Privacy Policy
Last updated: 30 June 2026 | Version 1.1
1. Introduction & Data Controller
Welcome to Clanics. We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how Glanis Ltd ("Company", "Glanis", "we", "us", "our") collects, uses, shares, stores, and protects personal data through the Clanics website, applications, chat tools, and related services (collectively, the "Platform"), and your rights in relation to it.
For the purposes of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025 where applicable, Glanis Ltd, a company registered in England and Wales under company number 13444991, is the Data Controller for personal data collected through the Platform's general infrastructure, accounts, search, and communication features. This policy forms part of, and should be read with, our Terms of Service.
Global service, UK controller. Clanics is operated from the United Kingdom and used by Clients and Clinics in many countries around the world. Wherever you are located, Glanis Ltd remains the UK-based controller of the data described above, and we apply the standards of the UK GDPR as our baseline for protecting your personal data globally. Depending on where you live, additional local data-protection laws (for example, the EU GDPR for individuals in the European Economic Area) may also give you rights — see sections 9 and 16.
This policy is provided as a transparency notice under Articles 13 and 14 of the UK GDPR and does not itself limit your statutory rights.
2. Who This Policy Applies To
This policy applies to: Clients (patients) who search, chat, shortlist, enquire, message, or review; Clinic users (owners, administrators, and staff) who register and manage Clinic profiles; and visitors who browse the Platform. Where a Clinic receives your data to respond to you, the Clinic is a separate, independent data controller for its own use of that data (see section 8).
3. The Personal Data We Collect
Depending on how you use the Platform, we may collect:
- Account data (Clients): name, email address, age confirmation (18+), language and location preferences, marketing preferences, and consent timestamps.
- Account data (Clinic users): name, business email, role, the Clinic's business details (name, address, phone, website, opening hours, services, prices, images), professional registration numbers (e.g. GMC/GDC/NMC) where provided, and login/activity timestamps.
- Enquiry & messaging data: the content of enquiries and messages you exchange with Clinics, including any health-related details you choose to include, and any images you upload.
- Reviews: ratings, review text, the services reviewed, and your chosen display name.
- Clara chat data: the queries and messages you enter into the Clara chat (see section 7).
- Billing data (Clinics): subscription and payment records, plan, invoices, and limited card metadata (brand and last four digits). Full card numbers are handled by Stripe and are not stored by us.
- Technical & usage data: IP address, approximate location (city/country derived locally from IP), device, browser and operating system, referrer, and pages viewed, used for security, fraud prevention, and analytics.
- Contact-form data: name, email, subject, and message when you contact us.
4. Special Category (Health) Data & Explicit Consent
Under Article 9 of the UK GDPR, personal data concerning health, medical history, treatments, or physical conditions is Special Category Data subject to heightened protection. When you chat with Clara, search for procedures, or send an enquiry, you may disclose health-related information.
- Explicit consent: Under Article 9(2)(a) UK GDPR, by registering, interacting with Clara, or submitting an enquiry, you give your explicit, freely-given, unambiguous consent for us to process and route your health-related personal data for the sole purpose of facilitating your search and your communications with Clinics.
- Data minimisation: You should share as little health detail as possible on the Platform and discuss specifics directly with the Clinic. Clara is designed not to request sensitive identity documents, financial details, or full medical histories.
- Withdrawing consent: You may withdraw consent at any time by emailing hi@clanics.com. Because we cannot operate your account or facilitate enquiries without processing this data, withdrawal will result in closure of your account. Withdrawal does not affect processing carried out before withdrawal, or data a Clinic already holds as an independent controller.
5. Our Lawful Bases for Processing
We rely on the following lawful bases under Article 6 (and, for health data, Article 9) of the UK GDPR:
- Contract (Art. 6(1)(b)): to create and run your account and provide the Platform's search, messaging, review, and billing features.
- Consent (Art. 6(1)(a) and Art. 9(2)(a)): to process health-related enquiry data and to send optional marketing where you have opted in. Consent can be withdrawn at any time.
- Legitimate interests (Art. 6(1)(f)): to secure the Platform, prevent fraud and abuse, moderate content, analyse usage to improve our services, and pursue or defend legal claims — balanced against your rights.
- Legal obligation (Art. 6(1)(c)): to comply with our legal, tax, accounting, and regulatory duties.
- Establishment/exercise/defence of legal claims (Art. 9(2)(f)): for retaining records needed to defend potential claims.
6. How We Use Your Personal Data
We use personal data to: operate accounts and authenticate logins; power Clara search and the directory; transmit enquiries and messages to your chosen Clinics; publish and moderate reviews; process Clinic subscriptions and Boosts via Stripe; send service and transactional emails; provide support; secure the Platform and prevent fraud and abuse; produce aggregated analytics; comply with law; and, with your consent, send marketing. We do not sell your personal data.
7. Clara Chat Processing & Our Sub-Processor (OpenAI)
- AI processing: Text you enter into Clara is transmitted securely to our AI language-model provider, OpenAI, acting as our processor under enterprise terms, to generate responses and interpret your search. This processing is governed by data-processing terms that restrict OpenAI's use of the data to providing the service; under our enterprise/API terms, inputs and outputs are not used to train OpenAI's models.
- Minimisation: We apply data-minimisation principles. Clara is instructed never to solicit identity documents, financial details, or detailed medical histories. You are cautioned against entering raw identifying or excessive medical detail into the chat.
8. Sharing Your Data & Independent Controllers
- Clinics you contact: When you submit an enquiry or message a Clinic, we transmit your name, email, and the content of your enquiry/message (including any details you include) to that Clinic. The Clinic then acts as an independent data controller for its copy and is solely responsible for its own compliance with data-protection law, clinical governance, and record-retention duties. Facilitating this contact does not make us and the Clinic joint controllers.
- Service providers (processors): We use trusted providers who process data on our instructions under Article 28 contracts, including: Stripe (payments and billing), OpenAI (Clara and review moderation), Cloudinary (image hosting), Google (Places/Maps data for clinic onboarding), our cloud hosting and database provider, and our email-delivery provider. Each is permitted to use the data only to provide its service to us. These providers may process data in the UK or in other countries (see section 9). We may add, replace, or remove sub-processors as our technology needs change; an up-to-date list of our current sub-processors is available on request from hi@clanics.com.
- Legal and protective disclosures: We may disclose data where required by law, regulation, or court order, to enforce our Terms, to prevent fraud or harm, or in connection with a sale or reorganisation of our business.
- No third-party ad-selling: We do not sell, rent, or share your personal data with third-party advertisers, and we do not share it with Clinics you have not chosen to contact.
9. International Data Transfers
Transfers into the UK. Because we operate from the United Kingdom, if you access the Platform from outside the UK your personal data will be transferred to, stored in, and processed in the United Kingdom, and may be transferred to the Clinics you choose to contact and to our service providers in other countries. By using the Platform and submitting your data, you understand and agree that it will be processed in the UK and in the other locations described in this policy.
Where your data is processed — UK or other countries. To run the Platform reliably and securely we depend on technology and service providers (including our cloud hosting and database, AI provider, payment processor, image host, and email and mapping providers). As a result, your personal data may be processed and stored in the United Kingdom or in other countries as our technology needs require — including countries outside the UK and the European Economic Area (for example, the United States) — wherever those providers, and the Clinics you choose to contact, operate. We may change the providers and processing locations we use as the Platform and its technology evolve.
Safeguards for international transfers. Wherever your personal data is transferred outside the UK, we put in place an appropriate safeguard recognised under UK data-protection law — such as a UK adequacy regulation (for a country the UK government recognises as providing adequate protection), the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, together with any additional measures needed — so that your data continues to receive an essentially equivalent level of protection, and we bind our providers by Article 28 processor contracts. The Clinics you choose to contact are independent controllers and are responsible for any onward transfer under their own local law. Details of the safeguards we use for a particular transfer are available on request from hi@clanics.com.
10. Automated Processing & Review Moderation
We use automated tools (including word blocklists and automated content moderation, which may use OpenAI) to screen reviews and messages for prohibited or unlawful content. These tools may automatically hold, hide, or reject Content. This automated screening does not produce legal or similarly significant effects on you within the meaning of Article 22 UK GDPR; where a decision materially affects you, you may request human review by contacting hi@clanics.com. Clara's responses are automated but are informational only and do not make decisions about you.
11. Cookies & PECR Compliance
Under the Privacy and Electronic Communications Regulations (PECR), we use cookies and similar local-storage technologies:
- Strictly necessary cookies: essential to maintain your login session, authenticate dashboard requests, and protect against Cross-Site Request Forgery (CSRF). Because they are strictly necessary for the service you request, they are exempt from the consent requirement.
- No third-party advertising or tracking: the Platform does not deploy third-party advertising cookies, social-media tracking pixels, or cross-site tracking scripts.
You can control or delete cookies through your browser settings, though disabling strictly necessary cookies may stop core features working.
12. Data Retention & Deletion
We keep personal data only as long as necessary for the purposes set out above, then delete or anonymise it. In particular:
- Enquiries and messages: retained for up to 6 years from the date of last activity, aligned with the Limitation Act 1980, to allow potential contract, statutory, or negligence claims to be resolved, after which message content is purged.
- Soft-deletion: when you "delete" a conversation from your inbox, it is hidden from your view but is not removed from the Clinic's records, because the Clinic has independent professional and regulatory obligations to retain enquiry and communication records.
- Reviews: reviews remain published under your display name. If you delete your account, your reviews are anonymised (separating the text from your identity) rather than deleted, to preserve directory integrity.
- Account deletion: on a verified erasure request, your profile, credentials, and contact logs are permanently deleted from our active systems within 30 days, subject to lawful retention overrides. A minimal, hashed, non-identifying record of the deletion event is kept to evidence compliance with Article 17.
- Billing records: Clinic invoices and payment records are retained for the period required by UK tax and accounting law (generally 6 years).
13. Data Security
We implement appropriate technical and organisational measures to protect personal data, including encryption of data in transit (TLS/SSL), access controls, authentication safeguards, and rate-limiting. While we take security seriously, no system can be guaranteed completely secure, and you are responsible for keeping your account access secure. If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours where required, and affected individuals where the law requires.
14. Children's Data
The Platform is intended only for users aged 18 or over. We do not knowingly collect personal data from anyone under 18. If we learn that we have collected such data, we will delete it. If you believe a minor has provided us data, contact hi@clanics.com.
15. Marketing
We only send marketing emails where you have opted in. You can unsubscribe at any time via the link in any marketing email or in your account settings. Withdrawing marketing consent does not affect service or transactional messages necessary to operate your account.
16. Your Legal Rights
Subject to conditions and exemptions under UK data-protection law, you have the right to:
- Access (SAR): obtain a copy of the personal data we hold about you.
- Rectification: have inaccurate or incomplete data corrected.
- Erasure ("right to be forgotten"): request deletion, subject to lawful retention overrides.
- Restriction / objection: restrict processing or object to processing based on legitimate interests, including profiling.
- Portability: receive certain data in a structured, machine-readable format.
- Withdraw consent: where processing relies on consent, at any time.
To exercise any right, email hi@clanics.com. We will respond within one month (extendable by two further months for complex requests). We may need to verify your identity first. Exercising your rights is free unless a request is manifestly unfounded or excessive.
If you are outside the UK, you may have additional or different rights under the data-protection law of your own country (for example, the EU GDPR if you are in the EEA), and you may be able to complain to your local data-protection authority as well as, or instead of, the UK ICO. We honour applicable local rights where the law requires.
17. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date shows the latest revision. Material changes will be notified on the Platform or by email where appropriate. Continued use after changes take effect indicates acceptance of the updated policy.
18. Contact & Complaints
For any privacy question or to exercise your rights, contact us at hi@clanics.com.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection, at ico.org.uk (helpline 0303 123 1113). We would, however, appreciate the chance to address your concerns first.