Privacy Policy

1. Who we are

ExperClinic is operated by Mark Guirgis, a sole proprietor based in Ontario, Canada ("ExperClinic," "we," "us," "our"). For the purposes of data protection law, we are the data controller for information about you as a customer (your practice account, billing details, and how you use the Service). We are the data processor for patient information you enter into the platform — you are the controller of that data.

You can reach our privacy inbox at [email protected].

2. What this policy covers

This Privacy Policy describes how we collect, use, share, and protect personal information when you use the ExperClinic website, sign up for an account, and use the Service. It applies to you if you are:

• A practice owner, manager, or staff member who creates or uses an ExperClinic account ("you" / "customer");
• A patient of an ExperClinic customer whose information has been entered into the platform ("patient");
• A visitor to our marketing site at experclinic.com.

3. Information we collect

From you when you sign up and use the Service

• Your practice name, email address, phone number, practice type, and the Google Maps URL of your practice.
• Your practice hours, time zone, and the names and titles of practitioners in your practice.
• Account credentials (your password, stored hashed — never in readable form).
• Billing details through Stripe. Your card number and CVV never touch our servers; Stripe handles payment processing. We receive only a reference ID, subscription status, and billing history.
• Messages you send to us via the Help / Contact Support form, including any files you attach.
• Usage data: what features you use, when you log in, approximate location (from IP), browser and device type, the tab you were last on, and other technical information needed to run the Service.

Patient information you enter or upload

• Patient first and last names, phone numbers, and (if provided) email addresses.
• Appointment details: date, time, practitioner, duration, notes, and status.
• Feedback responses submitted by patients through our feedback form, including which channel they chose (public review or private feedback) and any free-text comment they wrote.
• The content of SMS messages sent between you and patients through the platform.
• Patient opt-out flags (e.g. if a patient has asked not to be contacted).

Automatically from your device

• Your IP address, browser type, operating system, and the pages you visit on our site.
• One essential session cookie that keeps you logged in. See our Cookie Policy for details.

4. Why we collect it and the lawful basis

We use your information to:

• Provide the Service: create your account, send SMS to your patients on your behalf, store their responses, show you your dashboard, and run analytics. Lawful basis: performance of our contract with you (Terms of Service).
• Bill you: process subscription payments. Lawful basis: contract.
• Communicate with you: send account-related email (verification, password reset, trial countdowns, payment issues, help-desk replies). Lawful basis: contract + legitimate interest in keeping you informed.
• Improve and secure the Service: look at anonymized usage patterns, detect abuse, prevent fraud. Lawful basis: legitimate interest in a safe, functional product.
• Comply with law: respond to valid legal requests, enforce our Terms. Lawful basis: legal obligation / legitimate interest.

5. Who we share information with

We share the minimum necessary with the service providers ("sub-processors") that help us run ExperClinic. None of them sell the data, and all are bound by contract to process it only on our instructions.

• Twilio (United States) — SMS delivery and receiving. Processes your patients' phone numbers and the content of messages you send.
• Resend (United States) — Transactional email delivery (welcome, verification, password reset, alerts).
• Stripe (United States, Canada) — Payment processing for subscriptions. Processes your billing details.
• Google Places API (United States) — Looks up your practice's business hours and timezone when you link a Google Maps URL. Only your place ID is sent.
• Railway (United States) — Application hosting and database. Processes all of your practice and patient data at rest.
• Cloudflare (United States, global edge network) — DNS, security, and email routing. May briefly handle unencrypted traffic at the edge before it reaches our servers.

We do not share your data with advertisers. We do not run third-party analytics or tracking pixels. We do not sell your data.

We may share information in limited circumstances: if required by valid legal process (court order, search warrant, subpoena); to protect our rights, our property, or the safety of our users or the public; or in connection with a business sale or merger (in which case we will notify you and give you a chance to delete your account first).

6. International data transfers

Because we use service providers headquartered in the United States and elsewhere, your data — and your patients' data — will be transferred out of Canada (or your country of residence) in the course of being processed. When we transfer personal data out of the European Economic Area, the United Kingdom, or Canada, we rely on appropriate safeguards:

• Standard Contractual Clauses (SCCs) approved by the European Commission;
• Processor contracts that require equivalent protection regardless of location;
• Where applicable, your explicit consent.

You can review our sub-processor list and the safeguards in our Data Processing Addendum.

7. How long we keep information

• Active accounts: as long as your ExperClinic account is open.
• After cancellation: within 90 days we will delete your account data, except where we are required to retain specific records for tax, audit, or legal-compliance reasons.
• SMS and message logs: retained for the life of the account so you have access to your conversation history. After account deletion, these are removed.
• Billing records: retained for up to 7 years to comply with Canadian tax law.
• Aggregated or anonymized data: may be retained indefinitely for product analytics. It does not identify you.

8. How we protect information

• All traffic between your browser and our servers is encrypted (HTTPS with modern TLS).
• Passwords are stored as salted bcrypt hashes — we cannot read them.
• Sessions use secure, HTTP-only cookies. Expired sessions are invalidated.
• Rate limits and abuse-detection logic run on sensitive endpoints (signup, login, password reset, support form).
• Our database runs on a managed PostgreSQL service with daily backups. Backups themselves are encrypted.
• Access to production systems is restricted to Mark Guirgis.

No system is perfectly secure. If we discover a data breach that affects your information, we will notify you without undue delay and in any case within 72 hours, in accordance with GDPR, PIPEDA, and equivalent laws.

9. Your rights

Depending on where you live, you have various rights regarding your personal information. Regardless of your location, we will honor the following:

• Access: ask us what information we have about you.
• Correction: ask us to fix inaccurate information. Most of this you can do yourself from your dashboard Settings.
• Deletion: ask us to delete your account and data.
• Portability: ask us to export your practice data in a machine-readable format (CSV).
• Objection / withdrawal of consent: tell us to stop processing your data for specific purposes.

To exercise any of these rights, email [email protected]. We aim to respond within 30 days.

If you are in Canada (PIPEDA)

You can also file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca or with your provincial privacy regulator.

If you are in the European Economic Area or United Kingdom (GDPR / UK GDPR)

You have the rights above plus the right to lodge a complaint with your local data protection authority. We do not currently have an EU representative; if you are in the EEA and wish to contact us, use [email protected].

If you are in California (CCPA / CPRA)

You have the right to know what personal information we have, to request its deletion, to correct it, and to opt out of any "sale" or "share" of your information (we don't sell or share in the CCPA sense). We do not offer financial incentives for your data, and we will not discriminate against you for exercising your rights.

10. Children

ExperClinic is a business platform for healthcare practices. It is not designed for or directed at children under 13 (or under 16 in the EEA). If you believe we have inadvertently collected information from a child, contact us and we will delete it.

Some of your patients may be minors. Patient phone numbers and appointment details are handled under the same safeguards as adult patients; you as the practice are responsible for having the necessary consent (from a parent or guardian where applicable) before using SMS with a minor.

11. Cookies

We use one essential session cookie to keep you logged in. We do not use advertising, analytics, or third-party tracking cookies. Our full Cookie Policy has the details.

12. Changes to this policy

We may update this Privacy Policy from time to time. If we make a material change, we will email you before it takes effect. The "Last updated" date at the top of this page always reflects the current version.

13. Privacy officer and contact

ExperClinic's privacy officer can be reached at [email protected] for questions about how we handle your data, to request access to your personal information, to request correction or deletion of your information, or to file a privacy complaint. The privacy officer is responsible for responding to Data Subject requests, coordinating breach notification, and overseeing ExperClinic's privacy compliance program.

For general questions about the Service, contact [email protected]. For billing, [email protected]. For anything else, [email protected].