Privacy Policy

Effective April 16, 2026

This Privacy Policy describes how MyHealDesk (“MyHealDesk,” “we,” “us,” or “our”) collects, uses, and shares information when you use our software-as-a-service platform for physiotherapy practice management (the “Service”). By using the Service, you agree to the practices described here.

1. Who we are

MyHealDesk is operated by a company registered in the United States. For privacy questions, contact us at privacy@myhealdesk.com.

2. Information we collect

We collect the following categories of information:

  • Account information — your name, email, clinic name, and authentication credentials when you sign up.
  • Clinic data — services, staff, locations, schedules, and branding you configure.
  • Patient data — information you enter about your patients, including names, contact details, date of birth, health records, intake forms, measurements, training programs, therapy session notes, and uploaded files.
  • Appointment and financial data — bookings, payments, invoices, packages, and expenses.
  • Technical data — IP address, browser type, device information, and analytics events, used for security and to improve the Service.
  • Google account data — if you choose to connect Google Calendar, we receive only the scopes you explicitly approve (see Section 7).

3. How we use your information

  • To provide, maintain, and secure the Service.
  • To process bookings, payments, invoices, and reports on your behalf.
  • To send transactional emails (appointment confirmations, reminders, invoices) that you configure.
  • To respond to your support requests.
  • To improve our product — analytics are aggregated and do not identify individual patients.
  • To comply with legal obligations.

We never sell your data or your patients’ data. We do not use patient health data for advertising or profiling.

4. Legal basis (for users in the EU/EEA)

We process personal data under the following legal bases under GDPR:

  • Contract — to deliver the Service you’ve subscribed to.
  • Legitimate interest — to keep the Service secure and improve it.
  • Consent — for optional integrations (e.g. Google Calendar).
  • Legal obligation — when required by law.

When it comes to your patients’ data, you (the clinic) are the Data Controller. MyHealDesk acts as a Data Processor, processing that data only under your instructions as set out in our Terms of Service.

5. How we share information

We share data only with the following categories of third parties, each of which is contractually bound to protect it:

  • Supabase — database and authentication hosting.
  • Vercel — application hosting.
  • Resend — transactional email delivery.
  • Google — only if you connect Google Calendar, and only the data required to create/manage calendar events.
  • Legal authorities — if required by a valid legal process.

6. Data retention

We retain your account and clinic data for as long as your account is active. If you cancel, we keep the data for 30 days so you can reactivate, then we permanently delete it, except where we are required to retain it by law (e.g. invoicing records). You can export or request deletion of your data at any time by emailing us.

7. Google API disclosures

MyHealDesk’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

  • We request only the specific Google Calendar scopes needed to create and manage events that correspond to appointments you book in MyHealDesk.
  • We do not use Google user data to serve ads.
  • We do not transfer Google user data to third parties except as necessary to provide the Service, to comply with law, or as part of a merger, acquisition, or sale of assets where users are notified.
  • We do not allow humans to read Google user data except (a) with explicit consent, (b) for security, (c) to comply with law, or (d) when data is aggregated and used for internal operations with privacy safeguards.
  • You can revoke MyHealDesk’s access to your Google account at any time from your Google account permissions page.

8. Security

We use TLS encryption in transit and at-rest encryption via our infrastructure providers. Access to production systems is limited to authorized personnel and protected by multi-factor authentication. Despite our efforts, no service can guarantee perfect security. If we become aware of a data breach affecting your data, we will notify you without undue delay.

9. Your rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Request deletion (“right to be forgotten”).
  • Export your data in a portable format.
  • Object to or restrict certain processing.
  • Withdraw consent for optional processing.

To exercise these rights, email privacy@myhealdesk.com. We respond within 30 days. If you are not satisfied, you may lodge a complaint with your local data protection authority.

10. Cookies

We use a small number of essential cookies to keep you signed in and to secure our forms against CSRF. We do not use third-party tracking cookies for advertising. We may use privacy-respecting analytics (e.g. Plausible) that do not set cross-site identifiers.

11. Children

MyHealDesk is intended for use by healthcare professionals. The Service is not directed at children under 16. Clinics using the Service may store records about minor patients with the consent of a parent or legal guardian, as permitted by applicable law.

12. International transfers

Your data is hosted on servers operated by our infrastructure providers, which may be located outside your country. When we transfer data internationally, we rely on appropriate safeguards (such as Standard Contractual Clauses).

13. Changes to this policy

We may update this policy from time to time. Material changes will be announced by email to account holders at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.

14. Contact

Questions or concerns? Email privacy@myhealdesk.com.