Privacy Policy
Clinic Membership by Apavai Ltd
Last updated: March 2026
1. Who We Are
Clinic Membership is provided by Apavai Ltd, a UK-based company. We are the data controller for this website and service. We are committed to protecting your privacy and ensuring you have a positive experience on our website and using our service.
2. What Data We Collect
We collect data in two different contexts. It is important to understand your role in data protection:
2.1 Data from Clinic Owners (Our Customers)
As a clinic owner using our service, we collect:
- Your name, email address, and password
- Your clinic name, location, and contact details
- Payment card information and billing address (processed by Stripe; we do not store card details)
- Bank account details for BACS Direct Debit (processed by Stripe)
- Details of your clinic's membership plans and pricing
- Usage data (IP address, browser type, features used, login times)
- Communication with our support team
2.2 Data from Members/Patients (Processed on Your Behalf)
When your members/patients register and purchase memberships through your clinic's Clinic Membership account, we process personal data on your behalf. You remain the data controller, and we are your data processor. This data includes:
- Member names, email addresses, and passwords
- Contact details and membership plan information
- Payment card information (processed by Stripe; we do not store card details)
- Membership transaction history and payment records
- Usage patterns and service engagement data
3. Lawful Basis for Processing
We process your data on the following lawful bases under UK GDPR:
- Contract: Processing necessary to provide you with the Clinic Membership service
- Legitimate Interests: Improving our service, preventing fraud, and complying with legal obligations
- Consent: For marketing communications (you can opt out at any time)
- Legal Obligation: Compliance with UK tax and employment laws
4. How We Use Your Data
We use your data to:
- Provide, maintain, and improve the Clinic Membership service
- Process payments and manage your subscription
- Send service notifications (payment confirmations, important updates)
- Provide customer support and respond to inquiries
- Monitor service security and prevent fraud
- Analyse usage patterns to improve features
- Comply with legal and regulatory requirements
- Send marketing communications (with your consent)
5. Data Sharing with Third Parties
We share your data with carefully selected service providers, all bound by data protection agreements:
5.1 Essential Service Providers
- Stripe: Payment processing (card payments, BACS Direct Debit). View Stripe's privacy policy at stripe.com/privacy
- Resend: Email delivery and notifications. View Resend's privacy policy at resend.com/privacy
- Cloudflare: Website hosting, DDoS protection, and security. View Cloudflare's privacy policy at cloudflare.com/privacypolicy
- Railway: Application hosting and infrastructure. View Railway's privacy policy at railway.app/privacy
- Vercel: Frontend hosting and CDN. View Vercel's privacy policy at vercel.com/legal/privacy-policy
5.2 Legal Requirements
We may disclose your data when required by law (e.g., court order, data subject access request, fraud investigation). We will notify you of such requests unless prohibited by law.
6. International Data Transfers
Some of our service providers (Stripe, Cloudflare, Railway, Vercel) may process data outside the UK and EEA. Where this occurs, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) with processors
- Adequacy decisions where available
- Your explicit consent where required
7. Data Retention
We retain your data for as long as necessary to provide the service and comply with legal obligations:
- Active account data: Retained while your account is active
- After subscription cancellation: Retained for 30 days (then deleted unless legal hold applies)
- Payment records: Retained for 6 years (UK tax requirements)
- Member/patient data: Deleted when the clinic deletes the records, or 30 days after the clinic's account is terminated
You can request deletion of your data at any time, subject to legal retention requirements.
8. Your Rights
You have the following rights under UK GDPR:
- Right of Access: Request a copy of your personal data
- Right of Rectification: Correct inaccurate data
- Right of Erasure ("Right to be Forgotten"): Request deletion of your data (subject to exceptions)
- Right of Portability: Receive your data in a portable format
- Right of Restriction: Restrict processing in certain circumstances
- Right to Object: Object to marketing or legitimate interest processing
- Rights related to automated decision-making: Request human review if automated decisions affect you
To exercise any of these rights, contact us via the contact form on our website.
9. Cookies
Cookies are small text files stored on your device when you visit our website. They help the platform function correctly and improve your experience. We use cookies in compliance with UK PECR (Privacy and Electronic Communications Regulations 2003).
Essential Cookies
These cookies are necessary for the platform to function and cannot be switched off. They include session cookies to maintain your login status, authentication tokens to verify your identity, CSRF protection tokens for security, and tenant identification cookies for multi-tenant clinic management.
Functional Cookies
These cookies remember your choices to provide a more personalised experience, such as user preferences (language, theme, UI settings) and clinic/subdomain identification for users managing multiple clinics.
Third-Party Cookies
We use third-party services that may set their own cookies: Stripe for payment processing and security, and Cloudflare for website security and DDoS protection.
Managing Cookies
You can control and delete cookies through your browser settings. Please note that disabling essential cookies will prevent you from logging in and using the platform correctly.
10. Children's Data
Clinic Membership is designed for business use by clinic owners and is not intended for children under 13. We do not knowingly collect personal data from children under 13. If we become aware of such data, we will delete it promptly.
11. Data Security
We implement robust security measures to protect your data:
- HTTPS encryption for all data in transit
- AES-256 encryption for sensitive data at rest
- Regular security audits and penetration testing
- Strict access controls and authentication (multi-factor authentication available)
- DDoS protection via Cloudflare
- Incident response procedures for data breaches
While we take security seriously, no system is completely risk-free. You are responsible for keeping your password confidential.
12. Changes to This Privacy Policy
We may update this policy from time to time. Material changes will be communicated to you via email or a prominent notice on our website. Your continued use of the service constitutes acceptance of the updated policy.
13. Contact & Complaints
If you have questions about this privacy policy or your data:
- Contact us via the contact form on our website
- Visit our website: clinicmembership.co.uk
- Write to: Apavai Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
