Privacy Policy for SofClinic

Effective Date: January 30, 2026

Last Updated: April 4, 2026

Welcome to SofClinic ("we," "our," or "us"). We provide a multi-tenant clinic management Software-as-a-Service (SaaS) and a public patient booking portal.

This Privacy Policy explains how we collect, use, process, and protect information when you use our website, the SofClinic Platform Admin Console, the Clinic Operations System, or the Patient Booking Portal.

1. Our Role: Controller vs. Processor

Because SofClinic serves both Medical Clinics (our clients) and Patients (end-users), our legal responsibilities differ based on the user:

As a Data Controller: We act as a Data Controller for the personal data of Clinic Owners, administrative staff, and website visitors (e.g., account creation data, subscription information).

As a Data Processor: We act as a Data Processor for Patient Data (e.g., medical records, visit notes, booking details, prescription photos). The Medical Clinic is the Data Controller. We only process this data on behalf of the Clinic and in accordance with its instructions and our service agreements.

2. Information We Collect

We collect information across three main categories based on how you interact with our platform:

A. Information from Clinic Owners & Staff (B2B)

Account Information: Name, email address, phone number, clinic name, and assigned role (Owner, Doctor, or Receptionist).

Financial Information: Subscription tier, manual payment records, and billing details.

Operational Data: Clinic expenses, shift closings, daily cash summaries, and staff schedules.

B. Information from Patients (B2C)

Booking Information: Full name, phone number, gender, date of birth, and appointment date/time/location.

Verification Data: One-Time Passwords (OTPs) sent via WhatsApp to verify contact information.

Health & Clinical Data: Medical history, diagnoses, visit types (Examination vs. Follow-up), vitals, prescription photos, and treatment notes entered by the attending doctor.

Payment Data: Methods of payment (Cash, Visa, Insurance) and insurance provider details tagged at reception.

C. Automatically Collected Information

System Logs & Audit Trails: IP addresses, browser types, timestamps, and specific actions taken within the platform (e.g., login attempts, appointment cancellations).

Cookies & Tracking: We use standard web technologies (like cookies and local storage) to maintain user sessions, remember language preferences (Arabic/English), and ensure platform security.

3. How We Use Your Information

We use the collected data for the following purposes:

To Provide the Service: Facilitating the patient booking process, managing clinic queues, and maintaining accurate medical and financial records for the clinics.

Automated Communications: Sending WhatsApp OTPs for phone verification, automated appointment status links, cancellation notices, and Google Review reminders after completed visits.

Security & Integrity: Authenticating users via JSON Web Tokens (JWT), enforcing strict role-based access controls, and preventing fraudulent bookings or unauthorized access.

Platform Analytics: Analyzing aggregated, anonymized usage data to improve system performance, calculate revenue trends, and optimize our software.

4. Data Architecture & Security

We take medical data security very seriously. SofClinic utilizes a highly secure, isolated architecture:

Tenant Isolation: Every clinic operates on its own isolated database (Tenant DB). Patient data from one clinic is entirely separated from patient data in another clinic.

Role-Based Access Control (RBAC): Access to sensitive information is strictly governed by user roles. For example, Doctors and Receptionists cannot access clinic financial analytics, ensuring business intelligence is restricted solely to the Owner.

Encryption: Passwords and OTP codes are securely hashed (using bcrypt) before storage in the database. Data in transit is encrypted using standard protocols (HTTPS/SSL).

5. Sharing Your Information

We do not sell, rent, or trade personal or medical data to third parties. We only share data under the following circumstances:

With Third-Party Service Providers: We use trusted infrastructure partners to operate our service, including:

Messaging Providers: WAHA (WhatsApp integration) for sending OTPs and automated reminders.

Email Providers: Resend for password resets and system notifications.

Cloud Infrastructure: Redis for session data caching and secure cloud servers to host our databases.

Legal Compliance: If required by law, subpoena, or Egyptian legal authorities, we may disclose information to comply with legal obligations.

6. Data Retention

Clinic Data: We retain Clinic Owner and Staff data for as long as the tenant's account is active.

Patient Data: Because we are the Data Processor, patient medical records and booking histories are retained according to the retention policies of the specific Medical Clinic. If a clinic deletes its account, we initiate a secure deletion protocol for its isolated database, with optional secure backups provided to the clinic owner.

7. Your Privacy Rights

Depending on your relationship with us, you have specific rights regarding your data:

Clinic Owners/Staff: You can access, update, or correct your personal information directly within the SofClinic platform settings.

Patients: If you wish to access, correct, or delete your medical records or booking history, you must contact the Medical Clinic directly, as they are the legally responsible Data Controller of your health information. We will assist the clinic in fulfilling your request in accordance with our technical capabilities.

8. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our technology or legal requirements. We will notify Clinic Owners of any material changes via the Platform Admin Console or by email. Continued use of the service after changes indicates acceptance of the updated policy.

9. Contact Us

If you have questions about this Privacy Policy, our data practices, or need technical support regarding data privacy, please contact us at:

Email: [email protected]

Website: www.sofclinic.com