Clinapse Privacy Policy
Effective Date: May 20, 2026
Last Updated: May 20, 2026
1. Introduction & Scope
Clinapse, Inc. ("Clinapse," "we," "us," or "our") operates a multi-tenant, HIPAA-compliant healthcare practice optimization platform, including the website located at clinapse.com, the web application at app.clinapse.com, and all associated tools, services, and integrations (collectively, the "Platform").
This Privacy Policy explains how we collect, use, disclose, and secure information when you visit our website, register for an account, or use the Platform.
HIPAA & Protected Health Information (PHI) Statement
Clinapse acts as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") when providing services to healthcare providers and practices (our "Clients"), who are Covered Entities.
- Patient Health Data (PHI): Any Protected Health Information (as defined under 45 C.F.R. § 160.103) that we host, process, or transmit on behalf of our Clients is strictly governed by the Business Associate Agreement (BAA) between Clinapse and the healthcare practice, as well as the Client's own Notice of Privacy Practices. This Privacy Policy does not govern or supersede our handling of PHI, which is subject to strict federal HIPAA regulations and BAA contract terms.
- Direct Platform Data: This Privacy Policy applies primarily to the administrative, billing, account management, and marketing data we collect directly from website visitors, practice administrators, healthcare staff members, and advertisers (our "Users").
2. Information We Collect
We collect several categories of information depending on how you interact with Clinapse:
A. Information You Provide Directly to Us
- Account & Profile Information: When you create an account, register for a waitlist, or enroll in a free trial, we collect your name, practice name, business email address, phone number, professional credentials, and login credentials (hashed using Argon2id).
- Credentialing & Verification Data: For healthcare providers completing credentialing, we process professional credentials, licensure, and certification documents. When uploaded, these may be processed via our isolated optical character recognition (OCR) microservice to extract registration details.
- Billing and Payment Information: Subscription payments are processed via our secure third-party payment gateway, Stripe. We collect billing details, subscription plan preferences, and encrypted customer identifiers. Standard credit card details are collected directly by Stripe and are not stored on Clinapse servers.
B. Information Collected Automatically
- Security & Usage Logs: To comply with HIPAA and security audit mandates, our Platform automatically logs every request and system access. Logged data includes:
- Client IP addresses (captured via trust-proxy-aware headers)
- Unique device identifiers (UUIDs)
- Browser type, operating system, and language settings
- Detailed timestamps of login, access, modification, or soft-deletion of records
- Specific patient record accesses (which include
patient_id for HIPAA audit compliance)
- Performance & Diagnostics: We collect system performance data, response times, and error indicators to maintain high availability and troubleshoot issues. Stack traces or raw database contents are strictly excluded from error logs to prevent data leakage.
C. Information from Third-Party Integrations
Clinapse enables healthcare practices to integrate with leading medical, operations, and advertising platforms. Depending on the integrations enabled by your practice, we may ingest:
- Electronic Health Records (EHR): Clinical schedule, demographics, appointments, and patient details retrieved via secure APIs (e.g., athenahealth Developer Portal).
- Communications Platforms: Call detail records (CDRs), phone numbers, and messaging logs from telecommunication partners (e.g., RingCentral) to support messaging workflows.
- Local Search & Advertising Platforms: Google Business Profile (GMB), Apple Business Connect, and Google Ads metrics to compile marketing dashboards and manage business profiles.
- Financial Services: Payout data, transaction status, and payment logs from local card readers or point-of-sale services (e.g., Square).
3. How We Use Your Information
We process personal data (excluding PHI, which is strictly limited by BAAs) for the following business purposes:
| Purpose |
Description |
Legal Basis / Governance |
| Service Provisioning |
Managing practice signups, setting up dedicated tenant databases, executing onboarding wizards, and providing practice optimization tools. |
Contractual Obligation |
| Integrations Management |
Securing OAuth credentials, synchronizing schedules, and fetching external practice metrics (e.g., athenahealth, Square, Google). |
Consent / Client-Initiated |
| System Security |
Rate limiting, preventing brute force attacks, validating file uploads (MIME/size filtering), and enforcing multi-factor authentication (MFA). |
Legitimate Interest / Compliance |
| HIPAA Compliance |
Maintaining immutable, tamper-proof audit trails of Platform activities for a minimum of seven (7) years. |
Federal Legal Mandate |
| Communications & Support |
Sending system updates, security advisories, billing invoices, and responding to customer support inquiries. |
Contractual / Legitimate Interest |
4. How We Share & Disclose Information
We respect your privacy and enforce strict isolation protocols. We do not sell, rent, or trade any personal information, and we never share Patient PHI except as permitted under a signed BAA or required by law.
We may disclose Platform data under the following circumstances:
- Service Providers: We share non-PHI data with trusted operational vendors under strict confidentiality agreements, including:
- Hosting & Infrastructure: Managed secure cloud environments with HIPAA-compliant data centers.
- Email Delivery: Postmark (for transaction receipts, account unlocks, and MFA invites) and MailHog (for local SIT testing).
- Payment Processing: Stripe (for encrypted client billing).
- Legal & Regulatory Compliance: We may disclose information if required to do so by law, court order, subpoena, or to comply with HIPAA, Department of Health and Human Services (HHS) mandates, or state healthcare privacy regulations.
- Business Transfers: If Clinapse is involved in a merger, acquisition, or sale of assets, standard business account information (non-PHI) may be transferred, subject to appropriate privacy and compliance protections.
5. Data Security, Isolation & Retention
Clinapse implements a comprehensive security program designed to meet or exceed HIPAA, HITRUST, and SOC 2 security frameworks:
A. Hybrid Multi-Tenancy & Data Isolation
- Separation of Concerns: Public, non-PHI tables (such as practice user accounts, schedules, and tasks) are stored in shared schemas secured with Row-Level Security (RLS).
- Schema-Level Isolation: All Protected Health Information (PHI) and highly sensitive patient charts are isolated inside dedicated database schemas (
tenant_{client_id}) per healthcare practice, ensuring complete client data boundaries.
- Encryption at Rest: Sensitive columns (such as Social Security Numbers, Dates of Birth, clinical charts, and third-party API credentials) are encrypted at rest using industry-standard AES-256-GCM with dynamic key rotation and versioning.
- Encryption in Transit: All traffic is encrypted using TLS 1.2 or TLS 1.3.
B. Session and Access Controls
- Authentication Security: Practice users must utilize complex passwords (minimum 12 characters, Argon2id hashing, 24-password history, 90-day expiration).
- Multi-Factor Authentication (MFA): Enforced via TOTP (RFC 6238) for all administrator accounts and users accessing patient files.
- Session Expirations: The Platform enforces a 30-minute inactivity timeout, an 8-hour absolute session duration, and restricts active logins to three (3) concurrent sessions.
- System Defense: Global and endpoint-specific rate limiting (
ThrottlerGuard) mitigates brute-force attacks.
C. Data Retention & Soft Deletes
- Audit Trails: Security-related access events, login histories, and data modifications are logged to an immutable schema with a 7-year retention window for legal and HIPAA audits.
- Soft Deletes: Standard business entries and records employ soft-delete structures (
deleted boolean and deleteddatetime timestamps). Permanent hard deletion of records is only executed under authorized compliance protocols.
6. Your Rights & Choices
A. For Practice Administrative Users (Clients)
As a Clinapse account holder, you have control over your administrative data:
- Access & Rectification: You may view and edit your profile details, user rosters, billing preferences, and enabled integrations directly via the Platform's dashboard settings.
- Password and MFA Management: You may update login passwords, initiate password reset flows (subject to verification), and configure or reset TOTP-based MFA.
- Integration Revocation: You may revoke OAuth authorization or disconnect third-party integrations (athenahealth, RingCentral, Square, etc.) at any time.
B. For Patients of Clinapse Clients
- Covered Entity Priority: Clinapse processes patient medical charts and clinical details solely as a Business Associate.
- Patient Rights: Requests to access, amend, restrict, or delete patient health records must be submitted directly to your healthcare provider (the Covered Entity). Clinapse will forward and support the provider in addressing these requests in compliance with HIPAA guidelines.
C. Jurisdictional & State-Specific Rights
Depending on your jurisdiction, state-specific privacy laws (such as the California Consumer Privacy Act/CCPA or state healthcare privacy statutes) may grant you additional rights regarding your business data. These rights generally include the right to know what personal information is collected, request its deletion, and opt out of certain disclosures. Clinapse will honor these rights in accordance with applicable state laws.
7. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our operational workflows, security systems, or legal requirements. When updates occur, we will post the revised version on this page and update the "Effective Date" at the top of this document. We encourage you to review this policy periodically to stay informed about how we protect your information.
8. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy, our data practices, or our security frameworks, please contact our Security & Compliance Officer: