Privacy Policy

Last updated: May 2026 · Privacy contact: privacy@chirovault.ai

Plain-language summary

We collect account data (name, email, billing) to run the service. We act as data controller for this data.
Patient records belong to your practice. We act as a data processor for patient/clinical data — processing it only on your instruction. You are the data controller.
We do not sell personal data. We do not train AI on patient data.
A Data Processing Agreement (DPA) is available and executed with all clinic customers.
You can exercise your GDPR rights by emailing privacy@chirovault.ai. We respond within 30 days.

1. Who We Are

ChiroVault operates the clinical platform at chirovault.ai. Our registered entity details are in the Imprint. For data protection purposes, ChiroVault acts in two distinct roles depending on the data involved — explained in section 2 below.

Data protection inquiries: privacy@chirovault.ai

2. Two Data Roles: Controller and Processor

This distinction matters for your GDPR rights and for understanding how data is governed on the platform.

ChiroVault as Data Controller — account and platform data

For data you provide to create and maintain your ChiroVault account — name, email address, practice details, billing information, usage logs, and support communications — ChiroVault is the data controller. We determine the purpose and means of processing this data. This Privacy Policy governs that processing.

ChiroVault as Data Processor — patient and clinical data

For patient records, SOAP notes, intake forms, appointment data, imaging, and any other clinical data your practice uploads to the platform, your practice is the data controller and ChiroVault is the data processor. We process this data solely on your instruction to deliver the service. A separate Data Processing Agreement (DPA / verwerkersovereenkomst) governs this relationship and is executed with all clinic customers. Request yours at privacy@chirovault.ai.

3. Data We Collect (Controller Role)

Category	Examples	Purpose
Account data	Name, email, practice name, country	Delivering and managing your subscription
Billing data	Payment method, invoice history	Processing payments via Mollie B.V.
Usage data	Feature interactions, session identifiers, error logs	Service stability, product improvement
Communications	Support emails, in-app messages to ChiroVault	Customer support and follow-up

We do not use advertising trackers. No data is sold to third parties.

4. Legal Bases for Processing (GDPR Art. 6)

Contract performance (Art. 6(1)(b)): processing necessary to deliver the service you subscribed to.
Legal obligation (Art. 6(1)(c)): audit logs, data retention under applicable healthcare and tax law.
Legitimate interests (Art. 6(1)(f)): security monitoring, fraud prevention, service improvement. We balance these interests against your rights before relying on this basis.
Consent (Art. 6(1)(a) and Art. 9(2)(a)): where required for health-related data processing or for optional communications such as newsletters.

5. How We Use Account Data

We use account data to: provision and manage your subscription; deliver billing and invoices; send service-critical notifications (security alerts, downtime, policy changes); and improve the platform through aggregated, anonymised analytics. We do not use account data for advertising or sell it to data brokers.

6. Data Sharing

We share data only with sub-processors required to deliver the service. Current categories of sub-processors: cloud infrastructure and database hosting (EU region), payment processing (Mollie B.V.), email delivery (AWS SES), and AI/LLM providers (used with PHI scrubbing, under DPA). All sub-processors are bound by data processing agreements. A full sub-processor list is available on request at privacy@chirovault.ai.

We do not share data with government authorities except where legally compelled. We will notify you of any such request unless prohibited by law.

7. International Transfers

We process data within the EU/EEA by default. Where any sub-processor involves non-EEA infrastructure, we apply Standard Contractual Clauses (SCCs) and supplementary technical measures as required by EDPB guidance. Cloudflare and Supabase EU-region configurations are selected specifically to minimise non-EEA transfers.

8. Data Retention

Data type	Retention period	Basis
Patient / clinical data	20 years from last treatment	WGBO (Dutch Medical Treatment Act) minimum
Audit logs	7 years	NEN 7510-aligned healthcare log retention
Account / billing data	7 years from last transaction	Dutch tax law (Belastingdienst) requirement
Data after subscription end	Available 90 days for export, then securely deleted	Terms of Service and contractual obligation

9. Your Rights (GDPR Art. 15–22)

For data where ChiroVault is the controller (account/platform data), you have the following rights:

Access: request a copy of the personal data we hold about you.
Rectification: correct inaccurate data.
Erasure (“right to be forgotten”): request deletion where no legal basis for retention remains.
Restriction: limit processing in certain circumstances.
Portability: receive your data in a machine-readable format.
Objection: object to processing based on legitimate interests.
Withdraw consent: where processing is based on consent, you can withdraw at any time without affecting prior processing.

For patient/clinical data, your patients' rights must be exercised through your practice as the data controller. We will assist you in fulfilling subject access requests — contact us at privacy@chirovault.ai.

To exercise your own rights or lodge a complaint, email privacy@chirovault.ai. You also have the right to complain to the Dutch supervisory authority: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

10. Security

We implement TLS 1.3 encryption in transit, AES-256 encryption at rest, role-based access control, tamper-evident audit logging, and automated encrypted backups. Our security controls are designed to align with NEN 7510 and ISO 27001 principles. See the Trust Center for a full technical description of our security architecture.

11. Cookies

We use essential session cookies only — no advertising cookies, no third-party tracking pixels. The payment provider (Mollie) may set cookies subject to their own privacy policy during the checkout flow. You can disable non-essential cookies in your browser settings without affecting platform functionality.

11a. Traffic Metrics

We collect aggregated, cookieless traffic metrics on our own EU-resident infrastructure (page views, CTA clicks, language preference). No personal data, no cross-site tracking, no third-party analytics. Data is retained for 90 days for product improvement.

12. Children

ChiroVault is a professional healthcare platform for use by licensed practitioners and their practices. We do not knowingly collect personal data from children under 16 outside the clinical context of a licensed practice.

13. Changes to This Policy

We may update this policy. Material changes will be communicated by email to the account holder at least 14 days before taking effect. The current version is always at chirovault.ai/privacy.html with the date of last revision at the top.

14. Contact

For all data protection matters: privacy@chirovault.ai
For general inquiries: info@chirovault.ai
Company details: see Imprint