Privacy Policy
Clinic Roll is a companion suite for Cliniko, built by a practicing osteopath in Brussels. This policy explains what data we handle when you use Clinic Roll (Leave, Notify, ShowUp, Fill, and Post) and how we protect it. We’re GDPR-native and EU-hosted by default — not as a bolt-on.
What we store
To run the service we store the minimum needed:
- Your Cliniko subdomain and API key (encrypted)
- Your email address (for account access and notifications)
- App-specific configuration you save (selected practitioner, block presets, notification recipients, risk thresholds, SMS settings, letter-type templates, letterhead)
- Operational logs (notifications sent, SMS dispatched, appointments risk-scored) — retained 365 days
- Billing records from Paddle (subscription status, dates) — we never see or store your payment details
For Leave, Notify, ShowUp, and Fill we do not store patient records, appointment content, or any clinical data. Patient-identifying data only passes through memory when sending an SMS or email — it is not written to any database we control.
Post (AI-drafted letters) is different by necessity. When you use Post we store the letter drafts and approved letters the practitioner sends — these contain patient-identifying and clinical summary content because that is what a letter is. Approved letters are retained for the medical-record period mandated by your jurisdiction (UK: 8 years; AU: 7; NZ: 10; IE: 8; US: state-dependent). Drafts that are never approved are retained for the same period because they may contain clinical information. Nothing is ever sold or shared beyond the sub-processor list below.
Where your data lives
All persistent data storage is in EU regions: Cloudflare Workers KV and R2 (EU-hosted), Supabase (eu-west-1, Dublin). Cloudflare Workers themselves run at the edge closest to the request. When Post drafts a letter, the clinical content and patient identifiers are sent to Anthropic’s Claude API for the duration of that single request only — this is a cross-border transfer to the US, covered by Anthropic’s standard Data Processing Addendum incorporating UK GDPR and Standard Contractual Clauses. Anthropic does not retain your data: content sent through the Claude commercial API is not stored, trained on, or reused.
Third parties
We rely on the following sub-processors:
- Cliniko — we call your Cliniko account on your behalf using the API key you provide. All reads and writes are scoped to your own account.
- Cloudflare — hosting, edge, Workers KV, and R2 storage. EU-region.
- Supabase — auxiliary database in eu-west-1 (Ireland).
- Resend — transactional email delivery.
- Anthropic (Post only) — AI letter drafting and letterhead OCR via the Claude API. Clinical content from the practitioner-approved notes is sent to Anthropic only when a letter is being drafted; output is the letter body, which the practitioner always reviews before sending. Covered by Anthropic’s standard commercial Data Processing Addendum (UK GDPR + Standard Contractual Clauses for cross-border transfer).
- Paddle — Merchant of Record for subscriptions. Paddle handles all payment details; we receive only subscription status.
- GatewayAPI (ShowUp and Fill, via your own account) — SMS delivery.
- Apple (ShowUp Apple Wallet passes only) — when a patient saves their appointment to Apple Wallet, the pass content (clinic name, appointment date/time, practitioner name, location) and a per-pass push token are transmitted to Apple’s PassKit and APNs services so iOS can display the pass and update it if the appointment changes. No diagnosis or clinical-record content is included. Patients control whether to install the pass; deleting it from Wallet removes Apple’s copy. Cross-border transfers to Apple Inc. (US) rely on Apple’s public Data Processing Addendum and Standard Contractual Clauses.
Your rights under GDPR
You have the right to access, correct, export, or delete your data. Disconnecting from the Account page wipes all your stored configuration and operational logs. For formal GDPR requests, email hello@clinicroll.com and we’ll respond within 30 days.
Cookies
We use a single essential cookie (cr_session) to keep you signed in across the suite. Inside the apps (app.clinicroll.com, leave.clinicroll.com, notify.clinicroll.com, showup.clinicroll.com, fill.clinicroll.com, post.clinicroll.com) there is no tracking and no analytics.
On the public marketing site (clinicroll.com) we use Google Analytics 4 with IP anonymisation enabled to understand aggregate visitor traffic (page views, referrers, country-level location). No personally identifying information is sent to Google. We do not use ad cookies or cross-site tracking.
Contact
Questions about this policy? Email hello@clinicroll.com.