Legal & Policies

Transparency is fundamental to clinical trust. Read how ClinStreams handles your data and what governs your use of the platform.

Privacy Policy

Effective Date: 1 January 2025  ·  Last Updated: April 2025

Summary: ClinStreams collects only the data needed to run a clinical management platform. We never sell your data. All patient information is processed under strict HIPAA and GDPR-compliant safeguards. Institutions own their data and may request deletion at any time.

1. About This Policy

This Privacy Policy describes how ClinStreams ("we", "us", or "our") collects, uses, stores, and protects information when you use the ClinStreams platform — including the mobile application, web application, and any associated services (collectively, the "Service").

By registering an institution or user account, you acknowledge that you have read and understood this policy.


2. Information We Collect

Account & Institution Data

  • Institution name, email address, country, phone number, and address collected at registration.
  • User name, email address, role, and department assignment.
  • Hashed passwords (never stored in plain text).
  • Device identifiers for push notifications and session management.

Clinical & Patient Data

  • Patient demographic information entered by authorised clinical staff.
  • Clinical notes, tasks, medical records, and discharge summaries created within the platform.
  • Handover sessions and associated patient lists.
  • Voice recordings submitted for AI-assisted note transcription (processed transiently and not retained after transcription).

Usage & Audit Data

  • Audit logs capturing user actions (logins, record access, data modifications) for compliance and security review.
  • Device type, operating system, and app version for diagnostic purposes.
  • IP addresses and session tokens for authentication security.

Billing Data

  • Subscription plan and payment status. Payment card details are handled exclusively by Stripe and are never stored on ClinStreams servers.

3. How We Use Your Information

  • Service Delivery: To provide clinical workflow features including patient management, handovers, notes, tasks, and records.
  • AI Features: Patient data within your institution's account is processed by our AI engine solely to generate summaries, suggestions, and discharge notes for your clinical team.
  • Authentication & Security: To verify user identity, detect suspicious login activity, manage session tokens, and enforce role-based access control.
  • Billing: To manage subscriptions, invoices, and plan upgrades via Stripe.
  • Compliance & Auditing: To maintain audit logs that institutions can review for regulatory compliance.
  • Platform Improvement: Aggregated, anonymised usage analytics to improve product features. No individual patient data is used for this purpose.
  • Communications: To send transactional emails (password reset, account notifications). We do not send unsolicited marketing to clinical users.

4. Data Ownership & Institutional Control

Your institution owns all patient and clinical data entered into ClinStreams. We act as a data processor on your behalf. As the data controller, your institution is responsible for ensuring that data entered into the platform complies with applicable laws in your jurisdiction.

Super Admins have full access to manage users, roles, departments, and data within their institution. The platform enforces strict multi-tenant data isolation — no institution can access another institution's data.


5. Data Sharing & Third Parties

We do not sell, rent, or trade your data. We share limited data only with the following trusted sub-processors:

  • Stripe — Payment processing. Governed by Stripe's own privacy policy and PCI-DSS compliance.
  • AI Infrastructure Providers — Clinical text (notes, patient data) is sent to our AI provider solely to generate summaries and suggestions. Data is processed under a data processing agreement and is not retained for model training.
  • Cloud Hosting Provider — Infrastructure hosting (data stored in encrypted form). Physical access is controlled by the hosting provider's enterprise security programme.

We may disclose data if required by law, court order, or to protect the safety of users or the public.


6. Security

We implement industry-standard technical and organisational measures to protect your data:

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Passwords are hashed using bcrypt with a per-user salt.
  • Refresh tokens use rotation — reuse of a revoked token invalidates all sessions.
  • Role-based access control ensures users can only access resources appropriate to their clinical role.
  • Rate limiting and account lockout protect against brute-force attacks.
  • Sensitive fields (e.g. medical record content) are encrypted at rest using AES-256.

Despite these measures, no system is completely immune to security incidents. We will notify affected institutions without undue delay in the event of a data breach as required by applicable law.


7. Data Retention

  • Patient and clinical data is retained for as long as the institution's account is active.
  • Upon account deletion, data is purged from active systems within 30 days and from backups within 90 days.
  • Audit logs are retained for a minimum of 2 years to meet healthcare regulatory requirements.
  • Voice recordings submitted for transcription are deleted immediately after the transcription is returned.

8. HIPAA & GDPR

HIPAA (US): ClinStreams is designed to operate as a Business Associate under HIPAA. Covered entities using ClinStreams to process Protected Health Information (PHI) should ensure a Business Associate Agreement (BAA) is in place. Contact us to request a BAA.

GDPR (EU/EEA): If you are located in the European Economic Area, you have the following rights regarding your personal data:

  • Right to access, correct, or erase your data.
  • Right to restrict or object to processing.
  • Right to data portability.
  • Right to lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at privacy@clinstreams.com.


9. Children's Privacy

ClinStreams is a professional clinical platform intended exclusively for healthcare institutions and their authorised staff. It is not designed for use by individuals under 18. We do not knowingly collect personal information from minors.


10. Changes to This Policy

We may update this Privacy Policy periodically. When we do, we will update the "Last Updated" date at the top of this page. For material changes, we will notify Super Admin users by email at least 14 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance.


11. Contact Us

Terms of Service

Effective Date: 1 January 2025  ·  Last Updated: April 2025

Summary: ClinStreams is a professional healthcare platform. By using it, you agree to use it lawfully, protect patient data, and accept our subscription terms. We provide the Service "as-is" and are not liable for clinical decisions made using the platform.

1. Acceptance of Terms

By registering an account or using the ClinStreams platform, you ("User" or "Institution") agree to be bound by these Terms of Service ("Terms"). If you are registering on behalf of a healthcare institution, you represent that you have the authority to bind that institution to these Terms.

If you do not agree to these Terms, do not register or use the Service.


2. Nature of the Service

ClinStreams provides clinical workflow management tools including patient management, note-taking, task management, handovers, medical records, AI-assisted summaries, and administrative features.

Important: ClinStreams is a workflow and documentation tool. AI-generated summaries, suggestions, and discharge notes are intended to assist qualified healthcare professionals — they do not constitute medical advice and must be reviewed and validated by a licensed clinician before clinical use. ClinStreams is not responsible for clinical decisions made based on AI-generated content.


3. Eligibility & Accounts

  • You must be a licensed healthcare professional, administrator, or authorised staff member of a registered healthcare institution.
  • Institutions are responsible for all actions taken by their registered users.
  • You are responsible for maintaining the security of your credentials. Do not share your password.
  • You must notify ClinStreams immediately if you suspect unauthorised access to your account.
  • ClinStreams reserves the right to suspend or terminate accounts that violate these Terms.

4. Acceptable Use

You agree not to:

  • Use the Service for any purpose other than legitimate clinical and administrative work within your institution.
  • Enter false, fabricated, or misleading patient data.
  • Attempt to access, modify, or delete data belonging to another institution.
  • Reverse engineer, decompile, or attempt to extract the source code of the Service.
  • Use automated scripts or bots to scrape or stress-test the platform.
  • Transmit malware, viruses, or any code designed to disrupt or damage the Service.
  • Violate any applicable law, regulation, or professional obligation in your jurisdiction.

5. Subscriptions & Billing

Plans: ClinStreams offers a free tier and paid plans (Starter, Pro). Plan details, limits, and pricing are published on our Pricing page.

  • Paid plans are billed monthly in advance via Stripe.
  • You may upgrade or downgrade your plan at any time through the in-app Billing section.
  • Downgrading to a plan that cannot accommodate your current user count will require reducing users first.
  • A 14-day free Pro trial is available once per institution and does not require a payment method.
  • Subscriptions auto-renew unless cancelled before the next billing cycle.
  • No refunds are issued for partial months except where required by applicable law.

6. Data & Confidentiality

You are solely responsible for ensuring that all patient data entered into ClinStreams complies with applicable healthcare privacy laws (including HIPAA and GDPR where applicable).

You must obtain all necessary patient consents required by your jurisdiction before entering their data into the platform.

ClinStreams staff do not access patient data unless explicitly requested by your institution for support purposes, and only to the minimum extent necessary.


7. AI Features

ClinStreams provides AI-powered features including note structuring, patient summaries, treatment suggestions, and discharge summaries. By using these features, you acknowledge:

  • AI outputs are generated aids and must be reviewed by a qualified clinician before acting on them.
  • AI features are only available on paid plans (Pro and above).
  • Voice recordings submitted for transcription are processed in real time and are not stored after the transcription is returned.
  • ClinStreams makes no representations or warranties regarding the clinical accuracy of AI-generated content.

8. Intellectual Property

All platform software, user interfaces, branding, and documentation are the exclusive intellectual property of ClinStreams. You are granted a limited, non-exclusive, non-transferable licence to use the Service for your institution's internal purposes.

You retain all rights to the clinical data you enter. By using the Service, you grant ClinStreams a limited licence to process that data solely to provide the Service and as described in our Privacy Policy.


9. Disclaimers & Limitation of Liability

The Service is provided "as is" and "as available". ClinStreams does not warrant that the Service will be uninterrupted, error-free, or meet your specific requirements.

To the maximum extent permitted by law, ClinStreams is not liable for:

  • Any clinical or medical decisions made using information from the platform.
  • Loss of data due to user error, accidental deletion, or circumstances outside our control.
  • Indirect, incidental, consequential, or punitive damages arising from use of the Service.

Our aggregate liability shall not exceed the total fees paid by your institution in the 12 months preceding the claim.


10. Termination

  • You may close your institution's account at any time through the platform settings.
  • We may suspend or terminate access for violation of these Terms, non-payment, or other legitimate reasons, with reasonable notice where practicable.
  • Upon termination, your data will be retained for 30 days to allow export, then permanently deleted in accordance with our Privacy Policy.

11. Governing Law

These Terms are governed by applicable law. The parties shall first attempt to resolve any dispute arising from these Terms through good-faith negotiation. If unresolved, disputes shall be subject to the jurisdiction of the courts applicable to the institution's registered location, subject to mandatory consumer protection laws.


12. Changes to These Terms

We may update these Terms from time to time. Material changes will be communicated to Super Admin users by email at least 14 days in advance. Continued use after the effective date constitutes acceptance of the revised Terms.


13. Contact