Privacy Policy

Last updated: February 2026

1. Data Controller

The data controller responsible for processing personal data through the Clinika OS platform is lopes2tech, a company incorporated and operating under Swiss law. Contact: privacy@lopes2tech.ch

2. Data We Collect

We collect the following categories of personal data:

  • Account information: name, email address, password (hashed)
  • Clinic information: clinic name, phone number, address, timezone
  • Appointment data: client names, contact details, appointment times, services booked
  • Usage data: access logs, browser type, device type (for security purposes)

3. Legal Basis for Processing

We process personal data under the following legal bases:

  • Contract performance: to provide the Clinika OS service as agreed
  • Legitimate interests: security, fraud prevention, service improvement
  • Legal obligation: compliance with Swiss nDSG and EU GDPR requirements
  • Consent: for marketing communications (if applicable)

4. Data Storage and Security

All clinic and patient data is stored exclusively on servers located in Switzerland (Supabase, Swiss-hosted instance). We use industry-standard encryption (TLS in transit, AES-256 at rest) and row-level security policies to ensure clinic data isolation.

Certain data is processed by our third-party service providers, some of whom operate outside Switzerland (see Section 7). These transfers are carried out under appropriate safeguards, including Standard Contractual Clauses, in accordance with Swiss nDSG and EU GDPR requirements.

5. Data Retention

We retain personal data for as long as your account is active, plus an additional period required for legal or accounting purposes (typically 10 years under Swiss law). You may request deletion of your account and associated data at any time.

6. Your Rights

Under Swiss nDSG and EU GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Request erasure ("right to be forgotten")
  • Restrict or object to processing
  • Receive your data in a machine-readable format (data portability)
  • Withdraw consent at any time

To exercise these rights, contact us at: privacy@lopes2tech.ch

7. Third-Party Processors

We use the following sub-processors, all operating under strict data processing agreements:

  • Supabase (Swiss-hosted instance): database and authentication
  • Vercel: application hosting and CDN
  • Resend (US-based): transactional email delivery
  • Stripe (US-based): payment processing (billing and subscription management)
  • Sentry (US-based): application error monitoring (anonymised stack traces)
  • Google LLC / Google Analytics (US-based): website analytics (only activated with your explicit consent)
  • Vercel Analytics: website performance analytics (cookieless, anonymised)

8. Cookies

We use the following categories of cookies:

Strictly necessary cookies: Used for session management and authentication. These cannot be disabled as they are essential for the platform to function.

Analytics cookies (with consent): We use Google Analytics 4 to understand how visitors use our website. These cookies are only set if you explicitly accept cookies via our consent banner. You may withdraw consent at any time.

Performance monitoring: Vercel Analytics and Vercel Speed Insights collect anonymised performance data without setting cookies or tracking individual users.

9. Data Breach Notification

In the event of a personal data breach that poses a risk to the rights and freedoms of individuals, we will notify the Swiss Federal Data Protection and Information Commissioner (FDPIC) and, where applicable, the relevant EU supervisory authority, within 72 hours of becoming aware of the breach. Affected individuals will be informed without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

We maintain an internal data breach register and have procedures in place for detecting, investigating, and responding to data breaches.

10. Contact, DPO & Complaints

For privacy-related inquiries, contact: privacy@lopes2tech.ch

As a company that does not engage in large-scale systematic processing of sensitive personal data or public monitoring, we are not required to designate a formal Data Protection Officer (DPO) under Swiss nDSG or EU GDPR. Privacy matters are handled directly by the data controller.

You also have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch
