Privacy Policy
Your privacy matters. Omnisio is a health and wellness platform that processes sensitive personal data. We are committed to protecting your information with the highest standards of security and transparency. We never sell your personal data.
1. Data Controller
The data controller responsible for your personal data is:
Oney Finansal Danismanlik Turizm ve Dis Ticaret A.S.
Esentepe mah, Kore Sehitleri cad, Yonca Apt A blok No:1-3, Kat:1, Daire:6
34394 Sisli/Istanbul/Turkiye
Tax ID: 6430768526 · Trade Registry: 386006-5
VERBIS Registration No: 74691528
CEO: Cagatay Can Oney
Email: info@oneyworld.com
Data Protection Officer: dpo@omnisio.app
2. Data We Collect
2.1 Account Information
- Name, email address, phone number
- Date of birth, gender
- Profile photo (optional)
- Authentication credentials (encrypted)
- Subscription tier and payment information
2.2 Health & Wellness Data
- Physical measurements (height, weight, body composition)
- Vital signs (heart rate, blood pressure, SpO2, HRV)
- Sleep patterns and quality metrics
- Physical activity and exercise data
- Nutrition and dietary information
- Menstrual cycle data (if applicable)
- Mood and stress indicators
2.3 Biometric Data
- Heart rate variability (HRV) patterns
- Electrodermal activity
- Movement and gait analysis
- Data from connected wearable devices
2.4 Genetic / DNA Data
Special Category Data: Genetic data is treated with the highest level of protection. Collection requires your explicit, informed, and specific consent. Genetic data is used exclusively for wellness insights and is never used for diagnostic, insurance, or employment purposes.
- DNA analysis results from partner laboratories
- Genetic wellness markers and predispositions
- Nutrigenomics and pharmacogenomics profiles (wellness only)
2.5 Blood Test Data
- Laboratory results uploaded or integrated from partner labs
- Biomarker values and reference ranges
- Historical test comparisons
2.6 Device & Technical Data
- Device type, operating system, app version
- IP address and approximate location
- Usage analytics and feature interaction patterns
- Crash reports and performance data
- Connected wearable device identifiers
2.7 Location Data
- Approximate location for regional health insights (e.g., UV index, air quality)
- Precise location only when explicitly enabled for fitness tracking
3. How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Account creation and management | Account info | Contract performance |
| Health tracking and insights | Health, biometric, blood test data | Explicit consent |
| AI-powered health analysis and recommendations | All health-related data | Explicit consent |
| Genetic wellness analysis | DNA/genetic data | Explicit consent (specific) |
| Personalized workout and nutrition plans | Health, activity, nutrition data | Contract performance + consent |
| Wearable device synchronization | Biometric, device data | Contract performance |
| Subscription billing and payments | Account, payment info | Contract performance |
| Customer support | Account info, usage data | Legitimate interest |
| App improvement and analytics | Technical, usage data | Legitimate interest |
| Legal compliance | As required | Legal obligation |
4. AI Processing
Omnisio uses artificial intelligence to analyze your health data and provide personalized insights and recommendations. Key points about our AI processing:
- AI analysis is performed to generate wellness insights, not medical diagnoses
- Your data may be processed by our AI infrastructure providers under strict data processing agreements
- AI models do not retain your personal data after processing
- You can request a human review of any AI-generated recommendation
- AI outputs should always be verified with a qualified healthcare provider
5. Data Sharing
We never sell your personal data. We do not sell, rent, or trade your information to third parties for marketing or advertising purposes.
We share data only with:
- AI Infrastructure Providers: For processing health analysis (under strict data processing agreements; data is not retained)
- Partner Laboratories: When you opt in to blood test or DNA analysis services
- Payment Processors: For subscription billing (iyzico for Turkey, Apple/Google IAP globally)
- Cloud Infrastructure: Hosting and storage providers with appropriate security certifications
- Legal Authorities: When required by law or valid legal process
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 2 years after deletion |
| Health & wellness data | Duration of account; deleted within 30 days of account deletion request |
| Genetic / DNA data | Until explicit deletion request; deleted within 30 days |
| Blood test data | Duration of account; deleted within 30 days of request |
| Biometric data | Duration of account; deleted within 30 days of request |
| Payment records | 10 years (Turkish tax law requirement) |
| Usage analytics | 24 months (aggregated and anonymized after 12 months) |
| Support tickets | 3 years from resolution |
7. Data Security
We implement comprehensive security measures to protect your data:
- AES-256 encryption for data at rest
- TLS 1.3 encryption for data in transit
- Genetic data stored in isolated, encrypted databases with additional access controls
- Multi-factor authentication for system access
- Regular security audits and penetration testing
- Role-based access controls with principle of least privilege
- Automated threat detection and incident response
8. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
8.1 Universal Rights
- Access: Request a copy of all personal data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your data (see our Data Deletion page)
- Portability: Receive your data in a machine-readable format
- Restriction: Request restriction of processing
- Objection: Object to processing based on legitimate interest
- Withdraw Consent: Withdraw consent at any time without affecting prior processing
8.2 Exercising Your Rights
To exercise any of these rights, contact us at dpo@omnisio.app or through the in-app privacy settings. We will respond within 30 days of receiving your verified request.
9. KVKK Compliance (Turkey)
For the full Turkish-language disclosure required by the Personal Data Protection Law (KVKK), please see our KVKK Aydinlatma Metni.
- Data Controller: Oney Finansal Danismanlik Turizm ve Dis Ticaret A.S.
- VERBIS Registration No: 74691528
- Rights under Article 11: You have the right to learn whether your data is processed, request information, learn the purpose, learn domestic/foreign transfer recipients, request correction, request deletion, object to automated decisions, and claim damages for unlawful processing.
- Application: Submit requests via kvkk@omnisio.app or registered mail to our address
10. GDPR Compliance (EU/UK)
If you are located in the European Economic Area (EEA) or the United Kingdom, the following applies:
- Data Protection Officer: dpo@omnisio.app
- Legal Basis: We process data based on consent (health/genetic data), contract performance (account services), legitimate interest (analytics, security), and legal obligation (tax, regulatory)
- Cross-Border Transfers: Data transferred outside the EEA is protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions where applicable
- Automated Decision-Making: We do not make decisions with legal or similarly significant effects based solely on automated processing. AI-generated insights are informational only.
- Right to Lodge Complaint: You have the right to lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated
11. 152-FZ Compliance (Russia)
If you are located in the Russian Federation, the following applies:
- Data Localization: Personal data of Russian citizens is stored and processed on servers located within the Russian Federation in compliance with Federal Law No. 152-FZ
- Roskomnadzor Notification: We have submitted the required notification to the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) regarding processing of personal data
- Consent: Processing of personal data is carried out with your written consent. You may withdraw consent at any time by contacting us
- Cross-Border Transfer: Transfer of personal data to countries that do not provide adequate protection requires your additional consent
- Rights: You have the right to access, correct, block, and destroy your personal data by contacting us at support@omnisio.app
12. Genetic / DNA Data Special Provisions
Genetic data receives the highest level of protection in our system.
- Explicit Consent: Separate, specific, and informed consent is required before any genetic data is collected or processed. General consent to our Terms of Service does not constitute consent for genetic data processing.
- Purpose Limitation: Genetic data is used exclusively for wellness insights (nutrigenomics, fitness predispositions, wellness markers). It is never used for diagnostic purposes, insurance assessments, employment decisions, or shared with any party for these purposes.
- Storage: Genetic data is stored in isolated, encrypted databases separate from other personal data. Access requires additional authentication and is logged.
- Deletion: You can request deletion of genetic data at any time. Upon request, all genetic data, including raw files and derived analyses, is permanently destroyed within 30 days. A confirmation of deletion is provided.
- No Re-identification: Once deleted, genetic data cannot be recovered or re-identified from any anonymized datasets.
- Third-Party Labs: Partner laboratories that perform DNA analysis are contractually prohibited from retaining your genetic samples or data beyond the analysis period, and are subject to audit.
13. Health Data Sensitivity
We acknowledge that health data is among the most sensitive categories of personal data. Omnisio processes health data with the following commitments:
- Health data is never used for advertising or marketing profiling
- Health data is never shared with insurers, employers, or any party that could use it for discriminatory purposes
- Anonymized and aggregated health data may be used for research purposes only with your separate consent
- All health data processing is governed by the strictest applicable data protection laws in your jurisdiction
14. Children's Privacy
Omnisio is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we discover that we have inadvertently collected data from a child under 16, we will delete it promptly. If you believe a child under 16 has provided us with personal data, please contact us at dpo@omnisio.app.
15. Cookies & Tracking
For detailed information about the cookies and tracking technologies we use, please see our Cookie Policy.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes through the app, by email, or by a prominent notice on our website at least 30 days before changes take effect. Continued use of Omnisio after changes become effective constitutes acceptance of the updated policy.
17. Contact Us
For privacy inquiries, data requests, or complaints:
- Data Protection Officer: dpo@omnisio.app
- General Support: support@omnisio.app
- KVKK Requests: kvkk@omnisio.app
- Phone: +90 212 706 68 68
- Mail: Oney Finansal Danismanlik Turizm ve Dis Ticaret A.S., Esentepe mah, Kore Sehitleri cad, Yonca Apt A blok No:1-3, Kat:1, Daire:6, 34394 Sisli/Istanbul/Turkiye