Privacy Policy
Last updated: 15 June 2026
Who we are
OsteoRise Limited operates MyNewClinic (mynewclinic.com). References to "we", "us" or "our" mean OsteoRise Limited. We are a company registered in England & Wales (company no. 15200521) and registered with the UK Information Commissioner's Office (ICO) under reference ZB762812. Our registered address is available on request at hello@mynewclinic.com.
What data we collect
Account data, name, email, clinic name and role, collected when staff sign up or are invited.
Patient records, the data your clinic enters or imports: patient demographics and contact details, appointments, clinical notes and charts, invoices and payments, intake forms and communications. You control and own this data.
Card data, when a clinic enables card payments, card details are held by Stripe, our payment processor. MyNewClinic stores only the card brand, last four digits and Stripe tokens, never the full card number.
Clinic billing data, payment details for your MyNewClinic subscription are held by Stripe, our billing processor. We do not store full card or bank account details.
Usage data, basic logs (timestamps, actions, record-access events) for security and audit. No third-party advertising or analytics trackers.
How we use your data
- To provide and operate the MyNewClinic practice-management service
- To send appointment confirmations and reminders you configure
- To take payments and raise invoices on your behalf
- To provide optional AI assistance, only when you enable it (see below)
- To process your clinic subscription via Stripe
- To respond to support requests and meet our legal obligations
We do not sell, rent or share your data for marketing purposes.
Patient data
You are the data controller for your patients' data. MyNewClinic acts as your data processor, processing it only to provide the service to you. You are responsible for the lawful basis for your processing and for any patient consent required under UK GDPR (including Article 9 for health data) and your professional obligations (e.g. GOsC, GCC, HCPC).
MyNewClinic gives you the tools to meet your patients' data-protection rights directly: one-click export of everything held on a patient, anonymising erasure that respects clinical-record retention, and a per-record access log.
AI features
The optional AI Assistant sends patient data (names, notes) to Anthropic to function. It is off by default and only operates once your clinic explicitly enables it in Settings, after putting your data-processing agreement in place. Under Anthropic's commercial API data-processing agreement, data submitted via the API is not used to train models and inputs and outputs are retained for up to 30 days for trust-and-safety purposes only. This is a contractual commitment from our provider rather than something MyNewClinic enforces in the application; confirm it against Anthropic's current DPA.
For a feature-by-feature breakdown of what each AI feature does, what data it sees, and where a clinician stays in the loop, see our AI, safety & trust page.
Data storage and security
Patient data is stored on UK infrastructure (Supabase, London region). Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access is role-based and restricted; record access is logged; two-factor authentication is available for staff accounts. Supabase, our database host, is SOC 2 Type II certified.
Data retention
We retain clinical records for the duration of your subscription plus the period required by healthcare record-keeping rules (typically 8 years for adults, longer for children). On cancellation, clinical records are retained for the required period and then securely deleted or anonymised. You may request earlier deletion of non-clinical account data.
Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your account data (subject to legal retention)
- Object to or restrict processing
- Data portability
- Lodge a complaint with the ICO (ico.org.uk)
To exercise any of these rights, email hello@mynewclinic.com.
Sub-processors
Supabase, database, authentication and file hosting (UK, London region).
Stripe, card payments, cards on file and clinic subscription billing.
Anthropic, AI Assistant (only when enabled). Per Anthropic's API terms, does not train on API data.
Telnyx, SMS reminders (optional).
Vercel, web app hosting (no patient data at rest).
A signed Data Processing Agreement and the current sub-processor list are available on request.
Cookies
We use only functional cookies necessary to maintain your login session. No advertising or tracking cookies are set.
Changes & contact
We may update this policy; material changes will be notified by email. OsteoRise Limited · hello@mynewclinic.com