Overview
The Clinic (“The Clinic,” “we,” “our,” or “us”) provides a clinical operations platform used by licensed healthcare providers to manage appointments, medical records, billing, and communications. This Privacy Policy explains what information we collect, how we use it, and the rights you have over your data when you interact with our websites, applications, and related services (the “Services”).
If you are a patient whose records are managed inside The Clinic by a healthcare provider, that provider is the controller of your health information and their own privacy notice applies. We process that information on their behalf as a service provider, business associate, or processor as defined under applicable law.
Information We Collect
We collect the following categories of information:
- Account data — name, email, phone, role, clinic affiliation, authentication credentials, and preferences.
- Clinical data — patient demographics, visit notes, prescriptions, diagnostic results, imaging metadata, and other protected health information (PHI) entered into the platform by authorized users.
- Operational data — appointment schedules, billing records, insurance claims, and workflow metadata.
- Device and usage data — IP address, browser type, device identifiers, pages visited, and interactions with the Services, collected through cookies and similar technologies.
- Support data — information you share when you contact us for help, including transcripts and attachments.
How We Use Information
We use the information we collect to:
- Provide, maintain, and improve the Services;
- Authenticate users, enforce access controls, and prevent fraud or abuse;
- Process transactions, including subscription billing and claims processing, where applicable;
- Deliver appointment reminders, clinical notifications, and service announcements on behalf of providers;
- Perform aggregated, de-identified analytics to monitor performance and plan capacity;
- Comply with legal, regulatory, and contractual obligations.
Protected Health Information
When we process Protected Health Information (PHI) on behalf of a covered entity, we act as a Business Associate under the U.S. Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations. A signed Business Associate Agreement (BAA) governs our PHI handling. In other jurisdictions, we enter into a Data Processing Addendum (DPA) that reflects equivalent obligations.
We will not use or disclose PHI except as permitted or required by the underlying provider agreement, the BAA/DPA, or applicable law. We limit internal access to PHI to personnel who need it to operate the Services, and we log access for audit review.
Sharing and Subprocessors
We share information only as necessary to provide the Services. Our categories of recipients include:
- Cloud infrastructure providers that host the platform, bound by contractual confidentiality and security obligations;
- Communications providers for email, SMS, WhatsApp, and voice delivery at the direction of the provider;
- Payment processors for subscription billing and, if enabled by the provider, patient payments;
- Analytics and error-monitoring providers, configured to exclude PHI wherever possible;
- Professional advisors and authorities where required by law or to protect rights and safety.
A current list of subprocessors is available on request at dpo@theclinic.com.
International Transfers
The Clinic operates data-residency regions in the Gulf Cooperation Council (GCC), the European Union, and the United States. Each customer's production data is stored in the region configured for their tenant. When data must move across regions — for example, for global support, disaster-recovery testing, or where a subprocessor operates in another region — we use appropriate safeguards, including the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent mechanisms recognized under UAE Federal Decree-Law No. 45 of 2021 and the KSA Personal Data Protection Law.
Your Rights
Depending on where you live, you may have the right to access, correct, delete, or port your personal data, object to certain processing, or withdraw consent. Patients should direct these requests to the healthcare provider that maintains their record. Workforce users may contact us directly at dpo@theclinic.com.
We will respond within the timelines required by applicable law, typically within thirty (30) days. We may need to verify your identity before acting on a request.
Retention
We retain personal data for as long as an active subscription exists, plus the period required by applicable law or the customer agreement. After termination, customer data is returned or deleted in accordance with the DPA, usually within ninety (90) days, unless longer retention is required for legal or regulatory reasons. Backups are purged according to our disaster-recovery schedule.
Security
We maintain an information-security program aligned with ISO/IEC 27001 and SOC 2 Trust Service Criteria. Measures include encryption in transit (TLS 1.2+) and at rest (AES-256), network isolation, role-based access controls, quarterly vulnerability scans, annual penetration testing, and formal incident-response procedures. No system is perfectly secure, but we work to minimize risk and to notify affected parties promptly if an incident occurs.
Children's Privacy
The Services are intended for use by licensed healthcare organizations and their authorized personnel. They are not directed at children, and we do not knowingly collect information directly from children. When a pediatric record is entered by a provider, it is processed on the provider's legal basis and subject to their privacy notice.
Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be announced in-product or by email at least thirty (30) days before taking effect. The “Last updated” date at the top of this document always reflects the current version.
Contact
Questions about this Privacy Policy, or requests related to your personal data, may be directed to our Data Protection Officer at dpo@theclinic.com. You may also write to us at The Clinic, Attn: Data Protection Officer, Dubai Internet City, Dubai, United Arab Emirates.