Privacy Policy
Last updated: 1 July 2026
1. Who we are
MedicsCRM ("we", "us") provides customer relationship management software for medical clinics. We act as a data processor for the patient data our clinic customers store in the platform, and as a data controller for account information belonging to clinic staff who use the service.
2. Data we process
On behalf of clinics we process patient contact details, message history, appointment and treatment records, quotes, payment records and travel details. For clinic staff accounts we process names, email addresses and authentication data. We do not sell personal data to anyone, ever.
3. Legal basis
Clinics are responsible for establishing a lawful basis (typically consent or legitimate interest) for the patient data they enter or receive through connected channels such as WhatsApp. We process this data strictly under our data processing agreement with each clinic.
4. Where data lives
All customer data is stored in the European Union. Data is isolated per clinic using database row-level security so that one clinic can never access another clinic's records, and is encrypted in transit and at rest.
5. Sub-processors
We use a small set of sub-processors to run the service: Supabase (database and authentication, EU region), Vercel (application hosting), Twilio (WhatsApp messaging), OpenAI (AI reply generation) and Stripe (payments). Each is bound by data processing terms.
6. Your rights
Under the GDPR you may request access, correction, export or deletion of your personal data. Patients should direct requests to their clinic; clinic staff may contact us directly at privacy@medicscrm.com. We respond within 30 days.
7. Retention
Data is retained for as long as the clinic maintains an active subscription. When a subscription ends, data is deleted within 90 days, or immediately upon written request.
8. Contact
Questions about this policy: privacy@medicscrm.com.