Legal

Privacy Policy

This Privacy Policy explains how Clivora collects, uses, stores, and protects personal data — including patient data processed on behalf of healthcare organizations.

Last updated:

1. Introduction

Clivora respects your privacy and is committed to protecting personal data. This policy describes how we handle information when you visit our website, register for an account, and use the Clivora platform.

For patient data uploaded to the platform by healthcare organizations, Clivora acts as a data processor on behalf of those organizations. See our Data Processing Agreement for the details that apply in that role.

2. Data We Collect

We collect the following categories of data:

  • Account data: name, email, phone number, role, organization, password hash.
  • Usage data: pages visited, features used, device, browser, IP address, timestamps.
  • Billing data: plan, invoices, partial payment-method metadata (we never store full card numbers).
  • Support data: messages, attachments, and recordings you share with our support team.
  • Customer Data: clinical and administrative records uploaded by your organization, including patient demographics, appointments, clinical notes, lab results, prescriptions, and payments.

3. How We Use Data

We use personal data to:

  • Provide, secure, and improve the Service.
  • Authenticate users and prevent fraud or abuse.
  • Process payments and manage subscriptions.
  • Communicate with you about your account, product updates, and security notices.
  • Comply with legal, regulatory, and contractual obligations.

We do not sell personal data and we do not use Customer Data to train third-party AI models.

4. Legal Basis for Processing

Where applicable privacy law requires a legal basis, we rely on:

  • Performance of a contract (to provide the Service you subscribed to).
  • Compliance with a legal obligation.
  • Your consent (for optional features such as marketing communications).
  • Our legitimate interests (such as securing the Service and preventing abuse), balanced against your rights.

5. Patient Data Handling

Patient data is among the most sensitive categories of personal data. We process it strictly under the instructions of the healthcare organization that controls it.

  • Patient data is logically isolated per organization through multi-tenant access controls.
  • Access is governed by role-based permissions defined by each organization.
  • All access to patient data is logged for audit purposes.
  • Patient data is encrypted in transit and at rest.

6. Sharing With Third Parties

We share personal data only with trusted service providers that help us operate the Service, such as cloud hosting, email delivery, error monitoring, analytics, and payment processing. These providers are bound by contractual confidentiality and data-protection obligations.

We may also disclose data when required by law, to enforce our agreements, or to protect the rights, safety, and security of our users.

7. Data Retention

We retain personal data for as long as needed to provide the Service, to comply with legal obligations, to resolve disputes, and to enforce our agreements.

Customer Data, including patient records, is retained for the duration of the subscription. After termination, Customer Data is available for export for a limited period (typically 30 days) before secure deletion, unless a longer retention period is required by law.

8. Security Measures

We apply technical and organizational measures designed to protect personal data, including:

  • TLS encryption for all data in transit.
  • Encryption at rest for databases and backups.
  • Role-based access control and least-privilege access for our staff.
  • Audit logging for sensitive operations.
  • Regular backups, vulnerability scanning, and incident-response procedures.
  • Vetting of all sub-processors.

No system is completely secure; we work continuously to strengthen our controls.

9. Your Rights

Subject to applicable law, you may have the right to access, correct, delete, restrict, or object to the processing of your personal data, and to data portability. To exercise these rights, contact us using the details below.

If you are a patient of a healthcare organization that uses Clivora, please contact that organization first — they are the controller of your medical records.

10. Data Deletion Requests

Account holders may request deletion of their account from within the platform or by contacting support. Organization administrators may request deletion of organizational data, including patient records, at any time.

We verify the identity of the requester and complete deletion within a reasonable period, subject to any legal retention obligations.

11. International Data Transfers

Personal data may be processed in countries other than the country in which it was collected. Where this happens, we put in place appropriate safeguards required by applicable law, such as standard contractual clauses, to protect the data.

12. Children's Data

Clivora is intended for use by healthcare professionals. We do not knowingly collect personal data directly from children. Patient records that include minors are processed only at the direction of the treating organization and under appropriate clinical and legal oversight.

13. Changes to This Policy

We may update this Privacy Policy as our practices evolve or as required by law. We will notify account administrators of material changes through the platform or by email.

14. Contact

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact our team using the details below.

Need help?

Questions about this document?

Our team is here to help. Reach out and we will respond within two business days.

legal@clivora.appClivora Health, Compliance Team

Related documents

Related documents