Privacy Policy
1. Who We Are
Carehub ("Carehub", "we", "our", or "us") is the operator of the carehubs.tech platform — a multi-tenant Software-as-a-Service (SaaS) clinic management and online booking system.
Where Carehub acts as a data controller (for our own direct customers and marketing activities), this Privacy Policy describes our practices. Where Carehub acts as a data processor on behalf of clinics that use our platform, those clinics are the data controllers for their patients' personal and health data — see Section 2.
- General enquiries: [email protected]
- Data Protection Officer: [email protected] — dedicated contact for data subject requests, DPAs, and security questionnaires.
- Security disclosures: [email protected]
2. Scope and Controller vs Processor
Carehub as Data Controller
We are the data controller when we process:
- Account registration and billing data of clinic operators who sign up directly with Carehub.
- Marketing and demo-request data submitted via our website.
- Platform-level technical and analytics data (page views, error logs, performance metrics).
- Communications data when you contact our support team.
Carehub as Data Processor
When a clinic ("the Controller") uses Carehub to manage its patients, Carehub is a data processor acting on the Controller's documented instructions. Patient health records, appointment data, uploaded files, and similar clinic-specific data are controlled by the respective clinic. If you are a patient of a clinic using Carehub, please direct data-subject requests to that clinic in the first instance; they will involve us as required under Article 28 GDPR.
3. Data We Collect
3.1 Account and Staff Data (Controller role)
- Identity: Full name, email address, job title/role.
- Credentials: Hashed passwords managed by Supabase Auth; we never store plaintext passwords.
- Billing: Subscription tier, invoice history. Payment card details are handled exclusively by our payment processor and are never stored on Carehub servers.
- Communications: Support tickets, demo-request form submissions, email correspondence.
3.2 Patient and Clinical Data (Processor role)
On behalf of clinics, we process patient data including but not limited to: patient name, date of birth, contact details, medical history, diagnoses, clinical notes, treatment plans, appointment records, uploaded files (X-rays, documents), and prescription data. The legal basis for this processing is determined by the clinic as data controller. Carehub only processes this data to provide the contracted service.
3.3 Technical and Usage Data
- IP addresses, browser/device type (collected in server logs for security and debugging; retained 30 days).
- Page view events stored in our page_views table for product analytics (no cross-site tracking).
- Cookies — see our Cookie Policy for details.
3.4 WhatsApp and Communication Data
When the WhatsApp messaging feature is enabled by a clinic, message dispatch logs (recipient phone number, message status, timestamp, feature type) are stored in our wa_dispatch_log table. This processing is on behalf of the clinic (Processor role).
4. Legal Basis for Processing (GDPR)
| Processing Activity | Legal Basis (GDPR) |
|---|---|
| Providing the SaaS platform to contracted clinics | Art. 6(1)(b) — Contract performance |
| Sending transactional emails (invoices, account notifications) | Art. 6(1)(b) — Contract performance |
| Marketing communications to prospects who requested a demo | Art. 6(1)(a) — Consent (withdrawable at any time) |
| Security logging and fraud prevention | Art. 6(1)(f) — Legitimate interests |
| Product analytics and service improvement | Art. 6(1)(f) — Legitimate interests |
| Legal and regulatory compliance | Art. 6(1)(c) — Legal obligation |
| Processing special-category health data on behalf of clinics | Art. 9(2)(h) — Healthcare provision (clinic as controller); Art. 9(2)(a) — Explicit consent where applicable |
5. How We Use Your Data
- Service delivery: Provisioning clinic accounts, managing appointments, storing clinical notes, sending appointment reminders.
- Authentication and security: Verifying identities, detecting unauthorized access, maintaining audit logs.
- Billing: Issuing invoices, processing subscription payments, sending renewal notices.
- Support: Responding to support tickets, diagnosing technical issues.
- Communications: Sending appointment reminders, email notifications, and (with consent) marketing updates.
- Product improvement: Aggregated, anonymized analytics to understand feature usage and improve the platform.
- Legal compliance: Maintaining records as required by applicable law and responding to lawful requests from authorities.
We do not sell personal data to third parties, use patient health data for advertising, or engage in automated profiling that produces legal effects for individuals.
6. Sub-Processors and Recipients
We use the following sub-processors to deliver the service. Each is bound by data processing agreements (DPAs) or Standard Contractual Clauses (SCCs) where applicable:
| Sub-processor | Role | Data processed | Location |
|---|---|---|---|
| Supabase (via AWS) | Database, authentication, file storage | All clinic and patient data | EU (Frankfurt, eu-central-1) |
| Vercel | Hosting, serverless compute | Request metadata, API payloads | EU (London, lhr1) |
| Resend | Transactional email delivery | Recipient email, message content | US (SCCs in place) |
| Cloudflare | DNS, CDN | IP addresses, request headers | Global edge (SCCs in place) |
| Meta (WhatsApp Business API) | WhatsApp messaging | Phone numbers, message content | US (SCCs in place) |
| Google (Gemini AI) | Optional AI clinical summaries | Clinical note text (when feature enabled) | US (SCCs in place) |
| Google Analytics 4 | Public website usage analytics (landing pages only; consent-gated) | Anonymised IP, page URL, referrer, client ID, session state — only after explicit opt-in via cookie banner | US (EU-US Data Privacy Framework) |
| Microsoft Clarity | Public website heatmaps and session replay (landing pages only; consent-gated) | Anonymised IP, clicks, scrolls, cursor movement, session recording — only after explicit opt-in via cookie banner | US (EU-US Data Privacy Framework) |
We will notify affected controllers of any change to this sub-processor list at least 30 days in advance via email.
7. International Transfers
Some sub-processors are located outside the European Economic Area (EEA). Where this is the case, we ensure adequate safeguards through:
- Standard Contractual Clauses (SCCs) under Commission Decision 2021/914 for transfers to Resend, Cloudflare, Meta, and Google.
- Adequacy decisions where the European Commission has determined that a country provides an adequate level of protection.
Copies of applicable SCCs are available on request by emailing [email protected].
8. Retention Periods
| Data Category | Retention Period |
|---|---|
| Active clinic account and staff data | Duration of the subscription + 90 days post-termination (data export window) |
| Patient and clinical data (processor role) | Determined by the clinic controller; Carehub deletes or returns within 30 days of account closure |
| Billing and invoice records | 7 years (legal obligation under financial regulations) |
| Security and access logs | 30 days |
| WhatsApp dispatch logs | 12 months rolling |
| Marketing consent records | Until consent is withdrawn + 3 years (legal compliance) |
| Support correspondence | 3 years from last interaction |
Clinical records maintained within clinics may be subject to longer national retention requirements (e.g., medical record retention laws). Clinics are responsible for configuring their data management in compliance with applicable national healthcare law.
9. Your Rights
Under GDPR (and equivalent national legislation where applicable), individuals have the following rights:
- Right of access (Art. 15): Obtain a copy of your personal data we hold.
- Right to rectification (Art. 16): Correct inaccurate or incomplete data.
- Right to erasure / "right to be forgotten" (Art. 17): Request deletion of your data where no overriding legal basis exists.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to restriction of processing (Art. 18): Limit how we process your data in certain circumstances.
- Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent: Where processing is based on consent, withdraw at any time without affecting prior lawful processing.
- Right to lodge a complaint: File a complaint with your national supervisory authority (e.g., the ICO in the UK, CNIL in France, or your local EU DPA).
To exercise any right, email [email protected] with your full name, email address, and the specific right you wish to exercise. We will respond within 30 days. If your request concerns data held by a clinic (processor-role data), we will forward it to the relevant clinic controller.
10. Security Measures
Carehub implements the following technical and organisational measures (TOMs) to protect personal data:
- Encryption at rest: All database data is encrypted at rest by Supabase (AES-256).
- Encryption in transit: All communications use TLS 1.2 or higher.
- Row-Level Security (RLS): Supabase RLS policies ensure each clinic can only access its own data.
- Authentication: Staff access requires email/password with Supabase-managed JWT sessions. Passwords are hashed using bcrypt.
- Access control: Role-based access (readonly, clinician, admin, owner, carehub_admin) limits data access to what each role needs.
- Audit logging: All significant data access and modification events are logged with user, timestamp, and IP address.
- Private file storage: Uploaded files (e.g., X-rays, clinical documents, payment receipts) are stored in private buckets that are not publicly readable; access is granted through presigned, short-lived URLs issued only to authorised users.
- Penetration testing: Security reviews are conducted prior to major feature releases.
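The Row-Level Security measure above is worth seeing concretely, because the security-relevant detail is in how the policy is written. The following is an added illustration of a Supabase (Postgres) tenant-isolation policy of the kind this section describes; it is not Carehub's schema or its actual policies. It assumes two hypothetical tables, clinic_members(user_id, clinic_id, role) and patients(id, clinic_id, full_name), reuses the role names listed under "Access control" (the platform-level carehub_admin role is omitted), and relies on Supabase's built-in auth.uid() helper, which reads the "sub" claim from the request.jwt.claims setting that Supabase populates per request. Two points a practitioner checks in any such policy: WITH CHECK is present on write policies (USING alone only filters rows a user can see, it does not stop them inserting a row tagged with another clinic's id), and nothing server-side uses Supabase's service_role key without its own tenant check, because that key bypasses RLS entirely.

```sql
-- Added example (not Carehub's code): Supabase RLS tenant isolation.
-- Assumed tables; column and role names are illustrative only.
create table if not exists clinic_members (
  user_id   uuid not null,
  clinic_id uuid not null,
  role      text not null check (role in ('readonly', 'clinician', 'admin', 'owner')),
  primary key (user_id, clinic_id)
);

create table if not exists patients (
  id        uuid primary key default gen_random_uuid(),
  clinic_id uuid not null,
  full_name text not null
);

-- Helper: is the calling user a member of this clinic with one of the given roles?
-- SECURITY DEFINER so the membership lookup is not itself blocked by RLS on
-- clinic_members; search_path is pinned so the function cannot be hijacked
-- by a same-named object in another schema.
create or replace function clinic_role_in(p_clinic uuid, p_roles text[])
returns boolean
language sql
stable
security definer
set search_path = public
as $$
  select exists (
    select 1
    from clinic_members m
    where m.user_id  = auth.uid()
      and m.clinic_id = p_clinic
      and m.role      = any (p_roles)
  );
$$;

alter table patients enable row level security;
alter table patients force  row level security;  -- apply to the table owner as well

-- Read: any member of the clinic, including the readonly role.
create policy patients_read on patients
  for select to authenticated
  using (clinic_role_in(clinic_id, array['readonly', 'clinician', 'admin', 'owner']));

-- Write: clinicians and above. USING governs which existing rows can be
-- updated/deleted; WITH CHECK governs the row as it will be stored, which is
-- what blocks inserting or re-pointing a record into another clinic.
create policy patients_write on patients
  for all to authenticated
  using      (clinic_role_in(clinic_id, array['clinician', 'admin', 'owner']))
  with check (clinic_role_in(clinic_id, array['clinician', 'admin', 'owner']));

-- Isolation check, run as the database owner inside one transaction with
-- constructed sample data: one clinician in each of two clinics. We then
-- impersonate user A by switching to the authenticated role and setting the
-- JWT-claims GUC that auth.uid() reads.
begin;
  insert into clinic_members (user_id, clinic_id, role) values
    ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'clinician'),
    ('22222222-2222-2222-2222-222222222222', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'clinician');
  insert into patients (clinic_id, full_name) values
    ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'Patient of clinic A'),
    ('bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'Patient of clinic B');

  set local role authenticated;
  set local request.jwt.claims =
    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}';

  -- Only clinic A's row comes back for user A; clinic B's row is filtered by USING.
  select id, clinic_id, full_name from patients;

  -- A cross-tenant write is rejected by WITH CHECK with
  -- "new row violates row-level security policy for table patients":
  -- insert into patients (clinic_id, full_name)
  --   values ('bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'smuggled into clinic B');
rollback;
```

When reviewing a deployment like this, also confirm that every table holding clinic data has RLS enabled (a table created later without a policy is readable by any authenticated user through the auto-generated API) and that the JWT claim the policies depend on is issued by the auth service, not taken from client-supplied request data.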
In the event of a personal data breach affecting data we process, we will notify affected data controllers without undue delay, and in any case within 72 hours of becoming aware, so that they can meet their own obligations to notify supervisory authorities and, where the breach is likely to result in high risk, affected individuals under GDPR Art. 33–34.
11. Children's Data
The Carehub platform is not directed at children under 16. However, clinics (as controllers) may treat paediatric patients; in such cases the clinic is responsible for obtaining appropriate parental or guardian consent in accordance with applicable law. Carehub provides technical safeguards (RLS, access controls) but does not independently verify patient ages or obtain parental consent — this responsibility rests with the clinic.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes to our practices, sub-processors, or applicable law. We will notify registered clinic operators of material changes by email at least 30 days before the effective date. The "Last reviewed" date at the top of this page indicates when the policy was most recently updated. Continued use of the service after the effective date constitutes acceptance of the revised policy.
13. California Residents (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to know what personal information we collect, use, disclose, and sell or share.
- Right to delete personal information we hold about you, subject to lawful exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information. Carehub does not sell personal information and does not share it for cross-context behavioural advertising.
- Right to limit the use and disclosure of sensitive personal information.
- Right to non-discrimination for exercising any of these rights.
To exercise any CCPA right, email [email protected] with the subject line "CCPA Request". We will verify your identity and respond within 45 days.
14. Contact Us
For privacy-related enquiries, data subject requests, or to request a copy of our Data Processing Agreement, Standard Contractual Clauses, or DPIA summary:
- Data Protection Officer: [email protected]
- General support: [email protected]
- Subject line for DPO: "Privacy Request — [your name]"
- Website: carehubs.tech/contact
We aim to acknowledge all requests within 5 business days and resolve them within 30 calendar days (45 days for complex requests, with notice).
You also have the right to lodge a complaint with your local supervisory authority. EU residents may contact their national Data Protection Authority; UK residents may contact the Information Commissioner's Office (ICO); California residents may contact the California Privacy Protection Agency (CPPA).