Last updated · 2026-04-29

Privacy Policy

This Privacy Policy explains what data ClinicPulse collects, how we use it, who we share it with, your rights, and how we protect it. We treat your data, and your patients' data, like the sensitive healthcare information it is.

1. Scope + Who We Are

ClinicPulse is a Practice OS for specialty clinics. ClinicPulseos.com (ClinicPulse) is a DBA of RKS GROUP WA PTY LTD ("ClinicPulse," "we," "us," "our"). This Policy applies to: (a) clinic owners and operators using the Service, (b) end users (patients, members) whose data flows through the Service on a clinic's behalf, and (c) website visitors at clinicpulseos.com. Where you operate as a HIPAA-covered entity, we act as a Business Associate per a separately executed BAA.

2. Data Controller + Contact

For data you provide directly to us (account, billing, configuration), ClinicPulse is the data controller. For patient data you process via the Service on behalf of your clinic, you are the data controller and we are the data processor / Business Associate. Privacy questions, requests, or complaints go to support@clinicpulseos.com.

3. Information We Collect

From you (the clinic owner / operator)

  • Account info: name, email, phone, business address, payment details (processed and stored by Stripe; we don't store full card numbers)
  • Clinic info: specialty, locations, providers, business identifiers, NPI / equivalent licensing
  • Configuration: AI scripts, recall workflows, branding, integrations
  • Usage logs: features used, timestamps, device, browser, IP address, performance telemetry
  • Communications with us: support emails, demo-call notes, onboarding-call recordings (with your consent)

From your end users (patients / members), on your behalf

  • Contact info: name, phone, email
  • Communication content: call recordings, transcripts, web chat messages, SMS, social DMs
  • Appointment data: bookings, no-shows, cycle dates, refill schedules
  • Protected Health Information (PHI): where you've executed a BAA with us and configured the Service to collect it
  • Inferred attributes: qualification status, intent classification, lifecycle stage (used to power workflows)

From website visitors

  • Standard server logs (IP, user agent, timestamps), aggregated analytics, and any information submitted via demo-call / onboarding-call forms

4. How We Collect Information

  • Directly from you: when you sign up, configure your account, or contact us
  • From your end users: when they call, message, or submit forms via channels you've connected to the Service
  • Automated collection: usage logs and telemetry generated as you use the Service
  • From integrations you enable: e.g., Zapier, your PMS, your CRM. Only the data you configure to flow is transferred

5. How We Use Information

  • Deliver the Service: AI Receptionist, recall workflows, scheduling, the Practice OS, the Patient Growth Suite, reporting
  • Improve the Service: aggregated, anonymized analytics on AI conversation quality, recall conversion rates, feature usage
  • Communicate with you: product updates, billing, support, security alerts
  • Comply with legal obligations: tax records, lawful subpoenas, fraud prevention, AML / KYC where applicable
  • Protect our Service and users: abuse detection, rate limiting, account-takeover prevention

What we don't do: sell your patient data, sell your clinic data, train external AI models on your patient data, share your data with advertisers, or use patient data for marketing to anyone other than the clinic that owns it.

6. Legal Bases for Processing (GDPR / Australian Privacy Principles)

  • Contract: processing necessary to deliver the Service you've subscribed to
  • Legitimate interest: securing the Service, improving features in aggregated form, fraud prevention
  • Consent: for optional analytics cookies, marketing emails to clinic owners (you can withdraw at any time)
  • Legal obligation: tax records, regulatory compliance, lawful requests from authorities
  • Vital interest / public interest: rarely applicable, only in emergency safety scenarios

For end-user (patient) data, your clinic determines the legal basis as the data controller. We process per your instructions and the BAA where applicable.

7. AI Training + Your Data

We use a mix of vendor LLMs (e.g., OpenAI, Anthropic) and our own configurations to power AI features. Your patient conversations are not used to train external models. We've enabled enterprise privacy controls with our LLM vendors that exclude your data from their training pipelines. For HIPAA customers, BAAs are in place with all sub-processors handling PHI. We may use anonymized, aggregated patterns (e.g., "30% of refill recalls in our system convert within 7 days") to improve recall workflows industry-wide; this never includes any identifiable data from any clinic.

8. Sharing + Disclosure

We share data only with:

  • Sub-processors who help deliver the Service (see Section 9)
  • Integrations you enable (Zapier, Make, your PMS, marketing tool). You control what flows; we facilitate the connection
  • Professional advisors (auditors, lawyers, accountants) under confidentiality, where reasonably necessary
  • Legal authorities when required by valid subpoena, court order, or applicable law. We notify you where legally permitted
  • Successor in interest in the event of merger, acquisition, or sale of substantially all assets, on notice to you

We don't sell, rent, or trade your data. We don't share patient data with advertisers under any circumstance.

9. Sub-Processors

Current sub-processors:

  • Twilio (US) — telephony, SMS. BAA in place
  • Stripe (US) — payments. BAA not applicable (no PHI; payment data only)
  • AWS (US, AU regions) — hosting, storage, compute. BAA in place
  • OpenAI (US) — LLM inference for select AI Receptionist functions. BAA in place; enterprise privacy controls excluding training
  • Anthropic (US) — LLM inference for select AI Receptionist functions. BAA in place; zero-retention configuration
  • Google Cloud (US, AU regions) — analytics, search indexing where applicable. BAA in place where PHI is involved
  • SendGrid / Postmark (US) — transactional email. BAA in place where PHI may be referenced
  • Sentry (US) — error monitoring. PHI scrubbing configured at the SDK layer

We may add or change sub-processors with 30 days' email notice. Current list always available at support@clinicpulseos.com.

10. Data Retention

We retain your data for as long as your account is active plus a 90-day post-cancellation export window. During the export window, you can download your data in a machine-readable format. After 90 days, we delete or anonymize, except where law requires longer retention (e.g., billing records, audit logs typically retained for 7 years; HIPAA-required logs per applicable rule). Aggregated, anonymized analytics may be retained indefinitely as they don't identify any individual or clinic.

11. International Data Transfers

ClinicPulse is operated from Australia. Your data may be processed in Australia, the United States, and other jurisdictions where our sub-processors operate. For transfers from the EU/UK, we rely on Standard Contractual Clauses (SCCs). For transfers from California, we comply with the CCPA / CPRA. For transfers from Australia, we comply with the Australian Privacy Principles (APPs). We have implemented technical and organizational measures (encryption in transit and at rest, access controls, audit logs) appropriate to the level of risk.

12. Your Rights

Depending on your jurisdiction (GDPR, UK GDPR, CCPA / CPRA, Australian Privacy Principles, others), you may have the right to:

  • Access the data we hold about you
  • Correct inaccurate or incomplete data
  • Request deletion (subject to legal retention obligations)
  • Export your data in a machine-readable format (data portability)
  • Object to certain processing or withdraw consent
  • Restrict processing in certain circumstances
  • Lodge a complaint with a supervisory authority (e.g., the Office of the Australian Information Commissioner, your state attorney general, or your EU DPA)

For end-user (patient) rights requests, contact your clinic first; we'll work with the clinic to fulfill the request as required by law and the BAA. For your own data, email support@clinicpulseos.com. We respond within 30 days. We do not retaliate against accounts that exercise their rights.

13. Cookies + Tracking

We use minimal cookies: session authentication, remembered preferences, and aggregated analytics. We don't use third-party advertising trackers. We don't use cross-site tracking pixels. You can decline non-essential cookies in your browser without breaking core functionality. We do not use Google Analytics for any patient-facing flow; for clinic-owner dashboards, we use first-party analytics.

14. Children's Data

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13 except as part of pediatric care provided through a clinic that has executed a BAA, where parental consent is obtained by the clinic per HIPAA / state law. If you believe a child under 13 has provided us with information without parental consent, contact support@clinicpulseos.com and we'll investigate and delete as appropriate.

15. Security Measures

We employ industry-standard administrative, technical, and physical safeguards:

  • Encryption at rest with AES-256
  • Encryption in transit with TLS 1.3 (TLS 1.2 minimum on all endpoints)
  • Audit logs on every PHI access
  • Role-based access controls; least-privilege principle
  • Multi-factor authentication on all production access
  • Annual penetration tests by third-party security firms
  • Quarterly internal security reviews
  • Signed confidentiality agreements with all personnel and sub-processors
  • Breach detection and incident response plan tested quarterly

No system is impenetrable. If we suffer a security incident affecting your data, we'll notify you per Section 16.

16. HIPAA / BAA Framework

Where you are a HIPAA-covered entity, we operate as your Business Associate under a separately executed BAA. The BAA governs PHI handling, breach notification timelines (we notify within 24 hours of confirmed breach), sub-processor flow-down, and your rights to audit. Patient (end-user) rights under HIPAA (access, amendment, accounting of disclosures) are routed through your clinic; we provide tooling and reporting to fulfill them within HIPAA-required timeframes.

17. Breach Notification

In the event of a personal data breach affecting your data, we notify you without undue delay and within 24 hours of confirmation for PHI breaches per the BAA. Notice will include: the nature of the breach, categories and approximate number of records affected, the likely consequences, and the measures taken or proposed. We support you in any further notification you must make to end users or supervisory authorities.

18. Changes to This Policy

We may update this Policy from time to time. Material changes will be communicated by email to your account address at least 30 days before taking effect. Continued use after the effective date constitutes acceptance. Prior versions are archived and available on request.

19. Contact

Have questions about your privacy, want to exercise a right, or need to report a concern? Email support@clinicpulseos.com. We respond within one business day. For formal complaints, you may also contact the Office of the Australian Information Commissioner (OAIC), your state attorney general, or your local data protection authority.

ClinicPulseos.com (ClinicPulse) is a DBA of RKS GROUP WA PTY LTD. Payments processed in USD via Stripe.

© 2026 ClinicPulse · All rights reserved