Privacy Policy

Privacy built around minimum necessary data.

Last updated: July 9, 2026. Clinic Scout is designed around provider-selection education and consent-first operations. This policy explains what information is collected, how it is used, how payments and analytics are handled, and the data boundaries that protect users and clinics.

Boundary: Clinic Scout is not a medical provider. Public forms and normal support should not receive medical details or PHI.

Partner data boundary

For partner services, the normal record should be business and operational: clinic name, staff contact, service area, agreed scope, billing metadata, approved scripts, routing status, consent proof, and support history. That is enough to run a Revenue Recovery Desk without turning public forms into medical intake. Clinics should keep patient medical data inside their own compliant systems.

If a partner asks for a workflow that could involve PHI, that workflow is not assumed from checkout. It requires a separate scope, legal/compliance review, and an approved handling path before any such data is accepted.

HIPAA, cookies, retention, rights, and security

Clinic Scout partner workflows are not a blanket PHI-processing agreement. Clinic Scout is not acting as a HIPAA covered entity through public partner checkout, public forms, or normal support. PHI is not accepted unless a separate legal/BAA-ready workflow is explicitly scoped and approved.

The partner site may use cookies or similar tools for security, performance, analytics, attribution, and abuse prevention. Typical processors may include Cloudflare, Stripe, Google Analytics, email/support tooling, storage, and internal operations tools. Billing/tax records may be retained up to seven years; partner support, routing, consent, and dispute records may be retained while needed for operations, proof, legal compliance, fraud prevention, or security.

Partners may request access, correction, deletion, export, restriction, or objection by emailing [email protected]. Data may be processed in the United States or countries where processors operate. We use reasonable safeguards, but no online service is risk-free. The partner service is for business users and is not directed to children under 16.

Controller roles, deletion/export, and subprocessors

Partner clinics are independent controllers for their own patient, staff, CRM, medical, advertising, and clinical records. Clinic Scout controls the partner account, checkout, support, consent-routing, reporting, and operational records it creates for its service. Where a future workflow requires a different processing role or PHI handling, that role must be stated in a separate written agreement before the data is accepted.

Deletion/export requests should identify the clinic, staff user, checkout email, portal context, and records requested. We target acknowledgement within 10 business days and completion within 30 days where practical, subject to billing, tax, consent-proof, fraud-prevention, dispute, legal, and security retention. Typical subprocessors may include Cloudflare, Stripe, Google Analytics, email/support tooling, storage, and internal operations systems.

Partner privacy routing addendum: Staff account access, deletion/export requests, billing records, consent evidence, and portal-support records should be requested separately so Clinic Scout can verify the clinic, user, and record type without exposing patient medical context.