ClinicsRush (“ClinicsRush”, “we”, “us”, or “our”) provides software that helps dermatology and aesthetic clinics collect Google reviews by sending well-timed WhatsApp messages to their patients. This Privacy Policy explains what personal data we handle, why, and the rights available to you. We are committed to handling personal data in line with applicable data protection laws — including India's Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology Act, 2000 where they apply, and equivalent laws in the other regions we serve.
Two kinds of people are described here. “Clinics” are our paying customers who use the ClinicsRush dashboard. “Patients” are the individuals whose contact details a clinic adds so we can send a review request on the clinic's behalf. For patient data, the clinic is the Data Fiduciary and ClinicsRush acts as a Data Processor.
1. Data we collect
From clinics (our customers)
- Account details — name, clinic name, business email, and phone number.
- Authentication data — login credentials managed through our authentication provider.
- Billing information — plan, billing contact, and payment status (card details are handled by our payment processor, not stored by us).
- Usage data — pages visited, features used, and basic device/log information.
About patients (entered by clinics)
- Patient name and WhatsApp/mobile number.
- Visit date and, optionally, the treatment or department, used solely to time and personalise the review request.
- Message delivery status and whether the patient left feedback or clicked through to the review link.
We do not ask clinics to upload clinical records, diagnoses, prescriptions, or medical images, and clinics should not enter such information into ClinicsRush. We only need the minimum contact data required to send a review request.
2. How we use data
- To send review-request messages over WhatsApp at the timing configured by the clinic.
- To route unhappy patients to private feedback instead of a public review.
- To operate, secure, and improve the ClinicsRush service and dashboard.
- To provide customer support and communicate service updates.
- To meet legal, tax, and regulatory obligations.
We process patient data strictly on the clinic's documented instructions and only for the purposes above. We do not sell personal data, and we do not use patient contact details for our own marketing.
3. Legal basis & consent
Under the DPDP Act and similar data protection laws, patient data is processed on the lawful basis established by the clinic — typically the patient's consent or a legitimate use connected to the care relationship. Each clinic is responsible for obtaining the necessary consent from its patients before adding their details to ClinicsRush, and for honouring any withdrawal of that consent. ClinicsRush provides the tools to action deletion and opt-out requests promptly.
4. WhatsApp messaging
Review requests are delivered through the WhatsApp Business Platform. When a message is sent, the recipient's phone number is shared with WhatsApp (Meta) to enable delivery, subject to WhatsApp's own terms and privacy policy. Every message identifies the clinic, and patients can opt out of further messages at any time by replying to stop.
5. Sharing & sub-processors
We share data only with service providers who help us run ClinicsRush, including:
- Cloud hosting and database providers (for storage and application hosting).
- The WhatsApp Business Platform / messaging provider (for delivery).
- Authentication and payment providers.
These sub-processors are bound by contractual obligations to protect personal data and to process it only as instructed. We may also disclose data where required by law or to protect our legal rights.
6. Data storage & transfers
We store personal data on infrastructure operated by reputable cloud providers, and we aim to keep data in a region appropriate for the clinic it belongs to. Where personal data is transferred across borders by us or a sub-processor, we ensure such transfers are permitted under applicable law and protected by appropriate safeguards.
7. Data retention
We retain patient contact data only as long as needed to provide the service to the clinic, or until the clinic deletes it. When a clinic closes its account, associated patient data is deleted or anonymised within a reasonable period, except where we are legally required to retain certain records.
8. Security
We use reasonable technical and organisational measures — including encryption in transit, access controls, and least-privilege practices — to protect personal data against unauthorised access, loss, or misuse. No system is perfectly secure, but we work continuously to safeguard the data in our care and will notify affected parties and the Data Protection Board of India of a personal data breach as required by law.
9. Your rights
Subject to applicable data protection law (such as the DPDP Act), individuals have the right to:
- Access the personal data we hold about them.
- Request correction or updating of inaccurate data.
- Request erasure of their data.
- Withdraw consent and nominate another person to exercise their rights.
- Raise a grievance with us, and escalate to the Data Protection Board of India.
Patients should usually contact the clinic that holds their data. Clinics and patients may also write to us at hello@clinicsrush.com and we will assist or route the request to the relevant clinic.
10. Children
ClinicsRush is a tool for clinics and is not directed at children. Where a clinic adds the contact details of a minor patient, the clinic is responsible for obtaining verifiable consent from a parent or lawful guardian as required by the DPDP Act.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be reflected by updating the “Last updated” date above and, where appropriate, by notifying clinics through the dashboard or email.
12. Contact & grievance officer
For any privacy question or to exercise your rights, contact our grievance officer at hello@clinicsrush.com. We aim to acknowledge requests promptly and resolve them within the timelines required by law.