Privacy Policy

How we protect and handle your personal information

Last updated: January 8, 2025

Introduction

Welcome to Sapling, where healthcare practices grow. We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our practice management services.

As a healthcare practice management platform, we understand the critical importance of protecting sensitive health and personal information. We are committed to compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and other relevant privacy legislation.

Information We Collect

Information You Provide to Us

  • Waitlist Information: Name, email address, practice type when joining our waitlist
  • Account Information: Name, email, password, practice details when you create an account
  • Practice Data: Client information, appointment records, treatment notes, billing information (when using our services)
  • Communication: Messages, feedback, and correspondence with our support team

Information Collected Automatically

  • Usage Data: How you interact with our website and services
  • Device Information: IP address, browser type, operating system
  • Cookies and Tracking: We use cookies and similar technologies as described in our Cookie Policy

How We Use Your Information

We use the information we collect for the following purposes:

  • Provide, maintain, and improve our services
  • Process your waitlist registration and communicate updates
  • Enable practice management functionality for healthcare practitioners
  • Provide customer support and respond to inquiries
  • Send important notices about our services
  • Comply with legal obligations and regulatory requirements
  • Protect against fraud and ensure platform security

Healthcare Data Protection

As a healthcare practice management platform, we implement additional protections for sensitive health information:

  • Data Minimization: We only collect and process data necessary for providing our services
  • Access Controls: Strict access controls ensure only authorized practitioners can access their patient data
  • Encryption: All sensitive data is encrypted in transit and at rest
  • Audit Trails: We maintain comprehensive logs of data access and modifications
  • Data Segregation: Each practice's data is completely isolated from others

Legal Basis for Processing (GDPR)

Under GDPR, we process personal data based on the following legal bases:

  • Consent: When you voluntarily provide information (e.g., joining our waitlist)
  • Contract Performance: To provide our practice management services
  • Legitimate Interest: For service improvement and security purposes
  • Legal Obligation: To comply with healthcare regulations and legal requirements

Information Sharing and Disclosure

We do not sell, trade, or otherwise transfer your personal information to third parties except in the following circumstances:

  • Service Providers: Trusted third parties who assist in operating our platform (e.g., hosting, email services)
  • Legal Requirements: When required by law, court order, or government regulation
  • Protection of Rights: To protect our rights, property, or safety, or that of our users
  • Business Transfers: In connection with a merger, acquisition, or sale of assets

All third-party service providers are bound by confidentiality agreements and must meet our security standards.

Your Rights and Choices

You have the following rights regarding your personal information:

  • Access: Request copies of your personal data
  • Rectification: Request correction of inaccurate or incomplete data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Portability: Request transfer of your data to another service
  • Restriction: Request limitation of processing in certain circumstances
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent for processing at any time

To exercise these rights, please contact us using the information provided below.

Data Security

We implement comprehensive security measures to protect your information:

  • Industry-standard encryption for data in transit and at rest
  • Regular security audits and vulnerability assessments
  • Multi-factor authentication and access controls
  • Regular backups and disaster recovery procedures
  • Employee training on data protection and security best practices
  • Compliance with healthcare data security standards

Data Retention

We retain personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required by law. Specifically:

  • Waitlist Data: Until you request removal or we launch our service
  • Account Data: For the duration of your account plus applicable legal retention periods
  • Healthcare Data: As required by healthcare regulations and professional standards
  • Usage Data: Typically 12-24 months unless longer retention is required

International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. When we transfer data internationally, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions by relevant data protection authorities
  • Other appropriate safeguards as required by applicable law

Children's Privacy

Our services are not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information promptly.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of any material changes by:

  • Posting the updated policy on our website
  • Sending email notification to users with active accounts
  • Providing prominent notice on our platform

Your continued use of our services after any changes constitutes acceptance of the updated Privacy Policy.

Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

Email: privacy@sapling.app

Data Protection Officer: dpo@sapling.app

For EU residents, you also have the right to lodge a complaint with your local data protection authority if you believe we have not addressed your concerns appropriately.