Privacy Notice

Last updated: April 3, 2026

1. Introduction

Automated Client System ("the Company," "we," "us," or "our"), the operator of ClinicOS, is committed to protecting the privacy and security of personal information. This Privacy Notice explains how we collect, use, store, share, and protect personal data in connection with the ClinicOS platform ("the Service"), in compliance with the Data Privacy Act of 2012 (Republic Act No. 10173), its Implementing Rules and Regulations, and applicable issuances of the National Privacy Commission (NPC).

2. Data Controller Information

Automated Client System
Email: clinicos@automatedclientsystem.com

When a clinic uses ClinicOS to manage patient records, the clinic acts as the Personal Information Controller (PIC) for patient data, and Automated Client System acts as the Personal Information Processor (PIP) processing data on behalf of the clinic.

3. Personal Information We Collect

We collect and process the following categories of personal information:

3.1 Clinic Account Information

  • Clinic name, address, and contact details
  • Administrator and staff names, email addresses, and roles
  • Login credentials (passwords are stored in encrypted/hashed form only)
  • Billing and payment information

3.2 Patient Information (Processed on Behalf of Clinics)

  • Patient name, date of birth, gender, and contact information
  • Medical history, clinical notes, diagnoses, and treatment records
  • Prescription and medication information
  • Appointment and scheduling data
  • Billing and payment records
  • Consent records

3.3 Usage and Technical Data

  • IP addresses and device information
  • Browser type and operating system
  • Pages visited and features used
  • Audit logs (user actions within the system for security and compliance)

4. How We Use Personal Information

We process personal information for the following purposes:

  • Service delivery: To provide, maintain, and improve the ClinicOS platform
  • Account management: To manage clinic accounts, authenticate users, and process subscriptions
  • Patient care support: To enable clinics to manage patient records, appointments, and billing (processed on behalf of the clinic as PIC)
  • Communication: To send service-related notifications, updates, and support responses
  • Security and compliance: To maintain audit logs, detect unauthorized access, and comply with legal obligations
  • Service improvement: To analyze usage patterns and improve features (using aggregated, anonymized data only)

5. Legal Basis for Processing

We process personal information based on the following lawful criteria under RA 10173:

  • Consent: Clinic administrators consent to data processing upon registration. Patient consent is obtained by the clinic as PIC.
  • Contract performance: Processing necessary to fulfill our service agreement with clinics
  • Legal obligation: Processing required to comply with applicable laws and regulations
  • Legitimate interest: Processing necessary for security, fraud prevention, and service improvement

6. Sensitive Personal Information

Patient medical records constitute sensitive personal information under RA 10173. We implement heightened security measures for this data, including encryption at rest and in transit, role-based access controls, and comprehensive audit logging. Clinics, as PICs, are responsible for obtaining proper consent from patients for the processing of their sensitive personal information through the ClinicOS platform.

7. Data Sharing and Disclosure

We do not sell personal information. We may share personal information only in the following circumstances:

  • Service providers: With trusted third-party service providers who assist in operating the Service (e.g., cloud hosting, payment processing, email delivery), bound by data processing agreements
  • Legal requirements: When required by law, regulation, court order, or lawful government request
  • Business transfers: In connection with a merger, acquisition, or sale of assets, with appropriate data protection safeguards
  • With consent: When the data subject or the clinic as PIC provides explicit consent

8. Data Security

We implement reasonable and appropriate organizational, physical, and technical security measures to protect personal information, including:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Secure password hashing using industry-standard algorithms
  • Role-based access controls applying the principle of least privilege
  • Comprehensive audit logging of all data access and modifications
  • Regular security assessments and updates
  • Multi-tenancy isolation ensuring clinics cannot access each other's data
  • Two-factor authentication (2FA) available for enhanced account security

9. Data Retention

We retain personal information for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, and support legitimate business needs. Clinic account data is retained for the duration of the subscription and for a reasonable period after cancellation to allow for account reactivation or data export. Patient data is retained in accordance with the clinic's data retention policies and applicable healthcare record-keeping requirements. Upon request, we will securely delete or anonymize personal information that is no longer needed.

10. Rights of Data Subjects

Under RA 10173, data subjects have the following rights:

  • Right to be informed: To know what personal information is being collected and how it is processed
  • Right to access: To obtain a copy of personal information held about them
  • Right to correction: To request correction of inaccurate or incomplete personal information
  • Right to erasure or blocking: To request deletion or blocking of personal information under certain circumstances
  • Right to data portability: To obtain personal information in a structured, commonly used format
  • Right to object: To object to the processing of personal information under certain circumstances
  • Right to file a complaint: To file a complaint with the National Privacy Commission

For patient data, requests should be directed to the clinic (as PIC) that manages the patient's records. Clinics can process data subject requests through the ClinicOS platform's built-in data privacy tools. For clinic account holder data, requests can be sent directly to clinicos@automatedclientsystem.com.

11. Cookies and Tracking

The ClinicOS platform uses essential cookies necessary for authentication, session management, and security. Our marketing website may use analytics cookies (such as Google Analytics) and advertising pixels (such as Meta Pixel) to understand visitor behavior and improve our marketing efforts. Referral tracking cookies with a 90-day duration are used for our affiliate program. You can manage cookie preferences through your browser settings.

12. Children's Privacy

ClinicOS is designed for use by healthcare professionals and clinic administrators. We do not knowingly collect personal information from children under 18. Where a clinic stores minor patient records in the system, the clinic as PIC is responsible for obtaining appropriate parental or guardian consent in accordance with RA 10173 and applicable child protection laws.

13. International Data Transfers

Our servers and service infrastructure may be located outside the Philippines. When personal information is transferred internationally, we ensure appropriate safeguards are in place in compliance with the requirements of RA 10173 and NPC issuances regarding cross-border data transfers.

14. Changes to This Notice

We may update this Privacy Notice periodically to reflect changes in our practices or applicable laws. We will notify you of material changes by posting the updated notice on our website and, where appropriate, by email notification. The "Last updated" date at the top of this notice indicates when it was last revised.

15. Contact Us

For questions, concerns, or requests regarding this Privacy Notice or our data handling practices, please contact:

Data Privacy Officer
Automated Client System
Email: clinicos@automatedclientsystem.com

You may also file a complaint with the National Privacy Commission at www.privacy.gov.ph.