Privacy Policy
Last updated: May 9, 2026
1. Introduction
Clinova ("we", "our", "us") is an AI-powered clinic management platform built by Dr. Ahmed Al Naggar and operated under Blaze-Code. This Privacy Policy explains how we collect, use, and protect your information.
2. Information We Collect
Account information
- Name, email address, and phone number
- Clinic name and role (admin, doctor)
- Password, stored only as a salted hash (never in plaintext or reversible form)
Patient data
- Patient names, contact information, and demographics
- Clinical records: diagnoses, session notes, treatment plans
- Medical imaging (X-rays, MRIs) uploaded to the platform
- Appointment schedules
Google Calendar data
- When you connect Google Calendar, we access your calendar to create appointment events
- We store OAuth tokens securely to maintain the connection
- We only create, read, update, and delete events that Clinova itself created. We do not read, modify, or store your personal events
AI interactions
- Questions asked to the AI clinical assistant
- AI responses and evidence search queries
- Token usage for cost tracking
3. How We Use Your Information
- Provide and operate the clinic management platform
- Sync appointments to your Google Calendar
- Power AI clinical decision support with patient context
- Send transactional emails (invitations, password resets)
- Track AI usage costs per clinic
4. Data Storage & Security
- Data is stored in Supabase Postgres on EU servers (Frankfurt) with encryption at rest
- Passwords are hashed with bcrypt; we do not store plaintext passwords
- Google OAuth access and refresh tokens are stored in the database (covered by the encryption at rest above) and access tokens are refreshed automatically so the connection persists until you disconnect it
- All connections are encrypted in transit with HTTPS (TLS)
- Sessions are authenticated with JWTs carried in cookies set with the Secure and HttpOnly flags, so they are sent only over HTTPS and are not readable by browser scripts
5. Sharing and Disclosure of Your Information
We do not sell, rent, or trade your personal information or Google user data to anyone. We share data only with the limited categories of recipients listed below, and only to the extent necessary to operate the service:
Service providers (sub-processors) we share data with
- Supabase (Frankfurt, EU) — encrypted database hosting, file storage, and authentication backend for all clinic, patient, and Google OAuth token data
- Vercel (USA / global edge) — application hosting and serverless function execution for the Clinova web app and API
- Resend — transactional email delivery (account invitations, password resets, notifications)
- Google LLC — only when you explicitly connect Google Calendar, calendar event data is sent to Google Calendar APIs to create, update, and delete Clinova-created events
- Google Gemini, OpenAI, and Anthropic — when you use the AI clinical assistant, the prompts and relevant patient context you submit are sent to these LLM providers to generate responses; these providers process data under zero-data-retention agreements where available
- Sentry — application error and performance telemetry (no patient PHI is sent to Sentry)
Google user data — limited use disclosure
- Clinova's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
- We do NOT transfer Google user data to third parties except as necessary to provide or improve user-facing features (e.g., creating calendar events you requested), to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to you.
- We do NOT use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
- We do NOT use Google user data to develop, improve, or train generalized AI and/or machine learning models.
- Humans do NOT read your Google user data unless we have your specific consent, it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or the data is aggregated and used for internal operations in accordance with applicable privacy laws.
Other disclosures
- Legal compliance — when required by law, court order, or valid government request
- Safety — to protect the rights, property, or safety of Clinova, our users, or the public
- Business transfers — in connection with a merger, acquisition, or sale of all or part of our business, with prior notice to affected users
6. Data Retention
We retain your data for as long as your account is active. Upon account deletion or clinic closure, all associated data is permanently deleted within 30 days. Google OAuth tokens and synced calendar event data are deleted immediately when you disconnect Google Calendar from Settings; you can additionally revoke Clinova's access on the Google side (see Section 7). You may request a data export or deletion at any time by contacting us.
7. Your Rights
- Access your personal data
- Request correction of inaccurate data
- Request deletion of your data
- Disconnect Google Calendar at any time from Settings
- Revoke Clinova's access to your Google account at https://myaccount.google.com/permissions
- Export your patient data
8. Contact
For questions about this Privacy Policy or our handling of Google user data, contact us at:
Dr. Ahmed Al Naggar
Email: Ahmed@blaze-code.com
Website: blaze-code.com