ClinicOS

Privacy Policy

This Privacy Policy (Personal Data Processing Policy) describes how ClinicOS ("we," "us," or "our") collects, uses, and protects your information when you use our AI receptionist platform and related services. By using ClinicOS, you grant your prior, express, and informed authorization for the processing of your personal data as described in this policy, in accordance with Colombia's Law 1581 of 2012 and Decree 1377 of 2013.

Data Controller

1. Information We Collect

We collect information in several categories depending on how you interact with ClinicOS:

a) Account Data

When you create an account, we collect:

  • Full name and email address
  • Clinic or practice name
  • Country of operation
  • Selected subscription plan
  • Authentication credentials (managed by Auth0)

b) Clinic Data

To configure your AI receptionist, we collect:

  • Services offered by your clinic
  • Business hours and scheduling preferences
  • Accepted insurance providers
  • Staff names and roles (optional)
  • Clinic address and contact information

c) AI Interaction Data

Calls handled by our AI receptionist are recorded for quality and scheduling purposes. When patients interact with your AI receptionist, we collect:

  • Call transcripts and conversation logs
  • Appointment requests (patient name, phone, preferred time, reason for visit)
  • Call metadata (duration, timestamps, outcome)

Sensitive data: Some collected data may be health-related, which is considered sensitive data under Article 5 of Colombia's Law 1581 of 2012. This data is collected solely for appointment scheduling purposes and is not mandatory. Data subjects are not required to provide sensitive data.

d) Usage Data

We automatically collect:

  • Page views and navigation patterns
  • Feature usage analytics
  • Device type, browser, and operating system
  • IP address and approximate location

e) Cookies & Tracking

ClinicOS uses the following session cookies to maintain your authenticated state:

  • __clinicos_web_session — marketing site and checkout session
  • __clinicos_dashboard_session — clinic management dashboard session

We do not use third-party tracking cookies. We do not serve ads or share browsing data with advertising networks.

2. How We Use Your Information

We use the information we collect to:

  • Provide and operate the AI receptionist platform
  • Process appointment requests and manage clinic schedules
  • Improve voice recognition accuracy and response quality
  • Process billing and manage subscriptions
  • Send service-related communications (system alerts, billing notices, product updates)
  • Maintain security and prevent fraud
  • Comply with legal obligations

3. Third-Party Data Processors

We share data with the following third-party processors, each under appropriate data processing agreements. We do not sell your personal information to any third party.

  • ElevenLabs — AI voice synthesis and speech processing for the receptionist
  • Twilio — telephony infrastructure and SIP routing for inbound/outbound calls
  • Lemon Squeezy — payment processing and merchant of record for subscriptions
  • Auth0 — identity management and authentication
  • Vercel — frontend application hosting and edge delivery
  • Pantheon — backend infrastructure hosting (Drupal CMS)
  • Meta/WhatsApp — WhatsApp messaging for patient communication (when enabled)

4. Data Security

We implement industry-standard security measures to protect your information, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls and audit logging
  • HMAC-SHA256 verification on all inbound webhooks
  • Secrets management via encrypted key storage (never hardcoded)
  • Regular security assessments and vulnerability testing
  • Hosting on SOC 2 certified infrastructure

5. Data Retention

  • Account data — retained while your account is active, plus 90 days after account deletion to allow for reactivation or data export.
  • Call logs and conversation transcripts — retained for 12 months from the date of the interaction, then automatically purged.
  • Payment and billing records — retained for 7 years as required by applicable tax law.
  • Usage analytics — retained in aggregated, anonymized form indefinitely for service improvement.

6. International Data Transfers

ClinicOS processes data primarily in the United States. If you are located outside the US, your data will be transferred to and processed in the US. We implement the following safeguards for international transfers:

  • EU/EEA (GDPR) — We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for data transfers outside the EEA.
  • Colombia (Ley 1581 de 2012) — The United States was declared a country with an adequate level of data protection by the Superintendencia de Industria y Comercio (SIC) in August 2017. We comply with Colombian data protection law, including Habeas Data rights and cross-border transfer requirements.
  • Brazil (LGPD) — We process data in accordance with Brazil's General Data Protection Law where applicable.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — Request a copy of the personal data we hold about you.
  • Rectification — Request correction of inaccurate or incomplete data.
  • Erasure — Request deletion of your personal data, subject to legal retention requirements.
  • Data Portability — Receive your data in a structured, machine-readable format.
  • Opt-Out of Sale — We do not sell personal information. If this changes, you will have the right to opt out.
  • Withdraw Consent — Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at privacy@clinic-os.co or use the privacy settings in your dashboard. Under Colombia's Law 1581 of 2012, we will respond to access requests within 10 business days (extendable by 5 days) and rectification, deletion, or opposition requests within 15 business days (extendable by 8 days).

If you believe your rights have not been adequately addressed, you may file a complaint with the Superintendencia de Industria y Comercio (SIC) at www.sic.gov.co.

8. Children's Privacy

ClinicOS is not directed at children under the age of 13 (or under 16 in the EEA). We do not knowingly collect personal information from children. If we learn that we have collected data from a child without parental consent, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at privacy@clinic-os.co.

9. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice via email to the address associated with your account before the changes take effect. Non-material changes (such as formatting or clarifications) may be made without notice. Your continued use of ClinicOS after the effective date constitutes acceptance of the updated policy.

10. Contact

For privacy-related inquiries, data requests, or complaints, contact us at privacy@clinic-os.co.

Last updated: March 2026