
Privacy Policy

ClinicalFlow is built on a simple principle: your data belongs to you. Our local-first architecture means clinical data never leaves your device unless you explicitly choose otherwise. This policy explains exactly what we collect, why, and how we protect it.

Effective Date: February 27, 2026

Contents

  1. Overview & Key Principles
  2. Information We Collect
  3. How We Use Your Information
  4. Data Storage & Security
  5. Clinical Data & PHI
  6. Third-Party Services
  7. HIPAA Compliance
  8. Your Rights
  9. Cookies & Analytics
  10. Data Retention
  11. International Data Transfers
  12. Children’s Privacy
  13. California Privacy Rights (CCPA)
  14. Changes to This Policy
  15. Contact Us

1 Overview & Key Principles

ClinicalFlow (“we,” “us,” or “our”) provides AI-powered clinical documentation software (“the Service”) as a native desktop application for healthcare providers. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our application and related services.

Our core privacy principles:

  • Local-first by design — Clinical transcripts, patient notes, dental charts, and all documentation are processed and stored exclusively on your local device. We never have access to this data.
  • Zero-knowledge architecture — Your application settings and API keys are encrypted on your device using a PIN-derived AES-256-GCM key with PBKDF2 (100,000 iterations). We cannot decrypt this data.
  • Minimal data collection — We only collect what is strictly necessary to provide account management, licensing, and billing services.
  • No data selling — We will never sell, rent, or trade your personal information or clinical data to third parties. Period.
  • Transparency — We clearly disclose every third-party service we use and exactly what data they receive.

2 Information We Collect

2.1 Account Information

When you create a ClinicalFlow account, we collect:

  • Email address — Used for account authentication, password resets, and essential service communications
  • Full name — Optional, used for personalizing your experience
  • Password — Stored as a salted bcrypt hash by our authentication provider (Supabase); we never store or have access to your plaintext password
  • Authentication tokens — Session tokens stored locally on your device in an encrypted session file

2.2 Billing Information

When you subscribe to a paid plan, our payment processor (Stripe) collects:

  • Payment method details (credit/debit card number, expiration, CVC)
  • Billing name and address
  • Transaction history

Important: ClinicalFlow never stores, processes, or has access to your full credit card number. All payment data is handled exclusively by Stripe, a PCI DSS Level 1 certified payment processor.

2.3 Subscription & Licensing Data

We store the following in your account profile to manage your subscription:

  • Subscription tier (Free, Pro, or Team)
  • Subscription status (trialing, active, canceled, expired)
  • Selected plan preference
  • Trial expiration date
  • License key (UUID)
  • Stripe customer and subscription identifiers

2.4 Technical & Usage Data

We may collect limited technical information to diagnose issues and improve the Service:

  • Application version number
  • Operating system and version
  • Crash reports (if you opt in) — these never contain clinical data
  • Feature usage patterns (aggregate, anonymized)

2.5 Information We Do NOT Collect

To be explicit, ClinicalFlow never collects, transmits, or stores:

  • Audio recordings from clinical encounters
  • Clinical transcripts or medical notes
  • Patient names, identifiers, or any Protected Health Information (PHI)
  • Dental charts, perio charts, or treatment plans
  • Your API keys (Deepgram, Anthropic, or any other provider)
  • Contents of exported documents (PDF, TXT)
  • Contact lists or address books

3 How We Use Your Information

We use the information we collect for the following purposes:

Purpose                   | Data used                                  | Legal basis
Account management        | Email, name, password hash                 | Contract performance
Authentication & security | Email, session tokens, license key         | Contract performance
Billing & subscriptions   | Stripe IDs, plan selection, trial dates    | Contract performance
Service communications    | Email address                              | Legitimate interest
Product improvement       | Anonymized usage analytics, crash reports  | Legitimate interest
Legal compliance          | Account data, transaction records          | Legal obligation

We will never use your information for:

  • Targeted advertising or ad profiling
  • Selling to data brokers or third parties
  • Training AI models on your clinical data
  • Any purpose not disclosed in this policy

4 Data Storage & Security

4.1 Local Device Storage

ClinicalFlow employs a two-tier encryption system for data stored on your device:

  • Session data (auth tokens, license key) — Encrypted with an application-embedded key. Because that key ships with the application itself, this provides at-rest protection against casual disk reads, not against someone who can extract the key from the application binary
  • Configuration data (API keys, all settings) — Encrypted with your personal PIN using AES-256-GCM with PBKDF2 key derivation (100,000 iterations). This data is inaccessible without your PIN
  • Clinical data (transcripts, notes, charts) — Stored exclusively on your local file system. We recommend enabling macOS FileVault (or equivalent full-disk encryption) for maximum protection

4.2 Server-Side Security

For the limited account data we do store (email, subscription status, license keys), we employ:

  • Hosted on Supabase (PostgreSQL), with Row Level Security (RLS) policies enforced in the database
  • All data transmitted via TLS 1.2+ encryption
  • Column-level access restrictions — server-side triggers prevent client applications from modifying sensitive fields (subscription tier, billing data, license keys)
  • Service-role separation between client-facing APIs and administrative functions
  • Edge Functions running in Deno isolates with scoped permissions

4.3 Security Practices

  • Passwords hashed with bcrypt (Supabase Auth)
  • Session tokens with automatic expiration and refresh
  • Email verification required for account activation
  • Stripe webhook signature verification for all billing events
  • No plaintext storage of secrets in application code or databases

5 Clinical Data & Protected Health Information

ClinicalFlow does not store, process, or transmit Protected Health Information (PHI) on our servers. All clinical documentation — including audio recordings, transcripts, SOAP notes, dental charts, perio charts, and patient information — remains exclusively on your local device.

5.1 Local Processing

ClinicalFlow supports fully offline clinical documentation:

  • Whisper-based transcription runs entirely on your device using a local model — no audio data leaves your computer
  • Local AI note generation (via Ollama) processes transcripts on your device using locally-hosted language models
  • Rule-based fallback generates structured notes using deterministic algorithms with no network requests

5.2 Optional Cloud AI Features

ClinicalFlow offers optional cloud-based AI features that you may choose to enable. When enabled:

  • Deepgram (cloud transcription) — Audio is streamed to Deepgram’s servers for real-time transcription. This requires your own Deepgram API key.
  • Claude by Anthropic (cloud note generation) — Transcript text is sent to Anthropic’s API for SOAP note generation. This requires your own Anthropic API key.

These features are entirely optional, disabled by default, and clearly labeled in the application. When you use cloud AI features, data is sent directly from your device to the respective provider using your own API keys — ClinicalFlow’s servers are never intermediaries in this data flow.

You are responsible for reviewing the privacy policies and data handling practices of any third-party AI providers you choose to use. We recommend verifying that your use complies with your organization’s HIPAA policies and any applicable Business Associate Agreements (BAAs).

5.3 Data Segregation

Our application enforces strict separation between clinical data and account data. This boundary is architectural rather than cryptographic: clinical data is never transmitted to or stored on our infrastructure, so even a full compromise of our servers would expose no clinical data.

6 Third-Party Services

We use a limited number of third-party services to operate ClinicalFlow. Below is a complete disclosure of each service and what data they receive:

Service            | Purpose                            | Data shared                                               | Required?
Supabase           | Authentication, account database   | Email, hashed password, profile data, subscription status | Yes
Stripe             | Payment processing                 | Billing information, transaction data                     | For paid plans
Resend             | Transactional email delivery       | Email address, email content (verification, receipts)     | Yes
Deepgram           | Cloud speech-to-text transcription | Audio stream (via your API key)                           | No (optional)
Anthropic (Claude) | Cloud AI note generation           | Transcript text (via your API key)                        | No (optional)
Netlify            | Website hosting                    | Standard web server logs (IP, user agent)                 | Website only

We carefully vet all third-party services for their security practices, data handling policies, and regulatory compliance. We do not use any advertising networks, social media trackers, or data brokers.

7 HIPAA Compliance

ClinicalFlow is designed with HIPAA compliance in mind. Our architecture fundamentally supports compliance through these measures:

7.1 Local-First Architecture

Because PHI never leaves your device in the default configuration, ClinicalFlow operates outside the scope of traditional HIPAA covered entity obligations for cloud-stored data. You maintain full custody of all clinical information.

7.2 Technical Safeguards

  • Access controls — PIN-based encryption for application data, separate session authentication
  • Audit trail — Local activity logging for compliance documentation
  • Encryption — AES-256-GCM for configuration data, TLS 1.2+ for all network communications
  • Data integrity — Cryptographic verification of license data and session integrity
  • Automatic session expiration — Auth tokens expire and require re-authentication

7.3 Administrative Safeguards

  • Clear documentation of data flows and security architecture
  • Designated security contact for incident response
  • Regular review and updates of security practices
  • Transparent disclosure of all third-party data processors

7.4 Business Associate Agreements

If your organization requires a Business Associate Agreement (BAA), please contact us at the email address provided in the Contact section below. We are committed to supporting healthcare organizations’ compliance requirements.

Note: While ClinicalFlow’s architecture is designed to support HIPAA compliance, each healthcare organization is responsible for conducting their own risk assessment and ensuring their use of ClinicalFlow (including any optional cloud AI features) meets their specific compliance requirements.

8 Your Rights

You have the following rights regarding your personal information:

8.1 Access

You have the right to request a copy of the personal information we hold about you. We will provide this within 30 days of your verified request.

8.2 Correction

You can update your account information (email, name) at any time through the application or by contacting us.

8.3 Deletion

You have the right to request deletion of your account and all associated personal data. Upon deletion:

  • Your account profile and authentication data will be permanently removed from our servers
  • Your Stripe customer record will be deactivated and billing data retained only as required by law
  • Your license key will be revoked
  • Local data on your device (transcripts, notes, settings) will remain under your control and is unaffected

8.4 Data Portability

All clinical data is already stored locally on your device in standard formats. You can export documents as PDF or TXT at any time, with no vendor lock-in.

8.5 Opt-Out

You may opt out of:

  • Marketing emails — Unsubscribe link included in every marketing email (note: we cannot opt you out of essential service communications like billing receipts or security alerts)
  • Analytics — Disable usage analytics in application settings
  • Cloud AI features — Disabled by default; remove your API keys to fully disable
  • Crash reporting — Disable in application settings

8.6 Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. Exercising these rights will not affect the quality or pricing of our Service.

9 Cookies & Analytics

9.1 Website

Our marketing website (clinicalflow.us) uses:

  • Essential cookies — Required for basic website functionality (session management, authentication state). Cannot be disabled.
  • Analytics — We may use privacy-respecting analytics to understand traffic patterns. We do not use Google Analytics, Facebook Pixel, or any advertising trackers.

9.2 Desktop Application

The ClinicalFlow desktop application does not use cookies. It may collect anonymized usage telemetry (feature usage counts, error rates) if you opt in. This telemetry never contains clinical data, patient information, or personally identifiable information.

9.3 Third-Party Cookies

We do not allow any third parties to place tracking cookies on our website or application. Our payment processor (Stripe) may set essential cookies during the checkout process.

10 Data Retention

We retain different categories of data for different periods:

Data category          | Retention period                                   | Reason
Active account data    | Duration of account                                | Service delivery
Deleted account data   | 30 days (recovery period), then permanent deletion | Accidental deletion protection
Billing records        | 7 years after last transaction                     | Tax and legal compliance
Server access logs     | 90 days                                            | Security monitoring
Support correspondence | 2 years after resolution                           | Service quality
Local clinical data    | You control this entirely                          | Not applicable (stored on your device)

11 International Data Transfers

ClinicalFlow’s infrastructure is hosted in the United States. If you access the Service from outside the United States, your account information (email, subscription data) will be transferred to and processed in the United States.

We rely on the following safeguards for international data transfers:

  • Standard Contractual Clauses (SCCs) with our data processors
  • Data Processing Agreements (DPAs) with Supabase and Stripe
  • Technical measures including encryption in transit and at rest

For users in the European Economic Area (EEA), United Kingdom, or Switzerland: you have additional rights under the General Data Protection Regulation (GDPR). Please see Section 8 (Your Rights) and contact us if you have specific GDPR-related requests.

12 Children’s Privacy

ClinicalFlow is designed for licensed healthcare professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA).

If we learn that we have inadvertently collected personal information from a child under these age thresholds, we will promptly delete that information. If you believe we may have collected information from a child, please contact us immediately.

13 California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to know — You can request disclosure of the categories and specific pieces of personal information we have collected about you
  • Right to delete — You can request deletion of your personal information, subject to certain legal exceptions
  • Right to opt out of sale — We do not sell your personal information. We have never sold personal information and have no plans to do so
  • Right to non-discrimination — We will not discriminate against you for exercising your CCPA rights
  • Right to correct — You can request correction of inaccurate personal information
  • Right to limit use of sensitive personal information — We only use sensitive personal information as necessary to provide the Service

To exercise your CCPA rights, contact us using the information in Section 15 below. We will verify your identity before processing your request.

Do Not Sell or Share My Personal Information: ClinicalFlow does not sell or share personal information as defined by the CCPA/CPRA. We do not use your personal information for cross-context behavioral advertising.

14 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

  • Material changes — We will notify you by email and/or display a prominent notice in the application at least 30 days before the changes take effect
  • Minor changes — We will update the “Effective Date” at the top of this page
  • Version history — We will maintain a change log of significant policy updates

Your continued use of the Service after the effective date of a revised policy constitutes acceptance of the updated terms. If you disagree with any changes, you may close your account at any time.

15 Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:

  • Email: privacy@clinicalflow.us
  • Subject line: “Privacy Inquiry” for general questions, “Data Request” for rights requests, or “BAA Request” for Business Associate Agreement inquiries

We aim to respond to all privacy-related inquiries within 5 business days and to fulfill data access or deletion requests within 30 calendar days.

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

This Privacy Policy was last updated on February 27, 2026.

ClinicalFlow — Built by healthcare professionals, for healthcare professionals.
