Privacy Policy

Last updated: March 2026

1. Data Controller

VYLTA is the controller of your personal data. To exercise your rights or resolve questions, contact us at: privacy@vylta.app

2. Data We Collect

We collect the following categories of personal data:

• Account data: full name, email address, and bcrypt-hashed password.

• Payment data: processed exclusively by Stripe Inc. VYLTA does not store card numbers, CVV, or bank details on its servers.

• Usage data: pages visited, IP address, device type and browser, access time.

• Clinical patient data: name, phone, email, date of birth, insurance, clinical notes, appointment history, treatments, invoices, intake forms, NPS scores, and reward points.

• Communication data: log of messages sent to patients (SMS, email, WhatsApp), including content, channel, delivery status, and date.

All clinical data is entered by you as the practice or clinic owner and is stored encrypted at rest.

3. Purpose of Processing

We use your data exclusively to:

• Provide and maintain the clinic management Service.

• Process payments and manage your subscription.

• Send automatic appointment reminders to your patients.

• Generate reports and analytics for your practice.

• Send essential Service communications (account verification, password recovery, terms changes).

• Comply with applicable legal obligations.

We do not use your data for third-party advertising or commercial profiling, and we do not sell it to any third party under any circumstances.

4. Legal Basis

Processing is based on: (a) performance of the service contract; (b) your explicit consent where applicable; and (c) compliance with legal obligations.

5. Data Security

We implement: in-transit encryption (TLS/HTTPS), at-rest encryption (AES-256), bcrypt password hashing, two-factor authentication (2FA), automatic daily backups, and restricted access for authorized personnel.

6. Sharing with Third Parties

We share your data only with trusted service providers: Supabase (database), Stripe (payments), Resend (transactional emails), Vercel (hosting).

All are bound by data protection agreements and may not use your data for their own purposes.

7. Data Retention

We retain your data while your account is active and for 90 additional days after cancellation. Patient data is permanently deleted when that period expires.

8. Your Rights

Under applicable data protection laws, you have the following rights:

• Access: You can request and download a complete copy of all your data and your clinic's patient data in JSON format from Settings → Data → Export Data.

• Rectification: You can correct your personal data directly from Settings → Profile. Patient data can be edited from each patient's record.

• Erasure: You can request complete deletion of your account and all associated data (including patient data) from Settings → Account → Delete Account. Deletion is irreversible and executed within 72 hours.

• Objection: You can opt out of non-essential communications by disabling reminders from Settings → Notifications.

You may also exercise these rights by sending your request to privacy@vylta.app. We will respond within 20 business days.

9. Cookies

We use only essential cookies for session management. We do not use tracking or advertising cookies.

10. International Transfers

Your data may be processed in the USA by our service providers. All have adequate data protection mechanisms in accordance with international standards.

11. Changes to This Policy

We may update this Policy at any time. We will notify you by email of any significant changes.

12. Contact

For privacy questions: privacy@vylta.app

VYLTA · © 2026 All rights reserved.