Privacy Policy

Last updated: 28 March 2026 · Effective: 28 March 2026

1. Who We Are

MedFlow is a clinic automation platform operated by MedFlow Ltd ("MedFlow", "we", "us", "our"). Our website is medflowai.io.

Data Controller: MedFlow Ltd
Contact: privacy@medflowai.io
Registered Address: London, United Kingdom

2. What Data We Collect

Clinic Owner & Staff Data

• Name, email address, phone number
• Clinic name, address, and business details
• Login credentials (passwords are hashed using SHA-256 and never stored in plain text)
• Role and permission settings
• Usage data (login times, pages visited, features used)

Patient Data (Processed on behalf of the Clinic)

• Patient name, phone number, email address, country
• Treatment interests and procedure history
• Communication history (WhatsApp, Instagram DMs, email)
• Financial data (quote amounts, deposit status, payment records)
• Booking and appointment records
• Pre-procedure checklist status
• Internal notes added by clinic staff

Technical Data

• IP address, browser type, device information
• Session data and cookies
• Error logs (never containing personal patient data)

3. Why We Collect Data

• Service delivery: To provide the MedFlow platform and its features
• Automation: To power AI-driven patient follow-ups, quote generation, and scheduling
• Communications: To send messages on behalf of clinics via WhatsApp and Instagram
• Account management: To manage subscriptions, billing, and support
• Security: To prevent fraud, unauthorised access, and abuse
• Improvement: To improve our platform and develop new features

4. Legal Basis for Processing

Jurisdiction	Legal Basis
UK GDPR / EU GDPR	Performance of contract (Art. 6(1)(b)), Legitimate interests (Art. 6(1)(f)), Consent where required (Art. 6(1)(a))
Turkey (KVKK)	Performance of contract (Art. 5(2)(c)), Legitimate interests (Art. 5(2)(f)), Explicit consent for special categories (Art. 6)
UAE (Federal Decree-Law No. 45/2021)	Performance of contract (Art. 4), Consent (Art. 4), Legitimate interests (Art. 4)
Saudi Arabia (PDPL)	Performance of contract (Art. 6), Consent (Art. 6), Legitimate interest (Art. 6)

MedFlow acts as a Data Processor for patient data. The clinic is the Data Controller. Our processing of patient data is governed by our Data Processing Agreement.

5. Data Retention

Data Type	Retention Period
Active clinic account data	Duration of subscription + 90 days
Patient data	As directed by the clinic (default: 3 years from last activity, configurable)
Communication logs	As directed by the clinic (default: 2 years)
Financial records	7 years (legal requirement)
Technical/security logs	12 months
Data after account deletion	Permanently deleted within 30 days

6. Who We Share Data With

We share data only with the following sub-processors, all of whom are bound by data processing agreements:

Sub-Processor	Purpose	Location
Supabase Inc.	Database hosting and authentication	EU (Ireland)
Anthropic PBC	AI-powered patient communication analysis	United States
Meta Platforms Inc.	WhatsApp Business API and Instagram DM integration	United States / EU
Stripe Inc.	Payment processing	United States / EU
Vercel Inc.	Application hosting and serverless functions	United States / EU

We never sell personal data. We never share patient data with third parties for marketing purposes.

7. International Data Transfers

Primary data storage is in the EU (Supabase, Ireland). Where data is transferred internationally:

• EU to UK: Covered by EU adequacy decision for the UK
• EU to US: Covered by EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs)
• To Turkey: Covered by SCCs and KVKK Board-approved transfer mechanisms
• To UAE: Covered by SCCs and contractual safeguards under UAE PDPL
• To Saudi Arabia: Covered by SCCs and contractual safeguards under Saudi PDPL

8. Your Rights

Under UK GDPR and EU GDPR

You have the right to: access your data, rectify inaccuracies, erase your data, restrict processing, data portability, object to processing, not be subject to automated decision-making, and withdraw consent.

Under KVKK (Turkey)

You have the right to: learn whether your data is processed, request information about processing, learn the purpose, know third-party recipients, request correction, request deletion, object to automated decisions, and claim damages.

Under UAE PDPL

You have the right to: access your data, correct inaccuracies, request deletion, withdraw consent, and restrict processing.

Under Saudi PDPL

You have the right to: be informed about processing, access your data, request correction, request deletion, withdraw consent, and obtain a copy in a machine-readable format.

9. How to Exercise Your Rights

Contact us at privacy@medflowai.io. We will respond within 30 days (or shorter if required by your local law). Clinic owners can exercise patient data rights directly from the MedFlow dashboard under Settings → Data & Privacy.

10. Cookies

We use only essential cookies for session management. We do not use advertising or tracking cookies. See our Cookie Policy for full details.

11. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes via email and in-app notification at least 30 days before they take effect.

12. Governing Law

This policy is governed by the laws of England and Wales. We also comply with applicable data protection laws in Turkey (KVKK), UAE (Federal Decree-Law No. 45/2021), Saudi Arabia (PDPL), and the EU (GDPR).

13. Contact

MedFlow Ltd
Email: privacy@medflowai.io
Website: medflowai.io