Privacy Policy
This Privacy Policy explains how qiboo.ai ("we", "us", or "our") collects, uses, shares, and protects your personal information when you use the qiboo.ai platform. We are committed to GDPR, KVKK, and CCPA compliance.
Contents
1. Information We Collect
Information you provide directly:
- Account information: Name, email address, password (hashed), professional affiliation, and optional profile details when you create an account.
- Communications: Messages you send through our contact form, support requests, or forum posts.
- Newsletter subscriptions: Email address and subscription preferences.
- Payment information: If you purchase a paid subscription, payment is handled by our Merchant of Record, Paddle (Paddle.com Market Ltd), who processes the transaction and stores your payment details under their own privacy policy. We do not receive or store your full card details.
Information collected automatically:
- Usage data: Pages visited, articles read, search queries, session duration, and feature interactions.
- Device information: IP address, browser type, operating system, screen resolution.
- Cookies and similar technologies: See Section 7 for details.
2. How We Use Your Information
We use your personal information to:
- Operate and maintain the qiboo.ai platform and your account
- Personalize your research feed based on your reading history and preferences
- Send you newsletters, digests, and service updates you have subscribed to
- Respond to your inquiries and provide customer support
- Analyze aggregate usage patterns to improve platform performance and content quality
- Detect and prevent fraud, abuse, and security incidents
- Comply with applicable legal obligations
We do not sell your personal information to third parties. We do not use your data for automated individual decision-making with legal effects.
3. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA) and the United Kingdom, we process your data under the following legal bases:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the services you have requested (account management, content delivery).
- Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, platform analytics, and improving our services — where your rights and freedoms do not override these interests.
- Consent (Art. 6(1)(a)): Marketing communications and non-essential cookies — you may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): Where processing is required by applicable law.
For Turkish users, we process data in accordance with the KVKK (Kişisel Verilerin Korunması Kanunu) Law No. 6698, on the basis of explicit consent or legitimate purposes as defined therein.
4. Data Sharing and Third Parties
We may share your data with:
- Service providers: our hosting provider (Hetzner, EU data centres), Paddle (payments and invoicing as Merchant of Record), Google / Gmail (transactional email delivery), and Cloudflare (CDN, security and privacy-respecting, cookieless web analytics). All processors are bound by data processing agreements.
- Law enforcement: Where required by applicable law, court order, or governmental authority.
- Business transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred as part of that transaction, subject to continued privacy protections.
We do not share your data with advertisers or data brokers.
5. Data Retention
- Account data: Retained for the duration of your account plus 90 days after deletion request.
- Usage logs: Anonymized after 90 days.
- Newsletter subscriptions: Retained until you unsubscribe or request deletion.
- Support communications: Retained for 3 years for quality and dispute resolution purposes.
6. Your Rights
Depending on your jurisdiction, you have the right to:
- Access: Request a copy of the personal data we hold about you
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Portability: Receive your data in a machine-readable format
- Restriction: Request that we restrict processing of your data in certain circumstances
- Objection: Object to processing based on legitimate interests
- Withdraw consent: At any time for consent-based processing, without affecting prior processing
- Complaint: Lodge a complaint with your local data protection authority (e.g., CNIL, ICO, KVKK Kurumu)
To exercise any of these rights, contact us at privacy@qiboo.ai. We will respond within 30 days.
7. Cookies and Tracking
We use the following categories of cookies:
- Essential cookies: Required for authentication and platform functionality. Cannot be disabled.
- Analytics: We use Cloudflare's privacy-respecting, cookieless web analytics (no cross-site tracking, no advertising profiles). It does not set cookies and does not store IP addresses for analytics purposes.
- Preference cookies: Remember your language and display settings.
We do not use advertising cookies, third-party tracking pixels, or fingerprinting technologies. You may manage cookie preferences through your browser settings.
8. International Data Transfers
Our infrastructure is hosted on servers within the EU (Hetzner data centres, with Cloudflare providing CDN and security in front). Where data is transferred outside the EEA (e.g., to US-based service providers such as Paddle for payments), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, and ensure equivalent protections are in place.
9. Children's Privacy
qiboo.ai is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@qiboo.ai and we will promptly delete such data.
10. Security
We implement appropriate technical and organizational measures to protect your data, including: TLS encryption for all data in transit, encryption at rest for stored data, role-based access controls, and regular security audits. However, no method of transmission over the internet is 100% secure.
11. Practitioner Directory & Self-Published Listings
If you are a practitioner or clinic and choose to create a directory listing, the information you enter — which may include your clinic name, name, city/region/country, website, specialties, bio, photo and, only if you tick the relevant box, your contact phone or email — is processed because you have consented to publish it (GDPR Art. 6(1)(a); KVKK Art. 5(1); and your own act of publication under CCPA). Your phone and email are never shown publicly unless you explicitly opt in per field, and only listings you set to "published" — after our review — are visible to others; drafts remain private to you. You may edit or delete your listing at any time from your account, which removes it from public view immediately, or email directory@qiboo.ai. Deleting your listing withdraws this consent for the future without affecting the lawfulness of processing before withdrawal. We record the version of the Practitioner Listing Agreement you accepted and when, as a record of consent. Curated public-institution entries contain only business names and public websites — no personal data — and any individual concerned may request removal at the address above.
12. Contact & Data Controller
The data controller for qiboo.ai is:
İzmir, Türkiye
Email: privacy@qiboo.ai
Response time: within 72 hours
We may update this Privacy Policy periodically. Significant changes will be notified via email and a notice on the platform. Continued use of qiboo.ai after changes take effect constitutes acceptance of the updated policy.