Privacy Policy

Last updated: April 17, 2026

1. Introduction

ClinEthix LLC (“we”, “us”, “our”), a limited liability company registered in Wyoming, United States, operates the website clinethix.com and the ClinEthix Guidelines platform (collectively, the “Services”).

We are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use our Services.

This policy is designed to comply with the General Data Protection Regulation (GDPR) (EU/EEA), the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) (US), Law 09-08 on the protection of individuals with regard to the processing of personal data (Morocco), and the EU-U.S. Data Privacy Framework (DPF) principles.

2. Data Controller and Privacy Contact

Field        | Details
Entity       | ClinEthix LLC
Jurisdiction | Wyoming, United States
Contact      | contact@clinethix.com

As our processing activities grow, we will appoint a Data Protection Officer (DPO) and update this section accordingly. In the meantime, all privacy inquiries are handled directly by the founder.

3. Data We Collect

3.1 Website visitors

When you browse our website, we may collect:

  • Technical data: IP address (anonymized after collection), browser type, operating system, screen resolution, device type
  • Usage data: pages visited, time spent, referral source, click patterns
  • Communication data: name and email address when you use our contact form or sign up for updates

3.2 Guidelines platform users

When you create an account and use the ClinEthix Guidelines platform, we additionally collect:

  • Account data: name, email, professional role, institution (optional), country
  • Subscription data: plan type, billing cycle, payment method (last 4 digits only – full payment details are processed and stored exclusively by our PCI DSS-compliant payment processor)
  • Query data: medical questions submitted to the platform and the corresponding results returned
  • Usage data: search history, sources consulted, features used, session duration

3.3 Sensitive data and health information

Important: ClinEthix Guidelines is a clinical decision support tool for healthcare professionals. It is NOT designed to process patient health records. No patient-identifiable information (names, dates of birth, medical record numbers, or any Protected Health Information as defined by HIPAA) should be entered into the platform. Users are solely responsible for de-identifying any information before submission.

Medical queries submitted by healthcare professionals may constitute indirect health-related data under GDPR Article 9. We process this data under the following justification:

  • The data relates to the professional activity of the user (a healthcare professional seeking clinical guidance), not to an identified patient
  • Processing is necessary for reasons of public interest in the area of public health (Art. 9(2)(i) GDPR) – specifically, supporting evidence-based clinical practice
  • Additional safeguards are in place: queries are encrypted, access is restricted, and no attempt is made to identify patients from query content

3.4 Data we do NOT collect

  • Patient health records or Protected Health Information (PHI)
  • Biometric or genetic data
  • Social Security numbers or government identifiers
  • Data from minors (our Services are restricted to licensed healthcare professionals and medical students aged 18+)
  • Precise geolocation data

4. Legal Bases for Processing (GDPR)

Under the GDPR, we process your personal data on the following legal grounds:

Purpose                        | Legal basis (GDPR)                    | Details
Providing our Services         | Art. 6(1)(b) – Contract               | Necessary to deliver the service you subscribed to
Account management             | Art. 6(1)(b) – Contract               | Managing your subscription, credentials, preferences
Processing medical queries     | Art. 6(1)(b) + Art. 9(2)(i)           | Core service delivery + public health interest safeguard
Product improvement            | Art. 6(1)(f) – Legitimate interest    | Anonymized analytics to improve accuracy and UX. You can opt out.
Marketing communications       | Art. 6(1)(a) – Consent                | Only with explicit opt-in. Withdraw anytime.
Legal obligations              | Art. 6(1)(c) – Legal obligation       | Tax records, regulatory compliance
Security and fraud prevention  | Art. 6(1)(f) – Legitimate interest    | Protecting our systems and users

5. How We Use Your Data

  • To provide, operate, and improve our Services
  • To process subscriptions and payments
  • To respond to your inquiries and provide support
  • To send service-related communications (account confirmations, security alerts, subscription changes)
  • To send marketing communications (only with your explicit consent; you can opt out at any time via the unsubscribe link in any email)
  • To analyze anonymized usage patterns and improve the quality, accuracy, and coverage of our clinical decision support tools
  • To detect and prevent fraud, abuse, and security incidents
  • To comply with legal obligations (tax reporting, regulatory inquiries)

6. Automated Decision-Making (GDPR Art. 22)

The ClinEthix Guidelines platform uses algorithms to match user queries with relevant published guidelines and present structured results. This processing:

  • Does NOT constitute automated decision-making with legal or similarly significant effects under GDPR Article 22
  • Does not make clinical decisions – it provides information that a qualified healthcare professional independently evaluates
  • Does not produce profiles used to make decisions about individuals
  • Does not determine eligibility for services, credit, insurance, or employment

If you believe an automated process has produced an inaccurate result, you can report it to contact@clinethix.com and request human review.

7. Data Sharing

We do not sell, rent, or trade your personal data. Under the CCPA/CPRA, we confirm: we do not sell or share personal information for cross-context behavioral advertising.

We may share data with the following categories of service providers, all of whom are contractually bound by data processing agreements:

Recipient category      | Purpose                            | Location            | Safeguards
Payment processor       | Subscription billing               | United States       | PCI DSS Level 1 compliant
Cloud hosting provider  | Platform and data hosting          | European Union      | ISO 27001, SOC 2
Analytics provider      | Anonymous usage statistics         | European Union      | IP anonymization, no cross-site tracking
Email service provider  | Transactional and marketing emails | United States / EU  | DPA in place, SCCs

We may also disclose data when required by law, court order, or governmental authority, or to protect our rights or safety.

8. International Data Transfers

ClinEthix LLC is based in the United States. If you are located in the EU/EEA, the United Kingdom, Morocco, or another jurisdiction with data transfer restrictions, your data may be transferred to the United States.

We ensure adequate safeguards for international transfers through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (June 2021 version) with all sub-processors
  • Data Processing Agreements (DPAs) with all third-party service providers
  • Transfer Impact Assessments (TIAs) conducted for each data flow to a third country
  • We may seek EU-U.S. Data Privacy Framework (DPF) certification in the future, and will update this section accordingly
  • Technical measures: encryption in transit (TLS 1.3) and at rest (AES-256), access controls, pseudonymization where feasible

9. Data Retention

Data type                  | Retention period                    | Justification
Account data               | Duration of the account + 12 months | Reactivation window, then deleted
Query data                 | Duration of the account             | Deleted on account closure or on request
Billing data               | 7 years after last transaction      | US tax and accounting obligations (IRS)
Analytics data             | 26 months (anonymized)              | Product improvement; no personal identifiers
Contact form submissions   | 12 months                           | Follow-up and quality assurance
Marketing consent records  | Duration of consent + 3 years       | Proof of consent (GDPR accountability)
Security logs              | 12 months                           | Incident detection and forensics

After expiry, data is either permanently deleted or irreversibly anonymized. You may request early deletion at any time (subject to legal retention obligations).

10. Cookies and Tracking Technologies

10.1 Cookie categories

Category            | Purpose                                                        | Duration   | Consent required
Strictly necessary  | Authentication, security, CSRF protection, load balancing      | Session    | No (exempt under ePrivacy)
Functional          | Language preferences, display settings, cookie consent choice  | 12 months  | No (user-requested functionality)
Analytics           | Anonymous page views, session counts, feature usage            | 26 months  | Yes – opt-in required

10.2 What we do NOT use

  • No advertising or retargeting cookies
  • No cross-site tracking pixels
  • No fingerprinting techniques
  • No third-party social media tracking widgets

10.3 Managing cookies

On your first visit, a cookie consent banner allows you to accept or decline non-essential cookies. You can change your preference at any time by clicking “Cookie Settings” in the footer. You can also manage cookies via your browser settings, though this may affect site functionality.

11. Your Rights

11.1 Under the GDPR (EU/EEA residents) and the UK GDPR (UK residents)

  • Access (Art. 15) – obtain a copy of your personal data and information about how it is processed
  • Rectification (Art. 16) – correct inaccurate or incomplete data
  • Erasure (Art. 17) – request deletion of your data (“right to be forgotten”), subject to legal retention obligations
  • Restriction (Art. 18) – limit processing while a dispute is resolved
  • Portability (Art. 20) – receive your data in a structured, commonly used, machine-readable format (JSON or CSV)
  • Objection (Art. 21) – object to processing based on legitimate interest, including profiling
  • Withdraw consent (Art. 7) – at any time, without affecting the lawfulness of prior processing
  • Lodge a complaint – with your local Data Protection Authority (e.g., CNIL in France, ICO in the UK)

11.2 Under the CCPA/CPRA (California residents)

  • Right to know – categories and specific pieces of personal information collected, sources, purposes, and third parties with whom it is shared
  • Right to delete – request deletion of personal information we hold about you
  • Right to correct – request correction of inaccurate personal information
  • Right to opt out of sale/sharing – we do not sell or share your data for cross-context behavioral advertising
  • Right to limit use of sensitive personal information – you can restrict how we use sensitive categories
  • Right to non-discrimination – we will not discriminate against you for exercising your rights

To submit a CCPA request, email contact@clinethix.com with the subject “CCPA Request”. We will verify your identity before processing.

11.3 Under Law 09-08 (Morocco residents)

  • Right of access – to your personal data held by us
  • Right of rectification – to correct or update your data
  • Right of opposition – to object to data processing for legitimate reasons
  • Right of deletion – to request erasure of your data

You may file a complaint with the CNDP (Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel) at www.cndp.ma.

11.4 How to exercise your rights

Channel        | Details
Email          | contact@clinethix.com
Subject line   | “Privacy Request – [Your Right] – [Your Name]”
Verification   | We verify your identity via email confirmation before processing
Response time  | Within 30 days (GDPR/Morocco) / 45 days (CCPA)
Extension      | Complex requests may be extended by 60 days (GDPR) or 45 days (CCPA) with notice
Cost           | Free of charge (unless requests are manifestly excessive)

12. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption: TLS 1.3 in transit, AES-256 at rest
  • Access controls: role-based access, principle of least privilege, multi-factor authentication for administrative access
  • Infrastructure: hosted with ISO 27001 and SOC 2 certified providers
  • Monitoring: automated intrusion detection, anomaly alerts
  • Incident response: documented procedure for breach detection, containment, notification, and remediation. Where GDPR applies, we notify the competent supervisory authority within 72 hours of becoming aware of a personal data breach (Art. 33) and affected users without undue delay where the breach is likely to result in a high risk to them (Art. 34)
  • Staff: confidentiality agreements and data protection training for all team members with data access

13. Children’s Privacy

Our Services are designed exclusively for licensed healthcare professionals, medical students (aged 18+), and healthcare institutions. We do not knowingly collect data from individuals under 18. If we become aware of such collection, we will promptly delete the data and terminate the associated account.

14. Do Not Track Signals

Our website does not currently respond to “Do Not Track” (DNT) browser signals, as there is no industry-standard protocol for DNT. However, we do not engage in cross-site tracking, and our analytics respect your cookie consent preference.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes:

  • Material changes: notified via email to registered users and a prominent banner on our website at least 30 days before taking effect
  • Minor changes: reflected by the updated “Last updated” date at the top of this page
  • Previous versions of this policy are available upon request

Continued use of our Services after the effective date of changes constitutes acceptance of the updated policy.

16. Contact Us

For privacy-related questions, data access requests, or complaints:

Type                  | Email                  | Response time
Privacy inquiries     | contact@clinethix.com  | We aim to respond promptly
Data rights requests  | contact@clinethix.com  | Within 30 days (GDPR) / 45 days (CCPA) as required by law
General inquiries     | contact@clinethix.com  | We aim to respond promptly