Privacy Policy

Last Updated: October 10, 2025

Important:

This Privacy Policy explains how Clinxra collects, uses, and protects your information when you use our clinical management platform. We are committed to protecting your privacy and maintaining the confidentiality of healthcare information.

1. Introduction

Clinxra ("we," "us," or "our") operates the clinical management platform available at clinxra.com and through our mobile applications (the "Service"). This Privacy Policy informs you of our policies regarding the collection, use, and disclosure of personal information when you use our Service.

By using our Service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Personal Information

We collect several types of information from and about users of our Service:

  • Account Information: Name, email address, phone number, professional credentials, and billing information
  • Profile Information: Professional details, clinic information, specialization, and license numbers
  • Authentication Data: Username, password (encrypted), and security questions
  • Communication Data: Messages, support requests, and feedback you send to us

2.2 Patient Health Information (PHI)

Healthcare Data:

As a healthcare management platform, Clinxra processes Protected Health Information (PHI) and personal health data that you input into our system, including but not limited to:

  • Patient demographics and contact information
  • Medical histories and clinical assessments
  • Treatment plans and progress notes
  • Appointment schedules and medical records
  • Diagnostic information and test results

2.3 Technical Information

  • Device Information: IP address, browser type, operating system, device identifiers
  • Usage Data: Pages visited, features used, time spent on the platform, click patterns
  • Log Data: Server logs, error reports, and performance metrics
  • Cookies and Tracking: Session cookies, preference cookies, and analytics data

3. How We Use Your Information

3.1 Service Provision

  • Provide, maintain, and improve our clinical management platform
  • Process and store patient information as directed by healthcare providers
  • Enable appointment scheduling and patient management features
  • Generate reports and clinical documentation
  • Facilitate communication between healthcare providers and patients

3.2 Account Management

  • Create and manage user accounts
  • Authenticate users and ensure account security
  • Process subscription payments and billing
  • Provide customer support and technical assistance

3.3 Legal and Compliance

  • Comply with applicable healthcare regulations and laws
  • Respond to legal requests and prevent fraud
  • Maintain audit trails for regulatory compliance
  • Ensure data security and meet breach notification requirements

4. Legal Basis for Processing (GDPR Compliance)

When applicable, we process personal data based on the following legal grounds:

  • Contractual Necessity: To perform our contract with you and provide the Service
  • Legitimate Interest: To improve our services, ensure security, and conduct business operations
  • Legal Obligation: To comply with healthcare regulations and legal requirements
  • Consent: Where you have given explicit consent for specific processing activities
  • Vital Interests: To protect the vital interests of patients in emergency situations

5. Information Sharing and Disclosure

5.1 We Do Not Sell Your Data

We do not sell, trade, or otherwise transfer your personal information or patient health information to third parties for commercial purposes.

5.2 Limited Sharing

We may share information only in the following circumstances:

  • Service Providers: With trusted third-party vendors who assist in providing our Service (e.g., cloud hosting, payment processing) under strict confidentiality agreements
  • Legal Requirements: When required by law, court order, or governmental request
  • Emergency Situations: To protect the health and safety of patients in emergency circumstances
  • Business Transfers: In connection with a merger, acquisition, or sale of assets (with notice to users)
  • User Direction: When you explicitly authorize us to share information with specific parties

5.3 Healthcare Provider Responsibilities

Healthcare providers using our platform are responsible for:

  • Obtaining appropriate patient consents for data processing
  • Ensuring compliance with applicable healthcare privacy laws
  • Managing access permissions for their staff and associates
  • Notifying patients about data sharing practices within their organization

6. Data Security

6.1 Technical Safeguards

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Multi-factor authentication and role-based access controls
  • Infrastructure: Secure cloud hosting with SOC 2 Type II compliance
  • Monitoring: 24/7 security monitoring and intrusion detection systems
  • Backup: Regular encrypted backups with geographic distribution

6.2 Administrative Safeguards

  • Regular security training for all personnel
  • Background checks for employees with data access
  • Incident response procedures and breach notification protocols
  • Regular security audits and vulnerability assessments

6.3 Physical Safeguards

  • Secure data centers with biometric access controls
  • Environmental monitoring and protection
  • Secure disposal of hardware and storage media

7. Data Retention

Data Type                    Retention Period                      Purpose
Account Information          Duration of subscription + 7 years    Legal compliance and tax records
Patient Health Information   As directed by healthcare provider*   Medical record keeping requirements
Usage Analytics              2 years                               Service improvement and support
Communication Logs           3 years                               Customer support and dispute resolution
Security Logs                1 year                                Security monitoring and compliance

*Healthcare providers are responsible for determining appropriate retention periods for patient data based on applicable medical record laws and professional requirements.

8. Your Rights and Choices

8.1 Access and Control

  • Access: View and download your personal information
  • Correction: Update or correct inaccurate information
  • Deletion: Request deletion of your personal information (subject to legal retention requirements)
  • Portability: Export your data in a machine-readable format
  • Restriction: Limit how we process your information

8.2 Patient Rights

If you are a patient whose information is processed through our platform, you should contact your healthcare provider directly to exercise your rights regarding your health information.

8.3 Communication Preferences

  • Opt out of non-essential communications
  • Manage notification preferences
  • Control marketing communications (we send very limited marketing)

9. International Data Transfers

Our primary servers are located in Jordan. When we transfer data internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses for EU data transfers
  • Adequacy decisions where available
  • Additional security measures for sensitive health data
  • Compliance with local data localization requirements

10. Cookies and Tracking Technologies

10.1 Types of Cookies

  • Essential Cookies: Required for platform functionality
  • Performance Cookies: Help us improve our services
  • Functional Cookies: Remember your preferences
  • Analytics Cookies: Understand how users interact with our platform

10.2 Cookie Management

You can control cookies through your browser settings. However, disabling certain cookies may limit functionality of our Service.

11. Children's Privacy

Our Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If you become aware that a child has provided us with personal information, please contact us immediately.

12. Healthcare-Specific Compliance

12.1 HIPAA Compliance (US)

For US-based healthcare providers, we serve as a Business Associate and comply with HIPAA requirements through:

  • Signed Business Associate Agreements (BAAs)
  • Administrative, physical, and technical safeguards
  • Breach notification procedures
  • Staff training on HIPAA requirements

12.2 Other Healthcare Regulations

We also comply with other applicable healthcare privacy laws and regulations in jurisdictions where our users operate.

13. Data Breach Notification

In the event of a data breach affecting personal or health information, we will:

  • Notify affected users within 72 hours of discovery
  • Report to relevant supervisory authorities as required
  • Provide details about the nature and scope of the breach
  • Outline steps taken to address the breach and prevent future incidents
  • Offer assistance and support to affected individuals

14. Third-Party Services

Our Service may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those external services. We encourage you to review the privacy policies of any third-party services you use.

15. Updates to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the updated policy on our website
  • Sending email notifications to registered users
  • Providing in-app notifications
  • Updating the "Last Updated" date at the top of this policy

Your continued use of the Service after any modifications indicates your acceptance of the updated Privacy Policy.

16. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Clinxra Data Protection Officer

Email: privacy@clinxra.com

Website: clinxra.com

Subject Line: Privacy Policy Inquiry

For Healthcare Providers:

Business Associate Agreement requests: legal@clinxra.com

For Patients:

Please contact your healthcare provider directly for questions about your health information.

EU Representative (if applicable):

[To be appointed if EU users require local representation]

17. Governing Law

This Privacy Policy is governed by the laws of Jordan. For users in other jurisdictions, we also comply with applicable local privacy laws including GDPR, CCPA, and other relevant data protection regulations.