Privacy Policy
Last updated: June 2026
1. Who We Are
ClinicGrow ("we", "us", "our") is a software-as-a-service platform for clinic management, operated from the Netherlands. Our platform is used by healthcare clinics ("clinics") to manage patient appointments, communications, and administrative workflows.
Controller: CogniGrow B.V. (operating the ClinicGrow platform), Laan van Waalhaven 470, 2497 GR Den Haag, Nederland
Contact: privacy@clinicgrow.org
2. What Data We Collect
2.1 Clinic Account Data
- Name, email address, and password of clinic staff members
- Clinic name, address, and contact information
- Subscription and billing details (processed by Stripe; we do not store card numbers)
2.2 Patient Data (processed on behalf of clinics)
- Name, phone number, email address
- Appointment history and notes entered by clinic staff
- Medical history fields optionally filled in by the clinic
2.3 Usage Data
- Log data: IP address, browser type, pages visited, timestamps
- AI chat interactions with the booking assistant (to improve the service)
3. Legal Basis for Processing (GDPR)
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the service to registered clinics.
- Legitimate interest (Art. 6(1)(f)): Improving the platform, fraud prevention, security monitoring.
- Consent (Art. 6(1)(a)): Where required, e.g., marketing communications.
- Legal obligation (Art. 6(1)(c)): Complying with Dutch and EU law.
4. How We Use Your Data
- Providing and maintaining the ClinicGrow platform
- Sending appointment confirmation and reminder emails
- Processing payments via Stripe
- Customer support and platform communications
- Detecting and preventing fraudulent or unauthorized access
- Improving AI booking assistant accuracy
We do not sell your data to third parties. We do not use patient data for advertising purposes.
5. Data Processors (Sub-processors)
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database & authentication | EU (AWS Frankfurt) |
| Vercel | Application hosting | EU edge nodes |
| Stripe | Payment processing | EU |
| Resend | Transactional email | US (SCCs apply) |
| Anthropic | AI booking assistant | US (SCCs apply) |
SCCs = Standard Contractual Clauses, ensuring GDPR-compliant data transfers to third countries.
6. Data Retention
- Clinic account data: retained while the account is active, deleted within 90 days of account closure upon request.
- Patient data: retained as configured by the clinic; clinics are the data controllers for patient data.
- Log data: retained for up to 12 months for security and debugging purposes.
- Billing records: retained for 7 years as required by Dutch tax law.
7. Your Rights (GDPR)
Under the GDPR, you have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Correct inaccurate or incomplete data.
- Erasure: Request deletion of your data ("right to be forgotten").
- Portability: Receive your data in a machine-readable format.
- Restriction: Request that we restrict processing of your data.
- Objection: Object to processing based on legitimate interest.
- Withdraw consent: Where processing is based on consent, withdraw it at any time.
To exercise any of these rights, email privacy@clinicgrow.org. We will respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
8. Cookies
We use the following cookies:
- Strictly necessary: Authentication session cookies (cannot be disabled).
- Functional: Language preference and UI settings.
- Analytics: Anonymised usage metrics (opt-out available in settings).
9. Security
We implement industry-standard security measures including encryption in transit (TLS 1.3), encryption at rest, row-level security in our database, regular vulnerability assessments, and access controls. In the event of a data breach affecting your rights, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Art. 33.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered clinic accounts by email of any material changes at least 30 days before they take effect. The "last updated" date at the top of this page reflects the most recent revision.
11. Contact
Questions about this policy? Contact our Data Protection Officer at privacy@clinicgrow.org or write to: CogniGrow B.V., Laan van Waalhaven 470, 2497 GR Den Haag, Nederland.