Privacy Policy
Effective Date: March 10, 2026
Please also review PatientBook's Terms of Use, which takes effect on the same date as this Privacy Policy.
1. Purpose
This Privacy Policy is incorporated by reference into the PatientBook Terms of Use. The terms "PatientBook," "we," "us," and "our" refer to PatientBook Inc. This Privacy Policy explains our online and offline information practices, the types of information we may collect, how we intend to use, store, protect, disclose, and share that information, and how you can opt out of a use or correct or change such information.
As a healthcare-focused application designed to help medical professionals manage patient information, we are committed to maintaining the highest standards of data protection and privacy in compliance with applicable healthcare regulations including HIPAA (Health Insurance Portability and Accountability Act), GDPR (General Data Protection Regulation), and KVKK (Turkish Personal Data Protection Law).
2. Scope
This Privacy Policy applies to Personal Information and Protected Health Information (PHI) that is processed by PatientBook in the course of our business, including on PatientBook websites (each a "Site"), mobile applications, forums, blogs, and other online or offline offerings (together with any and all future online and offline offerings operated by or on behalf of PatientBook, the "Services"). This Privacy Policy covers all applications, products, and services developed or operated by PatientBook Inc.
All individuals whose responsibilities include the processing of Personal Information or PHI on behalf of PatientBook are expected to protect that data by adhering to this Privacy Policy. This Privacy Policy is intended to meet requirements globally, including those in Europe, North America, Turkey, and other applicable jurisdictions.
By visiting, installing, using, or otherwise accessing the Services, you agree to this Privacy Policy and the Terms of Use of PatientBook, and you give explicit and informed consent to the processing of your Personal Information in accordance with this Privacy Policy. Please do not install or use the Services if you do not agree to this Privacy Policy or Terms of Use.
3. Healthcare Data and Protected Health Information (PHI)
PatientBook is designed specifically for healthcare professionals to manage patient records. We understand the sensitive nature of medical information and implement stringent safeguards to protect it.
3.1 Types of Healthcare Data We Process
When you use PatientBook, the following types of healthcare-related data may be collected and processed:
- Patient demographic information (name, date of birth, contact details)
- Medical history and clinical notes
- Diagnosis and treatment information
- Prescription and medication records
- Laboratory and test results
- Appointment and scheduling data
- Medical imaging references
- Allergy and immunization records
- Insurance and billing information
3.2 Healthcare Provider Responsibilities
As a healthcare provider using PatientBook, you acknowledge that you are the data controller for patient information entered into the system. You are responsible for:
- Obtaining appropriate consent from patients for data collection and processing
- Ensuring accuracy of patient information
- Complying with local healthcare regulations and professional standards
- Maintaining appropriate access controls within your organization
- Reporting any suspected data breaches promptly
4. Types of Personal Information We Collect and How We Use It
The types of Personal Information we may collect (directly from you or from third-party sources) and our privacy practices depend on the nature of your relationship with PatientBook and the requirements of applicable law.
4.1 Information Collected from Healthcare Professionals
- Account registration information (name, email, professional credentials)
- Practice or clinic information
- License and certification details
- Payment and subscription information
- Usage data and preferences
4.2 Automated Data Collection
We or the service providers acting on our behalf may collect certain information automatically, including:
- Device information (type, operating system, unique identifiers)
- Log data (access times, features used, error reports)
- Analytics data to improve our services
Important: Automated data collection does NOT include patient medical records or PHI. Such data is never used for analytics, advertising, or any purpose other than providing the core service.
5. HIPAA Compliance
PatientBook is committed to compliance with the Health Insurance Portability and Accountability Act (HIPAA) for users in the United States.
5.1 Business Associate Agreement
For covered entities subject to HIPAA, PatientBook will enter into a Business Associate Agreement (BAA) upon request. This agreement outlines our obligations regarding the handling of Protected Health Information.
5.2 Administrative Safeguards
- Designated privacy and security officers
- Regular risk assessments and audits
- Workforce training on privacy and security
- Incident response procedures
5.3 Technical Safeguards
- End-to-end encryption for data in transit and at rest (AES-256)
- Unique user identification and authentication
- Automatic session timeout
- Audit controls and access logs
- Data integrity verification
5.4 Physical Safeguards
- Secure data center facilities with 24/7 monitoring
- Access controls and visitor protocols
- Workstation security policies
6. Security of Your Information
The Personal Information and PHI that you provide to PatientBook are stored on servers located in secure facilities and protected by protocols and procedures designed to meet or exceed industry standards for healthcare data protection.
- 256-bit AES encryption for all stored data
- TLS 1.3 encryption for all data transmission
- Regular penetration testing and vulnerability assessments
- Multi-factor authentication support
- Regular security audits by independent third parties
- SOC 2 Type II compliance
7. AI Assistant and Automated Processing
PatientBook includes AI-powered features to help healthcare professionals manage patient information more efficiently.
7.1 How AI Features Work
- AI processing occurs on secure, isolated infrastructure
- Patient data is never used to train AI models
- AI suggestions are advisory only; healthcare professionals maintain full control over patient records
- All AI interactions are logged for audit purposes
7.2 Data Minimization
Our AI features are designed with data minimization principles. We only process the minimum amount of data necessary to provide the requested functionality, and data is not retained beyond what is needed for the immediate task.
8. How We May Disclose Your Information
We do not sell, rent, or trade Personal Information or PHI. We may disclose information only in the following circumstances:
- Service Providers: To trusted third-party service providers who assist in operating our services, bound by strict confidentiality agreements
- Legal Requirements: When required by law, court order, or governmental authority
- Emergency Situations: To prevent imminent harm to individuals or to respond to public health emergencies, as permitted by law
- Business Transfers: In connection with a merger, acquisition, or sale of assets, with continued protection of PHI
- With Consent: When you have provided explicit consent for specific disclosures
9. International Data Transfer
Personal Information collected by PatientBook may be stored and processed in Turkey, the United States, the European Union, or other countries where we or our service providers maintain facilities.
For transfers of data from the European Economic Area (EEA) or the United Kingdom, we implement appropriate safeguards including:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions where applicable
- Additional technical and organizational measures
10. Data Retention
PatientBook retains data in accordance with the following principles:
- Active Accounts: Data is retained for as long as you maintain an active account
- Medical Records: In accordance with applicable medical record retention laws (typically 7-10 years after last patient interaction, varying by jurisdiction)
- Account Deletion: Upon account termination, we provide a data export option and delete data within 90 days, unless retention is required by law
- Backup Data: Backup copies are retained for disaster recovery purposes and are deleted according to our backup rotation schedule
11. Your Rights
Depending on your location and applicable law, you may have the following rights:
- Access: Request access to your Personal Information
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your data (subject to legal retention requirements)
- Portability: Request a copy of your data in a portable format
- Restriction: Request restriction of processing
- Objection: Object to certain types of processing
- Withdraw Consent: Withdraw previously given consent
To exercise any of these rights, please contact us at privacy@thepatientbook.com.
12. Children's Privacy
PatientBook is designed for use by licensed healthcare professionals and is not directed to individuals under the age of 18. We do not knowingly collect Personal Information from anyone under 18 years of age as a user of the application.
Patient records for minors may be stored by healthcare providers using PatientBook, subject to applicable laws regarding pediatric medical records and parental consent requirements. Healthcare providers are responsible for complying with applicable regulations regarding the treatment and records of minor patients.
13. Data Breach Notification
In the event of a data breach affecting Personal Information or PHI, PatientBook will:
- Notify affected healthcare providers within 72 hours of discovery
- Cooperate with breach investigations and remediation efforts
- Comply with all applicable breach notification laws (including HIPAA Breach Notification Rule)
- Provide documentation and support for affected parties' compliance obligations
14. California Privacy Rights (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know what Personal Information is collected and how it is used
- Right to delete Personal Information
- Right to opt out of the sale of Personal Information (we do not sell Personal Information)
- Right to non-discrimination for exercising privacy rights
- Right to correct inaccurate Personal Information
- Right to limit use of sensitive Personal Information
Note: PHI governed by HIPAA is exempt from certain CCPA requirements but receives equivalent or greater protections under HIPAA.
15. Changes to This Privacy Policy
PatientBook reserves the right to modify this Privacy Policy at any time. If there are material changes:
- We will notify you via email at least 30 days before changes take effect
- We will post a prominent notice within the application
- The updated policy will be posted on our website with a new effective date
- Your continued use of the Services after changes take effect constitutes acceptance
16. Contact Information
If you have any questions about this Privacy Policy, our privacy practices, or wish to exercise your rights, please contact us:
PatientBook Inc.
Data Protection Officer
Email: privacy@thepatientbook.com
HIPAA Inquiries: hipaa@thepatientbook.com
For urgent security concerns or to report a potential data breach, please email security@thepatientbook.com.
