Legal

Privacy Policy

Last updated: July 1, 2026

1. Who We Are

SayHelloClinic.com ("SayHello", "we", "us") is a consultation conversion desk for premium clinics, available at sayhelloclinic.com and operated by BuzzMinter LLC, a Delaware limited liability company. SayHello helps clinics capture inquiries from LINE, WhatsApp, Instagram, Facebook Messenger, TikTok and their website, qualify them, book consultations (with Google Calendar), and send confirmations, reminders and follow-ups. You can reach us at desk@sayhelloclinic.com.

2. Our Role: Processor for Clinics

For the personal data of a clinic's inquiries and patients, the clinic (our customer) is the data controller and SayHello acts as a processoron the clinic's behalf and on its instructions. For account and website data of clinic staff who sign up and use SayHello directly, we act as controller. The clinic is responsible for having a lawful basis and any required patient consent (for example, consent to be contacted on a messaging channel).

3. Information We Collect

From clinic staff (account holders): name, email address, phone number, clinic name and role, provided when you contact us, request a demo, or sign in to SayHello.

On behalf of clinics, from their inquiries and patients: contact name, phone number or messaging channel identifier, the source channel (LINE, WhatsApp, Instagram, Facebook Messenger, TikTok, web form), the language and location provided, the service or treatment of interest, the message content exchanged, the requested and confirmed appointment slot, the appointment status, and the follow-up history.

Usage data: basic technical information (pages visited, browser type, IP address) collected through analytics to operate and improve the service.

4. What We Do NOT Collect (No Medical Records)

SayHello is a front-desk conversion tool, not an electronic medical record (EMR) or clinical system. We do not collect, request or store medical records, diagnoses, prescriptions, treatment notes, lab results or medical images. Clinics are asked to keep sensitive clinical detail out of SayHello and in their own clinical systems. Because inquiries may indirectly reveal an interest in a treatment, we minimize what is captured, restrict access, and process it only to book and manage appointments.

5. How We Use Information

We use the information to capture, qualify, route and book consultations; send confirmations, reminders, rescheduling links and no-show follow-ups; operate the front-desk dashboard and reporting; respond to your requests; and improve the service. We do not sell, rent, or share personal information with third parties for their own marketing.

6. Messaging Channel Integrations

When a clinic connects a channel, we receive and store on its behalf the channel account identifier, display name, and the OAuth access and refresh tokens (or channel credentials) needed to receive and send messages the clinic has asked us to handle. This applies to Meta channels (WhatsApp Business, Instagram, Facebook Messenger), LINE (Messaging API) and TikTok. Credentials are stored under strict access controls, isolated per clinic (tenant), and used solely to perform the actions the clinic has requested. We do not use them for any purpose outside that scope, and we do not access content beyond what is necessary to deliver the requested action. Outbound messages sent outside a platform's service window use pre-approved templates in accordance with that platform's rules.

7. Google Calendar and Google API Limited Use

SayHello's use of Google Calendar complies with the Google API Services User Data Policy, including the Limited Use requirements. When a clinic connects a Google account, we access on its behalf:

• Google Calendar free/busy intervals of the connected calendar (start and end timestamps of existing busy blocks), read-only, to compute available consultation slots shown on the clinic's booking flow. We do not read event titles, descriptions, attendees or other details.
• The ability to create, update and delete calendar events, exclusively for consultations booked through SayHello. Events we create are tagged with a private extended property identifying us as the source, so we never read or modify events created outside our flow. Push notification channels (Google Calendar watch) keep the clinic's booking dashboard in sync if an event is rescheduled or cancelled directly in Google Calendar.
• The Google account's primary email address (userinfo.email), captured at connection time only, to record which account was connected.

Data obtained through Google APIs is used solely to provide the booking features the clinic requested; it is not transferred except to the infrastructure providers strictly necessary to run the service or to comply with law, is not used for advertising, and is not read by humans except with consent, for security, to comply with law, or in aggregated/anonymized form.

8. Third-Party Service Providers

We use Amazon Web Services (AWS) for hosting and transactional email, and Supabase (managed Postgres) for backend infrastructure. These providers process data on our behalf under their own privacy commitments.

9. Data Security

We apply the following technical and organizational safeguards:

Encryption in transit. All traffic, including channel and API calls and dashboard access, is served over HTTPS using TLS 1.2 or higher.

Encryption at rest. The managed Postgres database and object storage are encrypted at rest using AES-256; backups inherit the same encryption. Channel and Google refresh tokens are additionally encrypted at the application layer before being stored.

Tenant isolation.Every record carries a clinic identifier, and all endpoints authenticate the caller before any read or write, so one clinic can never access another clinic's inquiries, tokens or reporting. Sensitive tables use Row-Level Security reachable only by our backend service role.

Limited human access.Personal and inquiry data is not read by humans except with the customer's consent, for security purposes, to comply with law, or in aggregated and anonymized form.

Incident response. On a confirmed incident affecting personal data or credentials, we notify affected clinics without undue delay, describe the data involved, and detail remediation, including revoking and rotating impacted tokens.

Data deletion. When a clinic disconnects an integration, terminates its account, or submits a written request to desk@sayhelloclinic.com, the associated tokens and personal data are deleted from production; residual copies in encrypted backups are purged within 30 days.

10. Data Retention

We retain inquiry and appointment data for as long as the clinic's account is active and the data is needed to provide the service, or as required by law, and delete it on request or on account termination as described above.

11. Your Rights

Depending on your jurisdiction, you (or a patient, via the clinic) may have the right to access, correct, or delete personal data. Patients should contact the clinic (the controller); we will assist the clinic in responding. For requests concerning data we control, contact desk@sayhelloclinic.com.

12. Cookies

Our website and dashboard use essential cookies for proper functionality. We do not use advertising tracking cookies without your consent.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Significant changes are reflected by updating the date at the top of this page.

14. Contact

For any privacy-related question, contact us at:
BuzzMinter LLC (operator of SayHelloClinic.com) — 8 The Green #21902, Dover, Delaware 19901, USA
desk@sayhelloclinic.com