SetuCare LLC, doing business as Klinoa (“Klinoa,” “we,” “us”), respects your privacy. This Privacy Policy explains how we collect, use, and protect information when you use our websites, applications, and services (collectively, the “Service”). For information about how we handle Protected Health Information (PHI), see our HIPAA Notice and our Business Associate Agreement.
01 Overview
We collect only the information necessary to operate the Service, bill our customers, and improve the product. We do not sell personal information. We do not use customer data or PHI to train AI models.
02 Our role
When clinics use Klinoa to manage patient information, the clinic is the data controller (and HIPAA covered entity); Klinoa is the data processor (and HIPAA Business Associate). For information about the clinic's own privacy practices, contact the clinic directly.
For information collected directly from visitors to klinoa.com, or from clinic users interacting with our marketing channels, Klinoa is the controller.
03 Information we collect
Account information
Name, email address, phone number, billing address, organization name, and login credentials. Provided by you when you sign up.
Customer Data and PHI
Patient records, appointments, intake forms, clinical notes, messages, and any other content uploaded by clinic users in the course of using the Service. PHI is governed by HIPAA and our BAA.
Usage and device data
IP address, browser type, operating system, referring URL, pages viewed, timestamps, and performance metrics. Collected automatically via server logs and analytics.
Payment information
Billing address and payment method tokens are processed by our payment provider, Stripe, Inc. We do not store full card numbers on our systems.
Communications
Email and chat correspondence with our support team, and feedback you submit.
04 How we use information
We use information to:
- provide, secure, and maintain the Service;
- process payments and send transactional emails;
- respond to support requests and account inquiries;
- detect and prevent fraud, abuse, and security incidents;
- analyze usage to improve the Service (in aggregate, de-identified form);
- comply with legal obligations and enforce our Terms.
We use AI features (including Anthropic's Claude) to generate clinical note drafts and summaries on customer instruction. AI inputs and outputs are processed under subprocessor BAAs and are not used for model training.
05 Legal bases (GDPR)
For users in the European Economic Area, United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR/UK GDPR:
- Contract: to provide and bill for the Service.
- Legitimate interests: to secure the Service, prevent fraud, and improve our product.
- Legal obligation: to comply with tax, accounting, and other laws.
- Consent: for optional marketing communications (you may withdraw consent at any time).
07 International data transfers
Our infrastructure is hosted in the United States. If you access the Service from outside the US, you understand that information will be transferred to and processed in the US, which may have different data protection laws than your jurisdiction. Where required, we use Standard Contractual Clauses or other lawful transfer mechanisms.
08 Data retention
We retain account information for the duration of your subscription plus a reasonable period for billing reconciliation, tax compliance, and legal claims (typically up to seven years).
Customer Data and PHI are retained per the terms of your subscription and BAA. Upon termination, you have thirty (30) days to export your data. After that, data is deleted from production systems within sixty (60) days and from encrypted backups within twelve (12) months.
09 Security
We implement administrative, physical, and technical safeguards designed to protect information against unauthorized access, alteration, or destruction. These include encryption at rest (AES-256) and in transit (TLS 1.2+), Postgres row-level security for tenant isolation, append-only audit logs, regular dependency scanning, and role-based access controls. Details are described in our HIPAA Notice.
No system is perfectly secure. Notify us immediately of any suspected unauthorized access at support@setucare.com.
10 Your rights
Subject to applicable law, you may have the right to:
- access the personal information we hold about you;
- correct inaccurate information;
- request deletion of personal information;
- restrict or object to certain processing;
- request data portability in a structured, machine-readable format;
- withdraw consent for processing based on consent;
- lodge a complaint with a supervisory authority.
California residents have additional rights under the CCPA/CPRA, including the right to know, the right to delete, the right to correct, and the right to opt out of “sale” or “sharing” (we do neither). We do not discriminate against individuals exercising privacy rights.
To exercise rights, email support@setucare.com. For PHI, contact the clinic that holds your record; we will assist them in fulfilling requests as required by HIPAA.
12 Children
The Service is not directed to children under 13, and we do not knowingly collect personal information from them. Pediatric clinics may use the Service to manage information about minors as part of providing healthcare services; that processing is governed by HIPAA and the clinic's own consent and privacy practices.
13 Do Not Track
Our Service does not respond to Do Not Track browser signals because there is no industry-wide standard for interpreting them. We do not track users across third-party sites.
14 Changes to this policy
We may update this Privacy Policy from time to time. The effective date at the top of this page reflects the most recent revision. Material changes will be communicated by email or in-app notice at least thirty (30) days before they take effect.
15 Contact
SetuCare LLC dba Klinoa
Austin, Texas, USA
support@setucare.com
For EU/UK data subject inquiries you may also contact our EU representative; details available on request.