Privacy Policy

Last updated: March 12, 2026

1. Introduction

ERP Flow Studios (“we”, “our”, or “us”) operates the ERP Flow Studios clinic management platform accessible at erpflowstudios.vercel.app. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

2. Information We Collect

  • Account information: name, email address, phone number, and clinic details provided during registration.
  • Patient data: demographic information, visit records, prescriptions, and medical notes entered by clinic staff.
  • Usage data: pages visited, features used, and interaction logs for improving the platform.
  • Device information: browser type, IP address, and operating system for security and support purposes.
  • Email integration data: if you connect your Gmail account or configure SMTP, we store OAuth tokens and SMTP credentials securely (encrypted at rest).

3. How We Use Your Information

  • To provide and maintain the clinic management service.
  • To send transactional emails (e.g., purchase order notifications, appointment reminders) on behalf of your clinic.
  • To authenticate users and secure access to clinic data.
  • To respond to support requests and improve platform performance.
  • To comply with applicable legal obligations.

4. Google API and Gmail Integration

When you connect a Gmail account using Google OAuth, ERP Flow Studios accesses only the permissions you explicitly grant. Specifically, we request the Gmail Send scope (https://www.googleapis.com/auth/gmail.send) to send emails on behalf of your clinic.

We do not read, store, or process the contents of your Gmail inbox. OAuth tokens are stored securely and used solely to send emails that you configure within the platform. You can disconnect your Gmail account at any time from Clinic Settings → Integrations → Email.

Our use of Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.

5. Data Sharing and Disclosure

We do not sell or rent your personal data. We may share data only in the following limited circumstances:

  • Service providers: trusted third-party processors (e.g., Supabase for database hosting, Cloudinary for image storage) who are bound by confidentiality obligations.
  • Legal requirements: if required by law, court order, or governmental authority.
  • Business transfers: in the event of a merger or acquisition, with advance notice to affected users.

6. Data Security

We implement industry-standard security measures, including HTTPS encryption, hashed passwords, encrypted credential storage, and session-based authentication. Patient data is isolated per clinic and accessible only by authorized clinic staff.

7. Data Retention

We retain your data for as long as your account is active or as needed to provide services. You may request deletion of your clinic data at any time by contacting us. Upon deletion, data is permanently removed within 30 days.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access, correct, or delete your personal data.
  • Withdraw consent for data processing.
  • Request a portable copy of your data.
  • Lodge a complaint with a data protection authority.

9. Children's Privacy

Our platform is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy on this page and updating the “Last updated” date above.

11. Contact Us

If you have any questions about this Privacy Policy, please contact us at: