Privacy Policy
Last Updated: 27/04/2026
1. Introduction
Welcome to SpecsFlow ("we," "our," or "us"). We provide a cloud-based optometry practice management platform designed for clinics in the Philippines. We are committed to protecting your privacy and ensuring that all personal and medical data is handled in strict compliance with the Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations.
2. Our Role: Controller vs. Processor
Under the Data Privacy Act:
- The Optometry Clinic (Our Client) is the Personal Information Controller (PIC). The clinic determines why and how patient data is collected.
- SpecsFlow acts strictly as the Personal Information Processor (PIP). We only process, store, and transmit patient data on behalf of and according to the instructions of the Clinic.
3. Information We Collect
We collect two main categories of information:
A. Clinic Data (Controller): Information about our direct customers (the clinics), including owner names, business addresses, email addresses, phone numbers, Professional Regulation Commission (PRC) license numbers, and billing/payment information.
B. Patient Data (Processor): Information inputted by the Clinic into our system. This may include:
- Personally Identifiable Information (PII): Names, dates of birth, addresses, and contact numbers.
- Sensitive Personal Information: Optometric medical records, visual acuity, slit-lamp examination notes, prescriptions, diagnostic device imagery, Health Maintenance Organization (HMO) details, and Senior Citizen/PWD ID numbers.
- Other Data: Purchase history, appointment schedules, and optical lab orders.
4. How We Use the Information
We use the collected data strictly to provide, maintain, and improve our Service. This includes:
- Storing patient medical records and examination histories.
- Facilitating clinic workflows such as appointment scheduling, inventory management, and lab orders.
- Processing billing, invoicing, HMO tracking, and calculating statutory discounts (e.g., SC/PWD).
- Sending automated SMS/Viber/Email notifications (e.g., appointment reminders, marketing campaigns, optical orders) via local gateways on behalf of the Clinic.
- Generating reports and analytics for the Clinic’s internal management.
5. Data Sharing and Third-Party Sub-Processors
We do not sell, rent, or trade personal or medical data. To provide specific features, data may securely pass through vetted third-party service providers:
- Cloud Hosting: Secure servers (e.g., AWS or DigitalOcean) located in the Asia-Pacific region (e.g., Singapore) to ensure low latency and data sovereignty.
- Communications: Local SMS/messaging gateways (e.g., Semaphore, Promotexter) to facilitate automated reminders and marketing.
- Financial Integrations: Payment gateways (e.g., PayMongo, Xendit) and accounting software (e.g., Xero, QuickBooks Online) if integrated by the Clinic.
These third parties are bound by strict data processing and confidentiality agreements.
6. Data Security
We implement robust technical, organizational, and physical security measures to protect data against unauthorized access, alteration, disclosure, or destruction. This includes encryption of data in transit (HTTPS/SSL) and at rest, Role-Based Access Control (RBAC), and regular automated backups.
7. Data Retention
We retain Clinic Data for as long as the Clinic maintains an active subscription. If a Clinic terminates its account, we will provide a grace period of 30 days for the Clinic to securely export its Patient Data. Following this period, Patient Data will be permanently and irreversibly deleted from our active servers, unless legal obligations require further retention.
8. Rights of the Data Subject
Under the Data Privacy Act of 2012, individuals (patients) have the rights to be informed, to object, to access, to rectification, to erasure, and to data portability. Because the Clinic is the Personal Information Controller, patients must direct these requests to their respective Optometry Clinic. SpecsFlow will assist the Clinic in fulfilling these legal requests to the extent possible through our platform.
9. Contact Us
If you have questions about this Privacy Policy, please contact our Data Protection Officer (DPO) at:
- Email: tresworkflow@gmail.com
- Address: Davao City, Philippines