Privacy Policy

Last updated: May 17, 2026

1. What we collect

From the people who use Cliniks (you — the clinic staff):

  • Account info: name, email, hashed password.
  • Clinic profile: clinic name, address, phone.
  • Billing info: payment records (amount, method, transaction ref).
  • Server logs: IP address, request times, and audit-trail events (logins, key actions).

From your patients (entered by you on their behalf): name, age, gender, phone, address, medical complaints, diagnoses, prescriptions, payments.

2. Where it lives

Each clinic gets its own dedicated database on Turso (AWS ap-south-1, Mumbai). Application servers run on Vercel (Mumbai region). Cloudflare provides bot protection for our public signup and password-reset forms. Resend delivers transactional emails. We do not transfer your patient data outside these providers.

3. How we use it

Only to operate Cliniks for you: showing you your data, sending you welcome and payment-receipt emails, resolving support tickets you submit, and keeping the platform secure. We do not sell your data, share it with advertisers, or use patient records to train any AI model.

4. Who can see it

Within your clinic: anyone with a login you create. Doctors see what their role allows; owners see everything in their clinic. Cliniks staff (the platform operator) can technically access your clinic data through admin tools — we do so only when actively troubleshooting a support ticket you raised, and every such access is logged.

We do not give your data to any third party except where required by Pakistani law (e.g., a valid court order). If we receive such a request, we will notify you unless legally prohibited.

5. Security

Passwords are stored as bcrypt hashes, never in plain text. Sessions are secured with HttpOnly cookies and a 30-day expiry. The signup and password-reset endpoints have IP/email rate limits and Cloudflare Turnstile bot checks. All traffic uses HTTPS with HSTS. We keep a complete audit log of authentication events and key administrative actions.

6. Retention

We keep your clinic data while your account is active and for 90 days after access ends, to allow restoration if you change your mind. After that the per-clinic database is permanently deleted. Audit logs are retained for one year after the relevant event, in line with reasonable security practice.

7. Your rights

You can export your clinic's data as JSON at any time — email admin@cliniks.org from the address on file. You can also request immediate deletion of your clinic database at the same address.

8. Cookies

We use a single first-party cookie (ahw_session) to keep you signed in. No advertising, tracking, or third-party analytics cookies.

9. Changes

Material changes to this policy will be emailed to the address on file at least 14 days before they take effect.

10. Contact

For any privacy question or data request, email admin@cliniks.org.