Privacy Policy

Last updated: February 17, 2026

1. Data We Collect

We collect the following types of information:

From Clinic Owners and Staff

  • Account information: name, email address, password (hashed)
  • Clinic information: business name, services, hours, location, contact details
  • Chatbot configuration: branding preferences, custom AI instructions

From Patients (Chat Widget Users)

  • Chat messages and conversation history
  • Appointment request details: name, contact number, preferred date/time, service requested
  • Files uploaded during chat (e.g., dental X-rays)
  • Session identifiers (anonymized, stored in localStorage)

2. How We Use Your Data

  • To provide and operate the AI chatbot receptionist service
  • To process and manage appointment requests
  • To send email notifications (appointment confirmations, escalations, password resets)
  • To improve the quality and accuracy of AI responses
  • To ensure security and prevent abuse

3. AI Data Processing

ClinicBot uses Anthropic's Claude API to generate chatbot responses. When a patient sends a message:

  • The message and relevant conversation context are sent to Anthropic's API for processing
  • Anthropic processes the data according to their privacy policy
  • API inputs are not used by Anthropic to train their models
  • We do not send patient data to any other third-party AI providers

4. Data Storage and Security

  • Data is stored in MongoDB with encryption at rest
  • Passwords are hashed using bcrypt (never stored in plaintext)
  • Uploaded files are stored in AWS S3 with access controls
  • All connections use HTTPS/TLS encryption
  • API endpoints are protected with rate limiting and authentication
  • Security tokens (password reset, invitations) are hashed with SHA-256

5. Data Sharing

We do not sell your data. We share data only with:

  • Anthropic (Claude API) — for AI response generation
  • AWS — for file storage (S3) and infrastructure
  • Upstash — for rate limiting (Redis)
  • Email service provider — for transactional emails

We may disclose data if required by law, court order, or to protect our rights and safety.

6. Patient Data Isolation

ClinicBot is a multi-tenant platform. Each clinic's data is strictly isolated:

  • All records are scoped by tenant ID
  • Clinic staff can only access data belonging to their own clinic
  • Patient conversations and appointments are never shared between clinics
  • AI context is limited to the specific clinic's configured information

7. Data Retention

  • Account data is retained while your account is active
  • Conversation history is retained for 12 months after the last message
  • Appointment records are retained for 24 months
  • Upon account deletion, data is permanently removed within 30 days
  • Expired invitation tokens are automatically cleaned up

8. Your Rights Under RA 10173 (Data Privacy Act of 2012)

As a data subject under Philippine law, you have the following rights:

  • Right to be informed — You have the right to know how your data is collected, used, and processed
  • Right to access — You may request a copy of your personal data
  • Right to correction — You may request correction of inaccurate or incomplete data
  • Right to erasure — You may request deletion of your personal data, subject to legal obligations
  • Right to object — You may object to the processing of your personal data
  • Right to data portability — You may request your data in a structured, machine-readable format
  • Right to file a complaint — You may file a complaint with the National Privacy Commission (NPC)

9. GDPR Compliance

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR), including the right to access, rectification, erasure, restriction of processing, data portability, and objection. Our legal basis for processing is consent (for patients using the chatbot) and contract performance (for clinic accounts).

10. Cookies and Local Storage

ClinicBot uses minimal client-side storage:

  • Session cookies — For dashboard authentication (JWT-based, httpOnly)
  • localStorage — For chat widget session persistence (per-tenant, can be cleared by the user)

We do not use tracking cookies or third-party analytics.

11. Children's Privacy

The Service is not directed at children under 18. We do not knowingly collect personal data from minors. If a minor interacts with the chatbot, the parent or guardian of the patient is responsible for providing consent. If we become aware that we have collected data from a child without parental consent, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of significant changes via email or through the Service. Continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact and Complaints

For privacy-related questions or to exercise your rights, contact us at:

You may also file a complaint with the National Privacy Commission (NPC):