
Privacy Policy

Plain language. Cited articles. Designed to be read by a layperson and verified by counsel.

Effective: [date - placeholder] · Last updated 2026-04-29

1. Header

This Privacy Policy is issued by Tellus DWC LLC, trading as ClinicBoost, with registered office at Office 1704, 17th Floor, Mayaza BB2, JLT, Dubai, United Arab Emirates. The company is registered in the DMCC Free Zone, trade licence number [placeholder].

Contact for privacy matters: privacy@clinicboost.ae. Postal contact: as above.

2. Scope of this policy

This policy covers personal data collected through the clinicboost.ae website, the audit request form, the WhatsApp business number, direct email correspondence, calendar booking flows, and any pre-contractual clinic onboarding steps.

This policy does not cover the platform-side processing of patient data for clinics under contract. That processing is governed by the Data Processing Agreement (DPA) signed with each clinic at the start of an engagement, and by our compliance posture. The DPA is available on request.

3. Identity of the data controller

The data controller for personal data within the scope of this policy is Tellus DWC LLC, registered in the DMCC Free Zone, Dubai. The accountable individual for privacy matters is Faheem ud Din (engineering and data architecture). The operational point of contact is Besnik (Dubai).

Cited:

UAE PDPL (Federal Decree-Law 45/2021), Article 7.

4. Data we collect - visitor data

We collect the following categories, with examples, in plain English:

  • Form data. Your name, role at the clinic, clinic name, clinic specialty, ad spend range, and the free-text response you write in the audit request form.
  • Technical data. Your IP address, browser, device class, and the page that referred you to ours. We do not fingerprint visitors.
  • Communication data. Your replies to our emails and WhatsApp messages.
  • Calendar booking data. The times you book and the names you provide when booking.

5. Data we collect - clinic and patient data (under contract)

This policy does not authorise or describe the processing of patient data. That processing is governed by the Data Processing Agreement between Tellus DWC LLC and the clinic, available on request.

Patient data processed under contract is subject to UAE Federal Law 2 of 2019, in particular Article 13 (residency), Article 16 (confidentiality), and Article 20 (the 25-year retention duty), and to the relevant emirate-level health authority's standards (DHA, DoH Abu Dhabi, MOHAP).

Cited:

UAE Federal Law 2 of 2019, Articles 13, 16, 20.

6. How we use the data

We use the data described in Section 4 for the following specific purposes:

  • To answer your audit request.
  • To prepare for your audit call.
  • To send you the audit document.
  • To follow up after the call, once.
  • To meet our legal record-keeping obligations.

We do not use the data described in Section 4 for:

  • Training artificial-intelligence or machine-learning models.
  • Sale to third parties.
  • Retargeted advertising of clinic owners.

7. Lawful bases

Each processing purpose is paired with the lawful basis it relies on under UAE PDPL Articles 4-6.

  • Audit request and follow-up. Legitimate interests (PDPL Article 4), balanced against your interests and rights as a data subject.
  • Contract performance for clinics under engagement. Contractual necessity (PDPL Article 4).
  • Marketing newsletters or communications. Explicit consent only. Consent must be free, specific, informed, unambiguous, and revocable (PDPL Article 5).
  • Public-health processing of patient data, where applicable. Falls under the permitted-without-consent provisions of PDPL Article 4 (occupational and preventive medicine, medical diagnosis, provision of health or social care, treatment, health insurance, management of health or social care systems, protection of public health). Operationally governed by Federal Law 2 of 2019, not this policy.
  • Legal obligations. Where Article 4's lawful-obligation provision applies.

Cited:

UAE PDPL, Articles 4, 5, 6.

8. Sharing with third parties and sub-processors

We use the following sub-processors. The list mirrors the live table on our compliance page.

  • GoHighLevel (CRM and marketing automation, US-hosted).
  • Twilio (voice and SMS telephony, region-pinnable).
  • ElevenLabs (voice synthesis, US-hosted).
  • OpenAI and Anthropic (LLM inference).
  • Microsoft Azure UAE North and UAE Central (primary cloud).
  • AWS me-central-1 (UAE) and me-south-1 (Bahrain).
  • Vercel (this marketing site).

We do not share personal data with parties outside this list except where required by law. Where we are required to disclose personal data to law enforcement or to a regulator, we will notify the data subject before disclosure where lawfully permitted to do so.

Cited:

UAE PDPL, Articles 7-8 (sub-processor controls).

9. International transfers

Default residency for personal data we control is the United Arab Emirates, hosted on Microsoft Azure UAE North (primary) and UAE Central (redundancy).

Transfers outside the UAE are governed by UAE PDPL Articles 22-23. They occur only to jurisdictions with an adequate protection level, or under contractual safeguards (Standard Contractual Clauses or equivalent), with the data subject's explicit consent where required.

For clinic-side patient data, UAE Federal Law 2 of 2019 Article 13 prohibits extra-territorial storage absent an authorised exception. For data subjects resident in Saudi Arabia, KSA PDPL Article 29 and the SDAIA Regulation on Personal Data Transfer Outside the Kingdom of Saudi Arabia (August 2024) govern, and we comply with the lawful purpose, safeguard, and approved-mechanism requirements set by those instruments.

Cited:

UAE PDPL Articles 22, 23. UAE Federal Law 2 of 2019 Article 13. KSA PDPL Article 29. SDAIA Personal Data Transfer Regulation (August 2024).

10. Your rights

You have the following rights as a data subject under UAE PDPL:

  • The right to access the personal data we hold about you.
  • The right to rectify inaccurate data.
  • The right to erasure where the lawful basis permits.
  • The right to restrict processing.
  • The right to object to processing.
  • The right to portability.

To exercise any of these rights, write to privacy@clinicboost.ae. We will acknowledge within 72 hours and respond within 30 days.

You also have the right to lodge a complaint with the UAE Data Office, the relevant emirate-level health authority, or your country's data-protection authority. For Saudi residents: SDAIA. For Qatari residents: the National Cyber Security Agency, or, on healthcare-specific matters, the Ministry of Public Health.

Cited:

UAE PDPL, Articles 13-18 (rights of the data subject).

11. Retention

  • Marketing inquiry data. Retained for 24 months after last contact, then deleted or fully anonymised.
  • Patient data under contract. At least 25 years from the patient's last health procedure, per UAE Federal Law 2 of 2019 Article 20. This is a clinic-level legal obligation. We honour it as the clinic's processor.
  • Commercial records (invoices, contracts). 5-7 years per UAE commercial law.

Specific retention by data category is documented in our Record of Processing Activities (ROPA), available to clinic counsel on request.

Cited:

UAE Federal Law 2 of 2019, Article 20.

12. Breach notification

We maintain an internal breach-response runbook. On detection, our containment target is 1 hour. Notification to the relevant supervisory authority follows UAE PDPL Article 9 (“without undue delay”), with our internal target of 72 hours from confirmation. For data subjects resident in Saudi Arabia, we follow the 72-hour standard set by Article 24 of the KSA PDPL Executive Regulations.

Affected data subjects are notified jointly with the clinic where applicable. A post-incident report is delivered within 14 days of containment.

Cited:

UAE PDPL Article 9. KSA PDPL Executive Regulations Article 24.

13. Data Protection Officer and DPIAs

A Data Protection Officer is designated for high-risk processing, large-scale sensitive-data processing, and systematic profiling, in line with UAE PDPL Articles 10-11. The DPO can be contacted at privacy@clinicboost.ae. The DPO name is [placeholder pending pre-launch appointment]; the current internal candidate is Faheem ud Din, with a fractional external DPO available where the clinic portfolio composition requires one.

Data Protection Impact Assessments are conducted for all high-risk processing per UAE PDPL Article 21. The voice-AI workflow has a completed DPIA, available to clinic counsel on request.

Cited:

UAE PDPL, Articles 10, 11, 21.

14. Cookies, updates, and contact

Cookies set by this site are described separately in our Cookie Policy.

Material updates to this policy are notified by email to anyone who has previously contacted us, with 30 days' notice. The operative version is the one published at clinicboost.ae/legal/privacy with the most recent effective date.

Contact for privacy matters: privacy@clinicboost.ae. Postal address: as in Section 1. Named accountable individual: Faheem ud Din.