medPlan Logo

Privacy Policy

Effective Date: November 10, 2025

Company: Tymera Software LLC

Platform: medplan.live

1. Introduction & Scope

This Privacy Policy explains how Tymera Software LLC ("we," "us," or "our") collects, uses, stores, and protects your personal data when you use medplan.live ("Platform"). We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the Turkish Personal Data Protection Law (KVKK).

By using our Platform, you acknowledge that you have read, understood, and agree to this Privacy Policy.

2. Data Controller Information

The data controller responsible for your personal data is:

Company Name: Tymera Software LLC

Address: New Mexico, USA

Email: support@medplan.live

Website: medplan.live

3. Data We Collect

We collect the following categories of personal data:

3.1 Account Information

  • Username: Your unique identifier (required, non-editable after registration)
  • Email address: For account verification and communication (required, non-editable)
  • Password: Securely hashed using bcrypt (never stored in plain text)
  • Name: Your full name (optional, editable)
  • Institution/Clinic name: Your workplace name (required, editable)
  • Phone number: Contact information (optional, editable)

3.2 Subscription & Payment Data

  • Subscription status: Active or inactive
  • Subscription end date: When your subscription expires
  • Stripe Customer ID: For payment processing (handled by Stripe)
  • Payment information: Processed and stored by Stripe (we do not store card details)

3.3 Medical Staff Data

  • Doctor names: Full names of healthcare staff
  • Doctor titles & specialties: Professional information
  • Doctor phone numbers: Encrypted using AES-CBC encryption
  • Doctor email addresses: Contact information (optional)

3.4 Work Schedule Data

  • Work plans: Schedule names, start/end dates
  • Work areas/workplaces: Names and descriptions of work locations
  • Daily schedules: Doctor assignments to work areas by date
  • Rotation plans: Department rotations and assigned doctors
  • Holidays: Custom holiday dates and names

3.5 Leave Request Data

  • Request details: Start date, end date, reason
  • Request status: Pending, approved, or rejected
  • Submission metadata: IP address, browser fingerprint, user agent (for fraud prevention)

3.6 Technical Data

  • Authentication tokens: JWT access tokens (15 min) and refresh tokens (60 days)
  • IP addresses: For security and fraud detection
  • Browser fingerprint: For suspicious activity detection
  • User agent: Browser and device information
  • Session data: Login times and session management

3.7 Communication Data

  • Notifications: In-platform alerts about leave requests and system updates
  • Support communications: When you contact us via email

4. Legal Basis for Processing

Under GDPR Article 6 and KVKK Article 5, we process your data based on the following legal grounds:

Data CategoryLegal BasisGDPR Article
Account info, payment dataContract performanceArticle 6(1)(b)
Doctor data, schedulesContract performanceArticle 6(1)(b)
Security logs, IP, fingerprintLegitimate interestArticle 6(1)(f)
Optional data (phone, name)ConsentArticle 6(1)(a)

5. Purpose of Data Use

We collect and process your data for the following purposes:

  • Account management: Create, maintain, and authenticate user accounts
  • Service delivery: Enable you to create and manage work schedules, rotations, and leave requests
  • Payment processing: Process subscription payments via Stripe
  • Security: Detect and prevent fraudulent activity, unauthorized access, and suspicious behavior
  • Communication: Send important notifications about leave requests and account status
  • Legal compliance: Comply with legal obligations (e.g., payment record retention)
  • Service improvement: Understand how users interact with the Platform to improve functionality

Purpose Limitation: We process your data only for the purposes explicitly stated in this policy. We will not use your data for purposes incompatible with the original purpose (GDPR Article 5(1)(b)).

6. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit: All data is transmitted via HTTPS (TLS 1.2+)
  • Encryption at rest: Doctor phone numbers are encrypted using AES-CBC with 256-bit keys
  • Password protection: Passwords are hashed using bcrypt (cost factor 10)
  • Secure authentication: JWT tokens stored in HTTP-only cookies with secure flags
  • Access control: Data is accessible only to authorized users and personnel
  • Database security: PostgreSQL database with encrypted connections
  • Regular updates: Security patches and updates applied promptly

Data Minimization: We collect only the minimum data necessary to provide our services (GDPR Article 5(1)(c)).

7. Data Sharing and Third Parties

We share your data only in the following limited circumstances:

7.1 Stripe (Payment Processor)

  • We use Stripe to process subscription payments
  • Stripe receives: name, email, payment card information
  • Stripe's privacy policy: stripe.com/privacy

7.2 Hosting & Infrastructure

  • Platform hosted on Vercel (hosting provider)
  • Database hosted on secure PostgreSQL servers
  • These providers have access only to server-level data, not your application data

7.3 No Other Sharing

We do NOT share your data with:

  • ❌ Advertising networks
  • ❌ Analytics services (e.g., Google Analytics)
  • ❌ Social media platforms
  • ❌ Data brokers or marketers
  • ❌ Any other third parties for marketing purposes

8. International Data Transfers

Your data is stored on servers located in the United States. By using our Platform, you consent to the transfer of your data to the United States.

Safeguards: We ensure appropriate safeguards are in place to protect your data in accordance with GDPR Article 46 and KVKK requirements, including:

  • Encryption during transfer and at rest
  • Contractual agreements with service providers
  • Compliance with US data protection standards

9. Your Rights

Under GDPR (Articles 15-22) and KVKK (Article 11), you have the following rights:

1. Right to Access (GDPR Art. 15)

You can request a copy of all personal data we hold about you.

2. Right to Rectification (GDPR Art. 16)

You can update or correct inaccurate data via your profile page or by contacting us.

3. Right to Erasure / "Right to be Forgotten" (GDPR Art. 17)

You can request deletion of your account and all associated data. See Section 10 for details.

4. Right to Restriction of Processing (GDPR Art. 18)

You can request that we limit how we use your data under certain circumstances.

5. Right to Data Portability (GDPR Art. 20)

You can request your data in a structured, machine-readable format (CSV or JSON). Contact support@medplan.live to request a data export.

6. Right to Object (GDPR Art. 21)

You can object to processing based on legitimate interest (e.g., security logging).

7. Right to Withdraw Consent (GDPR Art. 7(3))

You can withdraw consent for optional data (e.g., phone number) at any time via your profile.

8. Right to Lodge a Complaint (GDPR Art. 77)

You have the right to file a complaint with a supervisory authority:

  • Turkey: KVKK (Kişisel Verileri Koruma Kurumu)
  • EU: Your local Data Protection Authority
  • USA: Federal Trade Commission (FTC)

To exercise any of these rights, please contact us at: support@medplan.live

10. Data Retention Periods

We retain your data for the following periods:

Data TypeRetention PeriodReason
Access tokens (JWT)15 minutesSecurity best practice
Refresh tokens60 daysSession management
Account dataUntil account deletionService provision
Doctor dataUntil deleted by userService provision
Work plans & schedulesUntil deleted by userService provision
Leave requestsUntil deleted by userService provision
Deleted account data30 days in backupsRecovery & security
Payment records7 yearsLegal requirement (tax law)

Account Deletion Procedure

To delete your account and all associated data:

  1. Contact us at support@medplan.live with your account email
  2. We will verify your identity and process your request within 7 business days
  3. Your account will be immediately deactivated
  4. All data will be permanently deleted within 30 days (except payment records for legal compliance)

Note: Payment transaction records are retained for 7 years to comply with tax and accounting regulations.

11. Children's Privacy

Our service is intended for healthcare professionals and is not designed for individuals under the age of 18 years. We do not knowingly collect personal data from minors. If you are under 18, please do not use this Platform. If we become aware that we have collected data from a minor, we will delete it immediately. Parents or guardians who believe we may have collected information from a minor should contact us at support@medplan.live.

12. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms:

  • We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Article 33)
  • We will notify affected users without undue delay via email and in-platform notification (GDPR Article 34)
  • The notification will include: nature of the breach, likely consequences, and measures taken

We maintain security incident response procedures to detect, respond to, and mitigate data breaches promptly.

13. Automated Decision Making

We do NOT use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you (GDPR Article 22).

Suspicious Activity Detection: We do use automated systems to detect suspicious leave request submissions (same device submitting for multiple doctors). However, this is used only to warn you—it does not automatically reject requests. You always have full control over approval decisions.

14. Cookies & Tracking

For detailed information about cookies we use, please see our Cookie Policy. We use only essential cookies for authentication and do not use analytics or advertising cookies.

15. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. When we make material changes:

  • We will update the "Effective Date" at the top of this page
  • We will notify you via email
  • We will display a prominent notice on the Platform

We encourage you to review this Privacy Policy periodically. Continued use of the Platform after updates constitutes acceptance of the revised policy.

16. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Data Controller: Tymera Software LLC

Email: support@medplan.live

Website: medplan.live

Address: New Mexico, USA

We will respond to your inquiry within 30 days as required by GDPR Article 12.

Last Updated: November 10, 2025

By using medplan.live, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this policy, please do not use the Platform.

Back to Home