Our Privacy Policy

This Privacy Policy describes how HaloScape (“we”, “us”, or “our”) collects, uses, stores, discloses, and protects your personal data, including sensitive health information, when you access or use our mobile application, websites (https://haloscape.health/ and https://pro.haloscape.health/) or other digital services (collectively, the “Services”). As a company committed to user privacy, we ensure that the processing of your data is conducted in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA) and related U.S. state privacy laws, as well as other relevant international regulations. This policy reflects our dedication to transparency, data security, and your individual rights as a data subject or user of our health platform.

Our Services are designed to help users access digital healthcare, including personalized wellness assessments, symptom checkers, health tracking features, and other tools that may involve the processing of special categories of personal data such as health data, biometric information, contact and identification details, financial data, and user-uploaded content (including photographs). As such, we take special care to apply high standards of privacy and security by design and by default across all our operations.

This Privacy Policy applies to all individuals who interact with our Services, including mobile app users, website visitors, registered users, healthcare professionals, and any other individuals whose personal data is collected or processed by us. This includes individuals located in the European Economic Area (EEA), the United Kingdom, the United States, and other jurisdictions in which we operate or from which our Services are accessed.

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, you should not use our Services.

We may revise this Privacy Policy from time to time to reflect changes in our operations, technology, or legal obligations. When we make material changes, we will notify you by sending an email to your registered address (if available), or by posting a prominent notice on our application or website. Unless otherwise stated, changes will become effective immediately after such notification. We encourage you to review this Privacy Policy periodically to stay informed about how we collect and protect your personal data.

In the course of delivering digital health services through our platform, HaloScape collects and processes a range of personal data, including health-related information, financial identifiers, and usage-based technical data. We only collect data that is necessary for the specific purposes outlined in this Privacy Policy and in compliance with applicable legal frameworks such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and other relevant laws.

We may collect the following categories of personal data from users located in the European Economic Area (EEA), the United Kingdom, and other applicable jurisdictions:


o   Identification and contact details, such as your full name, region, email address, phone number and date of birth;

o   Health-related information that you voluntarily provide to us with your explicit consent, including but not limited to symptoms, self-reported conditions, physical measurements, lifestyle data, and wellness goals;

o   Financial and transactional data, such as payment method information (processed through secure third-party payment processors);

o   User-uploaded content, including photographs or images submitted as part of your health profile or consultation.

This data is processed in accordance with Article 6 and, where applicable, Article 9 of the GDPR, with lawful bases including your consent, the performance of a contract, or our legitimate interest in providing and improving our health services.

If you are a U.S.-based user, we may collect and process Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA). This may include, but is not limited to:

o   Medical records, diagnoses, lab results, or clinical history shared with us or generated through your use of HaloScape’s services;

o   Information related to billing and reimbursement;

o   Any other individually identifiable health information that is created, received, stored, or transmitted in the context of providing healthcare or health-related support services.

All PHI is handled in accordance with HIPAA rules and secured through administrative, physical, and technical safeguards, as further outlined in Section 5 of this Policy.

We may also collect and generate certain data that does not, on its own, identify you as an individual (“Non-Personal Information”). This includes:

o   Technical identifiers such as device type, browser version, operating system, language preference, or IP address;

o   Behavioral data such as usage statistics, interaction with app features, crash reports, and system diagnostics;

o   Aggregated or anonymized health analytics used for statistical modeling, service optimization, and research purposes;

o   Pseudonymized data derived from your account, whereby direct identifiers are removed but information remains linkable under secure conditions.

This information is used in a manner that does not re-identify individuals and may be processed to enhance our platform functionality, ensure security, and support algorithmic improvements.

We collect personal data from the following sources:

o   Directly from you, when you create an account, complete forms, interact with features, upload content, or otherwise use the HaloScape app and services;

o   Automatically, through cookies, device identifiers, and similar tracking technologies deployed on our website and mobile application, in accordance with your preferences and our Cookie Policy;

o   From third parties, including healthcare providers, diagnostic laboratories, wellness platforms, or advertising networks, but only with your prior consent or where legally permitted. When applicable, such third parties may act as independent controllers or processors in accordance with our agreements and privacy obligations.

We ensure transparency regarding the categories and sources of personal data we process, and we offer mechanisms for you to manage your data preferences in accordance with applicable laws.

HaloScape processes your personal data in accordance with the principles and lawful bases set out under the General Data Protection Regulation (GDPR). Depending on the nature of the data and the context in which it is collected, we rely on one or more of the following legal bases:

o   Your explicit consent, particularly in relation to the processing of special categories of data such as health information, biometric data, and your preferences for receiving marketing communications;

o   The performance of a contract, including where processing is necessary to provide you with access to digital health consultations, personalized assessments, or other services offered through the HaloScape platform;

o   Compliance with legal obligations, such as the retention of medical records or disclosures required by applicable health, consumer protection, or data protection laws;

o   Our legitimate interests, provided that such interests are not overridden by your fundamental rights and freedoms. These may include activities such as service optimization, platform security, analytics, and limited internal research for the development of non-invasive health tools.

We take care to assess the appropriateness of each lawful basis and document our reasoning in line with our accountability obligations under Article 5 and Article 6 of the GDPR.

We process your personal and health data in order to provide the core functionalities of the HaloScape platform. These include:

o   Delivering digital healthcare services, including real-time consultations, AI-generated insights, wellness scores, and symptom assessments;

o   Creating and maintaining your user account, managing access credentials, and facilitating secure authentication mechanisms;

o   Processing payments and billing details in relation to subscription services, premium features, or reimbursable consultations;

o   Sending you transactional or operational communications relating to your activity, such as appointment confirmations, service updates, or responses to customer support inquiries.

This data is necessary for the delivery and continuous improvement of our health services, and we implement appropriate technical and organizational safeguards to ensure its confidentiality and integrity.

With your prior and explicit consent, we may also use your personal data for the following secondary purposes:

o   Scientific and algorithmic research, including the development and refinement of AI-driven tools designed to detect patterns in health-related data. Wherever possible, we use anonymized or pseudonymized data in this context to preserve your privacy;

o   Health education and outreach, including sending optional communications such as health tips, product updates, reminders, or promotional offers related to our services;

o   Participation in surveys or user experience studies, where we seek feedback on our services or proposed features.

You have the right to refuse or withdraw your consent for these activities at any time without affecting your access to essential features or care services offered through HaloScape.

We understand that the confidentiality of your personal and health information is critical. HaloScape shares your data only when necessary to deliver our Services, meet our legal obligations, or improve user experience, and always in accordance with applicable data protection laws and contractual safeguards.

We engage a range of carefully selected third-party service providers who assist us in the operation, maintenance, and enhancement of the HaloScape platform. These providers may have access to personal data solely for the purposes of delivering specific services on our behalf, under strict contractual and confidentiality obligations.

Examples of such third parties include:

o   Cloud hosting and storage providers (e.g., Google Cloud) that securely host our infrastructure and encrypted databases;

o   Analytics and performance monitoring tools (e.g., Google Analytics, Meta, TikTok) that help us understand how users interact with our services and identify areas for improvement;

o   Natural language processing and AI support services (e.g., OpenAI, Anthropic (Claude)) used to enhance automated features such as symptom explanations or user queries, strictly limited to anonymized or pseudonymized data when applicable;

o   Payment processors and financial compliance vendors (e.g., Stripe, Apple, Google) for secure billing, refunds, and subscription management;

o   Customer support and ticketing systems (e.g., Gmail, Mailchimp) for handling user inquiries and technical support.

All such vendors are bound by GDPR-compliant Data Processing Agreements (DPAs).

HaloScape is committed to ensuring the confidentiality, integrity, and availability of your personal and health data. Given the sensitive nature of the information we process, particularly health records and other special categories of personal data, we implement robust technical and organizational measures to protect against unauthorized access, loss, misuse, alteration, or destruction of data. Our security approach is guided by international standards and is subject to continuous monitoring and improvement.

We adopt industry-recognized best practices and frameworks to secure data across all stages of its lifecycle: collection, transmission, storage, and deletion. The safeguards we implement include, but are not limited to:

o   Encryption: All personal and health data is encrypted both in transit (e.g., HTTPS/TLS protocols) and at rest (e.g., AES-256 encryption) to prevent unauthorized interception or access.

o   Access Controls: We enforce strict role-based access permissions, ensuring that only authorized personnel with a legitimate business need can access your data. All access is logged and monitored.

o   Authentication & Identity Management: Internal systems are secured by multi-factor authentication (MFA), and user-facing systems may offer optional 2FA to enhance account security.

o   Monitoring & Testing: Our infrastructure is routinely tested through penetration testing, vulnerability scanning, and third-party audits to identify and address potential weaknesses.

o   Data Minimization & Segregation: We ensure that data is only stored for as long as necessary, is separated where appropriate, and is pseudonymized or anonymized when used for research or analytics.

Despite our best efforts, no system is entirely immune from breaches. In the unlikely event of a data breach involving your personal or health information, HaloScape will act swiftly and transparently in accordance with its incident response protocols and applicable laws.

Specifically, we will:

o   Notify affected individuals without undue delay if there is a reasonable likelihood that the breach may result in harm or risk to your rights or freedoms;

o   Report the breach to the appropriate data protection authority, including the relevant supervisory authority under the GDPR, within 72 hours of becoming aware of the incident, where required by law;

o   Notify U.S. authorities or entities, including the U.S. Department of Health and Human Services (HHS), in accordance with HIPAA and applicable state breach notification laws where PHI is involved;

o   Document all breach investigations, response measures, and remedial actions in a secure internal register.

We are committed to full cooperation with regulators and affected users in the event of any security incident, and to taking all necessary steps to prevent recurrence.

At HaloScape, we believe in empowering you with meaningful control over your personal and health information. Depending on where you live and which laws apply to your data, you may have specific rights regarding how your information is used, stored, and shared. This section explains your rights and how you can exercise them.

If you are located in the European Union, the European Economic Area, or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):

o   Right of access: You can request a copy of the personal data we hold about you.

o   Right to correction (rectification): You can ask us to correct inaccurate or incomplete information.

o   Right to deletion (the “right to be forgotten”): You may request that we erase your personal data, subject to legal and contractual obligations.

o   Right to restrict processing: You may ask us to temporarily limit the processing of your data under certain conditions.

o   Right to object: You can object to processing based on legitimate interest or direct marketing.

o   Right to data portability: You can request to receive your data in a structured, commonly used, and machine-readable format, and ask that it be transferred to another provider.

o   Right to withdraw consent: If processing is based on your consent, you can withdraw it at any time. This will not affect the lawfulness of any processing carried out before withdrawal.

If you are a resident of the United States, your rights may differ depending on federal and state laws:

·       Under HIPAA, you may request to access or amend your Protected Health Information (PHI) that we maintain in your medical file.

·       Under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), you may:

o   Request to know what personal information we collect and how we use it

o   Request deletion of personal information (subject to exceptions)

o   Opt out of the sale or sharing of your personal information

o   Limit the use of sensitive personal data, such as health or financial information

Other U.S. states may also grant similar rights, and HaloScape strives to honor these wherever applicable.

You may exercise your rights by submitting a Data Subject Access Request (DSAR) or by contacting us directly. Here’s how:

o   Email: Send your request to our privacy team at privacy@haloscape.health

o   Response time: We will respond within 30 days if your rights fall under GDPR.

o   Verification: For your protection, we may need to verify your identity before fulfilling your request. This helps prevent unauthorized access to your data.

We do not discriminate against users who choose to exercise their privacy rights. Access to our core services will remain unaffected.

HaloScape retains personal and health data only for as long as it is necessary to fulfill the purposes for which it was collected, or to comply with our legal, regulatory, and contractual obligations. We apply retention periods appropriate to the type of data, the context of processing, and the requirements imposed by relevant laws in the jurisdictions where we operate.

The duration for which we retain your data depends on the nature of the information and the reason for its collection. In general:

o   Health-related data, including medical or wellness information, may be retained for periods mandated by health, medical, or insurance laws, including laws applicable to healthcare providers and digital health platforms. These retention periods are determined based on regulatory obligations such as those under HIPAA, state-specific health laws, or EU/EEA national regulations.

o   Other personal data, such as account credentials, contact details, and service preferences, is retained only for as long as necessary to provide our services or until you request deletion, whichever comes first, unless we are legally required to retain it for audit, fraud prevention, dispute resolution, or compliance purposes.

We continuously review our data retention practices to ensure that we do not keep personal information longer than required.

When personal data is no longer necessary for the purposes for which it was collected, or when you submit a valid deletion request (subject to legal exceptions), we will securely delete or anonymize the data in accordance with industry-standard methods. This may include irreversible data wiping, cryptographic erasure, or transformation into a format that no longer permits identification of any individual.

Where data is stored in secure backups or archived systems, it will be isolated from active use and deleted in accordance with our retention schedule and technical safeguards.

HaloScape operates in a global digital environment and may process or store your personal data outside of the country in which you reside, including in jurisdictions that may not offer the same level of data protection as your home country. Whenever we transfer personal data internationally, and particularly from the European Economic Area (EEA), the United Kingdom, or Switzerland, we implement robust safeguards to ensure that your rights and data remain protected.

For users located in the European Union or other jurisdictions where international transfers are subject to data protection laws, we use Standard Contractual Clauses (SCCs) approved by the European Commission as the primary legal mechanism to authorize the transfer of personal data to countries outside the EEA. Where appropriate, we also conduct Transfer Impact Assessments (TIAs) to evaluate whether additional safeguards are needed to ensure compliance with the GDPR.

In certain cases, transfers may also be based on other legal bases such as the necessity for the performance of a contract or explicit consent, where permitted under applicable law.

HaloScape does not knowingly collect or process personal data from individuals under the age of 18. During account creation, users are required to confirm their date of birth, and our system automatically restricts access for anyone indicating an age below 18. If we become aware that a user under the age of 18 has accessed the platform or provided personal data, we will take immediate steps to block access and delete any associated information in accordance with applicable laws.

Our services are not intended for use by children under the age of 16 in the European Union (or under 13 in the United States) unless verifiable parental or legal guardian consent is obtained in advance. We do not knowingly collect, process, or store personal or health-related data from children under these age thresholds without proper authorization.

If we become aware that we have inadvertently collected personal data from a child without the appropriate consent, we will take prompt steps to delete that information and, where applicable, disable the associated account.

In situations where our services may be used by minors (for example, under the supervision of a healthcare provider or parent), we require verifiable parental consent before collecting any personal data. This process may involve confirmation via email, identity verification, or use of parental approval systems, depending on the legal jurisdiction and sensitivity of the data involved.

We also apply enhanced safeguards to children’s data, including:

o   Limiting data collection to what is strictly necessary

o   Restricting access to authorized personnel

o   Avoiding behavioral profiling or targeted advertising for children

To exercise these rights, please contact us at privacy@haloscape.health

At HaloScape, we are committed to transparency, accountability, and full compliance with global data protection regulations. This section outlines how you can contact us regarding your privacy rights and provides an overview of the regulatory frameworks that guide our data handling practices.

For users located in the European Union, European Economic Area (EEA), or the United Kingdom, HaloScape has appointed a Data Protection Officer (DPO) responsible for overseeing our data protection strategy and GDPR compliance.

Email: dpo@haloscape.health

Address:

RealWorks Teknoloji A.Ş.

Yildiz Mahallesi, Asariye Cami Cikmazi Sokak, No:5, Besiktas – Istanbul, 34349, Turkiye

If you are dissatisfied with how we handle your personal data, you have the right to escalate your concerns:

·       EU/EEA/UK Users: You may contact your national data protection authority or reach out directly to our DPO.

·       U.S. Users: You may contact us via the details above or file a complaint with the U.S. Department of Health and Human Services Office.

·       Turkish Users: You may file a complaint with the Kisisel Verileri Koruma Kurumu (KVKK).

·       Australian Users: You may raise a complaint with the Office of the Australian Information Commissioner (OAIC).

·       Other Jurisdictions: Please contact your relevant national or regional data protection authority.

We aim to respond to all privacy-related inquiries promptly and with transparency.

HaloScape uses cookies and similar tracking technologies on our website and mobile application to ensure secure functionality, improve your user experience, analyze usage, and deliver personalized content where permitted by law.

Some cookies are essential for the operation of our services, while others require your consent under applicable data protection laws such as the General Data Protection Regulation (GDPR).

For detailed information about the types of cookies we use, how long they are stored, and how you can manage your cookie preferences, please refer to our Cookies Policy.

Updated on 18.05.2025