Legal

Privacy Policy

Effective date: June 28, 2026  ·  Shinzox Group Limited (trading as Clarvera)

Shinzox Group Limited, trading as Clarvera ("Clarvera," "we," "us," "our"), is committed to protecting the privacy and security of information entrusted to us. This Privacy Policy describes how we collect, use, disclose, and protect information when you visit our website and use the Clarvera platform (collectively, the "Service"). This Policy does not govern the handling of Protected Health Information (PHI) processed on behalf of our customers, which is governed exclusively by our Business Associate Agreement (BAA) and applicable HIPAA regulations.

1. Scope of This Policy

This Policy applies to: (a) visitors to our marketing website; (b) individuals who register for a free trial or paid account; and (c) Authorised Users of the Clarvera platform acting in their individual capacity. It does not apply to PHI or other data that Clarvera processes as a Business Associate on behalf of a Covered Entity customer — that data is governed solely by the BAA and HIPAA.

2. Information We Collect

2.1 Information You Provide

  • Account Information. Name, email address, job title, organisation name, phone number, and billing information collected during registration or subscription.
  • Communications. Content of support requests, email correspondence, survey responses, and other communications you send to us.
  • Payment Information. Billing details collected through our third-party payment processor (Stripe). We do not store full payment card numbers.

2.2 Information We Collect Automatically

  • Log Data. IP address, browser type, operating system, referring URLs, pages visited, and timestamps.
  • Usage Data. Feature interactions, session duration, API call volumes, and platform performance metrics — collected at the account level.
  • Cookies and Similar Technologies. See Section 10 below.

2.3 Information from Third Parties

We may receive information about you from third parties such as identity verification services, public healthcare registries (e.g., NPPES), or analytics providers, which we use to supplement our records and improve the Service.

3. PHI vs. Business Data

Clarvera processes two distinct categories of data:

  • Business Data (covered by this Policy): General business information about your organisation, account administrators, and billing contacts. This is the type of data described throughout this Policy.
  • Protected Health Information (PHI) (NOT covered by this Policy): Provider records, patient data, credentialing files, and any other data that constitutes PHI under HIPAA. PHI is processed by Clarvera as a Business Associate under the BAA and subject exclusively to HIPAA. The BAA governs how PHI is collected, used, disclosed, safeguarded, and returned or destroyed.

We maintain strict logical and technical separation between Business Data and PHI. PHI is encrypted using per-tenant AWS KMS keys and is never used for marketing or analytics purposes.

4. How We Use Information

We use Business Data to:

  • Provision, operate, maintain, and improve the Service;
  • Process transactions and send invoices and receipts;
  • Provide customer support and respond to inquiries;
  • Send transactional communications (account alerts, security notices, service updates) and, with your consent, marketing communications;
  • Monitor Service security and investigate suspicious activity;
  • Comply with legal obligations;
  • Conduct internal analytics to improve the platform (using aggregated, anonymised data);
  • Enforce our Terms of Service and other policies.

We do not use Customer Data (including PHI) for advertising, marketing profiling, or any purpose other than providing the Service.

5. Disclosure of Information

We may share Business Data with:

  • Service Providers. Trusted vendors who assist us in operating the Service (cloud hosting, payment processing, customer support, analytics), bound by confidentiality obligations and permitted to use data only to perform services for us.
  • Affiliates. Entities within the Shinzox Group under equivalent privacy protections.
  • Business Transfers. In connection with a merger, acquisition, or sale of assets, provided the successor is bound by this Policy or an equivalent policy.
  • Legal Obligations. When required by law, regulation, court order, or lawful governmental request; or to protect the rights, property, or safety of Clarvera, its customers, or the public.
  • With Your Consent. For any other purpose with your explicit consent.

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

6. International Transfers

Clarvera is incorporated in England and Wales and operates infrastructure in the United States. Customer PHI is stored exclusively in your selected US region and never transferred internationally. Business Data of individuals in the European Economic Area (EEA) or United Kingdom may be transferred to the United States; we rely on Standard Contractual Clauses and other appropriate transfer mechanisms to ensure adequate protection. Contact us at privacy@shinzox.com for details of our transfer mechanisms.

7. Data Retention

  • Account Data. Retained for the duration of the customer relationship and for up to two (2) years after account closure for legal and auditing purposes.
  • Audit Logs. Retained for a minimum of six (6) years as required by HIPAA § 164.530(j) and applicable state law.
  • Marketing Data. Retained until you unsubscribe or request deletion.
  • PHI. Retention governed by the BAA and applicable HIPAA requirements.

We securely delete or anonymise data when it is no longer needed for the purposes described in this Policy or required by law.

8. Security

Clarvera implements industry-standard administrative, technical, and physical safeguards including:

  • AES-256 encryption at rest with per-tenant AWS KMS keys;
  • TLS 1.3 enforced for all data in transit — TLS 1.0 and 1.1 rejected at the load balancer;
  • Role-based access control (RBAC) and mandatory multi-factor authentication (MFA) for all platform access;
  • WORM (write-once, read-many) audit logging with no UPDATE or DELETE privileges for any application database role, retained for a minimum of six (6) years;
  • Regular penetration testing and vulnerability management;
  • Break-glass access controls for Clarvera staff, with every access logged and reported to the tenant administrator.

No method of transmission over the Internet is 100% secure. In the event of a data breach, we will notify you as required by applicable law and the BAA.

9. Your Rights

9.1 General Rights

Depending on your jurisdiction, you may have the right to: access your personal data; correct inaccurate data; request deletion; object to processing; request restriction of processing; or receive your data in a portable format. To exercise these rights, contact us at privacy@shinzox.com.

9.2 HIPAA Patient Rights

Requests from individuals (patients) to access, amend, or restrict their PHI must be directed to the Covered Entity (your healthcare provider or health plan). Clarvera, as a Business Associate, processes PHI on the Covered Entity's behalf and cannot respond directly to patient requests.

9.3 California Residents (CCPA)

California residents may request to know what personal information we collect, request deletion, and opt out of sale (we do not sell personal information). Contact privacy@shinzox.com to submit a CCPA request.

9.4 UK and EEA Residents (GDPR/UK GDPR)

Individuals in the EEA or UK may lodge a complaint with their supervisory authority. Our lawful bases for processing include: contract performance (account provision), legitimate interests (security, fraud prevention, product improvement), legal obligation, and consent (marketing).

10. Cookies and Tracking Technologies

We use the following types of cookies on our marketing website:

  • Strictly Necessary Cookies. Required for the website to function (session management, security). Cannot be disabled.
  • Analytics Cookies. Help us understand how visitors use our website. Used with consent.
  • Preference Cookies. Remember your settings and preferences.

The Clarvera platform itself uses session cookies strictly required for authentication and security. No third-party advertising or tracking cookies are used within the platform.

11. Children's Privacy

The Service is directed to businesses and healthcare professionals and is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without parental consent, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to account holders by email or by a notice on the Service at least thirty (30) days before taking effect. Your continued use of the Service after the effective date constitutes acceptance of the revised Policy.

13. Contact

For privacy questions, data subject requests, or to report a potential privacy issue:
Data Protection Officer / Privacy Team
Shinzox Group Limited (trading as Clarvera)
Email: privacy@shinzox.com

We will respond to privacy requests within thirty (30) days (or such shorter period as required by applicable law).