Privacy Policy
Last updated: April 21, 2026. This policy explains how ClinikAPI collects, uses, and protects your information.
1. Overview
ClinikAPI ("we", "us", "our") operates the ClinikAPI healthcare infrastructure platform. This privacy policy explains how we collect, use, store, and protect information when you use our services, including the REST API, Developer Dashboard, TypeScript SDK, and React component library.
2. Data Ownership
You own your data. ClinikAPI acts as a data processor (Business Associate under HIPAA) for clinical information submitted through our APIs. We do not sell, rent, license, or monetize patient data under any circumstances. Clinical data is stored in your organization's isolated partition within AWS HealthLake and is only accessible through your authenticated API keys.
3. Information We Collect
Account Information
When you create an account, we collect your name, email address, and organization name. Billing information (credit card numbers) is processed directly by Stripe — we never store card details on our servers.
Usage Data
We log API requests (endpoint, method, status code, latency, timestamp) for analytics and debugging. Dashboard usage is tracked via PostHog for product improvement. Error logs are retained for 90 days.
Clinical Data (PHI)
Clinical data is stored in AWS HealthLake on your behalf. We act as a Business Associate under HIPAA. We do not access, analyze, or use PHI except as strictly necessary to provide the storage and retrieval service. PHI is encrypted at rest (AES-256) and in transit (TLS 1.2+).
4. How We Use Information
Account data is used to authenticate you, process billing, and send service-related communications (outage notifications, security alerts, billing receipts). Usage data powers the analytics dashboard and helps us improve API performance. We do not use clinical data for any purpose other than storing and returning it through the API.
5. Data Sharing
We do not sell or share your data with third parties for marketing purposes. We share data only with: (1) AWS — our infrastructure provider, under their BAA; (2) Stripe — for payment processing; (3) Supabase — for dashboard authentication and metadata storage; (4) PostHog — for anonymized product analytics (no PHI). All sub-processors maintain SOC 2 or equivalent certifications.
6. Data Retention
Account data: retained while your account is active; deleted within 30 days of account closure.
API request logs: retained for 90 days, then automatically purged.
Clinical data (PHI): retained until you delete it via the API or close your account. Upon account closure, all PHI is permanently deleted from HealthLake within 30 days per our BAA terms.
Billing records: retained for 7 years for tax and legal compliance.
7. Data Security
All data is encrypted at rest (AES-256 via AWS HealthLake) and in transit (TLS 1.2+). API keys are SHA-256 hashed before storage. Multi-tenant isolation is enforced via FHIR meta.tag on every resource. Rate limiting, path traversal protection, and body size limits are applied to all API requests. Audit logs capture every operation for compliance monitoring.
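As an added illustration of two of the controls named above, and not ClinikAPI's own code, the following TypeScript shows how a gateway can store only a SHA-256 digest of each API key and still authenticate in constant time, and how a per-tenant FHIR meta.tag can be stamped on write and checked on read. The tag system URL, the key prefix and all function names are assumptions; the policy does not state them.

```typescript
// Added example, not ClinikAPI's implementation. Assumed names throughout.
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Assumed coding system for the tenant tag; the real value is not published.
export const TENANT_TAG_SYSTEM = "https://example.invalid/fhir/tenant";

export interface StoredKey {
  tenantId: string;
  keyHash: string; // hex SHA-256 of the key; the key itself is never stored
}

// A fresh key carries 256 bits of randomness. That is why a plain, unsalted
// SHA-256 is adequate here: there is no low-entropy secret to brute-force,
// unlike a password, which would need a slow, salted hash instead.
export function generateApiKey(): string {
  return "ck_" + randomBytes(32).toString("hex");
}

export function hashApiKey(key: string): string {
  return createHash("sha256").update(key, "utf8").digest("hex");
}

// Compare digests with timingSafeEqual so response time does not reveal how
// many leading bytes of the digest matched. Length is checked first because
// timingSafeEqual throws on buffers of different length.
export function verifyApiKey(presented: string, stored: StoredKey): boolean {
  const a = Buffer.from(hashApiKey(presented), "hex");
  const b = Buffer.from(stored.keyHash, "hex");
  return a.length === b.length && timingSafeEqual(a, b);
}

interface Coding { system?: string; code?: string; }
export interface FhirResource {
  resourceType: string;
  id: string;
  meta?: { tag?: Coding[] };
}

// On write: drop any tenant tag the client supplied (so a caller cannot tag a
// resource into another tenant) and stamp the authenticated tenant instead.
export function tagForTenant(resource: FhirResource, tenantId: string): FhirResource {
  const tags = (resource.meta?.tag ?? []).filter(t => t.system !== TENANT_TAG_SYSTEM);
  tags.push({ system: TENANT_TAG_SYSTEM, code: tenantId });
  return { ...resource, meta: { ...resource.meta, tag: tags } };
}

// On read: a resource belongs to the caller only if it carries the caller's tag.
export function belongsToTenant(resource: FhirResource, tenantId: string): boolean {
  return (resource.meta?.tag ?? []).some(
    t => t.system === TENANT_TAG_SYSTEM && t.code === tenantId,
  );
}

// Defense in depth: even if the store-side query was already scoped, filter
// the result set again before anything is returned to the caller.
export function filterForTenant(results: FhirResource[], tenantId: string): FhirResource[] {
  return results.filter(r => belongsToTenant(r, tenantId));
}

// Constructed sample data, wired together the way a request handler would be.
export function demo(): { authenticated: boolean; visible: number } {
  const key = generateApiKey();
  const stored: StoredKey = { tenantId: "tenant-a", keyHash: hashApiKey(key) };
  const authenticated = verifyApiKey(key, stored);

  const mine = tagForTenant({ resourceType: "Patient", id: "p1" }, stored.tenantId);
  const theirs = tagForTenant({ resourceType: "Patient", id: "p2" }, "tenant-b");
  const visible = filterForTenant([mine, theirs], stored.tenantId).length; // 1
  return { authenticated, visible };
}
```

The verification path never decodes or stores the key, so a leaked database yields only digests that are useless without the original 256-bit random value.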
8. Your Rights
You have the right to: (1) Access your data via the API or Dashboard at any time; (2) Export all your data via the bulk export endpoint; (3) Delete specific resources via the API or request full account deletion; (4) Revoke API keys instantly from the Dashboard; (5) Request a copy of your audit logs. For GDPR-covered users, you additionally have the right to data portability, rectification, and the right to object to processing.
9. Cookies
The Dashboard uses essential cookies for session management (Supabase Auth). The marketing site uses PostHog for anonymized analytics. We do not use advertising cookies or tracking pixels. You can disable analytics cookies without affecting service functionality.
10. Children's Privacy
ClinikAPI is a developer platform, not a consumer-facing service. We do not knowingly collect information from children under 13. Clinical data about minors may be stored by your application through our API — this is governed by your own privacy policy and HIPAA obligations.
11. Changes to This Policy
We will notify you of material changes via email at least 30 days before they take effect. Continued use of the service after changes constitutes acceptance. The current version is always available at clinikapi.com/privacy.
12. Contact
For privacy questions, data deletion requests, or GDPR inquiries: [email protected]. For security concerns: [email protected]. Response time: within 48 hours for privacy requests, 24 hours for security reports.