
Privacy Policy

Last updated: 5 June 2026

Plain-English summary: This policy covers how ClinicPage handles personal data of clinic owners and prospects who visit clinicpage.online, fill out our growth-plan form, or become customers. It does not cover how your clinic's own website handles patient data — that is governed separately by your clinic's privacy policy and (where applicable) a Data Processing Agreement between us.

This Privacy Policy describes how ClinicPage ("we", "us", "our") collects, uses, discloses, retains, and protects personal data when you interact with clinicpage.online, contact us, or use our services. We are headquartered in Kerala, India, and serve clients globally.

1. Who This Policy Applies To

This policy applies to: (a) visitors to clinicpage.online; (b) clinic owners and prospects who submit our growth-plan form, email us, or contact us via WhatsApp; (c) current and former clients with whom we have a service agreement.

It does not apply to the websites we build for our clients. Each clinic site we build has its own privacy policy describing how that clinic handles its patients' data. Where we process patient data on a clinic's behalf as part of operating their site, we do so as the clinic's processor under a Data Processing Agreement (see Section 9).

2. Information We Collect

2.1 Information you provide directly

When you fill out the growth-plan form, message us, or become a client, we collect:

  • Name and clinic name
  • Email address
  • Phone number / WhatsApp number
  • City and country (where provided)
  • Current website URL (where provided)
  • Any other information you choose to share in free-text fields, voice notes, or attachments

For clients, we additionally collect: domain registration details (where we register on your behalf), the contents of your Google Sheet CMS (which you control), and billing information processed via our payment provider.

2.2 Information collected automatically when you visit clinicpage.online

If you accept analytics cookies via our consent banner, Google Analytics 4 (GA4) collects:

  • IP address (truncated by Google before analysis)
  • Approximate location derived from IP (country and city only)
  • Device type, browser, screen size, operating system
  • Pages visited, time on page, navigation paths, scroll depth, sections viewed
  • Referring source (search engine, social link, direct, etc.)
  • User interactions tracked as events (CTA clicks, WhatsApp clicks, phone clicks, form submissions, FAQ expansions, doctor selections)

If you decline or have not yet accepted analytics cookies, no GA4 tracking takes place. Our consent script (consent.js) loads the GA4 tag only after explicit consent — there are no cookieless "Consent Mode" pings.

2.3 Cookies

We use two categories of cookies:

  • Strictly Necessary — required for site functionality and to remember your cookie consent choice. These cannot be disabled.
  • Analytics — set by Google Analytics 4. Loaded only after your explicit consent. Used to understand site usage and improve our marketing.

You can change your cookie preferences at any time by clicking "Cookie Settings" in the footer.

3. Why We Use Your Information (Purposes and Legal Bases)

We process personal data for the following purposes and on the following legal bases (the legal basis terminology is most relevant to visitors in the EU/UK; other jurisdictions have functionally equivalent concepts):

  • Respond to your inquiry and provide your free growth plan — basis: steps to enter into a contract at your request / legitimate interest.
  • Perform our services if you become a client — basis: performance of contract.
  • Send service emails (delivery, support, renewal, security) — basis: performance of contract / legitimate interest.
  • Send occasional non-essential marketing emails about ClinicPage updates — basis: your consent (we ask before adding you, and every email has an unsubscribe link).
  • Operate, secure, and improve clinicpage.online — basis: legitimate interest (your interest in a functioning site we operate).
  • Analytics via GA4 — basis: your consent.
  • Comply with legal obligations (tax, accounting, regulatory) — basis: legal obligation.
  • Defend or assert legal claims — basis: legitimate interest.

We do not use your information for automated decision-making that produces legal or similarly significant effects. We do not engage in profiling for behavioral advertising.

4. How We Share Your Information

We do not sell or rent your personal information. We do not share your personal information for cross-context behavioral advertising. We share information only as described below.

4.1 Service providers (subprocessors)

We use the following third-party providers to operate our service. Each is bound by its own privacy policy. A maintained, dated list lives at /subprocessors:

  • Hosting: Netlify Inc. (US) and/or Cloudflare Inc. (US). Netlify Privacy · Cloudflare Privacy
  • Form delivery: Netlify Forms — handles your growth-plan form submission.
  • Image delivery: Cloudinary Ltd. (Israel/US). Cloudinary Privacy
  • CMS and content storage: Google Workspace (Google Sheets, Google Apps Script, Gmail). Google Ireland Ltd / Google LLC. Google Privacy
  • Analytics: Google Analytics 4 — only after explicit consent. Google Privacy
  • Optional scheduling: Cal.com Inc. and/or Calendly LLC — only loaded when you use the booking buttons. Cal.com · Calendly
  • Patient reviews widget: SociableKit — embedded on clinic sites only, not on clinicpage.online. SociableKit
  • Payment processing: To be confirmed at launch (likely Stripe and/or Razorpay). Their privacy policy will govern card-data handling.
  • WhatsApp: Meta Platforms Inc. — only if you click a WhatsApp link to contact us; we do not transmit your data to Meta until you do so. WhatsApp

We may add or change subprocessors with reasonable notice via the Subprocessor List page. Where you are a client and a change materially affects how we process your patient data on your behalf, we will additionally email your designated contact at least 10 days before the change.

4.2 Legal disclosures

We may disclose your information if required by valid legal process, court order, or government request that we reasonably believe is lawful. We may also disclose information to protect our rights, your safety, or the safety of others, or to investigate fraud or breaches of our Terms.

4.3 Business transfers

If ClinicPage is acquired, merges, or sells substantially all of its assets, your information may be transferred to the successor entity, subject to this Privacy Policy.

5. International Data Transfers

We are based in India. Our service providers operate facilities in the United States, the European Union, and elsewhere. When personal data is transferred outside your country of residence, we rely on the following safeguards as applicable:

  • EU/UK to India transfers: EU Standard Contractual Clauses (2021 SCCs, Module 2 for Controller-to-Processor) and, for UK data subjects, the UK International Data Transfer Addendum to the EU SCCs.
  • EU/UK to US transfers (via our US subprocessors): The EU-US Data Privacy Framework where the provider is certified, plus SCCs as a backup.
  • India outbound transfers: India's Digital Personal Data Protection Act 2023 (with 2025 Rules) currently uses a "negative list" approach; no destination countries are restricted at this time.
  • Other jurisdictions: Equivalent contractual safeguards where required.

You can request a copy of the cross-border safeguards by contacting us (Section 11).

6. Your Privacy Rights

6.1 Rights under EU/UK GDPR (and Switzerland)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights:

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — request correction of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — to processing based on legitimate interest, and to direct marketing at any time
  • Right to withdraw consent — at any time, without affecting the lawfulness of prior processing
  • Right to lodge a complaint with your local data protection authority

6.2 Rights under CCPA / CPRA (California residents)

Note: California's previous B2B exemption expired on January 1, 2023. Even if you contact us in your capacity as a clinic owner or business decision-maker, you have CCPA/CPRA rights:

  • Right to know what categories of personal information we collect, the purposes, and the categories of third parties we share with
  • Right to access the specific pieces of personal information we hold about you
  • Right to delete personal information, subject to lawful exceptions
  • Right to correct inaccurate personal information
  • Right to opt out of sale or sharing for cross-context behavioral advertising — note that we do not sell or share personal information for cross-context behavioral advertising; no opt-out is required because no such processing occurs
  • Right to limit use of sensitive personal information — we do not use sensitive personal information for the inferred-characteristics purposes that trigger this right
  • Right to non-discrimination for exercising any of these rights

6.3 Rights under India's DPDP Act 2023

If you are in India, you have the right to access, correct, complete, update, and erase your personal data, the right to nominate another person to exercise rights on your behalf in case of death or incapacity, and the right to a grievance redressal mechanism.

6.4 Rights under PIPEDA (Canada), Privacy Act 1988 (Australia), Saudi PDPL, UAE PDPL

If you reside in Canada, Australia, Saudi Arabia, or the UAE, you have equivalent rights of access, correction, deletion, and to lodge a complaint with your local regulator, in accordance with applicable law.

6.5 How to exercise your rights

Email us at the contact below (Section 11). We will acknowledge within 7 days and respond substantively within 30 days (or 45 days for CCPA, with possible 45-day extensions where allowed). We may verify your identity before processing requests to protect your data from unauthorized access. If we decline a request, we will explain why and how to escalate.

7. Data Retention

We retain personal data only as long as needed for the purpose collected, plus any periods required by law (tax, accounting, dispute resolution). Typical retention windows:

  • Growth-plan form inquiries (non-clients): up to 24 months from last contact, then deleted
  • Client account and billing data: duration of relationship + 7 years (tax/audit requirement)
  • Client Google Sheet content: while you are a client + 30 days post-termination, then deleted
  • GA4 analytics data: 14 months (the GA4 default we configure)
  • Email correspondence: 36 months from last reply

8. Data Security

We use commercially reasonable administrative, technical, and organizational measures to protect your data, including encrypted connections (HTTPS), access controls, reputable third-party processors, two-factor authentication on operator accounts, and the principle of least privilege. However, no internet transmission or electronic storage is 100% secure, and we cannot guarantee absolute security. In the event of a data breach affecting your personal data, we will notify you and the relevant regulator(s) in accordance with applicable law.

9. Special Note: When You Become a Client (Controller-Processor)

When you sign up as a client and begin using our service to operate your clinic's website and collect patient inquiries, your relationship with patient personal data is different from your relationship with us about your own data:

  • You are the data controller for patient personal data collected through your clinic's site (lead form submissions, WhatsApp inquiries, etc.). Your clinic's site has its own privacy policy describing this.
  • We are your data processor for that patient data — we operate the infrastructure that captures and stores it, but you decide why and how it's processed.
  • A Data Processing Agreement (DPA) incorporating GDPR Article 28, EU SCCs (Module 2), the UK International Data Transfer Addendum, and equivalent provisions for other jurisdictions, is available on request and is required for clients with EU, UK, or Saudi data subjects.
  • HIPAA: We are not a Business Associate, do not sign BAAs, and the service is not configured for Protected Health Information. See Section 13 of our Terms of Service.

10. Children's Privacy

Our services are directed at adult business decision-makers (clinic owners, practice managers). We do not knowingly collect personal data from children under 16. If you believe a child has submitted personal data to us, contact us so we can delete it.

11. Contact and Grievance Officer

For privacy questions, to exercise your rights, or to raise a grievance:

  • ClinicPage
  • c/o Muhammed Muneer (Grievance Officer for DPDP Act purposes)
  • Kochi, Kerala, India

If you are in the EU, UK, or other GDPR-aligned jurisdiction and are not satisfied with our response, you have the right to complain to your local data protection authority.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes — for example, a change to how we use your data, or addition of a new processor that handles your data — will be communicated by email (for clients and subscribers) and by prominent notice on this page. Continued use of the service after the effective date constitutes acceptance.

© 2026 ClinicPage · A project by Muneer · Serving clinics across India
