Introduction
ClinicGateway ("we," "our," or "us") is committed to protecting your privacy and the confidentiality of healthcare information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our clinic management system and website.
As a healthcare technology provider, we understand the critical importance of data privacy and security. We comply with applicable healthcare privacy regulations, including the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and United Arab Emirates (UAE) data protection laws.
By using ClinicGateway's services, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.
Information We Collect
Healthcare Data (Protected Health Information - PHI)
When you use ClinicGateway as a healthcare provider, we collect and process Protected Health Information (PHI) on your behalf, including:
- Patient Demographics: Names, dates of birth, addresses, phone numbers, email addresses, and emergency contact information
- Medical Records: Medical history, diagnoses, treatment plans, medications, allergies, lab results, and clinical notes
- Insurance Information: Insurance provider details, policy numbers, and billing information
- Appointment Data: Appointment schedules, visit history, and provider assignments
- Billing Information: Payment records, invoices, and financial transactions
- Clinical Documentation: Progress notes, prescriptions, referrals, and medical imaging data
Website and Account Data
When you visit our website or create an account, we collect:
- Account Information: Name, email address, phone number, clinic name, and role
- Usage Data: IP address, browser type, device information, pages visited, and time spent on pages
- Communication Data: Messages sent through contact forms, support requests, and email communications
- Marketing Data: Newsletter subscriptions, demo requests, and marketing preferences
Cookies and Tracking Technologies
We use cookies, web beacons, and similar tracking technologies to collect information about your browsing behavior. See our Cookies and Tracking Technologies section for more details.
How We Use Your Information
Healthcare Data Usage
We use PHI solely for the purpose of providing our clinic management services, including:
- Managing patient records and medical histories
- Facilitating appointment scheduling and reminders
- Processing billing and insurance claims
- Generating clinical reports and analytics
- Enabling communication between healthcare providers and patients
- Ensuring continuity of care across multiple clinic locations
We do not use PHI for marketing purposes or sell patient data to third parties.
Website and Account Data Usage
We use website and account data to:
- Provide and maintain our services
- Process your requests and respond to inquiries
- Send important service updates and notifications
- Improve our website and user experience
- Analyze usage patterns and optimize performance
- Send marketing communications (with your consent)
- Detect and prevent fraud or security threats
Data Sharing and Disclosure
Healthcare Data Sharing
We share PHI only in the following circumstances:
- With Your Authorization: When you explicitly authorize us to share information with specific parties
- For Treatment Purposes: To facilitate patient care and treatment coordination
- For Payment Processing: To process insurance claims and billing
- For Healthcare Operations: To support clinic management and administrative functions
- As Required by Law: When required by court orders, subpoenas, or legal obligations
- For Public Health: To report communicable diseases or public health threats as required by law
Service Providers
We work with trusted third-party service providers who assist in operating our platform, including:
- Cloud Infrastructure: Supabase and other cloud providers for secure data hosting
- Email Services: Resend and similar providers for transactional and marketing emails
- Communication Platforms: WhatsApp Business API for patient communications
- Analytics Services: Google Analytics and similar tools for website analytics (anonymized data only)
All service providers are bound by strict confidentiality agreements and are required to comply with applicable privacy regulations.
Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change in ownership or control.
Healthcare-Specific Privacy Protections
HIPAA Compliance
ClinicGateway is designed to comply with the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations. As a Business Associate, we:
- Execute Business Associate Agreements (BAAs) with covered entities
- Implement administrative, physical, and technical safeguards to protect PHI
- Maintain comprehensive audit logs of all PHI access and modifications
- Provide breach notification as required by HIPAA regulations
- Ensure minimum necessary access to PHI based on user roles
- Support patient rights under HIPAA, including access, amendment, and accounting of disclosures
Patient Data Security
We employ multiple layers of security to protect patient data:
- Encryption: All PHI is encrypted in transit (TLS/SSL) and at rest (AES-256)
- Access Controls: Role-based access controls ensure users only access data necessary for their role
- Authentication: Multi-factor authentication and secure password policies
- Audit Trails: Comprehensive logging of all system access and data modifications
- Backup and Recovery: Regular automated backups with secure off-site storage
- Network Security: Firewalls, intrusion detection, and regular security assessments
Medical Records Retention
We retain medical records in accordance with applicable healthcare regulations and your clinic's retention policies. Typically, medical records are retained for a minimum of 6-10 years, depending on jurisdiction and record type.
International Compliance
United Arab Emirates (UAE) Data Protection
As a UAE-based healthcare technology provider, we comply with UAE Federal Law No. 45 of 2021 on the Protection of Personal Data. This includes:
- Obtaining explicit consent for data processing
- Implementing appropriate technical and organizational measures
- Respecting data subject rights
- Reporting data breaches to relevant authorities
- Ensuring data is processed lawfully and transparently
General Data Protection Regulation (GDPR)
For users in the European Economic Area (EEA), we comply with GDPR requirements, including:
- Lawful Basis: Processing data based on legitimate interests, consent, or legal obligations
- Data Minimization: Collecting only necessary data for specified purposes
- Purpose Limitation: Using data only for stated purposes
- Storage Limitation: Retaining data only as long as necessary
- Data Subject Rights: Supporting access, rectification, erasure, portability, and objection rights
Cross-Border Data Transfers
When transferring data across borders, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) for GDPR compliance
- Adequacy decisions where applicable
- Encryption and security measures during transfer
- Compliance with local data protection laws
Your Privacy Rights
Depending on your location and applicable laws, you may have the following rights:
Access Rights
You have the right to request access to your personal information and receive a copy of the data we hold about you.
Correction Rights
You can request correction of inaccurate or incomplete information. For healthcare data, corrections must comply with medical record regulations.
Deletion Rights
You may request deletion of your personal information, subject to legal and regulatory retention requirements. Healthcare records may be subject to mandatory retention periods.
Data Portability
You have the right to receive your data in a structured, commonly used, and machine-readable format and to transmit it to another service provider.
Opt-Out Rights
You can opt out of marketing communications at any time by clicking the unsubscribe link in emails or contacting us directly.
Objection Rights
You may object to certain types of data processing, including direct marketing and processing based on legitimate interests.
Restriction Rights
You can request restriction of processing in certain circumstances, such as when you contest the accuracy of data.
To exercise these rights, please contact us at privacy@clinicgetway.com. We will respond to your request within 30 days.
Cookies and Tracking Technologies
Types of Cookies We Use
- Essential Cookies: Required for the website to function properly (e.g., authentication, security)
- Analytics Cookies: Help us understand how visitors interact with our website (e.g., Google Analytics)
- Functional Cookies: Remember your preferences and settings
- Marketing Cookies: Used to deliver relevant advertisements and track campaign effectiveness
Managing Cookies
You can control cookies through your browser settings. However, disabling certain cookies may affect website functionality. Most browsers allow you to:
- View and delete cookies
- Block cookies from specific sites
- Block all third-party cookies
- Clear cookies when you close your browser
Third-Party Tracking
We use third-party services that may track your activity across websites, including:
- Google Analytics: Website analytics and usage statistics
- Social Media Platforms: Facebook, Twitter, and LinkedIn for social sharing and advertising
These services have their own privacy policies. We encourage you to review them.
Data Security
We implement industry-standard security measures to protect your information:
- Encryption: All data is encrypted using AES-256 encryption at rest and TLS 1.3 in transit
- Access Controls: Role-based access controls and the principle of least privilege
- Authentication: Multi-factor authentication, strong password requirements, and session management
- Network Security: Firewalls, intrusion detection systems, and DDoS protection
- Regular Audits: Security assessments, penetration testing, and vulnerability scanning
- Employee Training: Regular security awareness training for all staff
- Incident Response: Comprehensive incident response plan and breach notification procedures
Despite our security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your data to the best of our ability.
Data Retention
Healthcare Data
We retain healthcare data in accordance with applicable regulations and your clinic's retention policies:
- Medical Records: Typically 6-10 years from last patient contact, or as required by law
- Billing Records: Typically 7 years for tax and audit purposes
- Clinical Documentation: Retained per medical record retention requirements
Website and Account Data
We retain website and account data for as long as necessary to provide services and comply with legal obligations:
- Account Information: Retained while your account is active and for a reasonable period after closure
- Marketing Data: Retained until you opt out or request deletion
- Analytics Data: Aggregated and anonymized data may be retained indefinitely
Upon request, we will delete your data in accordance with applicable laws and regulations, subject to legal retention requirements.
Children's Privacy
ClinicGateway is designed for use by healthcare providers and is not intended for direct use by children under 18. However, we process information about pediatric patients as part of our healthcare services.
When processing information about minors:
- We comply with applicable laws regarding children's privacy
- Parental consent is obtained when required by law
- We implement additional safeguards for pediatric data
- Access to pediatric records is restricted to authorized healthcare providers
If you believe we have collected information from a child without proper consent, please contact us immediately at privacy@clinicgetway.com.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:
- Posting the updated policy on our website with a new "Last Updated" date
- Sending an email notification to registered users
- Displaying a prominent notice on our website or application
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of our services after changes become effective constitutes acceptance of the updated policy.
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
For healthcare-specific privacy concerns or to exercise patient rights under HIPAA, please contact your healthcare provider or our Privacy Officer.