Skip to main content
Legal

Privacy Policy

Last updated: March 13, 2026Effective: March 13, 2026

Healthcare data requires the highest level of care. DocSuite is HIPAA-compliant and designed specifically for medical practitioners. This policy explains exactly what we collect, why, and how we protect it.

1. Who We Are

DocSuite ("DocSuite", "we", "us", or "our") is operated by DocSuite Technologies Inc., a company building AI-powered practice management software for doctors and clinics worldwide. Our registered address is available upon request at legal@docsuite.app.

When you use DocSuite, you are entrusting us with sensitive information about you and your patients. We take that responsibility seriously and commit to handling all data with transparency, security, and care.

2. Information We Collect

2.1 Account and Practice Information

When you register or use DocSuite, we collect:

  • Name, email address, and password
  • Medical license number, specialty, and practice details
  • Clinic name, address, phone number, and logo
  • Billing and payment information (processed securely by Stripe — we never store full card numbers)
  • Profile photo and digital signature (for prescriptions)

2.2 Patient Data (Protected Health Information)

As a healthcare platform, we process Protected Health Information (PHI) on your behalf as a Business Associate under HIPAA. This includes:

  • Patient names, contact details, and demographic information
  • Appointment history and scheduling data
  • Medical notes, diagnoses, and clinical records
  • Prescription data including medications and dosages
  • Patient portal login credentials and portal activity

You remain the data controller for all patient data. We act solely as a data processor and will never use patient PHI for any purpose other than providing the DocSuite service to you.

2.3 Usage and Technical Data

  • IP address, browser type, device information, and operating system
  • Pages visited, features used, and time spent in the platform
  • Error logs and performance data to improve the service
  • Cookie identifiers (see our Cookie Policy for full details)

2.4 Communications

  • Support tickets and messages you send to our team
  • Email and WhatsApp communications sent through the platform
  • Feedback, surveys, and feature requests

3. How We Use Your Information

3.1 To Provide and Improve the Service

  • Create and manage your practice account and website
  • Process appointment bookings and send reminders
  • Generate and store digital prescriptions
  • Operate the patient portal and WhatsApp AI agent
  • Deliver revenue analytics and practice insights
  • Improve AI models and platform features (using anonymised, aggregate data only — never individual PHI)

3.2 To Communicate With You

  • Send transactional emails (account verification, receipts, booking confirmations)
  • Provide customer support and respond to enquiries
  • Send product updates, security alerts, and policy changes (these cannot be opted out of)
  • Send marketing emails about new features or offers (you can unsubscribe at any time)

3.3 For Legal and Compliance Purposes

  • Comply with applicable laws and regulations including HIPAA, GDPR, and local data protection laws
  • Enforce our Terms of Service and prevent fraud or abuse
  • Respond to lawful requests from law enforcement or government agencies

4. How We Share Your Information

We do not sell your personal data or patient data. Ever. We share information only in these limited circumstances:

4.1 Service Providers (Sub-processors)

We use trusted third-party vendors to operate our service. All sub-processors are contractually bound to protect your data and process it only as instructed:

  • Amazon Web Services (AWS) — cloud infrastructure and data storage (US, EU regions)
  • Stripe — payment processing
  • Twilio / Meta — SMS and WhatsApp message delivery
  • Postmark / SendGrid — transactional email delivery
  • Cloudflare — CDN, DDoS protection, and DNS
  • OpenAI / Anthropic — AI features (data is not used to train third-party models; we use API calls only with strict data processing agreements in place)

4.2 Business Transfers

If DocSuite is involved in a merger, acquisition, or asset sale, your data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the platform before your data is transferred and becomes subject to a different privacy policy.

4.3 Legal Requirements

We may disclose your information if required by law, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

5. HIPAA Compliance

DocSuite operates as a HIPAA-covered Business Associate. We maintain:

  • A signed Business Associate Agreement (BAA) available to all paying customers upon request
  • End-to-end encryption for all PHI in transit (TLS 1.3) and at rest (AES-256)
  • Access controls, audit logs, and role-based permissions
  • Employee training on HIPAA privacy and security rules
  • Breach notification procedures in compliance with the HIPAA Breach Notification Rule

Enterprise customers receive a formal BAA as part of their contract. Growth and Professional customers may request a BAA by contacting legal@docsuite.app.

6. Data Retention

  • Active accounts: Data is retained for the life of your account
  • Cancelled accounts: We retain account data for 90 days after cancellation, after which it is permanently deleted
  • Patient records: Retained for as long as required by applicable medical record retention laws in your jurisdiction (typically 7–10 years), unless you instruct us otherwise
  • Backups: Encrypted backups are retained for up to 30 days after deletion
  • Billing records: Retained for 7 years for tax and accounting purposes

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your account and associated data ("right to be forgotten")
  • Portability: Request an export of your data in a machine-readable format
  • Restriction: Request that we restrict processing of your data in certain circumstances
  • Objection: Object to processing based on legitimate interests or direct marketing
  • Withdrawal of consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, email us at privacy@docsuite.app. We will respond within 30 days. We may ask you to verify your identity before processing requests.

8. Data Security

We employ industry-leading security measures including:

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for all data at rest
  • Multi-factor authentication (MFA) available for all accounts
  • SOC 2 Type II audited infrastructure
  • Regular penetration testing and vulnerability assessments
  • 24/7 intrusion detection and monitoring
  • Strict employee access controls — minimum necessary access principle

Despite these measures, no system is completely immune to security risks. In the event of a data breach affecting your information, we will notify you as required by applicable law.

9. International Data Transfers

Our primary data infrastructure is located in the United States and European Union. If you are located outside these regions, your data may be transferred to and processed in these jurisdictions. We ensure all international transfers are protected by appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Children's Privacy

DocSuite is designed for medical professionals and is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such data, please contact us immediately at privacy@docsuite.app.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting a notice on the platform at least 30 days before changes take effect. Your continued use of DocSuite after changes are effective constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related questions, data requests, or concerns: