Privacy Policy
Last Updated: February 13, 2026 | Effective Date: February 13, 2026
Website: clinixai.pro | Platform: app.clinixai.pro
1. Introduction
ClinixAI ("we," "us," "our") operates the ClinixAI platform accessible at app.clinixai.pro (the "Platform"). This Privacy Policy describes how we collect, use, store, share, and protect your personal information when you access or use our Platform and related services.
ClinixAI is a software-as-a-service (SaaS) healthcare management platform. We are NOT a healthcare provider, medical institution, hospital, clinic, or medical practitioner. We do not diagnose, treat, cure, or prevent any disease or medical condition. We provide software tools that assist healthcare professionals and patients in managing healthcare-related information and workflows.
By accessing or using the Platform, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree, please do not use the Platform.
2. Information We Collect
2.1 Information You Provide Directly
- Account Information: Name, email address, password (stored only as a bcrypt hash, never in recoverable form; see Section 6), phone number, CNIC (national identity number), role selection
- Profile Information: Date of birth, gender, blood group, address, emergency contact details
- Health Information: Medical records, allergies, chronic conditions, prescriptions, lab results, symptom journals, health timelines (collectively, "Health Data")
- Professional Information (for healthcare providers): License numbers (e.g., PMDC), specializations, qualifications, hospital affiliations, schedules
- Communication Data: Messages sent through the platform, appointment notes, chatbot conversations
- Payment Information: Billing details processed through our third-party payment processor (Stripe). We do not store full credit card numbers on our servers.
2.2 Information Collected Automatically
- Usage Data: Pages visited, features used, click patterns, session duration
- Device Information: Browser type, operating system, device type, screen resolution
- Network Information: IP address, approximate geographic location
- Cookies and Similar Technologies: Session cookies, authentication tokens (see our Cookie Policy)
2.3 Information from Third Parties
- Google OAuth: If you sign in using Google, we receive your name and email address from Google
- Healthcare Providers: Doctors and hospitals using the platform may enter health data about patients
3. How We Use Your Information
We use your information for the following purposes:
- Service Delivery: Providing, maintaining, and improving the Platform functionality
- Account Management: Creating and managing your user account, authentication, and authorization
- Healthcare Workflow: Facilitating appointments, prescriptions, lab results, messaging between patients and providers
- AI-Powered Features: Operating AI chatbot assistants and health analysis tools (see Section 7 for AI-specific disclosures)
- Communications: Sending OTP verification, appointment reminders, system notifications, and security alerts
- Security: Detecting, preventing, and responding to fraud, abuse, security incidents, and technical issues
- Legal Compliance: Complying with applicable laws, regulations, and legal processes
- Analytics: Understanding usage patterns to improve user experience (in aggregate, anonymized form)
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), UK, or other jurisdictions with similar data protection laws, we process your data under the following legal bases:
- Consent: You have given explicit consent for processing your personal data, including Health Data, for specific purposes
- Contract Performance: Processing is necessary for the performance of a contract (our Terms of Service) to which you are a party
- Legitimate Interests: Processing is necessary for our legitimate interests (e.g., security, fraud prevention, service improvement) that are not overridden by your rights
- Legal Obligation: Processing is necessary to comply with a legal obligation to which we are subject
- Vital Interests: In emergency situations, processing may be necessary to protect the vital interests of a data subject
Special Category Data: Health Data constitutes special category data under GDPR Article 9. We process Health Data based on your explicit consent and, where applicable, for the provision of health or social care services.
5. Data Sharing and Disclosure
We may share your information with:
- Healthcare Providers: Doctors, hospitals, pharmacies, and labs that you interact with through the Platform, solely for the purpose of delivering healthcare services
- Service Providers: Third-party providers who assist in operating the Platform (e.g., cloud hosting via AWS, payment processing via Stripe, email delivery services). These providers are contractually bound to protect your data.
- Legal Requirements: When required by law, court order, or governmental authority
- Safety: To protect the rights, property, or safety of ClinixAI, our users, or the public
- Business Transfers: In connection with a merger, acquisition, or sale of assets (with notice to users)
We do NOT sell your personal data or Health Data to any third party. We do NOT use your Health Data for advertising purposes.
6. Data Security
We implement industry-standard security measures including:
- Encryption of data in transit (TLS) and at rest
- Password hashing using bcrypt, which salts each password and applies a configurable work factor (cost), so stored credentials cannot be reversed into plaintext
- Session cookies set with the HttpOnly and Secure flags, so they are not readable by client-side scripts and are sent only over HTTPS
- Rate limiting on authentication endpoints
- Input sanitization to prevent injection attacks
- Role-based access control (RBAC) ensuring users only access data they are authorized to view
- Regular security audits and vulnerability assessments
- Soft-delete (recoverable deletion) to prevent accidental permanent data loss; soft-deleted records are permanently removed or anonymized in accordance with the retention periods in Section 9
While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, and you use the Platform at your own risk.
7. AI and Automated Processing
Important AI Disclaimer
The Platform includes AI-powered features, including but not limited to chatbot assistants, health analysis tools, and automated suggestions. Regarding these features:
- Not Medical Advice: AI-generated content is NOT medical advice, diagnosis, or treatment. It is provided for informational and organizational purposes only.
- Accuracy: AI systems can and do make mistakes. AI outputs may be inaccurate, incomplete, outdated, or inappropriate. You must NOT rely solely on AI outputs for health decisions.
- Human Oversight: Always consult a qualified healthcare professional for medical advice, diagnosis, or treatment. AI tools are meant to supplement, not replace, professional medical judgment.
- Data Usage: AI features may process your Health Data to generate responses. This data is processed in accordance with this Privacy Policy and is not used to train external AI models.
- No Liability: ClinixAI shall not be liable for any actions taken or not taken based on AI-generated outputs.
8. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure ("Right to Be Forgotten"): Request deletion of your personal data, subject to legal retention requirements
- Right to Data Portability: Request your data in a structured, commonly used, machine-readable format
- Right to Restrict Processing: Request restriction of processing under certain circumstances
- Right to Object: Object to processing based on legitimate interests or for direct marketing
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
- Right to Lodge a Complaint: File a complaint with your local data protection authority
To exercise any of these rights, please contact us at privacy@clinixai.pro. We will respond within 30 days.
9. Data Retention
- Account Data: Retained for the duration of your account and up to 3 years after account deletion for legal and compliance purposes
- Health Data: Retained in accordance with applicable healthcare data retention laws (typically 7-10 years depending on jurisdiction)
- Usage Data: Anonymized and aggregated after 12 months
- Communication Data: Retained for the duration of the relevant healthcare relationship
When data is no longer needed, it is securely deleted or anonymized in accordance with our data destruction procedures.
10. International Data Transfers
Your data may be processed in countries other than your country of residence. We ensure that any international transfers comply with applicable data protection laws through appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by relevant authorities.
11. Children's Privacy
The Platform is not intended for use by individuals under the age of 16 without parental or guardian consent. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16 without appropriate consent, we will take steps to delete that information promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Platform and, where appropriate, sending you a notification. The "Last Updated" date at the top of this policy indicates when it was last revised. Continued use of the Platform after changes constitutes acceptance of the revised policy.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
ClinixAI - Data Protection
Email: privacy@clinixai.pro
Website: https://clinixai.pro