Legal

Privacy Policy

Effective date: May 19, 2026  · Last updated: May 19, 2026

Cliny ("we," "our," or "us") operates as a HIPAA-covered business associate for its clinic customers. This Privacy Policy describes how we collect, use, and protect information when you use our practice management platform at cliny.ai (the "Service").

1. Information We Collect

1.1 Account Information

When you create a Cliny account we collect your name, work email address, and the name of your clinic. If you sign in via Google OAuth, we receive your name and email from Google.

1.2 Protected Health Information (PHI)

Cliny is a platform used by healthcare clinics. When clinic staff use our Service, they may enter patient information that constitutes Protected Health Information under HIPAA, including patient names, dates of service, clinical notes, diagnoses, and treatment records. Cliny processes this data strictly as a Business Associate on behalf of the covered entity (the clinic). We do not use PHI for our own purposes.

1.3 Usage and Technical Data

We automatically collect information about how you use the Service: pages visited, features used, timestamps, IP addresses, browser type, and device information. This data is used to improve the platform and diagnose technical issues.

1.4 Payment Information

Subscription payments are processed by Stripe, Inc. We do not store your credit card number or bank account details. We receive and store billing metadata (plan type, subscription status, last-four card digits) from Stripe.

2. How We Use Your Information

  • To provide, operate, and improve the Cliny platform
  • To authenticate users and enforce role-based access controls
  • To process subscription billing via Stripe
  • To send transactional emails (appointment reminders, invite links, password resets) via SMTP
  • To send SMS appointment reminders via Twilio, Inc.
  • To power AI features (SOAP note generation, treatment summaries) via the Anthropic Claude API — patient data sent to Anthropic is governed by a Data Processing Agreement and is not used to train Anthropic models
  • To respond to support requests and demo inquiries
  • To comply with legal obligations

3. Sub-processors and Third-Party Services

We use the following sub-processors to deliver the Service. Each is bound by data processing agreements consistent with applicable law:

  • Supabase, Inc.: Database hosting, authentication, and Row-Level Security enforcement (USA)
  • Vercel, Inc.: Application hosting and edge infrastructure (USA / Global CDN)
  • Stripe, Inc.: Subscription billing and payment processing (USA)
  • Anthropic, PBC: AI inference for SOAP note generation and clinical summaries (USA)
  • Twilio, Inc.: SMS appointment reminders (USA)

4. HIPAA and Protected Health Information

Cliny acts as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). We:

  • Sign Business Associate Agreements (BAAs) with covered entity clinics prior to processing PHI
  • Encrypt all PHI at rest (AES-256) and in transit (TLS 1.2+)
  • Enforce row-level database security so no clinic can access another clinic's data
  • Maintain an append-only audit log of all PHI access events
  • Limit employee access to PHI on a strict need-to-know basis
  • Will notify affected clinics of any PHI breach within 60 days of discovery, consistent with HIPAA Breach Notification Rule requirements

To request a BAA, email support@cliny.ai.

5. Data Retention

We retain account data for the duration of your subscription plus 90 days after cancellation, during which you may export your data. PHI is retained in accordance with your clinic's legal obligations and applicable state law — we do not delete PHI without clinic instruction. Audit logs are retained for a minimum of 6 years consistent with HIPAA requirements.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate account data
  • Export your clinic's data in a machine-readable format
  • Request deletion of your account (subject to legal retention requirements)
  • Opt out of non-essential communications

To exercise these rights, email support@cliny.ai.

7. Cookies

We use only essential cookies required for authentication (Supabase session tokens) and security. We do not use advertising or third-party tracking cookies. You can disable cookies in your browser settings, but doing so will prevent you from signing in.

8. Children's Privacy

The Service is not directed at individuals under 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, contact us and we will delete it promptly.

9. Changes to This Policy

We will notify you of material changes to this Privacy Policy via email at least 14 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

10. Contact

For privacy-related questions or to exercise your rights:

Cliny
Privacy Officer: support@cliny.ai
General inquiries: support@cliny.ai