Privacy Policy

How ClinicsRush collects, uses, and protects personal data — including the patient contact details our clinic customers entrust to us.

Last updated: 16 June 2026

ClinicsRush (“ClinicsRush”, “we”, “us”, or “our”) provides software that helps dermatology and aesthetic clinics collect Google reviews by sending well-timed WhatsApp messages to their patients. This Privacy Policy explains what personal data we handle, why, and the rights available to you. We are committed to handling personal data in line with applicable data protection laws — including India's Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology Act, 2000 where they apply, and equivalent laws in the other regions we serve.

Two kinds of people are described here. “Clinics” are our paying customers who use the ClinicsRush dashboard. “Patients” are the individuals whose contact details a clinic adds so we can send a review request on the clinic's behalf. For patient data, the clinic is the Data Fiduciary and ClinicsRush acts as a Data Processor.

1. Data we collect

From clinics (our customers)

About patients (entered by clinics)

We do not ask clinics to upload clinical records, diagnoses, prescriptions, or medical images, and clinics should not enter such information into ClinicsRush. We only need the minimum contact data required to send a review request.

2. How we use data

We process patient data strictly on the clinic's documented instructions and only for the purposes above. We do not sell personal data, and we do not use patient contact details for our own marketing.

3. Legal basis & consent

Under the DPDP Act and similar data protection laws, patient data is processed on the lawful basis established by the clinic — typically the patient's consent or a legitimate use connected to the care relationship. Each clinic is responsible for obtaining the necessary consent from its patients before adding their details to ClinicsRush, and for honouring any withdrawal of that consent. ClinicsRush provides the tools to action deletion and opt-out requests promptly.

4. WhatsApp messaging

Review requests are delivered through the WhatsApp Business Platform. When a message is sent, the recipient's phone number is shared with WhatsApp (Meta) to enable delivery, subject to WhatsApp's own terms and privacy policy. Every message identifies the clinic, and patients can opt out of further messages at any time by replying to stop.

5. Sharing & sub-processors

We share data only with service providers who help us run ClinicsRush, including:

These sub-processors are bound by contractual obligations to protect personal data and to process it only as instructed. We may also disclose data where required by law or to protect our legal rights.

6. Data storage & transfers

We store personal data on infrastructure operated by reputable cloud providers, and we aim to keep data in a region appropriate for the clinic it belongs to. Where personal data is transferred across borders by us or a sub-processor, we ensure such transfers are permitted under applicable law and protected by appropriate safeguards.

7. Data retention

We retain patient contact data only as long as needed to provide the service to the clinic, or until the clinic deletes it. When a clinic closes its account, associated patient data is deleted or anonymised within a reasonable period, except where we are legally required to retain certain records.

8. Security

We use reasonable technical and organisational measures — including encryption in transit, access controls, and least-privilege practices — to protect personal data against unauthorised access, loss, or misuse. No system is perfectly secure, but we work continuously to safeguard the data in our care and will notify affected parties and the Data Protection Board of India of a personal data breach as required by law.

9. Your rights

Subject to applicable data protection law (such as the DPDP Act), individuals have the right to:

Patients should usually contact the clinic that holds their data. Clinics and patients may also write to us at hello@clinicsrush.com and we will assist or route the request to the relevant clinic.

10. Children

ClinicsRush is a tool for clinics and is not directed at children. Where a clinic adds the contact details of a minor patient, the clinic is responsible for obtaining verifiable consent from a parent or lawful guardian as required by the DPDP Act.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be reflected by updating the “Last updated” date above and, where appropriate, by notifying clinics through the dashboard or email.

12. Contact & grievance officer

For any privacy question or to exercise your rights, contact our grievance officer at hello@clinicsrush.com. We aim to acknowledge requests promptly and resolve them within the timelines required by law.