Privacy Policy

Last updated: April 2026

Clinitraq, Inc. ("Clinitraq," "we," "us," or "our") provides an AI-driven operating system for medical and dental practices. This Privacy Policy describes how we collect, use, disclose, and protect information in connection with our website (clinitraq.ai), our marketing communications, and our software platform (collectively, the "Services"). This policy is intended to satisfy applicable U.S. and EU/UK privacy laws — including HIPAA, the California Consumer Privacy Act (CCPA/CPRA), and the General Data Protection Regulation (GDPR).

1. Scope and Roles

Clinitraq operates in two distinct capacities. When we collect information about prospective customers and website visitors, we act as a data controller for that information. When we process Protected Health Information (PHI) on behalf of a contracted medical or dental practice, we act as a Business Associate under HIPAA and as a data processor under GDPR — and our handling of that PHI is governed by the Business Associate Agreement (BAA) and Data Processing Addendum (DPA) executed with each customer.

2. Information We Collect

Information you provide directly

• Contact information (name, email, phone) submitted through demo requests, signup forms, or sales inquiries
• Practice information (practice name, type, number of locations, current EMR/PMS)
• Account information for users of the Clinitraq.ai platform (login credentials, role, organizational context)
• Communications you send us, including support requests and feedback

Information collected automatically

• Log data (IP address, browser type, device identifiers, pages visited, timestamps)
• Usage data within the Services (features accessed, configuration choices, performance telemetry)
• Cookies and similar technologies, as described below

Information processed on behalf of customers

When operating the Clinitraq.ai platform for a contracted practice, we may process patient-related information including call recordings, transcripts, scheduling data, eligibility responses, and other operational data needed to perform Services. This information is processed under the BAA/DPA and is governed by the customer's own privacy practices, not this Policy.

3. How We Use Information

• To provide, operate, and improve the Services
• To respond to demo requests, sales inquiries, and support tickets
• To send transactional and operational communications (account notices, security alerts, billing)
• To send marketing communications, where permitted by law and subject to your right to opt out
• To monitor for fraud, abuse, and security incidents
• To comply with legal obligations and enforce our agreements

4. Legal Bases (GDPR)

Where GDPR applies, we process personal data on the following legal bases: (i) consent — where you have given consent for a specific purpose; (ii) contract — where processing is necessary to perform a contract with you; (iii) legitimate interests — for our business operations, security, and product improvement, balanced against your rights; and (iv) legal obligation — where required by applicable law.

5. How We Share Information

We do not sell personal information. We share information only as described below:

• Vendor partners and subprocessors: Synergetics.ai (voice agent infrastructure), Astra (call intelligence), GoHighLevel (CRM), NexHealth (EMR/payer gateway), and infrastructure providers (cloud hosting, observability, security tooling). All subprocessors are contractually bound to confidentiality and security commitments at least as protective as ours.
• Customers: If you are an end-user of a practice that uses Clinitraq.ai, your information may be shared with that practice in connection with the Services.
• Legal & safety: When required by law, subpoena, or court order, or where we believe disclosure is necessary to protect rights, safety, or property.
• Business transfers: In connection with a merger, acquisition, or sale of assets, subject to standard confidentiality protections.

6. Cookies and Tracking

We use first-party cookies and similar technologies to operate the website, remember preferences, and measure marketing performance. We use a limited set of analytics tools (such as privacy-respecting page-view counters) to understand site traffic. We do not use third-party advertising trackers on our marketing site. You can control cookies through your browser settings; disabling cookies may affect site functionality.

7. Data Retention

We retain personal information only as long as necessary to fulfill the purposes outlined in this Policy, comply with our legal obligations, resolve disputes, and enforce our agreements. Marketing inquiry data is retained for up to 24 months from last contact unless you request earlier deletion. Customer data within the platform is retained per the term defined in the customer's MSA and BAA/DPA.

8. Your Rights

Depending on your jurisdiction, you may have the right to: access the personal information we hold about you; correct inaccurate information; request deletion ("right to be forgotten"); restrict or object to certain processing; receive a copy of your data in a portable format; and withdraw consent where processing is based on consent. To exercise any of these rights, email privacy@clinitraq.ai. We will respond within the timeframes required by applicable law (generally 30 days under GDPR, 45 days under CCPA).

9. Security

We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, or destruction. Our practices include encryption in transit and at rest, access controls and least-privilege provisioning, regular vulnerability assessments, audit logging, and a documented incident response process. Our vendor stack has been reviewed under our security posture, and our PHI-handling components operate under HIPAA / SOC 2 / GDPR-aligned controls.

10. International Transfers

Clinitraq.ai is operated from the United States. If you access the Services from outside the U.S., your information may be transferred to and processed in the U.S. or other countries where our subprocessors operate. Where required by law, we use appropriate safeguards — including Standard Contractual Clauses (SCCs) — for cross-border transfers of EU/UK personal data.

11. Children's Privacy

Our Services are not directed to children under 13. We do not knowingly collect personal information from children under 13 through our marketing site. If we learn we have collected such information, we will delete it. Pediatric medical or dental records processed on behalf of a contracted practice are handled exclusively under the BAA between Clinitraq and that practice.

12. Changes to this Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page and, for material changes, provide notice through the Services or by email. Your continued use of the Services after the effective date of any update constitutes acceptance of the revised Policy.

13. Contact Us

For questions about this Privacy Policy or our data practices, please contact us at:

Clinitraq, Inc.
Attn: Privacy
privacy@clinitraq.ai

For HIPAA-related inquiries from contracted practices, please contact compliance@clinitraq.ai.