What we store about you on our servers
- Your first and last names (so we know how to address you)
- Your business name (see above)
- Your email address (so we can contact you — e.g. for trial expiry notices, billing issues etc.)
- A link to your subscription in our payment processor, Stripe (so we can bill you)
- When you signed up (so we can calculate your trial)
- When you activated your account
- When your trial expires
- The number of practitioners you have on your Cliniko account (so we know what plan to put you on)
- A list of IDs of the businesses you have on Cliniko (i.e. if you have multiple locations set up in Cliniko, these are known as different businesses) (we only want every business having one account, so we use this list to match against if you ever decide to use a different API key than the one with which you first signed up)
- Your Cliniko account ID
- A guess at your currency code e.g. AUD (we look at your currency symbol and Cliniko country to work this out)
- A one-way hash of your Cliniko API key(s) (this is used to match your iPads against your account so we know who you are — so we can let you know if your trial has expired or if you've exceeded the number of allocated practitioners on your account and need to upgrade)
- A list of practitioners from your Cliniko account, their roles and encrypted API keys (so we can perform actions within your Cliniko account not only from your connected iPad, but also from our server)
- Your Finger-Ink forms
- Your Cliniko referral source types
- When/if you consented to our other opt-in communications
What we store about your patients on our servers
Absolutely nothing 🎉
(yes, that's right — no patient data ever touches our servers — it's all on your iPad(s), and Cliniko's servers).
How information is stored and transferred between your iPad(s) and our servers
All communication between our servers, your iPad(s) and/or Cliniko's servers is encrypted in transit.
This means that even in the very unlikely event that someone did get past our encryption and get an unencrypted version of our database, they still wouldn't be able to access your Cliniko account using the API key(s) we store:
- The API key(s) stored using the one-way hash allow us to verify who you are by going API key → hash. They can never be translated back from the hash to the API key.
- The encrypted API key(s) are encrypted in a similar way to how Google encrypts its data.
Again, none of your patient data is stored on our servers.
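How the API key → hash matching described above can work, as an added example that is not Finger-Ink's own code. The HMAC-SHA256 construction, the server-side pepper, and every name and sample key here are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Assumption: a server-side secret ("pepper") kept outside the database,
# so a leaked database alone cannot be used to test guessed keys.
PEPPER = secrets.token_bytes(32)


def fingerprint(api_key: str, pepper: bytes = PEPPER) -> str:
    """One-way fingerprint of an API key: key -> hash, never hash -> key."""
    return hmac.new(pepper, api_key.encode("utf-8"), hashlib.sha256).hexdigest()


class AccountIndex:
    """Maps key fingerprints to account IDs; plaintext keys are never stored."""

    def __init__(self) -> None:
        self._by_fingerprint: dict[str, str] = {}

    def register(self, account_id: str, api_key: str) -> None:
        # An account may hold several keys, each stored as its own fingerprint.
        self._by_fingerprint[fingerprint(api_key)] = account_id

    def identify(self, presented_key: str) -> str | None:
        """Return the account ID for a key presented by a device, else None."""
        candidate = fingerprint(presented_key)
        for stored, account_id in self._by_fingerprint.items():
            # Constant-time comparison avoids leaking how many characters match.
            if hmac.compare_digest(stored, candidate):
                return account_id
        return None

    def stored_values(self) -> list[str]:
        # What a database dump would expose: fingerprints only.
        return list(self._by_fingerprint)


def demo() -> dict:
    # Constructed sample keys, not real Cliniko API keys.
    key_a, key_b = "sample-key-aaaa1111", "sample-key-bbbb2222"
    index = AccountIndex()
    index.register("acct-1", key_a)
    index.register("acct-1", key_b)
    stored = index.stored_values()
    return {"known": index.identify(key_b),
            "unknown": index.identify("sample-key-never-registered"),
            "leaks_plaintext": any(key_a in v or key_b in v for v in stored)}
```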
Third party integration
No patient information is shared with any of these — except for Cliniko.
Obviously, we interact with Cliniko in a huge way. We use the API key(s) you provide us to communicate with their servers both regularly in our app and, the first time you connect with us, from our servers.
In the app, we communicate with Cliniko to
- Get your appointments
- Get patient information before filling out a form
- Send updated patient information
- Attach PDFs to patient records
- Get a list of your treatment note templates
- Get a specific treatment note template that you've selected
- Create draft treatment note templates
- Get your practitioner and user settings to determine if we need to provide for any other API keys to be entered into the app
- Get your settings to determine your online booking logo image, company name and email address
On our server, we communicate with Cliniko the first time you connect with us to
- Get your settings to determine your billing currency, administrator name, administrator email address and your company name — so we can use these to create a Finger-Ink account for you
- Get a list of your business IDs (so if you connect with a different API key in the future, we can match this to a previous account of yours if one exists)
- Get a list of practitioners so we know in which plan to place you
Also on our server, we may communicate with Cliniko to
- Download your referral source types
- Download treatment note templates
- Update patient referral sources
We use Intercom as our customer support service. Any time you send an email to firstname.lastname@example.org, email@example.com or contact us through the chat button on the website, or in the app, it goes through Intercom's servers.
We also send key events from the app so we can better serve you — e.g. when you first load the app, when you have filled out your first form, when you've imported a template from Cliniko etc.
No patient information is shared with Intercom.
We use Stripe for subscription billing. To facilitate this, the following information about your subscription is stored with Stripe:
- Your subscription plan
- Your billing address
- Your billing email address
- Your credit card details — name, number, expiry date (we can't access these, see Stripe's security documentation)
- A history of your transactions with us
No patient information is shared with Stripe.
Fabric is a Google service we use to let us know when the app crashes.
No patient information is shared with Fabric.
Slack is our company communication service — we use it to plan features, collaborate on supporting you, our customers, and for general company communication.
We occasionally mention company names and first names during this communication.
No patient information is shared with Slack.
GitHub is where our application source code is hosted. We also use it to plan features. We occasionally tag planned features or bugs with company and customer names.
No patient information is shared with GitHub.
Quip is like Google Docs, and it allows collaboration on documents across our team. We use it to collect the results of optional surveys you may take.
No patient information is shared with Quip.
Xero is our accounting software. When payments come in, they need to be matched against our bank account. Xero is how we do that. Your name, your company name and your billing address may be stored within Xero.
No patient information is shared with Xero.
Webflow is where we host the Finger-Ink website. We do not currently process any of your data with this service, but there was a time when we asked for your name and email address before downloading the app, and this is where it was collected.
No patient information is shared with Webflow.
We use Google Docs for team collaboration on policies and legal documents. We don't generally store any of your information here. We do not use Google Analytics.
No patient information is shared with Google.
Migadu is our email hosting provider for any non-Intercom address. As such, all email communication we send and/or receive through these addresses goes through Migadu. We do not generally mention specific customers over email, so your information shouldn't be there.
No patient information is shared with Migadu.
Aircall is our phone service provider. Our phone numbers are hosted with them. When we call you — we're doing it through Aircall. We do not currently use their call recording feature. We do make notes of our conversations.
Patient information is only ever shared with Migadu if you choose to share it on a call.
ProfitWell is our company analytics provider. We use them to keep track of our KPIs, such as monthly recurring revenue. Your company name, your email address and your billing history are stored in ProfitWell.
No patient information is shared with ProfitWell.
Survicate is our survey provider. We use them to send out surveys to leads and customers to better understand our market. Your name, your company name and your email address, and any answers to any surveys you fill out may be stored in Survicate.
No patient information is shared with Survicate.
What we store about you and your patients on your iPad(s)
Almost everything we store about you on our servers, plus:
- Your actual plain-text API key (so we can communicate with Cliniko to get your appointments, pull/push patient info, attachments and treatment notes)
- All information provided to you by your patients.
- Metadata allowing normal operation of the app (such as your form definitions, details about which filled forms need processing / pushing to Cliniko etc.)
This information is also encrypted on your device any time the app isn't in the foreground (so it's encrypted if the iPad is asleep, or if you're in another app).
If someone gets the iPad and goes into our app without you knowing, they still have to guess your iPad passcode and the Finger-Ink passcode to get into the admin area, where patient information is kept.
The biggest risk to your patients' data is losing an iPad. If this happens, the first thing you should do is remotely wipe the lost iPad. The second thing you should do is revoke the API key you provided to our app.