Privacy Policy
Last updated: April 26, 2026
1. Introduction
This Privacy Policy describes how flows.care ("flows.care", "we", "us", "the platform") collects, uses, discloses, and protects personal data processed through the flows.care appointment management platform. flows.care is a multi-tenant Software-as-a-Service product provided to licensed healthcare and rehabilitation clinics ("Tenants"), and through them to their staff, patients, and guardians.
This policy is designed to align with the Kingdom of Saudi Arabia Personal Data Protection Law ("PDPL") and its Implementing Regulations, with applicable personal-data legislation in the Gulf Cooperation Council (GCC) region, and with internationally recognised privacy standards including the EU General Data Protection Regulation ("GDPR").
2. Definitions
"Personal Data" means any data, of any form, that identifies a natural person, or that may identify them directly or indirectly, including name, identification number, contact details, online identifiers, and health-related data.
"Sensitive Personal Data" means personal data revealing racial or ethnic origin, religious or philosophical belief, criminal records, biometric or genetic identifiers, and health data.
"Data Controller" means the party that determines the purposes and means of processing personal data.
"Data Processor" means the party that processes personal data on behalf of, and under the instruction of, the Data Controller.
"Tenant" means a clinic, rehabilitation centre, or other healthcare-adjacent organisation that has signed up for the flows.care platform.
"Data Subject" means the natural person to whom the personal data relates.
3. Scope
This policy applies to all personal data processed through the flows.care platform, including the web applications, mobile clients, REST APIs, background processing services, and Tenant-specific portals. It does not govern external systems operated by Tenants outside of flows.care, websites linked from flows.care, or third-party services Tenants choose to integrate with.
4. Controller and Processor Roles
flows.care plays two roles depending on the data category:
As a Data Processor — for personal data that Tenants enter or generate about their own patients, guardians, employees, therapists, schedules, appointments, invoices, and accounting records, flows.care processes that data on behalf of, and under the instructions of, the Tenant. The Tenant is the Data Controller for that information.
As a Data Controller — for personal data that flows.care collects directly to operate the platform itself (Tenant-administrator account credentials, billing relationship with the Tenant, support communications, security telemetry, and product analytics), flows.care is the Data Controller.
A separate Data Processing Addendum (DPA) is available to Tenants on request and governs the processor relationship in detail.
5. Categories of Personal Data We Process
- Account identity data — name, work email, phone number, hashed password, time-based one-time-password (TOTP) seed for two-factor authentication, preferred language, role assignments, branch scope, and account activity timestamps.
- Service provider data — clinic legal name (in English and Arabic), commercial registration details, tax identifiers, contact information, branding assets, operating address, timezone, working days, and operational settings.
- Patient data — first/last name in English and Arabic, medical record number (MRN), date of birth, gender, nationality, national ID or residency number where applicable, phone number, email, address, language preference, and the Tenant the record belongs to.
- Guardian and relationship data — guardian identity details, relationship type to the patient, consent flags (cross-tenant consent where enabled), and booking/viewing permissions.
- Appointment data — date, time, duration, therapist, branch, status, status history (booked, checked-in, in-progress, completed, no-show, cancelled, rescheduled), pricing snapshot, cancellation reason, and clinical notes provided by staff.
- Scheduling data — therapist availability templates, generated time slots, exception/blocked-time entries, and waitlist entries with patient preferences.
- Pricing and package data — pricing rules, duration bundles, package definitions, package enrolments, and cancellation policies.
- Invoicing and payment data — invoice line items, tax calculations, payment records, receipts, and refunds.
- Accounting data — chart of accounts, journal entries, ledger postings, period status, and accounting reports.
- ZATCA e-invoicing data — invoice XML payloads, cryptographic stamps, ZATCA submission status and clearance identifiers, and onboarding credentials, retained as required by Saudi tax authorities.
- Notification data — message content, recipient identifier, delivery status, channel (email/SMS), and timestamps. Templates may be authored in English or Arabic.
- Uploaded files — patient documents, therapist or staff profile images, Tenant logos, and other attachments, together with file metadata (name, size, content type, owner, uploader).
- Audit logs — records of significant lifecycle events (appointment status changes, schedule changes, permission changes, sensitive data access) with actor, timestamp, and before/after state where applicable.
- Technical data — JWT access and refresh tokens, IP addresses, user-agent strings, OTP verification codes (short-lived), session cookies, locale cookie, and API request/response metadata required for security and auditing.
6. Sources of Personal Data
Personal data is obtained from: (a) the Tenant and its authorised users when they configure their organisation, register patients, schedule appointments, raise invoices, and operate the platform day to day; (b) patients and guardians who register, log in, book appointments, or upload documents through the patient-facing portal or mobile app; (c) automated platform processes that generate slots, status updates, audit log entries, or notification logs; and (d) third-party sub-processors that flows.care engages to deliver email, SMS, hosting, or e-invoicing services.
7. Lawful Bases for Processing
- Performance of a contract — to provide the flows.care platform to a Tenant or to a patient/guardian who has registered an account.
- Legitimate interest — to secure the platform, prevent fraud, maintain audit trails, and improve service quality, balanced against the rights and freedoms of data subjects.
- Consent — for optional communications, cross-tenant guardian consent flows, and any future marketing communications, where applicable. Consent may be withdrawn at any time.
- Compliance with a legal obligation — including Saudi tax law (e.g., ZATCA e-invoicing record retention) and other regulatory or judicial requirements.
8. Purposes of Processing
- Operating the appointment workflow — slot generation, booking, check-in, in-progress tracking, completion, cancellation, no-show handling, and waitlist matching.
- Authenticating users, verifying contact details through OTP codes, supporting two-factor authentication, and protecting accounts from unauthorised access.
- Sending appointment confirmations, reminders, cancellation notices, demo welcome emails, and other transactional notifications via email or SMS.
- Calculating appointment pricing, generating invoices and receipts, recording payments, and supporting Tenants in financial workflows.
- Maintaining accurate accounting records (general ledger, balance sheet, profit and loss, trial balance), supporting period closing, and producing financial reports for the Tenant.
- Generating, signing, and transmitting compliant electronic invoices to the Saudi Zakat, Tax and Customs Authority (ZATCA) on behalf of Tenants, and retaining the relevant records for the period required by law.
- Maintaining audit trails, detecting abuse, monitoring intrusion attempts, and ensuring the security and integrity of the platform.
- Aggregated, de-identified analytics to improve performance, fix defects, and prioritise platform improvements. We do not use Tenant patient data, demo-tenant data, or sensitive personal data for product improvement or for training machine-learning models.
9. Children and Vulnerable Persons
Rehabilitation services are frequently delivered to minors and to adults under guardianship. flows.care supports this through the Guardian Relationship model, which allows a guardian account to manage one or more linked patient profiles with documented permissions for booking and record viewing.
Where applicable law (including KSA PDPL) requires parental or guardian consent for the processing of a child's personal data, the Tenant is responsible for obtaining and recording that consent before entering data into flows.care. flows.care supports tenants by providing the cross-tenant consent mechanism (where enabled) and by exposing audit trails for consent grants.
10. Data Sharing
flows.care does not sell personal data and does not share it for advertising purposes. Personal data may be shared in the following circumstances only:
- With the Tenant the data subject is associated with — patient, guardian, and operational data is visible to authorised users at that Tenant in line with their role and branch scope.
- With our sub-processors — strictly to deliver platform infrastructure (see §11).
- With ZATCA — invoice records that are required to be transmitted to the Saudi tax authority for compliance.
- With law-enforcement or regulatory authorities — where compelled by a binding legal request.
- In connection with a business transfer — in the event of a merger, acquisition, or asset sale, subject to appropriate confidentiality undertakings and continuity of this policy.
11. Sub-processors
flows.care engages a limited set of third-party sub-processors to deliver the platform. Categories of sub-processors include cloud hosting and database providers, object storage (e.g., S3-compatible storage), email delivery providers, SMS gateways, monitoring and error-reporting providers, and ZATCA-clearance integrators.
A current list of sub-processors is maintained and may be obtained by Tenants on request. Tenants will be notified in advance of material changes to the sub-processor list, with a reasonable opportunity to object.
12. Cross-Border Transfers
Personal data is hosted by default in data centres located in the Kingdom of Saudi Arabia or in another GCC country, where commercially available. Where personal data is transferred outside its country of origin — for example to a global email provider, an SMS gateway, or a monitoring service — the transfer is performed under contractual safeguards (such as the Standard Contractual Clauses) or another lawful transfer mechanism recognised by KSA PDPL or the relevant GCC law.
Tenants may request information about the location of their data and the transfer mechanisms in place.
13. Retention
Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal obligations, or to protect the rights of flows.care and its Tenants. Specific schedules apply per category:
- Account identity data — retained while the account remains active, and for up to 24 months after deactivation for security and audit purposes, unless the data subject requests earlier erasure where this is permitted.
- Patient data — retained for the duration of the Tenant's subscription and as required by applicable healthcare-record retention rules. Soft-deleted records remain recoverable for a defined window before being permanently purged.
- Appointment, schedule, and audit records — retained for the duration of the Tenant's subscription, supporting financial and operational audit obligations.
- Invoicing, accounting, and ZATCA-related records — retained for at least six (6) years from the end of the relevant tax period, in line with Saudi Arabia tax-record retention obligations.
- Security and audit logs — retained for a minimum of twelve (12) months and for as long as needed to investigate security incidents.
- Demo-tenant data — automatically and permanently deleted seven (7) days after the demo tenant is provisioned, with a 24-hour advance notification email to the demo administrator.
14. Your Rights
Subject to applicable law, data subjects have the following rights with respect to their personal data:
- Right of access — to confirm whether flows.care processes personal data about the data subject and to obtain a copy.
- Right to rectification — to correct inaccurate or incomplete personal data.
- Right to erasure — to request deletion of personal data, subject to retention obligations under applicable law (including tax law).
- Right to restriction — to limit how personal data is processed in defined circumstances.
- Right to object — to object to processing carried out on the basis of legitimate interest.
- Right to data portability — to receive personal data in a structured, commonly used, machine-readable format where applicable.
Patients and guardians should normally direct rights requests to the Tenant clinic that registered them, since the Tenant is the controller of that data. Tenant administrators and flows.care-issued account holders may contact flows.care directly. flows.care will respond within thirty (30) days of receiving a verifiable request, or within the period required by applicable law if shorter.
15. Cookies and Similar Technologies
flows.care uses a minimal set of cookies and local-storage entries that are strictly necessary to operate the platform: HTTP-only authentication cookies carrying short-lived JWT access and refresh tokens, a locale cookie used to remember the preferred language, and a session-state cookie used by the framework. flows.care does not place advertising cookies and does not use third-party tracking pixels for marketing purposes. Where any analytics cookies are introduced in the future, they will be governed by an updated cookie notice and will respect applicable consent requirements.
16. Security Measures
flows.care applies a defence-in-depth security programme, including:
- Encryption of all traffic in transit using industry-standard TLS.
- Password storage using salted hashing algorithms.
- Optional two-factor authentication using TOTP.
- Least-privilege role and branch-scoped access controls.
- Tenant isolation enforced at the application layer, with explicit service-provider scoping on every query.
- Audit logging of significant lifecycle events.
- Restricted, logged production access.
- Regular security review of dependencies.
- Routine backups stored under access controls.
17. Personal Data Breach Notification
In the event of a personal data breach that is likely to result in risk to data subjects, flows.care will notify the affected Tenants without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of the breach. The notification will describe the nature of the breach, categories and approximate number of records affected, likely consequences, and the measures taken or proposed. flows.care will support Tenants with notifications to data subjects and to competent regulators (including the Saudi Data and Artificial Intelligence Authority, where applicable) as required.
18. Demo Tenant Data
flows.care offers time-limited demo tenants for prospective customers. Demo tenants are clearly marked in the platform, have a fixed seven-day validity, and are populated with synthetic sample data unless the demo administrator chooses to enter their own data.
All personal data entered into a demo tenant — including any contact details, sample patient profiles, or notes — is permanently deleted at expiry, together with any uploaded files. Demo data is never used for product analytics, machine-learning training, or marketing.
19. Multi-Tenant Isolation
flows.care enforces strict tenant isolation at the application layer. Every business record is scoped to a Tenant via a service-provider reference, and queries are filtered so that staff from one Tenant cannot access data from another. A patient who is registered by more than one Tenant has a separate record under each Tenant; the patient may voluntarily link those records to a single personal account through a guardian or self-consent flow. Cross-tenant aggregations and platform analytics exclude demo tenants.
20. Changes to this Policy
flows.care may update this Privacy Policy from time to time. Material changes will be notified to Tenant administrators by email and will be reflected in the "Last updated" date at the top of this page. Continued use of the platform after the effective date of the change constitutes acceptance of the updated policy.
21. Contact and Data Protection Officer
Patients and guardians should normally contact the clinic that registered them. Tenant administrators and flows.care account holders may contact flows.care at [email protected].
flows.care designates a responsible person (acting as Data Protection Officer where required by law) who can be reached at [email protected] for privacy enquiries, rights requests, and breach reports. Postal correspondence may be addressed to flows.care, Riyadh, Kingdom of Saudi Arabia.