Privacy Policy
We take your clinic's data and your patients' health information seriously. This policy explains what we collect, how we use it, and how you control it.
Last updated: May 2026
1. Who we are
Clinit ("we", "us", "our") is a clinic management software platform operated by Omar Abdelfatah, Cairo, Egypt. This Privacy Policy explains how we collect, use, store, and protect information about you and your clinic when you use our services at clinit.app and doctor.clinit.app.
Contact: privacy@clinit.app
2. Information we collect
Account information: Name, email address, phone number, clinic name, and specialty when you register.
Usage data: Pages visited, features used, session duration, and device type — collected anonymously to improve the product.
Patient data you enter: All clinical records, appointments, invoices, and patient information you input into Clinit. This data belongs entirely to you. We act solely as a data processor on your instructions.
Payment information: Processed by Paymob and Stripe. We never store raw card numbers. Only transaction references and amounts are retained.
3. How we use your information
We use your information to:
- Provide, maintain, and improve the Clinit service
- Send transactional emails (password resets, billing receipts, appointment confirmations)
- Send product updates and new feature announcements (you may unsubscribe at any time)
- Comply with legal obligations, including tax and data retention requirements
- Investigate abuse or violations of our Terms of Service
We never sell your data to third parties. We never use patient data for advertising or AI model training without explicit written consent.
4. Data storage, security, and sub-processors
All data is stored on Supabase PostgreSQL infrastructure hosted in the EU (Frankfurt region). We apply the following technical safeguards:
- Encryption at rest: AES-256 on all storage volumes and database backups
- Encryption in transit: TLS 1.3 enforced on all connections; weak cipher suites rejected
- Access controls: Role-based access controls; staff access to production systems is audited
- Backups: Automated daily encrypted backups with 30-day point-in-time recovery
- Sub-processors: Supabase (EU hosting), Vercel (CDN/serverless), Resend (transactional email), Paymob (payment processing), Stripe (international payments), Firebase (push notifications), Upstash (analytics cache). Full sub-processor list available on request.
5. HIPAA compliance
For clinics operating under US HIPAA jurisdiction or managing Protected Health Information (PHI), we provide Business Associate Agreements (BAAs) at no additional cost. Request via privacy@clinit.app.
All PHI access is logged in our tamper-proof audit trail. Session timeouts are enforced after inactivity. Role-based access enforces the minimum-necessary principle, so each user sees only the information their role requires.
6. GDPR rights (EU/UK users)
If you are located in the European Economic Area or United Kingdom, you have the following rights under GDPR:
- Right of access: Request a copy of all personal data we hold about you
- Right to rectification: Correct inaccurate personal data
- Right to erasure: Request deletion of your account and all associated data
- Right to portability: Receive your data in a machine-readable format (JSON/CSV)
- Right to object: Object to processing based on legitimate interests
- Right to restrict: Restrict processing while a dispute is resolved
To exercise any of these rights, contact privacy@clinit.app. We will respond within 30 days.
7. Cookies
We use the following cookies:
- Strictly necessary: Session authentication cookie (HttpOnly, Secure, SameSite=Strict). Cannot be disabled without breaking the service.
- Analytics (optional): Anonymous usage analytics to understand feature adoption. Requires your consent via the cookie banner. No cross-site tracking.
You can withdraw analytics consent at any time by clicking "Cookie Settings" in the footer.
8. Data retention
- Active accounts: Data retained for the lifetime of the account
- Cancelled accounts: Data retained for 90 days post-cancellation to allow export or reactivation
- After 90 days: All clinic and patient data is permanently and irreversibly deleted
- Audit logs: Retained for 7 years for compliance purposes
- Backup retention: 30-day rolling window; backups are deleted automatically on schedule
You may request immediate deletion at any time by emailing privacy@clinit.app.
9. Data breaches
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users within 72 hours of becoming aware of the breach. Notification will include: the nature of the breach, the categories and approximate number of records affected, likely consequences, and measures taken to address it.
10. Contact & complaints
Privacy enquiries: privacy@clinit.app
Postal address: Clinit, Cairo, Egypt
Data Protection Officer: privacy@clinit.app
If you believe we have not handled your personal data correctly, you have the right to lodge a complaint with your local data protection authority (for EU users: your national DPA; for UK users: the ICO at ico.org.uk).