Privacy & security
Private by design.
A clinic's front office handles sensitive information — patients, payments, personnel. ClinicOS is built with that weight in mind. Your practice's data belongs to you — not us.
Core principles
Per-clinic isolation
Your account runs on its own infrastructure — a dedicated database, not a shared pool. No other clinic can see your data, and we cannot accidentally serve your practice's information to another user.
Encrypted at rest
Your notes, voice memos, and OAuth tokens are encrypted at rest. The doctor's private notes receive field-level encryption with a key unique to your account — so even a stolen backup yields ciphertext, not plaintext.
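How field-level encryption under a per-account key keeps a stolen backup unreadable, as an added illustration rather than ClinicOS's own code (the key store, the type and function names, and the AES-256-GCM envelope scheme are all assumptions): each clinic gets its own data-encryption key, the database stores that key only in wrapped form under a master key that never enters the database, and every note's ciphertext is bound to the clinic and note it belongs to.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore is a hypothetical key hierarchy, not ClinicOS's own code.
// kek is the master key-encryption key; in production it would live in a
// KMS or HSM and never touch the database. wrapped holds one data-encryption
// key (DEK) per clinic, sealed under kek: that wrapped form is all the
// database ever stores, so a copied backup carries no usable key.
type KeyStore struct {
	kek     []byte
	wrapped map[string][]byte // clinicID -> DEK sealed under kek
}

func NewKeyStore(kek []byte) *KeyStore {
	return &KeyStore{kek: kek, wrapped: map[string][]byte{}}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under a fresh random nonce and binds the
// ciphertext to aad; the nonce is prepended to the returned blob.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; it fails if the key, the aad or the blob does not match.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// ProvisionClinic creates a clinic's DEK and stores only its wrapped form.
func (ks *KeyStore) ProvisionClinic(clinicID string) error {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return err
	}
	w, err := seal(ks.kek, dek, []byte("dek:"+clinicID))
	if err != nil {
		return err
	}
	ks.wrapped[clinicID] = w
	return nil
}

// unwrapDEK recovers a clinic's DEK; only a holder of the KEK can do this.
func (ks *KeyStore) unwrapDEK(clinicID string) ([]byte, error) {
	w, ok := ks.wrapped[clinicID]
	if !ok {
		return nil, errors.New("no key for clinic " + clinicID)
	}
	return open(ks.kek, w, []byte("dek:"+clinicID))
}

// EncryptNote encrypts one note field. The AAD ties the ciphertext to its
// clinic and note id, so a row moved into another clinic's table or another
// note's slot fails authentication instead of decrypting.
func (ks *KeyStore) EncryptNote(clinicID, noteID string, note []byte) ([]byte, error) {
	dek, err := ks.unwrapDEK(clinicID)
	if err != nil {
		return nil, err
	}
	return seal(dek, note, []byte(clinicID+"/"+noteID))
}

// DecryptNote is the inverse; it returns an error rather than plaintext
// whenever the wrong clinic, note id or master key is in play.
func (ks *KeyStore) DecryptNote(clinicID, noteID string, blob []byte) ([]byte, error) {
	dek, err := ks.unwrapDEK(clinicID)
	if err != nil {
		return nil, err
	}
	return open(dek, blob, []byte(clinicID+"/"+noteID))
}

func main() {
	kek := make([]byte, 32) // constructed demo KEK; a real one comes from a KMS
	rand.Read(kek)
	ks := NewKeyStore(kek)
	ks.ProvisionClinic("clinic-a")
	blob, _ := ks.EncryptNote("clinic-a", "note-1", []byte("BP 128/82, follow up in 2 weeks"))
	// Simulate a stolen backup: the wrapped DEKs are present but the KEK is not.
	stolen := NewKeyStore(make([]byte, 32))
	stolen.wrapped = ks.wrapped
	_, err := stolen.DecryptNote("clinic-a", "note-1", blob)
	fmt.Println("backup without master key decrypts:", err == nil)
}
```

The property a reviewer should check is the one main exercises: a copy of the database that lacks the master key cannot open any note, and because the associated data names the clinic and note, neither another clinic's key nor a transplanted row yields plaintext; each of those cases is an authentication failure, not silently wrong output. The guarantee only holds as long as the master key really is kept outside whatever gets backed up.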
You approve every action
No message is sent, no task is created, no calendar event is added without your explicit approval. ClinicOS drafts. You decide. The approval queue is always in your hands.
We cannot read your notes
Atrium staff (super_admins) can view configuration and metrics. They cannot read your notes, messages, conversations, or office history. This is enforced in code, not just policy.
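What "enforced in code" can look like for the two guarantees above (per-clinic isolation and operators who cannot read content), as an added example that is not ClinicOS's own code; the role and resource names, the Principal type and the Authorize function are assumptions. The policy keys on the role, not only on a matching clinic id, so an operator record that happens to carry a clinic id still cannot read notes, and anything not explicitly listed is refused.

```go
package main

import "fmt"

// Illustrative authorization policy (not ClinicOS's own code): a request may
// touch only the requester's own clinic, and practice content is never
// readable by an operator, whatever else the operator role can see.
type Role string

const (
	RoleClinicStaff Role = "clinic_staff" // a user of one clinic
	RoleSuperAdmin  Role = "super_admin"  // Atrium operator, belongs to no clinic
)

type Resource string

const (
	ResConfig   Resource = "config"
	ResMetrics  Resource = "metrics"
	ResNotes    Resource = "notes"
	ResMessages Resource = "messages"
	ResHistory  Resource = "history"
)

type Principal struct {
	Role     Role
	ClinicID string // empty for super_admins
}

type Decision struct {
	Allow  bool
	Reason string // recorded in the audit log either way
}

// contentResources hold practice data; operatorResources are what Atrium
// staff may see. Anything outside both sets is denied by default.
var (
	contentResources  = map[Resource]bool{ResNotes: true, ResMessages: true, ResHistory: true}
	operatorResources = map[Resource]bool{ResConfig: true, ResMetrics: true}
)

// Authorize decides whether p may read resource r belonging to clinicID.
func Authorize(p Principal, clinicID string, r Resource) Decision {
	// An empty clinic id never matches anything, so a malformed principal
	// cannot line up with a malformed request.
	sameClinic := p.Role == RoleClinicStaff && p.ClinicID != "" && p.ClinicID == clinicID
	switch {
	case contentResources[r]:
		if sameClinic {
			return Decision{true, "clinic staff reading own content"}
		}
		return Decision{false, fmt.Sprintf("%s may not read %s of %s", p.Role, r, clinicID)}
	case operatorResources[r]:
		if sameClinic || p.Role == RoleSuperAdmin {
			return Decision{true, fmt.Sprintf("%s may read %s", p.Role, r)}
		}
		return Decision{false, fmt.Sprintf("cross-clinic read of %s refused", r)}
	default:
		return Decision{false, fmt.Sprintf("unknown resource %q", r)}
	}
}

func main() {
	ops := Principal{Role: RoleSuperAdmin}
	for _, r := range []Resource{ResMetrics, ResNotes} {
		d := Authorize(ops, "clinic-a", r)
		fmt.Printf("super_admin -> %-8s allow=%-5v %s\n", r, d.Allow, d.Reason)
	}
}
```

The useful discipline here is that the content rule comes first and has exactly one way to succeed; adding a new operator capability later means touching the operator branch, not loosening the content branch. Every decision carries a reason string so the denial, not just the grant, can be logged.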
Your data is yours
Export everything at any time — notes, conversations, contacts, history — as open JSON. Cancel and request immediate deletion, or do nothing and we delete your data automatically 90 days after cancellation. No lock-in.
No training on your data
We do not use your practice's data to train AI models. Not now, not ever without your explicit opt-in. What your office knows stays in your office.
Security practices
How we protect your account in practice.
Authentication & access
You authenticate through a secure identity provider. Access tokens are short-lived (15 minutes) and are stored in your device's hardware-backed keychain. Multi-factor authentication is available and encouraged.
Encryption in transit
All connections use TLS 1.2 or 1.3. Every hop is encrypted: from your phone to your account, from your account to AI providers, and from your account to Gmail or Google Calendar.
Connector permissions
When you connect Gmail, Calendar, or QuickBooks, ClinicOS requests only the permissions it actually needs — read for mail and calendar, compose for drafts (sent only with your approval), read-only for your books. No delete access. No broad admin scopes.
AI provider data handling
Your conversation content is sent to AI providers to generate responses. We use providers with enterprise data agreements where possible (Anthropic: zero data retention). Your data is not used for provider model training.
Support access
If you request hands-on support, we ask your explicit consent first. You select the scope, confirm with Face ID, and see a persistent notification while access is active. You can revoke it at any time. Every action taken during a support session is logged and visible to you.
Incident response
If a security incident affects your data, we notify you within 24 hours with specifics. For significant events we publish a post-incident review within 72 hours.
Your rights
What you can always do with your data.
Subprocessors
A complete list of third-party services that process your data is available in our Privacy Policy. This includes hosting providers, AI inference providers, identity and payment services.
We disclose every subprocessor. Nothing is hidden.
Private by design
What your office knows stays in your office.
Request access and we'll walk you through how ClinicOS protects your account before you commit to anything.