Privacy Policy

Last Updated: January 9, 2026 | Effective Date: January 9, 2026

About This Policy: This Privacy Policy covers all Wiebe Consulting Inc. services, including our marketing website (clinicospro.com), the Clinic OS Pro software platform, and our consulting services such as the 60-Day Sports PT Revenue & Retention Sprint.

Important: Clinic OS Pro is a software tool that helps physical therapy clinics manage patient outreach and revenue recovery. We are NOT a healthcare provider, and we do NOT provide medical advice, diagnosis, or treatment. Your clinic remains solely responsible for all clinical decisions and patient care.

1. Who We Are

Clinic OS Pro is a product of Wiebe Consulting Inc. ("Company," "we," "us," or "our").

We provide:

  • Clinic OS Pro: A Software-as-a-Service (SaaS) platform designed to help physical therapy and rehabilitation clinics identify revenue leakage, manage patient outreach, and improve plan-of-care completion rates.
  • 60-Day Sprint: A done-for-you implementation service (the "60-Day Sports PT Revenue & Retention Sprint") delivered through the Clinic OS Pro platform.
  • Consulting Services: Strategic consulting, AI integration, and process automation for healthcare practices.

We are a software tool and consulting provider, not a healthcare provider. We do not provide medical advice, make clinical decisions, or have any direct relationship with your patients. Your clinic is the data controller for patient information; we act as a data processor on your behalf.

2. Information We Collect

2.1 When You Visit Our Website (clinicospro.com)

  • IP address and device information
  • Browser type and operating system
  • Pages visited and time spent on our website
  • Referring website or source
  • Cookies and similar tracking technologies
  • Contact form submissions (name, email, phone, company, message)

2.2 When You Create a Clinic OS Pro Account

  • Clinic name, address, phone number
  • User names, email addresses, and roles
  • Billing and subscription information
  • Timezone and regional preferences
  • EMR system credentials (encrypted, for integration purposes only)

2.3 Patient Information (via EMR Sync or CSV Import)

We collect only the minimum patient data necessary to provide our services:

  • Identifiers: Patient name, email address, phone number
  • Visit Metadata: Last visit date, next scheduled visit, visit counts
  • Plan of Care Data: Planned visits vs. completed visits
  • Appointment Status: No-show flags, appointment history
  • Program Information: Treatment program type (e.g., "Sports Rehab")
  • Contact Preferences: Do-not-contact flags, communication preferences

2.4 When You Engage Our Consulting Services (Sprint)

  • Business information shared during consultations
  • Communications (emails, chat messages, call recordings and transcripts)
  • Information about your clinic operations and workflows
  • Implementation notes and progress tracking

2.5 Usage & Technical Data

  • IP addresses and device information
  • Browser type and operating system
  • Pages visited and features used within Clinic OS Pro
  • Login timestamps and session information
  • Error logs and performance data

2.6 Communication Data

  • Records of emails and SMS messages sent through our platform
  • Delivery status and engagement metrics
  • Message templates and customizations

3. Information We Do NOT Collect

We explicitly DO NOT collect, store, or process:

  • Medical diagnoses or ICD/CPT codes
  • Clinical notes, SOAP notes, or treatment documentation
  • Imaging studies, lab results, or test results
  • Prescription or medication information
  • Insurance policy numbers or detailed billing codes
  • Social Security Numbers or government ID numbers
  • Genetic information
  • Mental health or substance abuse treatment records
  • Any protected health information (PHI) beyond basic contact and visit metadata

Our platform is intentionally designed for data minimization. We only access and store the information necessary to identify patients at risk of dropping off care and facilitate appropriate follow-up outreach by your staff.

4. How We Use Information

We use collected information solely to:

  • Provide the Clinic OS Pro platform and its features
  • Deliver consulting services (including the 60-Day Sprint)
  • Generate task lists for patient outreach
  • Calculate revenue metrics and generate reports
  • Send communications on your behalf (when you initiate them)
  • Create meeting notes, documentation, and action items
  • Provide customer support
  • Improve and secure our services
  • Comply with legal obligations

We do NOT:

  • Sell your data or patient data to third parties
  • Use patient data for advertising or marketing
  • Share data with third parties except as described in this policy
  • Make clinical or treatment decisions
  • Contact patients directly — all communications are sent by your clinic

5. Information Sharing & Subprocessors

We share information only with trusted service providers who help us deliver our services:

Subprocessor      | Purpose                  | Location      | Data Type
------------------|--------------------------|---------------|---------------------------------
Vercel            | Hosting & Infrastructure | United States | All application data
Neon / PostgreSQL | Database Hosting         | United States | All stored data
Twilio            | SMS Messaging            | United States | Phone numbers, message content
Resend            | Email Delivery           | United States | Email addresses, message content
Stripe            | Payment Processing       | United States | Billing information
Google OAuth      | Authentication           | United States | Email, name

For the complete, current list of subprocessors, see our Subprocessor List.

We may also disclose information:

  • To comply with legal obligations, court orders, or government requests
  • To protect our rights, privacy, safety, or property
  • In connection with a merger, acquisition, or sale of assets (with notice)

6. Data Security

We implement industry-standard security measures including:

  • Encryption in Transit: All data transmitted via TLS 1.2 or higher (HTTPS)
  • Encryption at Rest: Database encryption using AES-256
  • Access Controls: Role-based access, multi-factor authentication available
  • Audit Logging: Comprehensive logs of data access and modifications
  • Regular Backups: Automated backups with tested restore procedures
  • Vulnerability Monitoring: Regular security scans and updates
  • Employee Training: Security awareness and HIPAA training for staff

While we take security seriously, no system is 100% secure. We maintain an incident response plan and will notify affected parties in accordance with applicable breach notification laws.

7. Data Retention

  • Active Accounts: Data retained while your subscription is active
  • After Cancellation: Data retained for 90 days, then permanently deleted
  • Audit Logs: Retained for 7 years for compliance purposes
  • Backup Data: Purged within 30 days of primary deletion
  • Consulting Records: 7 years after engagement ends
  • Call Recordings & Transcripts: 2 years
  • Biometric Data (voiceprints): 2 years or when purpose is satisfied

You may request earlier deletion by contacting ben@wiebe-consulting.com.

8. Call Recording & Biometric Data

IMPORTANT NOTICE

This section describes our practices regarding call recording and biometric data collection during consulting engagements (including the 60-Day Sprint).

8.1 Recording of Communications

We record and transcribe client calls and meetings for documentation, quality assurance, and training purposes. Recordings may be made using various platforms including Zoom, Google Meet, and AI-powered transcription tools.

8.2 Biometric Data Collection

AI transcription tools may create voice profiles or "voiceprints" to identify and distinguish between speakers. These voiceprints may constitute biometric identifiers under laws such as the Illinois Biometric Information Privacy Act (BIPA) and similar state laws.

8.3 Purpose of Biometric Data Collection

Biometric data (voiceprints) is collected solely for:

  • Accurate speaker identification in meeting transcripts
  • Creating attributed meeting notes and action items
  • Quality documentation of client engagements

8.4 Retention and Destruction

Biometric data will be retained for no longer than 2 years from collection, or when the purpose for collection has been satisfied, whichever comes first.

8.5 No Sale of Biometric Data

We will NOT sell, lease, trade, or otherwise profit from your biometric data. Biometric data is disclosed only to service providers necessary for transcription services.

8.6 Consent and Opt-Out

By engaging our consulting services, you consent to call recording and biometric data processing. You may opt out of recording for specific meetings by notifying us in writing before the meeting begins.

9. Your Rights

Depending on your location, you may have the right to:

  • Access: Request a copy of your data
  • Rectification: Correct inaccurate data
  • Deletion: Request deletion of your data ("right to be forgotten")
  • Portability: Receive your data in a structured, machine-readable format
  • Restriction: Limit how we process your data
  • Objection: Object to certain processing activities
  • Withdraw Consent: Where processing is based on consent

To exercise these rights, contact us at ben@wiebe-consulting.com. We will respond within 30 days (or as required by applicable law).

Note for Patient Rights: Clinic OS Pro stores patient data on behalf of clinics. Patients seeking to exercise their rights should contact their healthcare provider directly. Clinics can use our data export and deletion features to fulfill patient requests.

10. HIPAA Compliance (US Healthcare Clients)

Clinic OS Pro may be considered a "Business Associate" under HIPAA when processing protected health information (PHI) on behalf of covered entities (healthcare providers).

No BAA = No PHI. US clinics must sign our Business Associate Agreement (BAA) before they can:

  • Connect their EMR
  • Import patient data
  • Send patient communications

Our HIPAA-aligned measures include:

  • Encryption of PHI at rest and in transit
  • Access controls and audit logging
  • Workforce training on HIPAA requirements
  • Business Associate Agreements with subprocessors
  • Incident response and breach notification procedures (24-hour notification)

11. United States Specific Provisions

11.1 California (CCPA/CPRA)

California residents have additional rights under the CCPA/CPRA:

  • Right to know what personal information is collected and how it's used
  • Right to delete personal information
  • Right to opt out of "sale" of personal information (we do not sell data)
  • Right to non-discrimination for exercising privacy rights
  • Right to correct inaccurate personal information
  • Right to limit use of sensitive personal information

Do Not Sell My Personal Information: We do not sell personal information as defined by the CCPA.

11.2 Other US State Laws

We comply with applicable state privacy laws including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other emerging state privacy regulations.

12. Canada Specific Provisions

12.1 PIPEDA Compliance

For Canadian clinics, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and its 10 fair information principles.

12.2 Provincial Health Privacy Laws

We recognize and support compliance with provincial health information laws including:

  • Ontario: Personal Health Information Protection Act (PHIPA)
  • Alberta: Health Information Act (HIA)
  • British Columbia: Freedom of Information and Protection of Privacy Act (FIPPA)
  • Quebec: Act Respecting the Protection of Personal Information in the Private Sector

12.3 CASL Compliance (Anti-Spam)

When using our messaging features, Canadian clinics must ensure compliance with Canada's Anti-Spam Legislation (CASL). The clinic is responsible for obtaining and documenting express or implied consent before sending commercial electronic messages.

13. Israel Specific Provisions

13.1 Privacy Protection Law

We comply with Israel's Protection of Privacy Law, 5741-1981 and the Privacy Protection Regulations (Data Security), 5777-2017.

13.2 Data Subject Rights

Israeli data subjects have the right to:

  • Access their personal data held in databases
  • Request correction of inaccurate data
  • Object to use of data for direct marketing
  • Request deletion of data in certain circumstances

13.3 Cross-Border Transfers

Data may be transferred to the United States for processing. We ensure adequate protection through contractual safeguards and compliance with Israeli data transfer requirements.

14. European Union / GDPR

While our primary markets are the US, Canada, and Israel, we comply with GDPR requirements for any EU-based users:

14.1 Legal Basis for Processing

  • Contract: Processing necessary to provide our services
  • Legitimate Interest: Improving services, security, fraud prevention
  • Legal Obligation: Tax, audit, and regulatory compliance
  • Consent: Where specifically obtained (e.g., marketing communications)

14.2 International Transfers

Data is transferred to the United States. We rely on Standard Contractual Clauses (SCCs) and supplementary measures to ensure adequate protection. Our Data Processing Addendum includes the latest EU SCCs.

14.3 Data Protection Contact

For GDPR inquiries, contact us at ben@wiebe-consulting.com.

15. Children's Privacy

Clinic OS Pro is designed for use by healthcare businesses, not individual consumers. We do not knowingly collect personal information from children under 13 (or applicable age of consent in your jurisdiction). If you believe we have inadvertently collected such information, please contact us immediately.

16. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by:

  • Posting the updated policy with a new "Last Updated" date
  • Sending email notification to account administrators
  • Displaying a notice within the Clinic OS Pro application

Continued use of our services after changes constitutes acceptance of the updated policy.

17. Contact Us

For privacy-related inquiries:

Wiebe Consulting Inc.

Email: ben@wiebe-consulting.com

Document Version: 2.0
Last Reviewed: January 9, 2026
Next Review Date: January 2027