should evaluate whether their deployment model meets their own local data protection obligations.

13. User and Data Subject Rights

Depending on applicable law, individuals may have rights including:

  • the right to learn whether personal data is being processed;
  • the right to request information about processing;
  • the right to access personal data;
  • the right to request correction of inaccurate or incomplete data;
  • the right to request deletion or anonymization where legally applicable;
  • the right to object to certain processing;
  • the right to request restriction of processing;
  • the right to data portability where applicable;
  • the right to withdraw consent where processing is based on consent;
  • the right to lodge a complaint with a competent authority.

Where the request concerns patient data controlled by a clinic, we may direct the request to the relevant clinic or organization.

14. Cookies and Similar Technologies

TavanMind may use cookies or similar technologies for:

  • authentication;
  • session management;
  • language preferences;
  • security;
  • dashboard functionality;
  • analytics, where enabled.

We do not use cookies to sell patient data or deliver patient-targeted advertising.

15. Children and Minors

TavanMind may be used in clinical contexts involving minors only under the responsibility of qualified professionals, clinics, parents, guardians, or institutions with appropriate legal authority.

The public website is not intended for children to use independently.

16. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes may be communicated through the website, dashboard, email, or other reasonable means.

The "Last updated" date at the top of this Policy indicates the latest revision.

17. Contact

For privacy questions, data requests, or security-related privacy concerns, contact:

  • admin@tavanmind.com