Privacy Policy
Last updated: May 2, 2026
TruPass is a process-management platform used by health-tourism clinics to coordinate patient communication, medical forms, and treatment workflows. This policy explains what we collect, how we use it, and the choices you have.
1. Who We Are
TruPass ("TruPass", "we", "our", "us") operates the website gettrupass.com and the related software services. We act as a data processor for clinics ("Clinic Customers") who use our platform to manage their own patients, and as a data controller for visitors and account holders interacting directly with our marketing site and dashboard.
For privacy questions or to exercise your rights, contact us at privacy@gettrupass.com.
2. Information We Collect
We collect the following categories of information:
- Account data: name, email, phone number, role (clinic / patient), and authentication credentials.
- Clinic-supplied content: patient profiles, medical forms, photos, treatment plans, offers, consent documents, and other information uploaded by clinics on behalf of their patients.
- Messaging and integration data: if a clinic connects WhatsApp Business (via Meta Cloud API, Wati, or Twilio) or Meta-related services, we receive message content, sender phone numbers, and delivery metadata necessary to route conversations into the clinic dashboard.
- Usage and device data: IP address, browser, operating system, pages viewed, and timestamps. We use this for security, debugging, and product analytics.
- Cookies: session cookies for authentication and limited analytics cookies (see Cookie Preferences).
3. How We Use Information
- Provide, maintain, and secure the TruPass service.
- Route patient communications between clinics and their patients across channels they have connected (WhatsApp, email, SMS).
- Generate, store, and deliver medical forms, consent documents, treatment plans, and offers on behalf of the clinic.
- Detect abuse, prevent fraud, and comply with legal obligations.
- Communicate with you about product changes, security notices, and (where you have opted in) marketing.
We do not sell personal data, and we do not use clinic-supplied patient data to train AI models.
4. Meta Platform Data (WhatsApp & Facebook)
When a clinic connects WhatsApp Business through the Meta Cloud API or links a Facebook Business account, we receive only the data necessary to operate that integration: business account IDs, phone-number IDs, message content sent or received in the connected conversation, and delivery status.
- We use this data only to provide the messaging features the clinic has enabled.
- We do not share Meta Platform data with advertising networks or third-party analytics providers.
- Tokens issued by Meta are encrypted at rest using a per-environment Fernet key.
- When you disconnect the integration or delete your account, the related Meta Platform data is deleted from our active systems within 30 days. See our Data Deletion Instructions.
5. How We Share Information
We share information only as follows:
- With the Clinic: patient data uploaded or generated through the platform is visible to the clinic that invited the patient.
- Sub-processors: we use vetted infrastructure providers (e.g. cloud hosting, email, SMS, WhatsApp gateways, payment processors) under contractual data-protection terms.
- Legal requirements: when required by law, court order, or to protect rights and safety.
- Business transfers: in connection with a merger, acquisition, or sale of assets, with notice to affected users.
6. Data Retention
We retain account and clinic data for the duration of the service contract. Patient records are retained according to the clinic's retention rules and applicable medical-records legislation. Logs and operational telemetry are kept for up to 12 months. After deletion is requested or the contract ends, data is purged from active systems within 30 days and from encrypted backups within 90 days.
7. Security
We protect data with TLS in transit, encryption at rest for sensitive credentials, role-based access control, audit logging, and least-privilege infrastructure access. No system is perfectly secure; if a breach affects you, we will notify you and the relevant authorities as required by law.
8. Your Rights
Depending on your jurisdiction (including GDPR and KVKK), you may have the right to access, correct, port, or delete your personal data, to object to or restrict processing, and to lodge a complaint with a supervisory authority.
To exercise these rights, email privacy@gettrupass.com. If your data is held by a clinic that uses TruPass, please also contact that clinic directly — they are the controller for their patient records.
9. Children
TruPass is intended for use by adults. Clinics may upload data about minors in connection with treatment, in which case the clinic is responsible for obtaining lawful consent from a parent or legal guardian.
10. International Transfers
TruPass is operated from servers located in the European Union. If we transfer data outside the EU/EEA, we rely on Standard Contractual Clauses or another lawful transfer mechanism.
11. Changes to This Policy
We may update this policy from time to time. The "Last updated" date above reflects the most recent revision. Material changes will be communicated through the dashboard or by email to account holders.
12. Contact
Questions, requests, or complaints can be sent to privacy@gettrupass.com.