Privacy Policy & Protection of Personal Data
Last updated: 21 July 2025
This English version is provided for information; the Turkish version prevails in case of discrepancy.
1. Introduction
Minasoft ("the Company", "we" or "Minasoft") attaches great importance to the protection of personal data while developing, operating and providing the ZenPACS medical imaging and reporting platform.
This Privacy Policy explains, under Law No. 6698 on the Protection of Personal Data ("KVKK") and related legislation, the purposes and legal grounds for processing personal data, collection methods, transfer conditions and the rights of data subjects. It covers hospitals, imaging centers, healthcare institutions using ZenPACS, their staff, and the patients served.
2. Data Controller
Entity: Minasoft Sağlık Teknoloji Yazılım Danışmanlık Ltd. Şti.
Address: Emrah Mah. General Dr. Tevfik Sağlam Cad. No:2/67 Door No:101/B Keçiören/Ankara, Türkiye
E-mail: info@minasoft.com.tr · Phone: +90 532 587 08 64
ZenPACS uses a multi-tenant architecture. Each healthcare institution is an independent data controller for its own data; Minasoft acts as the data processor in its role as platform provider.
3. Personal Data Processed
Patient data (including special-category health data) and user data are processed:
- Identity: name, surname, national ID, date of birth, gender, patient ID
- Contact: phone, e-mail
- Health data: DICOM images (CT, MR, CR, DX, US, MG, etc.), radiology reports, clinical findings, diagnoses
- Clinical: HL7 order/result messages, referring physician, emergency and comparison notes
- Study metadata: study/series/instance UID, accession number, modality, date/time
- User data: name, title, username, hashed password, role, assigned hospitals, IBAN (radiologists only), access logs (IP, session, last login)
4. Legal Basis for Processing
Personal data is processed based on the relevant articles of the KVKK:
- Art. 5/2(a) Expressly provided by law — keeping medical records as required by health legislation
- Art. 5/2(c) Performance of a contract — user account management and platform access
- Art. 5/2(ç) Legal obligation — audit logs and data retention
- Art. 5/2(f) Legitimate interest — information security and service quality
- Art. 6/3 Special-category data — processing of health data for public-health purposes
5. Collection Methods
- Medical imaging devices: automatically via the DICOM protocol
- Hospital Information Systems (HIS): via HL7 v2 messaging
- Web application: via user input on the ZenPACS interface
- Administrator actions: user creation and authorization
- EdgeServer: automatically via a per-hospital DICOM receiver
6. Data Security Measures
Technical measures:
- All external communication encrypted with HTTPS/TLS
- Passwords hashed with bcrypt, never stored in plain text
- Time-limited access tokens with AES-256-GCM; JWT (HMAC-SHA256) session management
- Parameterized queries via SQLC (SQL-injection prevention)
- Row-level data isolation in the multi-tenant architecture
- 6-level role-based access control (RBAC)
- Network segmentation via firewall; controlled DICOM access via pre-signed URLs; TOTP multi-factor authentication
Administrative measures:
- ISO 27001 and SPICE Level 2 certification
- Staff NDAs
- Annual security training
- Access revocation on departure
7. Data Retention Periods
- Patient medical records and DICOM images: for the legal retention period (min. 20 years per health legislation), then anonymization/secure deletion
- Radiology reports: for the legal retention period
- Active patient cases: 60 days after closure (configurable)
- User account data: while the account is active + 1 year after contract end
- Audit logs: 365 days
- Backups: 3-7 days
- Password-reset codes: 3 minutes
- Session tokens: 24 hours (web)
8. Transfer of Personal Data
Domestic: clinical data exchange with the HIS over HL7, encrypted metadata transfer from EdgeServer to the Hub via NATS, and backups within the same private network.
International: Patient data and medical images are not transferred abroad. All critical infrastructure is hosted on the company's own servers. Only non-sensitive operational data is handled by third-party services: Mailjet (e-mail addresses only), Cloudflare (DNS only), GitHub (source code/images), Let's Encrypt (TLS). No patient data is transferred through these services.
9. Data Anonymization
ZenPACS provides comprehensive anonymization via the company's Gordion DICOM library: removal of patient identifiers, regeneration of all DICOM UIDs, date shifting, free-text cleaning, removal of vendor tags, and 5 ready-made anonymization profiles. It is configurable at the hospital level and can be optionally applied on export.
10. Rights of the Data Subject
Under Article 11 of the KVKK, data subjects have the right to learn whether their data is processed, request information, learn the purpose, know the third parties to whom data is transferred, request correction/erasure, object to automated analysis, and claim compensation for damages.
- E-mail: kvkk@minasoft.com.tr
- Written application: Emrah Mah. Gen. Dr. Tevfik Sağlam Cad. No:2/67/101/B Keçiören/Ankara (via notary or registered mail)
- Applications are concluded free of charge within 30 days at the latest.
11. Cookie Policy
ZenPACS uses limited cookies: authentication (session), language preference and theme preference (persistent). No analytics, advertising or third-party tracking cookies are used.
12. Policy Changes
This policy may be updated in line with legal requirements, technological developments or service changes. Significant changes are notified via the platform and/or e-mail.
13. Contact
Data Controller: Minasoft Sağlık Teknoloji Yazılım Danışmanlık Ltd. Şti. · KVKK: kvkk@minasoft.com.tr · Security: tech@minasoft.com.tr · General: info@minasoft.com.tr · www.minasoft.com.tr · ISO 27001 | SPICE Level 2