Security & Privacy

Security and privacy controls

Private Practice is designed for day-to-day clinical operations with practical controls around access, audit, identity, and data handling. This page summarizes platform controls and does not make legal or regulatory certification claims.

Tenant isolation and access control

Clinic data access is tenant-scoped with role-based permissions. Staff actions are constrained by workflow and role.

Account security

Two-factor authentication with backup codes, secure password reset flows, and staff access governance.

Audit and support traceability

Audit logs capture sensitive actions, including support impersonation reason trails where enabled.

Storage and retention controls

Encrypted key handling, configurable storage targets, and retention tooling with dry-run support for safer operations.

GDPR-oriented controls

Private Practice includes technical measures aligned with common GDPR expectations for health data platforms: storage limitation, safeguards around third-party AI processing, and security of processing. Clinics remain data controllers for patient records; the platform operator supports processors with configurable retention, auditability, and access controls. This section describes implemented product capabilities only — it is not legal advice and does not represent GDPR certification or a completed compliance programme.

Storage limitation and retention

Operational data is purged or anonymised on configurable schedules: audit log IP addresses are hashed at 90 days and rows purged at 2 years; private note revisions, bulk messaging records, AI suggestion cache, stock movement history, and impersonation sessions each have documented retention windows. A super-admin retention job supports dry-run before live purges. Core clinical records remain governed by clinic and statutory retention rules and are not deleted by this job.
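The two-stage retention policy above (hash audit-log IP addresses at 90 days, purge rows at 2 years, dry-run first) is easier to reason about when written out. The following is an added illustration, not Private Practice's own retention job: the row layout, the keyed-hash scheme for the IP column, the 730-day reading of "2 years" and the sample rows are all assumptions made for the example. The job reports what it would change before it changes anything, and it only touches audit rows, never clinical records.

```python
"""
Added example (not the product's own code): a retention pass over
constructed audit-log rows. IPs are replaced by a keyed hash at 90 days,
rows are purged at 2 years, and dry_run=True reports without mutating.
Row shape, salt handling and the 730-day year are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
import hashlib
import hmac

IP_HASH_AFTER = timedelta(days=90)
PURGE_AFTER = timedelta(days=2 * 365)  # assumption: "2 years" read as 730 days


@dataclass(frozen=True)
class AuditRow:
    row_id: int
    occurred_at: datetime
    actor: str
    action: str
    ip: str                  # raw client IP, or "sha256:..." once hashed
    ip_hashed: bool = False


@dataclass
class RetentionReport:
    to_hash: list[int]       # row ids whose IP is (or would be) hashed
    to_purge: list[int]      # row ids that are (or would be) deleted
    applied: bool            # False for a dry run


def hash_ip(ip: str, salt: bytes) -> str:
    # HMAC rather than a bare hash: the IPv4 space is small enough to
    # brute-force, so the secret salt (assumed to live outside the database)
    # is what keeps the stored value from being reversed.
    digest = hmac.new(salt, ip.encode(), hashlib.sha256).hexdigest()
    return f"sha256:{digest[:32]}"


def run_retention(rows: list[AuditRow], now: datetime, salt: bytes,
                  dry_run: bool = True) -> tuple[list[AuditRow], RetentionReport]:
    """Return (remaining_rows, report). On a dry run the rows are returned unchanged."""
    to_hash, to_purge, kept = [], [], []
    for row in rows:
        age = now - row.occurred_at
        if age >= PURGE_AFTER:
            to_purge.append(row.row_id)
            continue                     # dropped from the kept set on a live run
        if age >= IP_HASH_AFTER and not row.ip_hashed:
            to_hash.append(row.row_id)   # already-hashed rows are skipped: the job is idempotent
            if not dry_run:
                row = replace(row, ip=hash_ip(row.ip, salt), ip_hashed=True)
        kept.append(row)
    if dry_run:
        return list(rows), RetentionReport(to_hash, to_purge, applied=False)
    return kept, RetentionReport(to_hash, to_purge, applied=True)


# Constructed sample data: three audit rows of different ages.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SALT = b"example-only-salt"
SAMPLE_ROWS = [
    AuditRow(1, NOW - timedelta(days=10),  "dr.smith",  "note.view",         "203.0.113.5"),
    AuditRow(2, NOW - timedelta(days=120), "reception", "patient.export",    "198.51.100.7"),
    AuditRow(3, NOW - timedelta(days=800), "support",   "impersonate.start", "192.0.2.9"),
]

if __name__ == "__main__":
    _, preview = run_retention(SAMPLE_ROWS, NOW, SAMPLE_SALT, dry_run=True)
    print("dry run -> hash:", preview.to_hash, "purge:", preview.to_purge)
    remaining, applied = run_retention(SAMPLE_ROWS, NOW, SAMPLE_SALT, dry_run=False)
    print("live run -> remaining ids:", [r.row_id for r in remaining])
```

Running the dry run first and reviewing the report is the safety step the page describes; a second live run over the already-processed rows reports nothing to hash, which is the idempotence a scheduled job needs.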

AI processing safeguards

Patient identifiers are redacted from note and prescription text before third-party LLM calls; structured prompts include patient age only, not name. Clinics can disable AI processing entirely per tenant. OpenAI and xAI calls use non-storage modes; cached AI suggestions are anonymised after 90 days.
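To make the redaction and age-only prompt concrete, here is an added example that is not the product's own code. It assumes a patient record with name, identifier number, date of birth, phone and e-mail fields, a placeholder-token convention, a small set of generic fallback patterns, and a constructed consultation note; none of these are taken from the platform. The pre-send guard at the end is the check a practitioner would want: it rejects the prompt if any record identifier survives redaction.

```python
"""
Added example (not Private Practice's own code): strip patient identifiers
from free-text note content before it leaves the tenant, build a prompt
that carries age only, and verify no identifier remains before sending.
Field names, token labels, regexes and the sample note are assumptions.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Patient:
    first_name: str
    last_name: str
    id_number: str        # constructed 10-digit identifier, not a real one
    date_of_birth: str    # ISO date
    age: int
    phone: str
    email: str


def _replace_exact(text: str, value: str, token: str) -> str:
    # Case-insensitive, not anchored on \b so a value next to punctuation
    # ("Doe,", "jane.doe@") is still caught.
    return re.sub(rf"(?<!\w){re.escape(value)}(?!\w)", token, text, flags=re.IGNORECASE)


def redact_for_llm(text: str, patient: Patient) -> str:
    redacted = text
    # Pass 1: identifiers taken from the record itself, most specific first so
    # an e-mail is replaced whole rather than having the name inside it hit.
    known = [
        (patient.email, "[EMAIL]"),
        (patient.phone, "[PHONE]"),
        (patient.id_number, "[ID]"),
        (patient.date_of_birth, "[DOB]"),
        (f"{patient.first_name} {patient.last_name}", "[PATIENT]"),
        (patient.last_name, "[PATIENT]"),
        (patient.first_name, "[PATIENT]"),
    ]
    for value, token in known:
        if value:
            redacted = _replace_exact(redacted, value, token)
    # Pass 2: generic safety net for identifiers typed in a different format
    # than the record holds them (no spaces, different separators).
    redacted = re.sub(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b", "[ID]", redacted)
    redacted = re.sub(r"\b\d{4}-\d{2}-\d{2}\b", "[DATE]", redacted)
    redacted = re.sub(r"[\w.+-]+@[\w-]+\.[\w.]+", "[EMAIL]", redacted)
    return redacted


def build_prompt(note_text: str, patient: Patient) -> dict:
    # Structured context carries age only: no name, DOB or identifier number.
    return {
        "task": "Summarise the consultation note for the clinician.",
        "patient": {"age": patient.age},
        "note": redact_for_llm(note_text, patient),
    }


def leaked_identifiers(prompt: dict, patient: Patient) -> list[str]:
    """Pre-send guard: every record identifier still present in the serialised prompt."""
    blob = json.dumps(prompt).lower()
    candidates = [patient.first_name, patient.last_name, patient.id_number,
                  patient.date_of_birth, patient.phone, patient.email]
    return [c for c in candidates if c and c.lower() in blob]


# Constructed sample record and note (fictional values).
SAMPLE_PATIENT = Patient("Jane", "Doe", "123 456 7890", "1979-03-14", 45,
                         "020 7946 0123", "jane.doe@example.com")
SAMPLE_NOTE = (
    "Jane Doe (NHS 1234567890, DOB 1979-03-14) attended with persistent cough. "
    "Ms Doe reports no fever. Contact 020 7946 0123 / jane.doe@example.com "
    "to confirm follow-up."
)

if __name__ == "__main__":
    prompt = build_prompt(SAMPLE_NOTE, SAMPLE_PATIENT)
    leaks = leaked_identifiers(prompt, SAMPLE_PATIENT)
    if leaks:
        raise SystemExit(f"refusing to send: identifiers present {leaks}")
    print(json.dumps(prompt, indent=2))
```

The guard runs on the serialised prompt rather than on the note alone, so a name or identifier that slipped in through a field other than the note text is also caught before the third-party call is made.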

Security of processing

Tenant-scoped access, role-based permissions, two-factor authentication, audit logging (including support impersonation reasons), and encrypted handling of API keys support confidentiality, integrity, and accountability for health data processing.