Privacy Policy

This Privacy Policy explains how [COMPANY], established in [COUNTRY] ("OnPoint", "we", "us"), processes personal data when you use OnPoint. Contact the data controller at [CONTACT EMAIL] or [POSTAL ADDRESS].

1. Data we collect

Account data

We process your name, email address, authentication details, preferred language, account role, subscription status and, where applicable, school name and school email used to verify student eligibility.

Payment data

Stripe processes subscription payments on our behalf. We receive transaction identifiers, payment status, plan, amount and limited billing details. We do not receive or store complete card numbers. Stripe processes payment data under its own privacy terms.

Usage and technical data

We may collect feature interactions, login events, device and browser information, approximate location derived from IP address, diagnostic logs, cookie choices and support correspondence to operate, secure and improve the service.

2. Clinical and patient data

OnPoint supports acupuncture and manual-technique workflows, including acupuncture, gua sha, tuina, cupping and moxibustion. Never enter a patient's name, contact details, identity number, exact birth date or any other identifying information. Use only initials, an internal code or a pseudonymous patient reference.

You are responsible for deciding whether and how to use OnPoint with clinical information, for obtaining any required consent, and for complying with professional secrecy, health-data and record-keeping rules in your jurisdiction. Clinical information may constitute sensitive or special-category data even when pseudonymised.

3. Data processing agreement

Where you act as controller and [COMPANY] processes personal data on your documented instructions, the parties will enter into a data processing agreement meeting GDPR Article 28 or equivalent local requirements. The agreement will address confidentiality, security, subprocessors, assistance with rights requests and incidents, deletion or return, and audit information. Request it at [CONTACT EMAIL]. Do not upload patient-identifying data before an applicable agreement and lawful basis are in place.

4. Purposes and legal bases

• Performing our contract: creating accounts, providing features, subscriptions, support and payments.
• Legitimate interests: securing the service, preventing fraud, troubleshooting and improving OnPoint, balanced against your rights.
• Legal obligations: accounting, tax, compliance and responding to lawful requests.
• Consent: optional analytics or other processing where consent is required; consent may be withdrawn at any time.

If special-category data is processed, you as the professional user must identify an applicable Article 9 GDPR condition or corresponding local basis.

5. Security and access controls

We use technical and organisational safeguards including encrypted transport, restricted administrative access, authentication, backups, monitoring and database row-level security designed to ensure users can access only records authorised for their account. No system is completely secure; notify us promptly at [SECURITY CONTACT EMAIL] if you suspect an incident.

6. Recipients and international transfers

Data may be shared only as needed with hosting, database, authentication, analytics, support, email and payment providers, including Stripe, and with professional advisers or authorities where legally required. Current subprocessors are listed at [SUBPROCESSOR URL]. Where data is transferred internationally, we use an applicable safeguard such as an adequacy decision or standard contractual clauses.

7. Retention

Account and usage data is retained for [RETENTION PERIOD] after account closure, unless a longer period is required by law or needed for legal claims. Payment and accounting records are retained for [PAYMENT RETENTION PERIOD]. Support and security logs are retained for [LOG RETENTION PERIOD]. Pseudonymous clinical content is deleted or anonymised according to [CLINICAL DATA RETENTION PERIOD / USER-CONTROLLED DELETION RULE].

8. Your rights

Depending on your country, you may have rights to access, correct, erase, restrict or object to processing, receive portable data, withdraw consent and complain to [RELEVANT DATA PROTECTION AUTHORITY]. You may also have rights concerning automated decisions. Contact [CONTACT EMAIL]. We may need to verify your identity.

9. Cookies and local storage

We use essential cookies or local storage for authentication, security, language, preferences and offline functionality. Optional analytics are used only where permitted and according to your consent choice. See [COOKIE POLICY URL] or the in-app cookie controls for details.

10. Children, changes and contact

OnPoint is intended for qualified practitioners and eligible adult students, not children. We may update this policy and will provide appropriate notice of material changes. Questions or requests may be sent to [CONTACT EMAIL], [COMPANY], [POSTAL ADDRESS], [COUNTRY].