Scope & Definitions
This policy covers all services hosted under domains operated by Qlynic.
“Clinic Data” means administrative, scheduling, provider, and operational information.
“Patient Data” means information entered to manage appointments and related communications.
“Provider” — individual offering clinical services.
“Appointment Metadata” — time, duration, status.
“Transactional Email” — confirmations, reminders, receipts.
“PHI / Sensitive Data” — minimal contact & scheduling; no diagnostic records by default.

Information We Collect
Data You Provide
Account registration (name, email, password hash).
Clinic profile (timezone, address, optional logos).
Provider roster & availability.
Patient booking details (name, email, chosen slot).
Support or feedback submissions.
Data We Generate
Booking activity logs (timestamps, action type).
Email delivery metadata (sent, bounced).
Aggregated analytics (volume, utilization).
Fraud / abuse signals (rate limiting).
Collected Automatically
IP address (security & anti‑abuse).
User agent & device traits.
Session tokens (secure, HttpOnly).
Minimal cookies (auth / CSRF).
Not Collected By Default
Payment card numbers (processed via Stripe).
Diagnostic notes / full medical records.
Government IDs.
Biometric templates.
No selling
We do not sell Personal Data. We use information to run and secure the platform.

Legal Bases (EEA / UK)
For users in the EEA / UK we rely on:
Contract: To deliver core booking and reminder functionality.
Legitimate interests: Prevent abuse, improve reliability, and secure the platform.
Consent: Optional marketing communications (separately requested).
Legal obligation: Compliance with applicable laws and lawful requests.

How We Use Information
Platform Operations: Scheduling, provider management, reminders, receipts, and system notifications.
Security: Monitoring for abusive patterns, rate limiting, and protecting accounts.
Improvements: Aggregated, de‑identified metrics to tune performance and UX.
Compliance: Meeting tax, accounting, and regulatory obligations (limited scope).

Retention
We retain Personal Data only as long as required for its processing purpose or legal obligations.
Account & Clinic Data: Kept while account is active + short grace period unless deletion is requested sooner.
Booking Logs: Core audit entries retained for fraud/security, then may be aggregated.
Email Events: Delivery metadata purged or anonymized after defined windows.
Backups: Encrypted rolling backups on short rotation then expired.

Security Measures
Technical Controls
TLS 1.2+ enforced.
Password hashing with modern algorithm.
Role‑based access segregation.
Least‑privilege database roles.
Encrypted backups.
Operational Processes
Change review & deployment automation.
Audit logging (security events).
Limited staff access (need‑to‑know).
Periodic vulnerability patching.
While no system can guarantee absolute security, we apply layered controls to minimize risk.

International Data Transfers
Data may be processed in jurisdictions where we or our sub‑processors maintain infrastructure. When transferring Personal Data internationally we rely on appropriate safeguards (e.g. Standard Contractual Clauses or equivalent protections).

Patient / Health Data
Qlynic is designed for scheduling & communication—not for full medical records. Clinics should avoid storing diagnostic or extensive health details within free‑text fields.

Children
The platform is not directed to children under 13 (or under the age required by local law for consent). Clinics remain responsible for obtaining any parental/guardian consent where necessary.

Cookies & Tracking
Essential: Session authentication, CSRF tokens.
Preference: (Optional) locale selection.
Analytics: Aggregated performance metrics (no cross‑site tracking).
You can control cookies via browser settings; disabling essential cookies may break sign‑in.

Sub‑processors
We engage specialized providers to deliver parts of the service.
Provider | Purpose | Region | Notes
Stripe | Payment processing | Global / regional routing | Handles card data; we never store card numbers.
Email service | Transactional emails | Regional endpoints | Delivery & minimal event metadata.
Cloud infrastructure | Hosting / DB | Primary + backup regions | Encrypted storage & backups.
Updates: We will update this list when material additions occur.

Your Rights
Global
Access your data
Request correction
Request deletion (subject to legal limits)
Portability (structured export)
Object or restrict certain processing
Regional Enhancements
GDPR / UK: Right to complain to supervisory authority.
CCPA / CPRA: Right to know, delete, non‑discrimination.
PIPEDA: Right to access and challenge accuracy.

Data Subject Requests
Email support@qlynic.com from the address associated with your account. We may request limited verification.
Access / copy: Typically within 30 days.
Correction / deletion: Usually within 30 days (backup cycle may apply).
Objection / restriction: Evaluated case‑by‑case; we will confirm outcome.

Changes to This Policy
We may update this Privacy Policy for technical, legal, or business reasons. Material changes will be announced. Continued use after the effective date indicates acceptance.

Contact Us
For privacy inquiries or rights requests:
Entity: Qlynic by Gorilla Core LLC
Address: 225 11 AVE SE, Calgary, Alberta Canada, (T2G0G3)
Email: support@qlynic.com