Privacy Policy
Effective 29 April 2026
This policy explains how ClinicRise Ltd (“ClinicRise”, “we”, “us”) collects, uses, stores, and protects personal data when you use our website and the ClinicRise platform.
We act as a data controller for personal data of clinic owners and staff who hold a ClinicRise account. We act as a data processor on behalf of those clinics for the personal data of their clients (your patients).
1. Who we are
ClinicRise Ltd, registered in England & Wales (company no. 17145472). Registered office: 241 Wulfstan Street, London, W12 0AB. ICO registration: ZC126743. Contact for any data-protection enquiry: info@clinicrise.co.uk.
2. What we collect
From clinic accounts
- Account info: name, email, role, organisation
- Authentication data managed by our auth provider (Supabase)
- Usage telemetry (page views, error reports) for product reliability
From your clients (processed on the clinic's behalf)
- Identity and contact details the clinic enters or imports
- Photos uploaded for virtual consultation and the AI-derived analysis
- Appointment, treatment, and clinical-note records the clinic creates
- Payment metadata (handled by Stripe — we do not store card numbers)
3. How we use it
- To provide and operate the ClinicRise platform
- To run AI skin analysis when a clinic or client requests one
- To send transactional emails (confirmations, results, receipts)
- To process payments through Stripe Connect on behalf of clinics
- To detect, investigate, and prevent fraud and abuse
- To meet our legal obligations (tax, accounting, regulator requests)
4. Lawful bases (UK GDPR Article 6)
- Contract — processing necessary to provide the service you signed up for.
- Legitimate interests — keeping the platform secure, improving reliability, preventing abuse.
- Consent — for optional features (e.g. contributing anonymised photos to improve AI models). You can withdraw at any time.
- Legal obligation — accounting, tax, and regulator-requested records.
5. Sub-processors
We use a small set of vetted sub-processors:
- Supabase — database, authentication, file storage (EU region)
- Vercel — application hosting and CDN
- Stripe — payment processing (PCI-DSS compliant)
- Resend — transactional email delivery
- Google (Gemini API) — AI image analysis for virtual consultations
- Sentry — error monitoring (PII redacted)
6. International transfers
Where data leaves the UK (e.g. AI inference via Google), we rely on the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or an adequacy decision — whichever applies to the destination country.
7. How long we keep it
- Active account data: for the duration of your subscription
- Account data after cancellation: 90 days, then deleted or anonymised
- Financial records: 6 years (HMRC requirement)
- Backups: rotated within 30 days of deletion
8. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Have inaccurate data corrected
- Have your data erased (subject to lawful retention)
- Restrict or object to processing
- Receive your data in a portable format
- Withdraw consent for any consent-based processing
- Lodge a complaint with the ICO (ico.org.uk)
Requests: email info@clinicrise.co.uk. We respond within one calendar month.
9. Security
Data is encrypted in transit (TLS) and at rest. Access to production systems is role-restricted, audited, and protected by multi-factor authentication. Photos uploaded for virtual consultation are stored in private buckets accessible only to the clinic and the assigned practitioner.
10. Cookies
We use a minimal set of strictly necessary cookies for sign-in and load balancing. We do not run third-party advertising trackers on the platform.
11. Changes to this policy
We'll post any update at this URL with a revised effective date. We will notify you by email of material changes affecting how we use existing data.