GDPR Compliance

ClinicsSaaS is fully compliant with the General Data Protection Regulation (GDPR) and respects data subject rights.

Our GDPR Compliance Framework

Lawful Basis for Processing

We process data only with explicit consent or based on contractual necessity for service delivery.

Data Subject Rights

Users can access, rectify, erase, restrict, or port their data at any time.

Data Protection by Design

Privacy and security are integrated into all our development and operations processes.

Data Processing Agreements

We maintain signed Data Processing Agreements (DPAs) with all data processors and sub-processors.

Your Data Subject Rights (Articles 12-23)

Right to Access

Request a copy of all personal data we hold about you in a structured, machine-readable format.

Right to Rectification

Correct or update any inaccurate or incomplete personal data.

Right to Erasure

Request deletion of your data (subject to legal retention requirements).

Right to Restrict Processing

Limit how we use your data in certain circumstances.

Right to Data Portability

Receive your data in a portable, machine-readable format and transfer it to another service provider.

Right to Object

Opt out of marketing communications and certain types of processing at any time.

Our Data Processing

Legal Basis: We process data based on: (1) explicit user consent, (2) contractual necessity for service delivery, (3) compliance with legal obligations (healthcare regulations).

Processing Duration: Data is retained for the duration of service subscription plus 12 months afterward, unless longer retention is required by law.

International Transfers: Transfers to non-EU countries (e.g., USA) are protected by Standard Contractual Clauses (SCCs) or other adequate safeguards approved by GDPR.

Data Processors: Sub-processors include cloud hosting providers (AWS), analytics services (Google), and payment processors (Stripe) - all with signed Data Processing Agreements.

Data Subject Request Procedures

For Data Subject Access Requests

  1. Submit request to [email protected] with proof of identity
  2. We verify the request within 3 business days
  3. Data is compiled and encrypted for secure delivery
  4. Provided within 30 days (up to 60 days for complex requests)

For Data Deletion Requests

  1. Submit erasure request via account settings or email
  2. Review request for legal/contractual hold requirements
  3. Delete data from active systems within 30 days
  4. Retain only data required for legal compliance (audit logs, tax records)

For Data Breach Notification

  1. Detect and document the breach
  2. Notify affected users within 72 hours (per GDPR Article 33)
  3. Notify ICO/relevant supervisory authority
  4. Provide detailed breach assessment and mitigation measures

Our Data Protection Officer

ClinicsSaaS maintains a dedicated Data Protection Officer (DPO) who oversees all GDPR compliance matters.

Email: [email protected] (Subject: GDPR Request)
WhatsApp: +91 8140036379

Right to Lodge Complaints

If you believe we have violated your GDPR rights, you have the right to lodge a complaint with your local data protection authority:

  • EU: Contact your national data protection authority (DPA) - found at edpb.europa.eu
  • UK: Information Commissioner's Office (ICO) at ico.org.uk
  • Other jurisdictions: Contact your local supervisory authority