Privacy Policy

Last updated: 1 May 2026.

Who we are

clinicpilot ("we", "us") provides software to UK aesthetic and wellness clinics for patient retention and rebooking communications. This Privacy Policy explains what personal data we collect, why, how we use it, and your rights under UK GDPR and the Data Protection Act 2018.

For questions about this policy, email dpa@clinicpilot.co.uk.

Two roles: controller and processor

We act in two distinct roles depending on whose data we are handling:

  • For data about clinic staff who sign up to clinicpilot (account holders, team members): we are the data controller.
  • For patient data that a clinic uploads or syncs to clinicpilot: the clinic is the data controller and we act as the data processor on the clinic's instructions. A signed Data Processing Agreement (DPA) governs the relationship — see our GDPR & data page.

Personal data we collect

From clinic staff (controller):

  • Name, work email, hashed password (bcrypt), role within the clinic
  • Clinic name and configuration (voice tone, opening hours, vertical)
  • IP address and browser metadata for security and abuse prevention
  • Audit log entries (who took which action and when)

From patients (processor — clinic is controller):

  • Patient first name and full name as provided in the clinic's CSV
  • Phone number in E.164 format and/or email address
  • Treatment type, treatment date, and revenue figure (if supplied)
  • Marketing-consent flag, preferred channel, opt-out timestamp
  • Conversation transcripts (outbound messages we send and inbound replies)
  • Date of birth (only if the clinic enables the birthday flow)

Lawful basis for processing

For clinic staff:

  • Contract — to provide the clinicpilot service to the clinic that signed up.
  • Legitimate interest — for product security, abuse prevention, and improving the platform.

For patients (the clinic determines lawful basis):

  • The clinic warrants that it has a lawful basis (typically consent under PECR for marketing texts, or legitimate interest for transactional appointment confirmations) before importing patient records.
  • We enforce the consent flag in software on every send: outbound jobs are skipped if consent_marketing is false, and STOP replies opt the patient out instantly.

How we use the data

  • To run the retention engine: scheduling, sending, and classifying outbound and inbound messages.
  • To draft messages via Anthropic's Claude API (only the patient first name, treatment type, weeks since last treatment, clinic name and voice tone are sent — full names, phone numbers, and emails are never sent to Anthropic).
  • To deliver SMS and WhatsApp messages via Twilio.
  • To produce ROI dashboards and audit logs for the clinic.
  • To bill the clinic for paid plans (after the free pilot).
  • To respond to support, security, or compliance enquiries.

Sub-processors

We share patient data only with the sub-processors listed on our GDPR & data page: Neon (UK-hosted Postgres), Vercel (application hosting), Anthropic (message drafting only — restricted fields), and Twilio (message delivery). We give 30 days' notice before adding a new sub-processor.

International transfers

Patient databases sit in Neon's London (lhr1) region. Anthropic's Claude API processes prompts in EU/US infrastructure and does not retain API content for training. Twilio routes messages through its global infrastructure as required to deliver SMS/WhatsApp. Where personal data crosses outside the UK, we rely on the UK's adequacy decisions and/or the UK International Data Transfer Agreement (IDTA) with the relevant sub-processor.

Retention

  • Clinic staff records persist for the lifetime of the account, plus 90 days post-closure for billing reconciliation.
  • Patient records persist for the lifetime of the clinic account; on account closure or upon clinic request, we delete the clinic and cascade-delete all patient records within 30 days.
  • Audit log entries are retained for 24 months (security and compliance).
  • Backups are kept for up to 30 days and are encrypted at rest.

Your rights (UK GDPR)

You have the right to:

  • Access the personal data we hold about you
  • Have inaccurate data corrected
  • Have your data erased (the "right to be forgotten")
  • Restrict or object to processing
  • Receive your data in a portable format
  • Withdraw consent at any time (where consent is the lawful basis)
  • Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk

To exercise any right, email dpa@clinicpilot.co.uk. For patient-data requests, contact your clinic first — they are the controller and we act on their instructions.

Security

  • TLS 1.2+ on all connections; database connections use TLS with certificate verification.
  • Passwords stored as bcrypt hashes (not plaintext, not reversible).
  • Sessions use HTTP-only, Secure, SameSite=Lax cookies signed with a per-deployment secret.
  • Twilio webhooks validated via X-Twilio-Signature on every inbound request.
  • Database credentials and API keys held as Vercel environment variables — never committed to source control.

Cookies

We use a small number of strictly necessary cookies (authentication session, CSRF protection). We don't currently use third-party analytics or advertising cookies. Full detail is on our Cookies page.

Changes to this policy

We will post any material changes to this policy here, with an updated "Last updated" date. For substantive changes affecting how patient data is handled, we will email the clinic owner.