Privacy Policy

How PatientSort collects, uses, shares, and protects personal data.

Last updated: April 23, 2026

1. Who we are

PatientSort is a product of Questivals LLC, a Delaware limited liability company (File #10176195). In this policy, “PatientSort,” “we,” “us,” and “our” refer to Questivals LLC operating the PatientSort service. For privacy questions, contact support@patientsort.com.

2. What this policy covers

This policy describes how we handle personal data for two distinct groups of people:

• Clinic staff users — coordinators, surgeons, and administrators who log into PatientSort dashboards. For this data, PatientSort acts as the data controller.
• Patients — individuals whose WhatsApp messages flow through clinics using PatientSort. For this data, PatientSort acts as a data processor on documented instructions from the clinic, which is the data controller. A Data Processing Agreement (DPA) between the clinic and PatientSort governs this relationship.

3. Data we collect

From clinic staff users

• Name, business email, phone number
• Hashed login credentials and authentication tokens
• IP address, browser and device information, and usage analytics
• Clinic affiliation, role, and permissions
• Support ticket content and communications with our team

From patient WhatsApp messages (processed on behalf of the clinic)

• WhatsApp phone number (masked in the product UI)
• Patient name as provided by the patient
• Message content — text, images, documents, voice notes, and other media
• Message metadata — timestamps, delivery and read receipts, detected language
• Opt-in and opt-out signals (e.g., replies like STOP, DUR, إيقاف)

What we do not collect

PatientSort does not collect medical diagnoses, prescription data, or billing and insurance information unless a patient or clinic voluntarily shares such information within a WhatsApp message. We do not purchase personal data from third-party brokers.

4. How we use data

• Route incoming patient WhatsApp messages to the correct clinic
• Organize conversations into workflow stages and tabs
• Generate AI-drafted response suggestions that clinic staff review and approve before sending
• Detect opt-out keywords and honor opt-out requests as required by WhatsApp policy
• Support post-operative follow-up cadences configured by clinics
• Provide customer support and troubleshoot service issues
• Improve the service using de-identified, aggregated signals only
• Comply with legal, tax, and regulatory obligations

5. WhatsApp Business Platform

PatientSort connects to the WhatsApp Business Platform, operated by Meta Platforms Ireland Limited, to send and receive messages on behalf of clinics that subscribe to our service. When patients message a clinic's WhatsApp Business number, Meta transmits those messages to PatientSort through the WhatsApp Cloud API. We store message content, media, and metadata to provide the PatientSort service to the clinic.

WhatsApp's own privacy practices are governed by Meta's privacy policy, available at whatsapp.com/legal/privacy-policy. PatientSort is an independent service and is not operated, endorsed, or sponsored by Meta.

6. Legal basis for processing (GDPR Article 6 / KVKK Article 5)

• Contract performance — to provide the PatientSort dashboard and service to clinic subscribers under a subscription agreement.
• Legitimate interest — to operate the processing platform on behalf of the data-controlling clinic and maintain service integrity and security.
• Consent — where a patient has explicitly opted in to marketing or follow-up communications through the clinic.
• Legal obligation — for tax, fraud prevention, and regulatory response.

7. Special categories of data (GDPR Article 9 / KVKK Article 6)

PatientSort processes this data solely as a data processor acting on documented instructions from the clinic (the data controller). Clinics are responsible for obtaining appropriate consent from patients for sharing sensitive data through WhatsApp. PatientSort contractually requires clinics to obtain and document such consent in our Data Processing Agreement.

8. Data sharing

We share personal data only with the following categories of recipients, each under a contract that restricts their use of the data:

• Meta Platforms Ireland Limited — to transmit WhatsApp messages via the WhatsApp Business Platform
• Supabase (EU, Frankfurt region) — database and authentication hosting, under a signed Data Processing Agreement
• Vercel — web hosting and edge delivery
• Azure OpenAI Service (EU region) — to generate AI-drafted response suggestions; customer data is not used to train foundation models
• Stripe — to process clinic subscription payments (clinic billing information only; not patient data)
• Professional advisors — legal, accounting, and auditors, under confidentiality obligations
• Authorities — where required by law, subpoena, or court order

We do not sell personal data, ever. We do not share data for third-party advertising purposes.

9. International data transfers

Because patients may be located in the European Union, United Kingdom, Turkey, the Gulf Cooperation Council states, and elsewhere, personal data may be transferred to and processed in countries outside the patient's home jurisdiction. We rely on the following safeguards:

• European Commission adequacy decisions, where applicable
• Standard Contractual Clauses (EU Commission Decision 2021/914) for transfers to the United States and other third countries
• KVKK-compliant Standard Contract clauses (Turkish Personal Data Protection Authority notification or undertaking, as applicable) for transfers involving Turkish data subjects
• UK International Data Transfer Agreement where applicable

10. Data retention

• Clinic user accounts — retained while the subscription is active, plus 90 days after cancellation (for reactivation), then permanently deleted.
• Patient message content— retained while the clinic's subscription is active. Upon cancellation, patient data is deleted 30 days after the cancellation effective date unless the clinic exports it first.
• Opt-out records — retained indefinitely as required by the WhatsApp Business Messaging Policy to prevent re-messaging.
• Backups — encrypted, retained on a 90-day rolling window.
• Support tickets — 3 years.
• Financial and tax records — 7 years or as legally required.

11. Your rights

Depending on your jurisdiction, you may have the following rights under GDPR Articles 15–22, KVKK Article 11, and equivalent laws:

• Access — a copy of the personal data we hold about you
• Rectification — correction of inaccurate data
• Erasure — “right to be forgotten”
• Restriction — limit processing in certain circumstances
• Portability — receive your data in a portable format
• Objection — object to processing based on legitimate interest
• Automated decision-making — not be subject to solely automated decisions that produce legal or similarly significant effects. Note: AI-drafted response suggestions in PatientSort are always reviewed by human clinic staff before being sent.
• Withdraw consent — where processing is based on consent

Patients should primarily contact the clinic they interacted with (the data controller) to exercise these rights. If the clinic is unresponsive or no longer uses PatientSort, you may contact us at support@patientsort.com or use our data deletion request form. We respond within 30 days.

12. Children's data

The WhatsApp Business Platform requires users to be at least 18 years old. PatientSort does not knowingly process data about children under 18. Clinics using PatientSort represent that their WhatsApp patient communications are with adults. Pediatric clinical communications require parent or guardian accounts and fall outside the scope of the PatientSort service.

13. Cookies and tracking

We use a small number of strictly necessary and functional cookies to operate the service, plus privacy-first analytics. We do not use advertising cookies, Meta Pixel, or Google Analytics. See our Cookie Policy for details.

14. Security

• TLS 1.3 for all data in transit
• AES-256 encryption for data at rest
• Row-level security in our database, partitioned per clinic
• Mandatory two-factor authentication for clinic administrators
• Audit logging of access to patient data
• Least-privilege access for PatientSort personnel
• Annual review of security practices

No system is perfectly secure. If we discover a data breach that affects you, we will notify you and the relevant supervisory authority within 72 hours where required by law.

15. Changes to this policy

We may update this policy to reflect changes in our practices or applicable law. For material changes, we will notify clinic subscribers by email at least 30 days before the change takes effect and update the “Last updated” date at the top. Continued use of the service after the effective date constitutes acceptance of the updated policy.

16. Contact

For any privacy question, request, or complaint:

Email: support@patientsort.com
Postal mail: Questivals LLC, attn: Privacy, Delaware File #10176195 (operating address furnished on request).

For KVKK-specific inquiries from Turkish data subjects, the same email applies. PatientSort has not appointed a formal Data Protection Officer under GDPR Article 37, as our core activities do not meet the appointment threshold, but support@patientsort.com serves as the primary contact for all data-protection matters.

Supervisory authorities

If you believe we have processed your personal data unlawfully, you have the right to lodge a complaint with a supervisory authority in your jurisdiction. Relevant authorities include:

• Turkey: Kişisel Verileri Koruma Kurumu (KVKK) — kvkk.gov.tr
• Ireland (lead supervisor for Meta): Data Protection Commission — dataprotection.ie
• United Kingdom:Information Commissioner's Office — ico.org.uk
• Your local EU member-state data protection authority — see edpb.europa.eu