Legal Document

Privacy Policy

How Klinica collects, uses, and protects personal data — your rights under the GDPR and beyond.

Version: 1.0
Effective: May 31, 2026
Regulation: GDPR 2016/679

Table of Contents

  1. Who We Are
  2. What Data We Collect
  3. How We Use Your Data
  4. Lawful Basis for Processing
  5. Who We Share Data With
  6. How We Protect Your Data
  7. Data Retention
  8. Your Rights Under GDPR
  9. Cookies and Tracking
  10. Children's Privacy
  11. Changes to This Policy
  12. Contact Us

Section 1

Who We Are

Klinica (operating at klinica.space) is a Software-as-a-Service (SaaS) platform that provides clinic management, online booking, patient management, and scheduling tools for healthcare professionals.

For the purposes of GDPR, Klinica acts as:

  • Data Controller — for personal data we collect directly (e.g., account registration data for clinic administrators).
  • Data Processor — for patient and clinical data entered by clinics using our platform. The clinic remains the Data Controller for their patients' data.

Section 2

What Data We Collect

We collect different types of personal data depending on your role:

For clinic administrators and staff:

  • Full name and email address (for account creation and login)
  • Clinic name and subdomain preferences
  • Subscription and billing contact details (not payment card data — handled by Paddle.com)
  • IP address and browser/device information (for security and fraud prevention)
  • Usage logs and activity records within the platform

For patients (processed on behalf of the clinic):

  • Name, date of birth, gender, and contact information
  • Appointment history and scheduling data
  • Clinical notes and medical records entered by the clinic

Section 3

How We Use Your Data

We use the data we collect for the following purposes:

  • Providing the service: Operating your clinic management platform, enabling online bookings, and managing patient records.
  • Account management: Creating and maintaining your clinic account, including authentication and access control.
  • Communications: Sending essential service notifications, onboarding emails, trial expiry reminders, and security alerts.
  • Billing: Managing your subscription and processing payments through our payment partner.
  • Security: Detecting and preventing fraudulent activity, unauthorized access, and abuse.
  • Legal compliance: Meeting our obligations under applicable laws and regulations.
  • Service improvement: Analyzing anonymized, aggregated usage data to improve platform features — we never use patient data for this.

We never sell your data. We do not use your data or your patients' data for advertising, profiling, or any commercial purposes beyond providing the Klinica service.

Section 4

Lawful Basis for Processing

Under GDPR Article 6, we rely on the following lawful bases:

  • Contractual necessity (Art. 6(1)(b)): Processing required to fulfil our contract with you (providing the platform).
  • Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, and service improvement.
  • Legal obligation (Art. 6(1)(c)): Compliance with applicable laws (e.g., tax records, data breach reporting).
  • Consent (Art. 6(1)(a)): Where we explicitly request your consent (e.g., marketing communications). You may withdraw consent at any time.

For patient data processed on behalf of clinics, the clinic bears responsibility for establishing the appropriate lawful basis under healthcare law.

Section 5

Who We Share Data With

We do not sell, rent, or share personal data with third parties for their own purposes. We share data only with:

  • Hetzner Online GmbH (Germany): Cloud infrastructure provider hosting our servers. ISO 27001 certified. All data stays in the EU.
  • Paddle.com: Payment processing for subscriptions (acts as Merchant of Record). We share only billing contact details — no medical or patient data is shared.
  • Transactional email service: For sending system notifications. Only the recipient email address and minimal content are shared.
  • Law enforcement or regulators: Only when legally required and to the minimum extent necessary.

All third-party processors are bound by data processing agreements and are required to implement adequate security measures.

Section 6

How We Protect Your Data

Security is fundamental to our platform design. Key measures include:

  • AES-256 encryption at rest for all stored data, including database backups.
  • TLS 1.3 encryption in transit for all communication between your browser and our servers.
  • Strict tenant isolation: Each clinic has its own dedicated database. There is no shared database between clinics by design.
  • ISO 27001 certified infrastructure hosted entirely in Germany with Hetzner Online GmbH.
  • Bcrypt password hashing — passwords are never stored in plain text.
  • Comprehensive audit logging for all sensitive operations.
  • Regular security reviews and prompt patching of critical vulnerabilities.

Section 7

Data Retention

We retain personal data for as long as necessary to provide our services and comply with legal obligations:

  • Active accounts: Data is retained for the duration of your subscription.
  • After account termination: You have 30 days to export your data. After that, all personal data is permanently deleted, including from backups.
  • Billing records: Retained for 7 years to comply with tax and accounting obligations.
  • Security logs: Retained for 90 days for security monitoring purposes.

Section 8

Your Rights Under GDPR

As an EU resident, you have the following rights over your personal data:

Right of Access (Art. 15)

Request a copy of the personal data we hold about you.

Right to Rectification (Art. 16)

Request correction of inaccurate or incomplete personal data.

Right to Erasure (Art. 17)

Request deletion of your personal data ("right to be forgotten").

Right to Restrict (Art. 18)

Request that we limit how we use your personal data in certain circumstances.

Right to Portability (Art. 20)

Receive your data in a structured, machine-readable format to transfer to another service.

Right to Object (Art. 21)

Object to processing based on legitimate interests or for direct marketing.

To exercise any of these rights, contact us at privacy@klinica.space. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection supervisory authority at any time.

Section 9

Cookies and Tracking

Klinica uses essential cookies required for the platform to function (session management, CSRF protection, authentication). We do not use advertising cookies or third-party tracking pixels.

  • Session cookies: Required for authenticated access to the platform. Deleted when you close your browser.
  • CSRF tokens: Security tokens to protect form submissions.
  • Preference cookies: Storing your UI preferences (e.g., language, display settings).

We do not use Google Analytics, Facebook Pixel, or any advertising tracking technologies on our platform.

Section 10

Children's Privacy

The Klinica platform (for clinic administrators) is not intended for use by persons under 18 years of age. We do not knowingly collect personal data from children for account registration purposes.

Note: Clinics may store records for minor patients (with parental/guardian consent). In such cases, the clinic is the Data Controller and is responsible for ensuring appropriate consent and legal basis under applicable healthcare law.

Section 11

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via:

  • Email notification to the address associated with your account.
  • A prominent notice within your Klinica dashboard.

Continued use of Klinica after the effective date of an updated policy constitutes acceptance of the changes. If you do not agree, you may terminate your account before the changes take effect.

Section 12

Contact Us

For any privacy-related questions, data subject requests, or concerns, please contact us:

Klinica — Privacy Team
Email: privacy@klinica.space
Web: klinica.space

For urgent data protection matters or to report a security concern, email us directly. We aim to respond to all enquiries within 5 business days.

You may also contact the relevant data protection supervisory authority in your country if you believe your rights have been violated.

© 2026 Klinica. All rights reserved.