Privacy Policy

This Privacy Policy describes how ClearPass.health collects, uses, transmits, retains, and protects information when you use the ClearPass.health clinical documentation assistance service ("ClearPass.health" or "the Service") at clearpass.health and related domains.

This policy is governed by the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) ("PDPL").

1. Who we are and how to contact us

ClearPass.health is operated as an unincorporated business from Dubai, United Arab Emirates, by a licensed UAE physician operating under the trading name ClearPass.health ("ClearPass.health," "we," "us," "our"). The operator's full legal name and postal address are available on written request to support@clearpass.health.

For privacy questions, data subject requests, or to exercise any of your rights under this policy, contact us at support@clearpass.health. This address serves both general privacy enquiries and Data Protection Officer functions (see Section 15). A postal address is available on written request.

We aim to respond to privacy enquiries within 14 working days, in line with PDPL Article 17.

You also have the right to lodge a complaint directly with the UAE Data Office if you believe your rights under the PDPL have been infringed.

2. Who this policy applies to

ClearPass.health is a B2B tool intended for use by licensed healthcare professionals. Account holders must be 18 years of age or older. ClearPass.health does not knowingly create user accounts for individuals under 18.

However, in the course of providing the Service, ClearPass.health may indirectly process clinical information about paediatric patients entered by the treating clinician. Section 10 of this policy explains how we handle data relating to minors.

3. What information we collect

We collect the following categories of personal data:

Account information. When you create a ClearPass.health account, we collect: your full name, email address, professional specialty, and an encrypted password hash. We do not ask for, store, or have access to your medical licence number, Emirates ID, passport, or any other identity document.

Subscription and billing data. Subscription tier, subscription status, renewal date, and a customer reference token issued by our payment processor, Paddle. We do not collect, store, or have access to your credit card number, CVV, billing address, or other payment card details — these are handled directly by Paddle as the Merchant of Record (see Section 6).

Clinical text input. When you generate a note using ClearPass.health, the clinical description you enter is processed transiently to produce the structured EMR note and pre-authorisation justification. The handling of this text is described in detail in Sections 4 and 5.

Usage data. Number of notes generated, date of last activity, specialty preferences, feature use, and similar aggregate metrics. This data is used to operate, secure, and improve the Service.

Technical logs. Standard server logs collected by our hosting provider Railway, including IP address, browser user-agent, timestamp, request path, and HTTP status code. These logs are used for service reliability, fraud prevention, and security monitoring.

Cookies and local storage. ClearPass.health uses essential browser local storage to retain your generated note history on your device only — this data never leaves your browser and is not transmitted to ClearPass.health servers. We do not use third-party tracking cookies, behavioural advertising cookies, or analytics tools that identify individual users.

4. How we handle clinical text — the core privacy commitment

ClearPass.health is designed around the principle that clinical content is not retained on our servers. Specifically:

1. When you enter clinical text and request a generation, the text is submitted to our backend over an encrypted HTTPS connection.
2. Our backend applies an automated identifier-redaction step (see Section 5) before transmitting the redacted text to our AI processing provider.
3. The redacted text is transmitted to Anthropic PBC's API (United States) for real-time generation.
4. Anthropic returns the generated note and justification.
5. Our backend returns the response to your browser.
6. Our backend discards both your original input and the generated response after the response is returned. ClearPass.health does not write clinical text to disk and does not maintain a server-side history of your notes.
7. Your generated note is stored only in your browser's local storage on your own device, where you can copy, edit, or delete it at will.

Anthropic's handling of the redacted text: Anthropic operates under its Commercial Terms of Service and Data Processing Addendum, which apply automatically to commercial API usage. Under these terms:

• Anthropic does not use commercial API inputs or outputs to train AI models.
• Anthropic automatically deletes API inputs and outputs from its backend within 30 days of receipt, except where required by law or to enforce its Usage Policy.
• Anthropic's full data retention practices for commercial customers are documented at privacy.claude.com.

This means that for any given note you generate, the upper-bound persistence of the redacted content at any layer is approximately 30 days, after which it is automatically deleted everywhere. The text is never stored on ClearPass.health servers at any point.

5. Identifier auto-redaction — what it does and does not do

Before transmitting your clinical text to Anthropic, ClearPass.health applies a multi-layer identifier-redaction pipeline:

1. Client-side (advisory) — your browser runs an initial redaction pass before the text is submitted to our servers, reducing what travels over the network.
2. Server-side (authoritative) — our backend re-runs a more comprehensive redaction pass on the text before any API request to Anthropic is made. This is the enforced safety boundary.
3. Response-side (defense in depth) — the same redaction logic is applied to Anthropic's response before it is returned to your browser, in case the AI has echoed an identifier back in its output.

The redactor uses deterministic regular-expression patterns — not a machine-learning model. When a pattern matches, the matched text is replaced with a placeholder such as [REDACTED-EMAIL] before transmission. This makes the behaviour auditable, predictable, and reviewable.

What the server-side redactor matches

The following nine categories are currently detected and replaced:

Category	Example matched
Emirates ID numbers	784-1985-1234567-1
UAE mobile numbers	+971 50 123 4567, 050 123 4567
Labelled phone numbers	Tel: +971 4 ..., Phone: 04 ...
Email addresses	name@example.com
Medical record numbers (when labelled)	MRN: 12345, File No: ABC-7890, Patient ID: ...
Passport numbers	A12345678
Dates of birth (when labelled)	DOB: 15-03-1985, Date of birth: 15/3/1985
Names preceded by a title	Mr Ahmed Hassan, Mrs Fatima Al Marri
Names following a label	Patient: John Smith, Pt: A. Hassan

What the redactor does NOT match by design

The patterns are intentionally conservative to avoid corrupting clinical content (vital signs, ages, ICD/CPT codes, anatomic measurements, lab values, and similar). The following categories are not automatically removed:

• First names appearing in free-text narrative without a title or label prefix (e.g., "Ahmed presented with...")
• Dates not labelled as DOB (e.g., "born 15 March 1985" without a "DOB:" prefix)
• Street addresses, residential locations, or workplace identifiers
• Bare numerical strings that could be MRNs without a recognised label keyword
• Identifiers in non-Latin scripts or unusual formats

Because the auto-redactor cannot catch every conceivable identifier, the content of your submission remains your responsibility.

Your responsibilities as the treating clinician

When using ClearPass.health, you should:

• Enter only the minimum clinical detail necessary to generate useful documentation.
• Avoid entering patient names, Emirates IDs, MRNs, full dates of birth, addresses, phone numbers, or other direct identifiers wherever possible.
• Use initials, age in years, and clinical descriptors instead of identifying details.
• Treat ClearPass.health output as draft documentation that must be reviewed before insertion into any patient record.

These practices are consistent with your existing professional duties of patient confidentiality under DHA/DOH guidelines and UAE healthcare law.

Legal status of the redaction

The redaction step is a privacy-engineering safeguard, not a formal de-identification process. It does not constitute de-identification under HIPAA Safe Harbor, Expert Determination, or any equivalent legal standard. Clinical content remaining after redaction may still indirectly identify individuals when combined with other data (e.g., rare diagnoses in small populations). For this reason, your professional duty of confidentiality continues to apply to all text you submit, regardless of whether redaction is enabled.

6. Subprocessors and data flow

We rely on the following service providers to operate ClearPass.health. Each is contractually bound to protect the data they process on our behalf or, in the case of Paddle, as an independent controller.

Provider	Role	Location	Data accessed
Anthropic PBC	AI processing of redacted clinical text	United States	Redacted clinical text submitted for generation; generated response
Railway	Hosting infrastructure and server logs	United States	Account data, subscription data, server logs (no clinical content)
Paddle.com Market Limited	Payment processing as Merchant of Record	United Kingdom / global	Customer name, email, billing country, payment data (collected directly by Paddle; not by ClearPass.health)

Note on Paddle's role. Paddle operates as our Merchant of Record. Under this arrangement, Paddle is the legal seller of ClearPass.health subscriptions and acts as an independent data controller for payment, billing, and tax data — not as our processor. Paddle's own Privacy Policy (paddle.com/legal/privacy) governs its handling of that data. ClearPass.health receives only an anonymised customer reference and subscription status back from Paddle.

Data Processing Addenda. Where the provider acts as our processor, we have executed (or have automatically incorporated) Data Processing Addenda including Standard Contractual Clauses for international transfers:

• Anthropic: DPA incorporated into the Commercial Terms of Service
• Railway: Self-service DPA executed under Railway's standard terms
• Paddle: Master Services Agreement and Data Sharing Addendum (independent-controller framework)

7. International data transfers

ClearPass.health processes data in the United States (Anthropic, Railway). The United States does not have an adequacy decision from the UAE Data Office under PDPL Article 22.

We rely on the following safeguards for cross-border transfers, consistent with PDPL Articles 22–23:

• Standard Contractual Clauses within each subprocessor's Data Processing Addendum.
• Explicit informed consent at the point of use. When you submit clinical text through the Service, the disclaimer you have accepted, together with this Privacy Policy, constitutes your explicit consent to the cross-border transfer of the (redacted) content for the limited and specified purpose of generating clinical documentation.
• Data minimisation through automated identifier redaction before any transfer occurs.
• Health-sector legal basis. The cross-border processing of health-related clinical content described in this policy is conducted under UAE Federal Law No. 2 of 2019 concerning the use of information and communication technology in the field of health, and Ministerial Resolution 51/2021 thereunder. ClearPass.health relies on the exception for Insurance Claims Administration (Resolution Article 6). Under this exception, the treating clinician is responsible for obtaining the patient's informed consent for the use of AI-assisted documentation as part of routine care, as set out in Section 8 of the ClearPass.health Terms of Service. This is in addition to, and not in place of, the PDPL-based safeguards above.

If you do not consent to international transfer of redacted clinical text to Anthropic in the United States, you should not use the Service.

8. Legal basis for processing

Under PDPL Article 5, we rely on the following legal bases for each processing activity:

Processing activity	Legal basis
Creating and maintaining your account	Performance of the contract between you and ClearPass.health
Processing clinical text to generate notes	Explicit, informed consent at point of use
Cross-border transfer of redacted text to Anthropic	Explicit consent + appropriate safeguards (SCCs)
Subscription billing via Paddle	Performance of contract + legal obligation (tax records)
Service security, fraud prevention, abuse detection	Legitimate interest
Service improvement using aggregated, non-identifying usage data	Legitimate interest
Communications about your account, service, or material policy changes	Legitimate interest + legal obligation
Cross-border processing of health-related clinical content for insurance pre-authorisation	UAE Federal Law No. 2 of 2019 and Ministerial Resolution 51/2021 Article 6 (Insurance Claims Administration), combined with the safeguards listed in Section 7

You may withdraw your consent at any time by ceasing to use the Service and deleting your account. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

9. How long we keep your data

Data category	Retention
Clinical text input	Not retained by ClearPass.health after the response is returned. Retained by Anthropic for up to 30 days for abuse detection, then automatically deleted.
Generated note history	Stored in your browser's local storage only; not retained by ClearPass.health. Deleted when you clear your browser data.
Account data (name, email, password hash)	Retained while your account is active and for 7 years after closure, to satisfy UAE tax record-keeping and audit obligations.
Subscription and billing records	Retained for 7 years after the relevant transaction, consistent with UAE Federal Decree-Law No. 47 of 2022 on Corporate Tax.
Server logs	Retained for 90 days, then automatically purged.
Usage metrics	Retained for 12 months in identifiable form; thereafter aggregated and anonymised.
Records related to data subject requests	Retained for 3 years after the request is closed, for audit purposes.

10. Children's data

ClearPass.health is provided to licensed healthcare professionals; the user must be 18 or older. However, the clinical text you enter may relate to paediatric patients, including infants and adolescents in the paediatric subspecialties listed on our website.

We process information about paediatric patients only:

• Indirectly, through clinical text submitted by you in the course of your professional duties;
• Subject to the same auto-redaction safeguards as adult patient data; and
• Under the legal framework that you, as the treating clinician, hold appropriate parental or guardian consent for the use of clinical documentation tools as part of routine care.

Where paediatric data is processed, you remain responsible — under DHA/DOH professional standards and UAE healthcare law — for ensuring that parental authority covers your use of AI-assisted documentation tools. We recommend you consider this in your routine patient/parental information practices.

11. Security measures

We protect personal data using:

• Encryption in transit: All communication with ClearPass.health uses HTTPS/TLS.
• Encryption at rest: Account and subscription data are encrypted at rest by our hosting provider.
• Access controls: Only the ClearPass.health operator has administrative access to backend systems. All access is authenticated with multi-factor authentication.
• Multi-layer redaction pipeline: Client-side pre-submission redaction, server-side enforced redaction before any Anthropic API call, and response-side redaction of any echoed identifiers (see Section 5).
• Logging hygiene: Server logs record event counts, types, and aggregate metrics only — not raw clinical content. Where redaction events are logged, identifier samples are masked to the first three characters before being recorded.
• No long-term clinical storage: Clinical text exists in server memory only for the duration of the request that produced it. The absence of server-side clinical data storage materially reduces the impact of any security incident.
• Subprocessor selection: Subprocessors are selected for documented security postures, including SOC 2 Type II certification (Railway) and equivalent enterprise security controls (Anthropic, Paddle).

No system is perfectly secure. We continuously review and improve our controls based on the evolving threat landscape.

12. Breach notification

In the event of a personal data breach affecting your rights, ClearPass.health will:

1. Investigate and contain the breach as a matter of priority.
2. Notify the UAE Data Office within 72 hours of becoming aware of the breach, in accordance with PDPL Article 9.
3. Notify affected data subjects without undue delay where the breach is likely to result in high risk to their rights and freedoms.
4. Document the breach, our response, and lessons learned, and retain those records for at least 3 years.

If you become aware of any actual or suspected security breach affecting your ClearPass.health data, please contact us immediately at support@clearpass.health.

13. Your rights under the PDPL

Under Articles 13–17 of the PDPL, you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — request correction of inaccurate or incomplete data.
• Erasure — request deletion of your account and associated data.
• Restriction of processing — request that we limit how we use your data while a dispute is resolved.
• Data portability — request that we provide your data in a structured, machine-readable format.
• Withdraw consent — withdraw any consent you previously gave; this does not affect lawfulness of prior processing.
• Object to automated processing — note that ClearPass.health does not make decisions about you based solely on automated processing.
• Lodge a complaint with the UAE Data Office.

To exercise any of these rights, contact support@clearpass.health. We will respond within 14 working days and will not charge a fee except where requests are manifestly unfounded or excessive.

14. Automated decision-making

ClearPass.health uses AI to generate draft clinical documentation based on your input. This does not constitute automated decision-making about a data subject under PDPL Article 15: the output is draft documentation that must be reviewed and approved by you (the treating clinician) before it is used in any patient record or insurance submission. ClearPass.health does not make decisions that produce legal or similarly significant effects on individuals.

15. Data Protection Officer

For an organisation of ClearPass.health's current size and processing scope, the ClearPass.health operator serves as the designated Data Protection Officer under PDPL Article 10. The DPO can be contacted at support@clearpass.health — the same address used for general privacy enquiries. This consolidated contact is appropriate at our current operational scale.

This designation, and the consolidated contact arrangement, will be reviewed as ClearPass.health scales. If processing volume or complexity requires, a dedicated DPO mailbox and/or external DPO will be appointed and this policy updated accordingly.

16. Changes to this policy

We will update this policy from time to time as our practices, services, or applicable law evolve.

• Material changes (e.g., new subprocessors, new processing purposes, expansion of data categories): we will notify registered users by email at least 14 days before the change takes effect, where reasonably practicable.
• Non-material changes (clarifications, formatting, typo correction): we will update the "Last updated" date at the top of this policy and the version number.

A change history is maintained internally and is available on request.

17. Governing law and jurisdiction

This Privacy Policy is governed by the laws of the United Arab Emirates, in particular Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data. Any dispute arising from this policy is subject to the exclusive jurisdiction of the courts of Dubai, UAE.

This Privacy Policy is provided in English. In case of any conflict with translations into other languages, the English version prevails.