Last updated: April 27, 2026
This Privacy Policy describes how ClinicOctane (“we,” “us,” or “our”) collects, uses, stores, and protects information when you use our practice management platform at cxosy.com and any practice subdomains (collectively, the “Service”). The Service provides healthcare practices with workflow tools for patient communications, medical records release, billing inquiry management, and related administrative functions.
1. Who We Are
ClinicOctane operates the Service for healthcare practice clients (“Practices”) and their authorized staff. Patients, parents, guardians, and other third parties may also interact with the Service through public forms, secure chat sessions, and record-delivery flows operated on behalf of a Practice.
2. Information We Collect
a. Account and Practice Information
When a Practice or staff member is provisioned on the Service we collect names, email addresses, phone numbers, professional roles, and the Practice’s identifying information (legal name, subdomain, locations, configuration choices).
b. Patient and Health Information
The Service handles Protected Health Information (PHI) on behalf of Practices under written Business Associate Agreements (BAAs) consistent with the Health Insurance Portability and Accountability Act (HIPAA). PHI may include patient names, dates of birth, contact details, medical record content, billing inquiries, and related metadata.
c. Communications Data
The Service stores SMS, email, voicemail, fax, and secure-chat content exchanged through it, together with delivery metadata (timestamps, status, sender/recipient identifiers). This data is used to support the Practice’s workflow and audit obligations.
d. Google Workspace and Gmail Data
When an authorized Practice administrator connects a Google Workspace or Gmail mailbox to the Service via Google’s OAuth 2.0 authorization flow, the Service accesses messages and attachments in that mailbox in order to route inbound patient and third-party correspondence into the Practice’s billing and medical-records workflows. This is a Practice-controlled, opt-in connection and may be revoked at any time.
e. Technical Data
We collect IP addresses, browser type, device identifiers, session cookies, and access logs for security, abuse prevention, and audit purposes.
3. How We Use Information
We use the information described above only to:
- Operate, secure, and maintain the Service for the Practice that owns the data.
- Authenticate users, route communications, fulfill medical-records requests, manage billing inquiries, and produce HIPAA-required audit logs.
- Detect, prevent, and respond to security incidents, fraud, and abuse.
- Comply with legal obligations applicable to us or to the Practice we serve.
- Support Practice users when they request assistance, in accordance with the BAA in force with that Practice.
4. Google API Services User Data Policy — Limited Use
ClinicOctane’s use and transfer to any other application of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, with respect to data obtained from Google Workspace APIs (including Gmail):
- Scopes used. The Service requests only the Gmail scopes necessary for its functionality: reading inbox messages to ingest patient correspondence (gmail.readonly), marking ingested messages as read or applying labels (gmail.modify), and sending replies on behalf of the connected mailbox (gmail.send).
- No advertising use. We do not use Google user data to serve advertisements.
- No transfer for unrelated purposes. We do not transfer Google user data to third parties except as necessary to provide or improve the Service for the Practice that authorized the connection, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to affected Practices.
- No human access. We do not allow humans to read Google user data unless (a) we have the Practice’s affirmative consent for specific messages, (b) it is necessary for security purposes (such as investigating abuse), (c) it is necessary to comply with applicable law, or (d) the data has been aggregated and anonymized for internal operations.
- No use for AI training. We do not use Google user data to develop, improve, or train generalized or non-personalized artificial-intelligence or machine-learning models.
5. How We Share Information
We do not sell personal information. We share information only with:
- The Practice that owns the data and its authorized staff.
- Sub-processors that help us operate the Service (cloud hosting, telecommunications, OCR/AI processing of practice documents, transactional messaging) under written confidentiality and, where applicable, BAA obligations.
- Patients, requestors, and third parties expressly identified by the Practice as recipients of a particular communication or document release.
- Authorities, courts, or other parties when required by law, subpoena, or to protect the rights, safety, or property of ClinicOctane, our Practices, or the public.
6. Data Retention
We retain Practice and patient data for the period required by the Practice’s instructions, by applicable law (including HIPAA record-retention requirements), and for our legitimate audit obligations. Google Workspace data ingested via OAuth is retained only for as long as needed to operate the connected workflow and is deleted on Practice request or upon disconnection of the mailbox, subject to legal hold.
7. Security
The Service uses industry-standard administrative, physical, and technical safeguards, including TLS in transit, AES-256 encryption of sensitive fields and stored documents at rest, role-based access control, multi-factor authentication for staff, and immutable audit logging. No method of transmission or storage is perfectly secure; we work to address vulnerabilities promptly when identified.
8. Your Choices and Rights
Patients seeking access, correction, or deletion of records held by a Practice should contact that Practice directly; we will support the Practice in fulfilling such requests. Practice administrators may revoke OAuth authorizations at any time through Google account settings or through the in-app inbox controls. Where applicable law (such as state privacy statutes) grants additional rights, we honor them in accordance with the Practice’s instructions.
9. Children’s Privacy
The Service is intended for use by healthcare practices and adults acting on behalf of patients. We collect information about minors only when a Practice processes that information as part of its clinical or billing workflow, and only with the supervision of a parent or legal guardian as applicable.
10. International Users
The Service is operated from the United States. By using the Service, users outside the United States consent to the transfer of their information to, and processing in, the United States.
11. Changes to this Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page reflects the most recent revision. Material changes will be communicated to Practice administrators by email or in-app notice.
12. Contact
Questions about this Privacy Policy or our handling of personal information may be directed to: privacy@clinicoctane.com.