Privacy Policy

How Flavell collects, uses, and protects healthcare and patient information in compliance with global standards.

1. Introduction

Welcome to Flavell ("we," "our," or "us"). We provide a B2B Software-as-a-Service (SaaS) clinic management platform. This Privacy Policy explains how we collect, use, disclose, and safeguard information when clinics ("Data Controllers") and their patients use our application.

By using Flavell, you agree to the collection and use of information in accordance with this Privacy Policy. As a service provider, we process data solely on behalf of the clinics that utilize our software.


2. Data We Collect

We collect different types of data depending on the user's role:

  • Clinic Providers/Staff (PII): Full name, email address, phone number, professional titles, license numbers, IP addresses, and user agent data (for security and audit logs).
  • Patient Data: Entered by the clinic or the patient, including name, phone number, email address, demographic information (DOB, gender), and physical address.
  • System Data: Technical logs, cookies, and usage metrics to monitor and improve platform performance.

3. Protected Health Information (PHI)

Flavell stores highly sensitive health information (PHI) on behalf of clinics. This includes:

  • Medical histories, allergies, and blood groups.
  • Prescription records, diagnoses, and medication instructions.
  • Medical vault files (lab reports, scans, PDF/Image notes).
  • Consultation transcripts and symptom descriptions.

Note to Clinics: You remain the Data Controller of this PHI. You are responsible for obtaining the necessary patient consents and ensuring compliance with local health data regulations (e.g., HIPAA, GDPR) before inputting data into Flavell.


4. How We Use Data

We process data strictly to provide and improve the Flavell service. This includes:

  • Facilitating appointment scheduling, medical records management, and invoicing.
  • Processing real-time communications between clinics and patients.
  • Generating clinical notes and automated transcriptions.
  • Maintaining comprehensive audit logs for security and compliance purposes.

5. AI Processing & Third-Party Providers

To deliver advanced features, we utilize sub-processors. Data shared with these providers is strictly limited to the purpose of providing the service:

  • OpenAI & DeepSeek: Used for generating clinical notes, AI knowledge base processing, and transcription services. We utilize enterprise agreements to ensure zero data retention policies are enforced where applicable.
  • Cloudflare R2: For secure cloud storage of encrypted medical documents.
  • Clerk: For secure user authentication and identity management.
  • NeonDB (PostgreSQL) & Upstash: For primary database hosting and caching infrastructure.

6. Telehealth & Video Consultations

Video consultations and live chat features are powered by the Stream SDK. While video streams are securely transmitted and processed, Flavell does not record or store raw video feeds unless explicitly initiated by the clinic with patient consent. Network constraints and third-party downtime are outside our direct control.


7. WhatsApp & Messaging Compliance

We integrate with the Meta WhatsApp Cloud API for automated patient communication and appointment management.

  • Clinics must secure explicit opt-in consent from patients before messaging them via WhatsApp.
  • All communications are subject to Meta's Commerce and Business Policies.
  • Flavell reserves the right to suspend WhatsApp integration for any clinic found violating spam or communication policies.

8. Data Retention

We retain data for as long as a clinic maintains an active subscription with Flavell. Upon termination of an account, we will provide the clinic with an opportunity to export their data.

Following the export window, all PHI and PII will be securely deleted from our active databases, in accordance with applicable legal retention requirements (e.g., some jurisdictions require health records to be maintained for 7 years).


9. Security Measures

We implement robust, industry-standard security measures to protect your data:

  • Encryption: Data is encrypted both in transit (TLS) and at rest using advanced encryption standards.
  • Audit Trails: We maintain strict audit logs tracking IP addresses, user agents, and entity modifications to monitor for unauthorized access.
  • Access Control: Role-based access ensures that only authorized personnel within a clinic can view specific patient records.

10. User Rights

As Flavell is a Data Processor, patients seeking to exercise their data rights (such as access, rectification, or deletion of their PHI) must direct their requests to the respective Clinic (the Data Controller). Flavell will assist clinics in fulfilling these requests through platform tooling.


11. International Data Transfers

Your information, including Personal Data, may be transferred to — and maintained on — computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ. We ensure appropriate safeguards are in place for such transfers.


12. Children's Privacy

Our software is used by medical professionals to treat patients of all ages, including children under 13. However, Flavell itself does not knowingly collect personally identifiable information directly from children without verifiable parental consent. Clinics are responsible for obtaining parental consent for minors.


13. Changes to This Policy

We may update our Privacy Policy from time to time. We will notify clinics of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top. Continued use of the platform constitutes acceptance of the changes.