CliniqFlow — Intake. Insight. Better care.Sign up

Legal

Security & Data Protection Policy

This policy describes security and data protection measures for CliniqFlow.

Last updated: May 30, 2026

Service provider: Prarthana Bhat, an individual sole proprietor operating under the trade name CliniqFlow (India).

1. Overview

Prarthana Bhat implements administrative, technical, and organizational measures designed to protect information processed through CliniqFlow. No system is completely secure; we cannot guarantee absolute security.

2. Infrastructure

  • HTTPS/TLS encryption for data in transit.
  • Cloud-hosted database and authentication via Supabase.
  • Application hosting via Vercel.
  • Rate limiting via Upstash Redis in production.
  • Error monitoring via Sentry (purpose-limited; no patient content in logs).

3. Authentication and access control

  • Email and password authentication with email verification in production.
  • Multi-tenant isolation via row-level security and application permissions.
  • Role-based access within clinic workspaces.
  • CliniqFlow Support: no access to patient or clinical records.
  • Platform administrators: access for maintenance, security, compliance, and operations; access is logged in audit logs.

4. AI data minimization

Production AI uses restricted mode by default, sending minimized clinical context (age, sex, symptoms, questionnaire responses, intake theme highlights) without direct patient identifiers. Requests to OpenRouter include a zero-retention data policy header; provider compliance is not guaranteed. See AI Disclaimer.

5. Audit logging

We log security-relevant events including PHI access by platform administrators, tenant lifecycle events, billing events, and SOAP review actions. Clinic administrators may export tenant audit logs from compliance settings.

6. Retention and deletion

  • Audit logs: approximately six years.
  • Usage metrics: ninety (90) days.
  • Intake drafts: seven (7) days.
  • Clinical records: until Customer requests deletion, subject to backups.

Deletion requests: Privacy Requests.

7. Incident response

We maintain procedures to detect, contain, investigate, and remediate security incidents. We will notify affected clinic customers without undue delay of confirmed breaches involving personal data we process on their behalf.

8. Customer responsibilities

  • Protect account credentials and revoke access for departed staff.
  • Use secure devices and networks.
  • Configure roles appropriately within your workspace.
  • Obtain required patient consents before submitting health information.

9. Vulnerability reporting

Report security issues to security@cliniqflow.com. Do not publicly disclose vulnerabilities before we have had reasonable time to remediate.

Related policies