Privacy Policy

Last updated: March 28, 2026

1. Introduction

Sanady Care ("we", "our", or "us") operates the Sanady Care clinic management platform ("Service"). This Privacy Policy describes how we collect, use, store, and protect information about users of our Service, including clinic supervisors and specialists.

By using the Service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

Account Information

When you create an account, we collect your name, email address, and role within your organisation. Authentication is handled by Clerk, Inc.

Clinical and Patient Data

As part of operating a clinic management system, the Service stores patient records, session notes, booking history, treatment plans, and related clinical information on behalf of your clinic (branch). You are the data controller for this information; we act as a data processor.

Session Recordings

With explicit patient consent, audio recordings of therapy sessions may be uploaded to secure cloud storage and processed by an AI transcription service (Groq) to generate summaries. Recordings are stored in a private Supabase Storage bucket.

Children & Minors' Data

Clinics may store records about patients who are minors. We do not knowingly collect data directly from children; such data is provided and controlled by the treating clinic (branch). Minors' data is restricted to authorised staff of the treating branch via role-based access controls and row-level security, and is never sold or shared for marketing. Recording a minor's session requires explicit consent recorded on the patient profile. See our AI Disclaimer and Medical Disclaimer for how AI processes session data.

Usage Data

We collect aggregated usage statistics (booking counts, session counts, revenue totals) to help manage your subscription and provide analytics within the platform.

3. How We Use Your Information

  • To provide, maintain, and improve the Service
  • To authenticate users and enforce role-based access controls
  • To process session recordings and generate AI-powered clinical summaries
  • To send transactional emails (booking confirmations, payment receipts, session review requests)
  • To manage subscriptions and billing
  • To monitor system health and prevent abuse

4. Third-Party Services

We use the following third-party services to operate the platform:

  • Supabase — database, file storage, and edge functions (hosted in your selected region)
  • Clerk — user authentication and organisation management
  • Groq — AI transcription (Whisper) and text summarisation; audio is processed on Groq's servers and not retained beyond the API call
  • Resend — transactional email delivery
  • Sentry — error monitoring (production only; no personal health data is sent)

5. Data Retention

Patient records, session data, and clinical information are retained for as long as your clinic account is active, or as required by applicable law. We apply the following retention windows:

  • Session recordings — default 30 days, then automatically deleted (configurable at recording time)
  • AI prompts & outputs (transcripts, summaries, insights) — tied to the related session record and deleted with it; any not linked to a record are deleted within 30 days
  • Analytics & usage data — aggregated or anonymised within 90 days; raw event-level data is not retained beyond that
  • Audit logs — 12–24 months, unless a longer period is required for security or legal reasons
  • Notification logs — 90–180 days
  • Backups — encrypted; deleted or rotated within 30–90 days

Upon account termination, we will delete or anonymise your data within 30 days, except where retention is required by law. See our Data Deletion page.

6. Data Security

All data is encrypted in transit (TLS) and at rest. Access to patient data is enforced through row-level security (RLS) policies tied to authenticated organisation roles. Only authorised staff within your clinic can access your branch's data.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your account and associated data
  • Object to or restrict certain processing

To exercise these rights, contact us at privacy@sanady.care.

8. Governing Law

This Privacy Policy is governed by the laws of the State of Qatar, including Law No. (13) of 2016 Concerning the Protection of Personal Data (PDPPL).

9. Contact Us

For any privacy-related questions, please contact us at privacy@sanady.care or visit our support page.

Terms & ConditionsData Processing AgreementAI DisclaimerMedical DisclaimerLabels & MarkingsSupportData Deletion