Now serving 9 specialty clinic types$497 setup · First month free
ClinicPulse

Privacy Policy

Last updated · 2026-04-27

1. Introduction

This Privacy Policy explains how ClinicPulse Pty Ltd (“ClinicPulse,” “we,” “us”) collects, uses, shares, and protects information when you use the ClinicPulse platform (“Service”).

This policy applies to information we collect about you as a customer (clinic owner, practitioner, staff member) and about the patients your clinic serves through the Service.

2. Information We Collect

Customer Information. Account details (name, email, clinic name, phone number, billing address), payment information (processed by Stripe — we do not store full card numbers), and usage analytics.

Patient Information. When patients call, message, or interact with your AI Receptionist, we process their phone number, name (if provided), conversation transcripts, appointment details, and other information they share. If your clinic is a HIPAA Covered Entity, this information may include Protected Health Information (PHI) and is governed by an executed Business Associate Agreement.

Technical Information. Browser type, IP address, device identifiers, log data, and cookies as described in Section 5.

3. How We Use Information

We use information to:

  • Provide, maintain, and improve the Service
  • Process payments and manage billing
  • Authenticate users and prevent fraud
  • Train and tune AI scripts within your tenant scope only — your data is not used to train models for other customers
  • Communicate with you about the Service, support, security, and product updates
  • Comply with legal obligations

4. Sharing + Subprocessors

We do not sell personal information. We share information with:

  • Service Subprocessors — vendors who provide infrastructure necessary to deliver the Service:
  • Stripe (billing + payment processing)
  • Twilio (telephony + SMS)
  • Vercel (web hosting)
  • Supabase (database, auth, storage)
  • Third-party AI providers (for AI Receptionist + chat capabilities)
  • Resend (transactional email)
  • Sentry (error monitoring)
  • PostHog (analytics)

A current list of subprocessors with BAA / DPA status is maintained and available on request to privacy@clinicpulseos.com.

We may also share information when legally required (subpoena, court order), to protect rights or safety, or in connection with a merger or acquisition (with notice).

5. Cookies + Tracking

We use essential cookies for authentication and session management, and analytics cookies (PostHog) to understand how the Service is used. You can manage cookie preferences in your browser. Disabling essential cookies will impair the Service.

6. Data Retention

We retain customer data for the duration of your subscription plus 90 days post-cancellation, after which it is deleted from active systems. Backups containing your data are retained for up to 12 months and then purged on rolling rotation.

You may request earlier deletion at any time by emailing privacy@clinicpulseos.com, subject to legal retention obligations.

7. Security

We use industry-standard security practices including encryption at rest, TLS encryption in transit, access controls, and audit logs. However, no system is 100% secure, and we cannot guarantee absolute security.

You are responsible for maintaining the confidentiality of your login credentials and using strong, unique passwords.

8. Your Rights

Depending on your jurisdiction, you may have rights to access, correct, delete, port, or restrict processing of personal information held about you, including:

  • California (CCPA / CPRA) — right to know, delete, correct, opt out of sale (we do not sell), limit use of sensitive personal information
  • European Economic Area + UK (GDPR / UK GDPR) — rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent
  • Australia (Privacy Act 1988 + APP) — rights of access and correction

To exercise these rights, email privacy@clinicpulseos.com. We will respond within timeframes required by applicable law.

9. HIPAA + Business Associate Agreements

If your clinic is a HIPAA Covered Entity and Protected Health Information will flow through the Service, you must request and execute a Business Associate Agreement (BAA) with ClinicPulse before using the Service to process PHI.

Without a signed BAA, you agree not to use the Service to process PHI. To request a BAA, contact legal@clinicpulseos.com.

10. International Transfers

ClinicPulse is operated by an Australian Pty Ltd. Customer and patient data is stored on US-based infrastructure (Supabase + Vercel). By using the Service, you consent to the transfer and processing of your information in Australia, the United States, and any other jurisdiction where our subprocessors operate.

For EEA / UK customers, we rely on Standard Contractual Clauses (SCCs) for cross-border transfers where required.

11. Children

The Service is not directed to children under 13, and we do not knowingly collect personal information from children. If a clinic using the Service serves pediatric patients, the clinic is responsible for compliance with applicable child-specific privacy law (e.g., COPPA).

12. Changes

We may update this Policy with notice of material changes via email or in-app notification at least 30 days before they take effect.

13. Contact

ClinicPulse Pty Ltd
Privacy: privacy@clinicpulseos.com
Legal: legal@clinicpulseos.com