Effective date: April 30, 2026
Privacy Policy
This Privacy Policy describes how [LEGAL_ENTITY_NAME] ("FlexyCare", "we", "us") collects, uses, shares, and protects personal data when you use the FlexyCare platform, our website, and related services (collectively, the "Services").
FlexyCare is a healthcare practice management platform used by clinics, healthcare providers, and their clients (patients). Because of this two-sided nature, the way we handle your data depends on who you are.
Our role: controller vs. processor
- When you are a clinic, organization, or healthcare provider using FlexyCare to manage your practice, we act as a data processor with respect to data you upload about your patients (clinical notes, appointment records, attached files, etc.). You are the data controller for that information and are responsible for the lawful basis under which it is collected and used. Your obligations as controller are governed by your subscription agreement with us and applicable law.
- When you are a client (patient) of a clinic that uses FlexyCare, the clinic is the data controller of your appointment and clinical records. We process that data on the clinic's instructions. Requests to access, correct, or delete that data are best directed to the clinic; we will assist where required by law.
- When you visit our website, sign up directly, or interact with us as an applicant or contact, we act as the data controller for your account information, communications, and similar data.
Data we collect
Depending on your role and how you use the Services, we may collect:
- Account and profile data: Name, email address, phone number, profile picture, language preference, role within an organization, professional credentials (for providers), and authentication credentials (we store passwords as one-way salted hashes — never in plain text).
- Clinical and appointment data (sensitive personal data): Patient demographics, government-issued ID, appointment history, clinical notes (SOAP notes, diagnoses, procedures, prescriptions, follow-ups), file attachments, comments, and status history. Under Argentine Ley 25.326, health data is classified as "sensitive data" and receives heightened protection. This data is owned by the healthcare organization that collected it.
- Communications data: Email content and delivery logs for messages we send on behalf of organizations (appointment reminders, confirmations, invitations, password resets), and metadata about in-app and push notifications.
- WhatsApp integration data: When an organization uses our WhatsApp integration, we process the phone numbers (in E.164 format) and the content and metadata of messages sent or received through Meta's WhatsApp Business Platform. These messages are sent from FlexyCare to the clinic's patients on behalf of the clinic. WhatsApp data flows through Meta Platforms, Inc.'s infrastructure under Meta's terms.
- Billing and payment data: When applicable, billing identifiers, tax IDs, invoice records, and payment metadata. Card payments are processed by Mercado Pago; we do not store full card numbers on our servers. Fiscal documents (electronic invoices) are authorized through Argentina's tax authority (ARCA / AFIP).
- Technical data: IP address, browser and device information, cookies and session identifiers, timestamps of activity, and audit logs (who did what, when, from where). We use this data for security, troubleshooting, and compliance.
How we use your data
We process personal data to:
- Provide, operate, and maintain the Services
- Authenticate users and secure accounts
- Send transactional communications (appointment reminders, account notifications, billing receipts) by email, WhatsApp, SMS, push, or in-app channels
- Generate fiscal documents and process payments where applicable
- Detect, prevent, and respond to fraud, abuse, and security incidents
- Comply with legal obligations, including health-data, tax, and accounting requirements
- Improve the Services through aggregated analytics
Legal basis for processing
Under Argentine law, our processing relies primarily on (a) the contract with our customer (clinic or organization) and the underlying terms applicable to end users, (b) explicit consent where required (especially for sensitive data and certain marketing communications), (c) legal obligations (tax, healthcare regulation, audit), and (d) our legitimate interest in operating and securing the Services.
Sharing with third parties
We share personal data only with service providers ("encargados de tratamiento") that help us operate the Services, under contractual obligations to protect the data:
- Amazon Web Services (AWS) — cloud hosting, database, file storage (S3), email delivery (SES), authentication (Cognito for our internal console). Data may be processed in AWS regions outside Argentina, including the United States.
- Meta Platforms, Inc. — WhatsApp Business Platform for messaging when an organization has enabled the WhatsApp integration. Meta processes phone numbers and message content as a separate controller for the message delivery itself.
- Mercado Pago — payment processing (where billing is enabled).
- ARCA / AFIP — Argentina's tax authority, for electronic invoice authorization (where billing is enabled).
We do not sell personal data. We do not share personal data for advertising purposes.
International data transfers
Some of our service providers, including AWS and Meta, process data in the United States or other jurisdictions. We rely on the legal mechanisms required by Argentine law for cross-border transfers, including service provider contracts that bind these recipients to data protection obligations equivalent to those required locally.
Data retention
We retain personal data for as long as needed to provide the Services and meet legal obligations:
- Account and profile data: while your account is active, plus 30 days after account closure
- Clinical and appointment data: for as long as the clinic's account is active, then per the clinic's instructions on closure (subject to legal retention requirements that may apply to medical records)
- Billing and fiscal records: for the period required by Argentine tax law (typically 10 years)
- Audit and security logs: typically 12 months
- WhatsApp message records: 12 months unless required longer for legal or contractual purposes
Your rights
Under Ley 25.326 and related regulations, you have the right to:
- Access the personal data we hold about you (free of charge, at intervals of no less than six months unless a legitimate interest is established)
- Rectify inaccurate or incomplete data
- Delete ("supresión") your data, subject to legal retention requirements
- Object to certain processing
- Withdraw consent where processing is based on consent
To exercise any of these rights, email privacy@flexycare.co from the email address associated with your account. We will respond within 10 business days as required by Argentine law (or longer where the request is complex or where verification is needed). If we cannot fulfill your request, we will tell you why.
If you are a patient/client of a clinic, please direct requests about your clinical records to the clinic first; we will assist where required.
You also have the right to file a complaint with the Agencia de Acceso a la Información Pública (AAIP) — Argentina's data protection authority — if you believe your rights have been violated.
If you are located outside Argentina, you may have additional rights under your local law (for example, LGPD in Brazil). Contact us and we will respond consistent with the applicable law.
Security
We protect personal data with technical and organizational safeguards: encryption in transit (TLS) and at rest, access controls and role-based permissions, audit logging, regular security updates, and an isolated multi-tenant architecture so that one organization's data cannot be accessed by another. No system is perfectly secure; we encourage you to use a strong password and to notify us immediately at privacy@flexycare.co if you suspect a security incident on your account.
Cookies and similar technologies
We use a small number of strictly necessary cookies for authentication and session management. We do not use third-party advertising or tracking cookies. You can configure your browser to refuse cookies, though doing so may prevent you from logging in.
Children
The Services are not directed to children. However, healthcare organizations using FlexyCare may store records about minors (e.g., pediatric or dental care) where they have a lawful basis to do so under applicable health regulations. In those cases, the organization (clinic) is the controller and is responsible for obtaining the consent of the minor's parent or legal guardian as required by law.
Changes to this Policy
We may update this Policy from time to time. The "Effective date" at the top reflects the latest version. Material changes will be communicated by email or through the Services with reasonable notice before they take effect.
Contact
For any privacy question or to exercise your rights, contact us at:
[LEGAL_ENTITY_NAME]
[REGISTERED_ADDRESS]
CUIT: [CUIT]
Email: privacy@flexycare.co
Data Protection contact: [DPO_NAME_OR_ROLE]