Privacy Policy

Last updated: 24 June 2026

This policy explains how we collect, use, store and protect your personal data. At Oomi we handle some of the most sensitive information there is, such as health data, so we care about describing what we do in plain and honest language.

1. Introduction and scope

This Privacy Policy covers the personal data processed within the products and services offered by Oomi Clinic ("Oomi", "we"). The data controller is Oomi Clinic.

It applies to our mobile health and nutrition app Oomi Diet (Google Play and the App Store; package name com.oomi.diet, version 0.1.0), our website oomiclinic.com (waitlist and contact form), and the upcoming Oomi Physio and Oomi Mind services. We will update this policy as new services are added.

By using Oomi or interacting with our website, you acknowledge that you have read about the data processing activities described here. Processing of special-category health data is additionally subject to your explicit consent, which you may withdraw at any time.

2. Data we collect

The data we collect depends on which service you use. We aim to collect only the data necessary to provide the service.

  • Website (oomiclinic.com): your email address, your optional name, your area of interest, and your optional message (waitlist and contact form).
  • Account and identity (Oomi Diet): your email address and an authentication token. The authentication token is stored securely on your device (expo-secure-store).
  • Special-category health data (KVKK art. 6): your height, weight and weight history; your goals; your nutrition/meal and water logs; your GLP-1 medication and dose information; your lab results; your mood; and your onboarding clinical questionnaire (medical conditions, diabetes, eating-disorder screening, etc.).
  • Health platform data (with your permission): your step count and active calories via Apple HealthKit or Android Health Connect (READ_STEPS, READ_ACTIVE_CALORIES_BURNED; including historical and background read permissions). This data is not used for advertising.
  • Camera (expo-camera): photos you take to scan meals, barcodes or documents.
  • Microphone and audio (RECORD_AUDIO, expo-speech-recognition): audio capture and voice commands for the voice-input feature.
  • Notifications: a push notification token to send reminders and updates (APNs/FCM, expo-notifications).
  • Device and technical data: basic device identifiers and crash/error logs, where applicable.

3. How and why we use data

We process your data only for the purposes below. We do not use your data outside of these purposes.

Our legal bases vary by type of processing: your explicit consent for special-category health data (KVKK art. 6); the establishment and performance of a contract to provide the service to you; and, in limited cases such as service security and improvement, legitimate interest. For processing based on explicit consent, you may withdraw your consent at any time.

  • Provide you with personalized nutrition and health coaching and generate plans.
  • Track your progress and give you feedback.
  • Send reminder and informational notifications.
  • Respond to waitlist requests on the website and share launch updates.
  • Keep the service secure, fix errors and improve the service.

4. AI processing

We use artificial intelligence to generate coaching content and extract meaningful information from your inputs. This processing may take place via the infrastructure of OpenAI L.L.C. (USA).

Before sending data to the AI provider, we remove direct identifiers (PII sanitization); the goal is to process the content without making you directly identifiable.

Because this processing takes place in the USA, it constitutes a transfer of data abroad and relies on your explicit consent and appropriate safeguards (see the Transfers abroad section).

5. Sharing and sub-processors

We do not sell your data to, or share it with, third parties for marketing purposes. Your health data is never used for advertising.

To provide the service, we share certain data with sub-processors who act on our behalf and on our instructions, under the necessary agreements:

  • OpenAI L.L.C. (USA) — AI content generation and entity extraction.
  • Cloudflare (R2) — image storage.
  • Supabase — database and website data storage.
  • APNs / FCM (Apple and Google) — delivery of push notifications.
  • Hosting provider — running the app and service infrastructure.

The full list of sub-processors and the status of data processing/transfer agreements (DPA/SCC) is being confirmed legally; we work with these processors only under the necessary agreements.

6. Transfers abroad

Some of our sub-processors (for example OpenAI) may process data outside Türkiye, primarily in the USA. This constitutes a transfer of data abroad under KVKK art. 9.

Special-category health data we transfer abroad relies on your explicit consent. We carry out such transfers only under the appropriate safeguards required by law and the necessary agreements. You may withdraw your explicit consent at any time, in which case the related processing will stop.

7. How long we keep data

We keep your personal and health data for as long as your account is active and we provide the service to you.

When you delete your account or request deletion, we delete your associated personal and health data within a reasonable period (approximately 30 days). As an exception, we continue to keep data subject to legal retention obligations (for example invoice and payment records that legislation requires us to retain) until the end of the relevant period.

8. Data security

We apply technical and organizational measures to protect your data against unauthorized access, loss and misuse.

  • Encryption in transit (TLS) and at rest.
  • Access controls and authorization.
  • Pseudonymization (using HMAC).
  • Audit logging of access and operations.

9. Your rights

Under KVKK art. 11 and the GDPR, you have the following rights regarding your personal data:

  • Learn whether your data is being processed and, if so, request information about it (access).
  • Request correction of data that is incomplete or processed incorrectly.
  • Request erasure or destruction of your data.
  • Receive your data in a portable format (portability).
  • Object to the processing of your data.
  • Withdraw the explicit consent you have given.
  • Request compensation for damage arising from the processing.

To exercise these rights, you can email hello@oomiclinic.com or use Settings > Privacy / KVKK in the app.

10. Account and data deletion

You can delete your account from within the app or request deletion by emailing hello@oomiclinic.com. Deletion covers your account, your associated personal and health records, and your images. Records subject to legal retention obligations are an exception.

For detailed information about the account and data deletion process, see our Account Deletion page (/account-deletion).

11. Children's privacy

Oomi is not directed at people under 18. The app includes a parent/guardian consent flow.

We do not knowingly process data belonging to a minor without appropriate consent. If we become aware of such a case, we delete the relevant data. (The age threshold will be confirmed before launch.)

12. Health and medical disclaimer

Oomi is not a medical device. It does not diagnose and does not recommend treatment or medication. Oomi performs screening and provides information, and refers you to a health professional or physician when needed.

The content Oomi provides is general information and nutritional guidance; it does not replace the medical advice of a physician or health professional. In a medical emergency, please call your local emergency number (112 in Türkiye).

13. Cookies and web analytics

The oomiclinic.com website may use cookies and similar technologies that may be necessary for the site to function and for basic usage measurement.

The use and scope of cookies and the details of any analytics tools will be clarified before launch and, where required, presented in a separate cookie notice. You can manage cookies through your browser settings.

14. Changes to this policy

We may update this policy from time to time. For significant changes we will update the "Last updated" date at the top of the page and, where appropriate, notify you separately.

You can always find the current policy on this page. Continuing to use the service after changes take effect means you accept the updated policy.

15. Contact and data controller

Data controller: Oomi Clinic.

[Full legal entity name and address — to be added before launch]

You can contact us with your questions and requests, including those concerning your KVKK/GDPR rights.

  • Email: hello@oomiclinic.com
  • Web: oomiclinic.com
  • VERBİS registration no: [VERBİS registration no — if any]

For any questions, you can always reach us at hello@oomiclinic.com.