Privacy Policy

Last updated: 1 July 2026

1. Who we are

MedicsCRM ("we", "us") provides customer relationship management software for medical clinics. We act as a data processor for the patient data our clinic customers store in the platform, and as a data controller for account information belonging to clinic staff who use the service.

2. Data we process

On behalf of clinics we process patient contact details, message history, appointment and treatment records, quotes, payment records and travel details. For clinic staff accounts we process names, email addresses and authentication data. We do not sell personal data to anyone, ever.

3. Legal basis

Clinics are responsible for establishing a lawful basis (typically consent or legitimate interest) for the patient data they enter or receive through connected channels such as WhatsApp. We process this data strictly under our data processing agreement with each clinic.

4. Where data lives

All customer data is stored in the European Union. Data is isolated per clinic using database row-level security so that one clinic can never access another clinic's records, and is encrypted in transit and at rest.

5. Sub-processors

We use a small set of sub-processors to run the service: Supabase (database and authentication, EU region), Vercel (application hosting), Twilio (WhatsApp messaging), OpenAI (AI reply generation) and Stripe (payments). Each is bound by data processing terms.

6. Your rights

Under the GDPR you may request access, correction, export or deletion of your personal data. Patients should direct requests to their clinic; clinic staff may contact us directly at privacy@medicscrm.com. We respond within 30 days.

7. Retention

Data is retained for as long as the clinic maintains an active subscription. When a subscription ends, data is deleted within 90 days, or immediately upon written request.

8. Contact

Questions about this policy: privacy@medicscrm.com.