Privacy Policy

Last updated: June 6, 2026

Draft for review — this document is a pre-launch template and is not yet in effect. It will be finalized following legal review before ClinicFlo is generally available.

This Privacy Policy explains how ClinicFlo ('ClinicFlo', 'we', 'us' or 'our') collects, uses and protects personal data when you use our platform and services (the 'Service'). It also describes the rights available to you under applicable data protection laws.

We are committed to protecting personal data in line with the Jordan Personal Data Protection Law, the Saudi and UAE Personal Data Protection Laws, and the principles of the EU General Data Protection Regulation (GDPR).

1. Our Role: Controller and Processor

For account, billing and website data we act as a data controller. For patient and clinical data that clinics enter into the Service, we act as a data processor on behalf of the clinic, which remains the controller.

2. Information We Collect

Account data such as name, email, role and clinic details; usage and device data such as log data, IP address and browser type; and content data that clinics and their staff enter, which may include patient personal and health data.

We collect this information directly from you, automatically through your use of the Service, and from service providers who help us operate.

3. How We Use Information

To provide, maintain and secure the Service; to authenticate users and prevent abuse; to process payments; to provide support; and to improve and develop features.

We do not sell personal data, and we do not use patient data for advertising.

4. Legal Bases for Processing

Where GDPR or equivalent laws apply, we rely on performance of a contract, our legitimate interests in operating the Service, your consent where required, and compliance with legal obligations.

5. Sharing and Sub-processors

We share personal data with vetted sub-processors who help us run the Service, such as cloud hosting, email delivery and error monitoring, under contracts that require appropriate safeguards.

We may also disclose data where required by law or to protect rights, safety and security.

6. International Transfers and Data Residency

We host MENA customer data in the AWS Middle East (UAE) region and offer EU hosting (Frankfurt) for customers who require EU data residency.

Where data is transferred across borders, we apply appropriate safeguards, such as approved standard contractual clauses or an adequacy basis, consistent with applicable law.

7. Data Security

We build to SOC 2 controls. The platform is designed to provide measures including encryption in transit and at rest, database-level tenant isolation, role-based access, multi-factor authentication for privileged roles, and audit logging of changes to clinical data. We continue to roll out and verify these controls as we approach general availability.

8. Data Retention

We retain personal data for as long as needed to provide the Service and to meet legal, accounting and security obligations. Clinics control the retention of the patient data they manage, and we delete or return it on termination in line with our agreements.

9. Your Rights

Subject to applicable law, you may request access to, correction or deletion of, or a copy of your personal data, and you may object to or restrict certain processing.

For patient data held on behalf of a clinic, please contact that clinic, which is the controller; we will assist the clinic in responding.

You also have the right to lodge a complaint with the competent data protection authority in your jurisdiction if you believe your rights have not been respected.

10. Patient and Health Data

Patient data is sensitive personal data and receives heightened protection. We process it only on the documented instructions of the clinic and do not access it except as needed to provide and secure the Service.

11. Cookies

We use strictly necessary cookies to operate the Service and may use limited analytics to understand usage. You can control non-essential cookies through your browser or our cookie settings where offered.

12. Children's Data

The Service is intended for clinic staff and is not directed to children. Where a clinic records data about minor patients, it does so as the controller under applicable law.

13. Changes to This Policy

We may update this Policy from time to time. Material changes will be notified through the Service or by email, and the 'last updated' date above will reflect the latest revision.

14. Contact Us

For privacy questions or to exercise your rights, contact our privacy function, which serves as our Data Protection Officer, at privacy@clinicsflo.com.