This Privacy Notice explains how Divan Group ("ClinicPro", "we", "us") collects, uses, shares, and protects personal data when you use the ClinicPro platform and websites (the "Service"). For the personal data you provide as a user of the Service, Divan Group acts as the data controller.
Where you use ClinicPro to manage your own clinic's clients, you are the controller of your clients' data and we act as a processor on your behalf.
1. Personal Data We Collect
- Account data: name, email, password (hashed), clinic name, role, phone number.
- Clinic content: services, staff, schedules, inventory, marketing campaigns, and other operational data you create in the Service.
- Client records (processor): client name, contact details, appointment history, notes, consent forms, and other records your clinic uploads.
- Support communications: messages, attachments, and metadata when you contact us.
- Usage and telemetry: pages visited, features used, performance and error logs.
- Device and connection data: IP address, browser type, operating system, device identifiers, and timestamps.
Payment-card details are collected and processed directly by our Merchant of Record, Paddle, and are never stored on our servers.
2. How We Use Personal Data
- Provide the Service — create accounts, authenticate users, deliver features (contract performance).
- Customer support — respond to questions, troubleshoot issues (legitimate interests).
- Security & fraud prevention — monitor for unauthorized access and abuse (legitimate interests, legal obligation).
- Product improvement — analyze aggregated usage to improve features and reliability (legitimate interests).
- Billing & tax — facilitate payments and meet tax obligations through Paddle (contract performance, legal obligation).
- Communications — send transactional emails (e.g. receipts, security alerts). Marketing emails are sent only with your consent and you can opt out at any time.
- Legal compliance — comply with applicable laws and respond to lawful requests (legal obligation).
3. Legal Bases (UK/EEA Users)
We rely on the following legal bases under GDPR/UK GDPR:
- Performance of a contract — to provide the Service you've subscribed to.
- Legitimate interests — for security, analytics, and product improvement, balanced against your rights.
- Consent — for marketing communications and non-essential cookies; you can withdraw at any time.
- Legal obligation — to comply with tax, accounting, and legal requirements.
4. Sharing Personal Data
We share personal data only with:
- Service providers / sub-processors — cloud hosting, database, email delivery, error monitoring, customer support, and analytics providers, all under confidentiality and data-protection terms.
- Paddle.com, our Merchant of Record — for sale of the product, subscription management, payment processing, tax compliance, invoicing, and refunds.
- Professional advisers — legal, accounting, and audit professionals when reasonably necessary.
- Authorities — when required by law, court order, or to protect our rights, safety, or that of others.
- Successors — in connection with a merger, acquisition, or sale of assets, subject to equivalent privacy commitments.
We do not sell personal data.
5. International Transfers
Your data may be processed in countries outside your country of residence, including Canada, the United States, and the European Union. Where we transfer personal data from the UK or EEA to a country without an adequacy decision, we rely on appropriate safeguards such as Standard Contractual Clauses.
6. Data Retention
We retain personal data only for as long as necessary to provide the Service, comply with our legal obligations (such as tax and accounting), resolve disputes, and enforce our agreements. Account data is typically retained for the life of your account plus a 90-day grace period after closure, after which it is deleted or anonymised. Backups follow our standard rotation schedule, so data deleted from the Service also ages out of backup copies on that same timeline.
7. Your Rights
Subject to applicable law, you may have the following rights with respect to your personal data:
- Access — request a copy of personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion in certain circumstances.
- Restriction — limit how we process your data in certain situations.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests or for direct marketing.
- Withdraw consent — where processing is based on consent.
- Complaint — lodge a complaint with your local supervisory authority.
To exercise any of these rights, email us at privacy@clinicpro.io. We will respond within one month, as required by GDPR.
8. Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS) and at rest, role-based access controls, audit logging, regular security reviews, and employee training. No system can be guaranteed 100% secure, but we work continuously to safeguard your information.
9. Cookies
We use cookies and similar technologies for the following purposes:
- Essential — required for authentication, session management, and core functionality. These cannot be disabled.
- Analytics — help us understand how the Service is used so we can improve it. Set only with your consent.
- Marketing — used for advertising and campaign measurement. Set only with your consent.
You can manage cookie preferences in your browser settings or, where available, through our in-app cookie controls.
10. Children
ClinicPro is not directed to children under 16. We do not knowingly collect personal data from children. If you believe we have collected such data, contact us and we will delete it.
11. Changes to This Notice
We may update this Privacy Notice from time to time. Material changes will be communicated by email or in-app notice. The "Last updated" date at the top of this page reflects the latest revision.
12. Contact
Divan Group · Toronto, Canada
Email: privacy@clinicpro.io