Privacy Policy

1. Introduction

Doctori ("we," "our," or "us") is a medical SaaS platform that provides clinic management, AI-powered clinical tools, and digital marketing services for healthcare professionals. We are committed to protecting the privacy and security of all personal information entrusted to us by our users, including doctors, clinic staff, and patients.

This Privacy Policy explains what information we collect, how we use and protect it, and what rights you have regarding your data. By using our platform at doctor.swlt.ae, you agree to the practices described in this policy.

2. Information We Collect

Account Information

When you register for Doctori, we collect:

• Full name, email address, and phone number
• Professional credentials and medical license information (for healthcare providers)
• Clinic name, address, and operating details
• Billing information and subscription details

Patient Data

Healthcare providers may enter the following patient information into our platform:

• Patient name, date of birth, gender, and contact details
• Medical history, diagnoses, and clinical notes
• Prescriptions and medication records
• Appointment history and scheduling information
• Billing and insurance information
• Communications via WhatsApp, Instagram, or Messenger channels

Usage and Technical Data

• IP address, browser type, device information, and operating system
• Pages visited, features used, and session duration
• Error logs and performance metrics

3. How We Use Your Information

We use the information we collect for the following purposes:

• Providing and maintaining clinic management services, including patient records, appointment scheduling, and billing
• Powering AI clinical features such as SOAP note generation, diagnostic suggestions, and prescription assistance
• Processing payments and managing subscriptions
• Facilitating omnichannel patient communication via WhatsApp, Instagram, and Messenger
• Delivering digital marketing services for subscribed clinics (Google Ads, social media management, SEO)
• Maintaining audit trails for accountability and compliance
• Improving our platform, fixing bugs, and developing new features
• Sending service-related notifications and updates

4. Medical Data Handling

• Medical records are stored in isolated, tenant-scoped database partitions — each clinic's data is logically separated from all others
• All medical data is encrypted at rest (AES-256) and in transit (TLS 1.2+)
• Access to patient data is restricted through role-based access controls (RBAC) — only authorized doctors, admins, and assistants within a clinic can view patient records
• All access to and modifications of medical records are logged in an immutable audit trail
• When AI features process medical data (e.g., generating clinical notes), the data is sent securely to our AI provider and is not used to train AI models
• We do not sell, rent, or share medical data with third parties for advertising or marketing purposes

5. Third-Party Services

Doctori integrates with the following third-party services to deliver our platform features. Each integration is designed to share only the minimum data necessary:

Stripe (Payment Processing)

We use Stripe to process subscription payments and manage billing. Stripe receives your payment card details, billing address, and email. We do not store your full credit card number on our servers. Stripe's privacy policy is available at stripe.com/privacy.

OpenAI (AI Clinical Features)

Our AI-powered clinical assistant uses OpenAI's API to generate SOAP notes, diagnostic suggestions, and prescription assistance. When you use these features, relevant clinical context is sent to OpenAI for processing. We use OpenAI's API with data processing agreements that prohibit the use of submitted data for model training. No patient-identifiable information is sent unless strictly necessary for the clinical context.

Meta / WhatsApp Business, Instagram, Messenger (Communication)

Doctori offers omnichannel patient communication through Meta's platforms. When clinics connect their WhatsApp Business, Instagram, or Messenger accounts, message content flows through Meta's infrastructure. We store message history on our servers to provide continuity of care. Our AI-powered booking agent may process incoming messages to help schedule appointments. Meta's privacy policy is available at facebook.com/privacy.

6. Data Retention

We retain your data according to the following guidelines:

• Account data: Retained for the duration of your active subscription, plus 90 days after account closure to allow for reactivation
• Medical records: Retained for a minimum of 10 years from the date of the last clinical entry, in accordance with medical record-keeping requirements in applicable jurisdictions
• Audit logs: Retained for a minimum of 7 years for compliance and accountability purposes
• Communication logs (WhatsApp, Instagram, Messenger): Retained for 3 years from the date of the conversation
• Payment records: Retained for 7 years in accordance with financial and tax regulations
• Technical and usage logs: Retained for up to 12 months, then aggregated or anonymized

7. Security Measures

We implement comprehensive security measures to protect your data:

• All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption
• API authentication is enforced via Sanctum token-based authentication with automatic token expiration
• Role-based access control (RBAC) ensures users can only access data appropriate to their role (doctor, admin, assistant, patient)
• Multi-tenant data isolation ensures each clinic's data is logically separated at the database level using tenant-scoped queries
• Regular automated backups with point-in-time recovery capability
• Infrastructure hosted on secure cloud servers with firewall protection, intrusion detection, and DDoS mitigation
• Comprehensive audit trail logging for all data access and modifications
• Rate limiting on all API endpoints to prevent abuse

8. Your Rights

You have the following rights regarding your personal data:

Right of Access

You may request a copy of all personal data we hold about you. Healthcare providers can access and download all patient data from the platform at any time through the admin panel. Patients may request their records from their healthcare provider or directly from us.

Right to Rectification

You may request correction of any inaccurate or incomplete personal data. Healthcare providers can edit records directly within the platform.

Right to Deletion

You may request deletion of your personal data, subject to legal and regulatory retention requirements. Medical records may be subject to mandatory retention periods under applicable healthcare laws. We will inform you of any such limitations when processing your request.

Right to Data Export

You may request an export of your data in a structured, machine-readable format (JSON or CSV). Healthcare providers can export patient records, appointment data, and billing information through the platform's export functionality.

Right to Restrict Processing

You may request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of your data or object to our processing activities.

To exercise any of these rights, please contact us at support@swlt.ae. We will respond to your request within 30 days.

9. Cookies and Tracking

Doctori uses cookies and similar technologies for the following purposes:

• Essential cookies: Required for authentication, session management, and security. These cannot be disabled as they are necessary for the platform to function.
• Preference cookies: Store your language preference (English/Arabic) and theme selection (dark/light mode).
• Analytics cookies: Help us understand how the platform is used so we can improve it. These are anonymized and do not track individual users across other websites.

We do not use advertising or third-party tracking cookies. We do not sell your browsing data to advertisers.

10. Children's Privacy

Doctori is designed for use by healthcare professionals and adult patients. We do not knowingly collect personal information directly from children under the age of 16. When a healthcare provider enters a minor patient's data into the platform, the provider is responsible for ensuring they have the appropriate parental or guardian consent as required by applicable laws.

If we become aware that we have collected personal information from a child without proper authorization, we will take steps to delete that information promptly.

11. International Data Transfers

Doctori serves healthcare providers internationally. Your data may be processed and stored in locations outside your country of residence, including but not limited to the United States and the United Arab Emirates.

When we transfer data internationally, we ensure appropriate safeguards are in place:

• Data processing agreements with all third-party providers
• Encryption of all data in transit and at rest
• Compliance with applicable data protection frameworks, including GDPR for users in the European Economic Area
• Adherence to UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection for users in the United Arab Emirates

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Notify you via email or through an in-app notification
• Where required by law, obtain your consent to the updated terms

Your continued use of Doctori after any changes to this policy constitutes your acceptance of the revised policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all privacy-related inquiries within 30 business days.