Privacy Policy

This policy explains how Qlynic collects, uses, and protects information related to clinics, staff, and patients. We do not sell Personal Data.

Last updated: 2026-02-09 | Security focused | Applies globally

Scope & Definitions

This policy covers all services hosted under domains operated by Qlynic. “Clinic Data” means administrative, scheduling, provider, and operational information. “Patient Data” means information entered to manage appointments and related communications.

  • “Provider” — individual offering clinical services.
  • “Appointment Metadata” — time, duration, status.
  • “Transactional Email” — confirmations, reminders, receipts.
  • “PHI / Sensitive Data” — minimal contact & scheduling; no diagnostic records by default.

Information We Collect

Data You Provide
  • Account registration (name, email, password hash).
  • Clinic profile (timezone, address, optional logos).
  • Provider roster & availability.
  • Patient booking details (name, email, chosen slot).
  • Support or feedback submissions.
Data We Generate
  • Booking activity logs (timestamps, action type).
  • Email delivery metadata (sent, bounced).
  • Aggregated analytics (volume, utilization).
  • Fraud / abuse signals (rate limiting).
Collected Automatically
  • IP address (security & anti‑abuse).
  • User agent & device traits.
  • Session tokens (secure, HttpOnly).
  • Minimal cookies (auth / CSRF).
Not Collected By Default
  • Payment card numbers (processed via Stripe).
  • Diagnostic notes / full medical records.
  • Government IDs.
  • Biometric templates.
No selling
We do not sell Personal Data. We use information to run and secure the platform.

How We Use Information

Platform Operations

Scheduling, provider management, reminders, receipts, and system notifications.

Security

Monitoring for abusive patterns, rate limiting, and protecting accounts.

Improvements

Aggregated, de‑identified metrics to tune performance and UX.

Compliance

Meeting tax, accounting, and regulatory obligations (limited scope).

Retention

We retain Personal Data only as long as required for its processing purpose or legal obligations.

  • Account & Clinic Data: Kept while account is active + short grace period unless deletion is requested sooner.
  • Booking Logs: Core audit entries retained for fraud/security, then may be aggregated.
  • Email Events: Delivery metadata purged or anonymized after defined windows.
  • Backups: Encrypted rolling backups on short rotation then expired.

Security Measures

Technical Controls
  • TLS 1.2+ enforced.
  • Password hashing with modern algorithm.
  • Role‑based access segregation.
  • Least‑privilege database roles.
  • Encrypted backups.
Operational Processes
  • Change review & deployment automation.
  • Audit logging (security events).
  • Limited staff access (need‑to‑know).
  • Periodic vulnerability patching.

While no system can guarantee absolute security, we apply layered controls to minimize risk.

International Data Transfers

Data may be processed in jurisdictions where we or our sub‑processors maintain infrastructure. When transferring Personal Data internationally we rely on appropriate safeguards (e.g. Standard Contractual Clauses or equivalent protections).

Patient / Health Data

Qlynic is designed for scheduling & communication—not for full medical records. Clinics should avoid storing diagnostic or extensive health details within free‑text fields.

Children

The platform is not directed to children under 13 (or under the age required by local law for consent). Clinics remain responsible for obtaining any parental/guardian consent where necessary.

Cookies & Tracking

  • Essential: Session authentication, CSRF tokens.
  • Preference: (Optional) locale selection.
  • Analytics: Aggregated performance metrics (no cross‑site tracking).

You can control cookies via browser settings; disabling essential cookies may break sign‑in.

Sub‑processors

We engage specialized providers to deliver parts of the service.

Provider | Purpose | Region | Notes
Stripe | Payment processing | Global / regional routing | Handles card data; we never store card numbers.
Email service | Transactional emails | Regional endpoints | Delivery & minimal event metadata.
Cloud infrastructure | Hosting / DB | Primary + backup regions | Encrypted storage & backups.

Updates
We will update this list when material additions occur.

Your Rights

Global
  • Access your data
  • Request correction
  • Request deletion (subject to legal limits)
  • Portability (structured export)
  • Object or restrict certain processing
Regional Enhancements
  • GDPR / UK: Right to complain to supervisory authority.
  • CCPA / CPRA: Right to know, delete, non‑discrimination.
  • PIPEDA: Right to access and challenge accuracy.

Data Subject Requests

Email support@qlynic.com from the address associated with your account. We may request limited verification.

  • Access / copy: Typically within 30 days.
  • Correction / deletion: Usually within 30 days (backup cycle may apply).
  • Objection / restriction: Evaluated case‑by‑case; we will confirm outcome.

Changes to This Policy

We may update this Privacy Policy for technical, legal, or business reasons. Material changes will be announced. Continued use after the effective date indicates acceptance.

Contact Us

For privacy inquiries or rights requests:

Entity: Qlynic by Gorilla Core LLC
Address: 225 11 AVE SE, Calgary, Alberta Canada, (T2G0G3)

© 2026 Qlynic