
Privacy Policy

Our contact details

Name: The Clinic App Ltd
Address: Thames House, Roman Square, Sittingbourne, Kent, ME10 4BJ
E-mail: info@theclinicapp.com
Website: www.theclinicapp.com

The type of personal information we collect 

Under the key definitions of the General Data Protection Regulation (GDPR), The Clinic App Ltd. serves the role of ‘Data Processor’, whereas the users of our software are considered ‘Data Controllers’, and finally the patients whose data is held within our software are considered to be the ‘Data Subjects’. 

While we do host the product and manage the storage solutions for the data handled by the products, we do not handle or collect any of the data you enter within the software. We do however collect certain data on the software licence holders. The data is provided to us by you, on our “Start Now” webpage or by email, so we can provide you with the software, collect payment, and keep you up to date on any new features, improvements or fixes. We do not share this information.

We currently collect and process the following information:

  • Clinic/Business Name, Email address, postal address, telephone number(s)
  • Name of Main Account Holder and email address
  • Date of registration, Date of Subscription payment, Subscription details (i.e. number of users and any additional features used, if any), and Date of the termination of the subscription

All of this data is held on a secure, dedicated system that meets the same security standards as outlined in the “Data storage and security” section of this document. We hold this data for as long as your account is active. After that we will keep this information for up to 90 days. We will then delete this information. You may ask us to delete this information sooner when you close your account by sending an email request to info@theclinicapp.com.

Data Storage and security

The Clinic App meets the data security requirements outlined within GDPR.

Your data is hosted on Google Cloud Platform in a Google SQL database. You can read more about Google Cloud Platform here: https://cloud.google.com/

The data is stored on Google Storage and is automatically backed up and retained for 7 days as a measure facilitating disaster recovery. The data is encrypted at rest and we also implement meticulous security methods outside of the server, like implementing 256-bit SSL encryption to all incoming and outgoing connections, meaning your data is always safe from prying eyes when you use our software, thanks to a high-level encryption method used whenever data is saved. For more information about the encryption at rest please see: https://cloud.google.com/docs/security/encryption/default-encryption

Data Access and Security

In normal circumstances, we do not access your database. In some extreme circumstances, errors may occur within a user’s system that require escalation to our senior development team. In these cases, they may need to download a copy of the user’s database to troubleshoot the error without the risk of corrupting or altering any live data. In such a case, we will execute the download via a secure, encrypted data transfer method and will implement strict policies on storage and eventual destruction of the data.

Staff that could have access to your data as per the above are trained to execute any data transfer securely as per our policies. All staff only have access to data they require to perform their duties and access to all of our systems is password protected and only shared with the relevant people. Passwords are reviewed and changed regularly and every time a staff member leaves.

Data Transfer & Email Security

While every effort is made to secure the safety of the data while it is stored on our servers, there are cases in which the data can be transferred outside of our system i.e. during the data transfer involved in accessing the software, or when sending emails. 

When a user logs into the software, either via the App or the online booking portal, a dedicated connection is made to one of our dedicated Application servers – these servers solely house the software and no data. A ring-fenced connection is then made from the Application Server to the Data Server, meaning no connections can be made to the databases from any other device. 

When any data is sent between the client and the Application Server, these connections use 256-bit end-to-end SSL encryption to ensure the maximum level of data security. In cases where an email is sent from the software to a third party, i.e. the patient, these emails are sent via SendGrid. You can find out more about SendGrid Security here: https://sendgrid.com/en-us/policies/security

Personal Data breaches

We have implemented robust breach detection, investigation and internal reporting procedures to help us identify whether or not we need to notify the ICO or affected individuals in the case of certain personal breaches. 

Once the severity of the breach is assessed, any data breach will be reported to the ICO within 72 hours. In the case where the breach is likely to result in a high risk to the individual’s rights and freedoms, we will also inform those individuals without delay. We also keep a record of any personal data breach.

Pricing

TheClinicApp is a clinic management software free to try for 14 days

Simple and affordable pricing. Pricing is per clinical user and admin staff are free.

Full Time

£10/mo

  • Full-Time Clinical User.
  • A diary user, working more than 15 hours per week.

Part Time

£5/mo

  • Part-Time Clinical User.
  • A diary user, working 15 hours or less per week.

Admin Staff

£0/mo

  • Admin staff are free.
  • A staff member who does not need a diary, but does need access.

Additional charges

SMS messages are 8p

Automated emails are 2p
