Privacy Policy
This notice explains how UDY Digital, operator of ClinicVi, processes your personal data. It is prepared under the EU General Data Protection Regulation (GDPR) and, where applicable, Turkey's Personal Data Protection Law (KVKK).
Last updated: 2026-04-27
1. Controller
UDY Digital
Rissenerstr. 42, 22880 Wedel, Germany
Umut Deniz Yorulmaz
[email protected]
For data-protection requests (access, deletion, etc.): [email protected]. A Data Protection Officer is not legally required.
2. Data we process
a) Account & contract data
On registration we collect: name, email, password (hashed), clinic name, location, role. Legal basis: contract performance, Art. 6 (1) (b) GDPR.
b) Usage & log data
When you visit the service, our hosts automatically process IP address, timestamp, user agent and URL. Legal basis: legitimate interest (security, abuse detection), Art. 6 (1) (f) GDPR.
c) Patient data — processed on behalf of clinics
Clinics use ClinicVi to manage patient inquiries, appointments and communications. We process patient data — including health data within the meaning of Art. 9 GDPR — solely on instruction of the clinic (Art. 28 GDPR). The clinic is the controller toward patients. We sign a Data Processing Agreement (DPA) with every clinic.
d) Marketing communication
If you opted in, you receive product updates by email. Legal basis: consent, Art. 6 (1) (a) GDPR. You can withdraw consent at any time using the unsubscribe link or by emailing us.
3. Processors and recipients
| Service | Purpose | Region |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | EU (Frankfurt) |
| Resend, Inc. | Transactional & marketing email | EU / US (SCC) |
| Coolify (self-hosted) | Application hosting | EU (Germany) |
Transfers to third countries (USA) only happen with appropriate safeguards in place — Standard Contractual Clauses and supplementary technical measures.
4. Retention
- Account & contract data: duration of contract + up to 10 years for tax/commercial-law retention (§§ 147 AO, 257 HGB).
- Usage & log data: up to 90 days for security and debugging.
- Patient data (processor role): per clinic instructions; clinical retention obligations follow the clinic's applicable law.
- Marketing: until consent is withdrawn.
5. Your rights
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection (Art. 21 GDPR)
- Withdrawal of consent (Art. 7 (3) GDPR)
Send requests to [email protected]. You also have the right to lodge a complaint with a supervisory authority — in Schleswig-Holstein: ULD.
6. Cookies
Details of the cookies we use, their purpose and lifetime, are in our Cookie policy. Non-essential cookies are only set with your consent.
7. Automated processing & AI assistant (Art. 22 GDPR)
ClinicVi includes an AI assistant that helps clinics draft replies to patient requests. Final replies are reviewed and sent by a human staff member of the clinic; no solely automated decision producing legal effects on patients is taken by the platform. You may at any time request a human review under Art. 22 (3) GDPR.
8. Security (Art. 32 GDPR)
Technical and organisational measures (TOMs):
- TLS 1.2+ in transit; AES-256 encryption at rest.
- Row-Level-Security (RLS) on every multi-tenant table — clinic data is logically isolated.
- Multi-factor authentication for administrative access; principle of least privilege.
- Access and audit logs retained for security incident response.
- Regular dependency and vulnerability monitoring.
- Encrypted, geo-redundant backups (EU only).
9. Personal-data breach (Art. 33 / 34 GDPR)
A personal-data breach likely to result in a risk to the rights and freedoms of natural persons is notified to the competent supervisory authority within 72 hours of becoming aware of it (Art. 33 GDPR). Where a high risk is likely, we notify the affected clinic or — acting as processor — the controller without undue delay (Art. 33 (2) / Art. 34 GDPR).
10. Changes
We update this notice as processing or legal requirements change. The current version is always available on this page.