Privacy Policy

This Privacy Policy explains how Qlynic (“Qlynic”, “we”, “us”) collects, uses, protects, and shares information related to clinics, staff, and patients when you use our platform.

Last updated: 2025-11-30 | Applies globally | Security focused

Scope & Definitions

This policy covers all services hosted under domains operated by Qlynic. “Clinic Data” means administrative, scheduling, provider, and operational information. “Patient Data” means information entered to manage appointments and related communications. “Personal Data” means any information relating to an identified or identifiable natural person.

  • “Provider” – individual offering clinical services.
  • “Appointment Metadata” – time, duration, status (booked, rescheduled, cancelled).
  • “Transactional Email” – confirmations, reminders, receipts.
  • “PHI / Sensitive Data” – only minimal contact & scheduling; no diagnostic records stored by default.

Information We Collect

Data You Provide

  • Account registration (name, email, password hash).
  • Clinic profile (branding, timezone, address, optional logos).
  • Provider roster & availability (names, working hours, vacations).
  • Patient booking details (name, email, chosen slot).
  • Support or feedback submissions.

Data We Generate

  • Booking activity logs (timestamps, action type).
  • Email delivery metadata (sent, bounced, opened if enabled).
  • Aggregated analytics (volume, provider utilization, reminder success).
  • Fraud / abuse signals (repeated failed authentication, rate limiting).

Data Collected Automatically

  • IP address (security & anti‑abuse).
  • User agent & device traits.
  • Session tokens (secure, HttpOnly).
  • Minimal cookies (auth session / CSRF).

Not Collected By Default

  • Payment card numbers (processed via Stripe).
  • Diagnostic notes or medical records.
  • Government IDs.
  • Biometric templates.

How We Use Information

Platform Operations

Scheduling, provider management, reminders, receipts, and system notifications.

Security

Monitoring for abusive patterns, rate limiting, and protecting accounts.

Improvements

Aggregated, de‑identified metrics to tune performance and UX.

Compliance

Meeting tax, accounting, and regulatory obligations (limited scope).

We do not sell Personal Data.

Retention

We retain Personal Data only as long as required for its processing purpose or legal obligations. Typical lifecycles:

  • Account & Clinic Data: Kept while account is active + short grace period (e.g. 90 days) for reactivation unless deletion is requested sooner.
  • Booking Logs: Core audit entries retained (minimum) for fraud/security (e.g. 12–24 months), then may be aggregated.
  • Email Events: Delivery metadata purged or anonymized after defined windows (e.g. 180 days).
  • Backups: Encrypted rolling backups (short rotation; typically 30 days) then expired.

Security Measures

Technical Controls

  • TLS 1.2+ enforced.
  • Password hashing with modern algorithm (e.g. PBKDF2 / Argon2).
  • Role‑based access segregation.
  • Least‑privilege database roles.
  • Encrypted backups.

Operational Processes

  • Change review & deployment automation.
  • Audit logging (security events).
  • Limited staff access to production data (need‑to‑know).
  • Periodic vulnerability patching.

While no system can guarantee absolute security, we apply layered controls to minimize risk.

International Data Transfers

Data may be processed in jurisdictions where we or our sub‑processors maintain infrastructure (e.g. US, Canada, EU). When transferring Personal Data internationally we rely on appropriate safeguards (e.g. Standard Contractual Clauses, equivalent contractual protections).

Patient / Health Data

Qlynic is designed for scheduling & communication—not for full medical records. Clinics should avoid storing diagnostic or extensive health details within free‑text fields. If you require enhanced PHI controls, contact us to discuss configuration options.

Children

The platform is not directed to children under 13 (or under the age required by local law for consent). Clinics remain responsible for obtaining any parental/guardian consent where necessary for appointments involving minors.

Cookies & Tracking

  • Essential: Session authentication, CSRF tokens, load balancer affinity.
  • Preference: (Optional) theme / locale selection.
  • Analytics: Aggregated performance metrics (no cross‑site tracking) – may be disabled for strict environments.

You can control cookies via browser settings; disabling essential cookies may break sign‑in.

Sub‑processors

We engage specialized providers to deliver parts of the service. Each is reviewed for security & compliance.

| Provider | Purpose | Region / Data Location | Notes |
|---|---|---|---|
| Stripe | Payment processing | Global / regional routing | Handles card data; we never store card numbers. |
| Email service (e.g. SES) | Transactional emails | Regional endpoints | Delivery & minimal event metadata. |
| Cloud infrastructure | Hosting / DB | Primary + backup regions | Encrypted storage & backups. |

We will update this list when material additions occur.

Your Rights

Global

  • Access your data
  • Request correction
  • Request deletion (subject to legal limits)
  • Portability (structured export)
  • Object or restrict certain processing

Regional Enhancements

  • GDPR / UK GDPR: Additional right to complain to a supervisory authority.
  • CCPA / CPRA: Right to know, delete, and non‑discrimination; we do not “sell” data.
  • PIPEDA (Canada): Right to access and challenge accuracy, safeguards for sensitive info.

Data Subject Requests

To exercise rights, email privacy@your-domain.example from the address associated with your account. We may request limited verification. Response timelines:

  • Access / copy: Typically within 30 days.
  • Correction / deletion: Usually within 30 days (deletions may require backup cycle completion).
  • Objection / restriction: Evaluated case‑by‑case; we will confirm outcome.

Changes to This Policy

We may update this Privacy Policy for technical, legal, or business reasons. Material changes will be announced (e.g. dashboard notice or email). Continued use after the effective date indicates acceptance.

Contact Us

For privacy inquiries or rights requests:

Qlynic (Replace with legal entity)
123 Sample Street, Suite 200
City, Region, Country
privacy@your-domain.example

If you are in the EEA/UK and believe we have not addressed a concern, you may contact your local supervisory authority.