Legal

Privacy policy

Last updated: 9 March 2026

1. Who we are

Clinic Prep is operated from New Zealand. We provide an AI-powered clinical briefing system for healthcare clinicians. Contact us at [email protected].

2. What data we collect

  • Clinic information: name, timezone, and settings.
  • User accounts: name and email of clinic administrators.
  • PMS credentials: encrypted at rest, never stored in plaintext.
  • Patient appointment data: processed transiently to generate briefings. Raw patient data is not stored.

3. How patient data is processed

Identifiable patient data never reaches the AI model. Our pipeline works as follows:

  1. De-identification. Patient records are stripped of names, dates of birth, contact details, and identifiers.
  2. AI summarisation. De-identified notes are sent to our AI provider, which operates zero-day data retention and does not use API data for model training. Processing takes place on US-based infrastructure.
  3. Re-identification. The summary is re-associated with the patient's identity locally on our infrastructure.
  4. Delivery. The briefing is delivered to the clinician. Only the AI-generated summary is stored temporarily for delivery.

4. Data retention and deletion

Patient summaries and audit logs are automatically purged after 24 hours. Clinic and user data is retained while your account is active. You can request deletion of all your data at any time by emailing [email protected] or by deleting your account in the app settings.

5. Third-party services

We use trusted third-party providers for AI processing (de-identified data only), payment processing, email delivery, DNS and security, and optional messaging delivery. These providers are selected for their security practices and appropriate data handling. AI processing takes place on US-based infrastructure, but only de-identified data is sent.

We do not sell or share your data with third parties for marketing purposes.

6. Cookies

We use functional session cookies only (login and CSRF protection). We do not use tracking cookies, advertising pixels, or third-party analytics cookies.

7. Privacy legislation

We comply with the New Zealand Privacy Act 2020 and the Health Information Privacy Code 2020 (HIPC). For Australian customers, we also comply with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). Our de-identification approach ensures no identifiable health information is sent to third-party services.

8. Your rights

You have the right to access, correct, or delete the personal information we hold about you. You can also lodge a complaint with the NZ Privacy Commissioner or the Australian Information Commissioner. Email [email protected] to exercise any of these rights.

9. Security

We use encryption in transit (TLS) and at rest for sensitive data. PMS credentials are encrypted and only decrypted at the point of use. Access is restricted to authorised systems, and briefing generation is audit-logged.

10. Changes and contact

We may update this policy from time to time. Material changes will be notified via email. For any questions about this policy or your data, contact [email protected].