Privacy policy
Version and effective date
Version: 2026-01-26
Effective date: 26 January 2026
1. Introduction
This Privacy Policy explains how LinkHMS B.V. (“LinkHMS”, “we”, “us”) processes personal data as a Data Controller.
Patient data is not covered here. Clinics use LinkHMS to store and manage patient data. In that context:
- The clinic is the Data Controller for patient data.
- LinkHMS is the Data Processor for patient data.
If you are a patient and want to exercise rights about patient records, contact your clinic directly. LinkHMS will support the clinic as required under our Data Processing Agreement.
2. Who we are
Controller: LinkHMS B.V., Netherlands
Registered address: Museumlaan 2, 3581HK Utrecht
Chamber of Commerce (KvK): 99036215
Contact: contact@linkhms.com
This policy applies to:
- website visitors
- marketing leads
- clinic admin users (account holders)
- billing contacts
- support requests
- job applicants
3. What data we collect and why (Controller data)
We collect only what we need for the purposes below.
A) Website visitors
Data we may collect:
- IP address, device and browser data, approximate location (city/country), pages viewed, referrer, timestamps
- cookie identifiers (if you accept non-essential cookies)
Why
- operate and secure the website
- measure website performance and improve content (analytics, if enabled)
- prevent fraud and abuse
B) Marketing leads (sales/marketing)
Data we may collect:
- name, work email, phone (if provided), company/clinic name, role, country
- marketing preferences and opt-out status
- communications history (emails, calls, demos)
- lead source (e.g., form submission, event, referral)
- medical qualifications (only if provided and relevant to onboarding or verification)
Why
- respond to inquiries and book demos
- send product updates/marketing (where allowed)
- manage our pipeline and customer relationships
- verify eligibility or credentials where relevant (if applicable)
C) Clinic admin users (account holders)
Data we may collect:
- name, work email, phone (optional), role/permissions, clinic/company name
- medical qualifications (only if provided and relevant to onboarding or verification)
- login and security data (hashed credentials, MFA status if used)
- audit and usage metadata tied to admin users (e.g., login timestamps, admin actions, IP address)
Why
- create and manage accounts
- authenticate users and keep the service secure
- provide service communications (service notices, security notices, essential messages)
- manage customer relationship and account administration
- verify eligibility or credentials where relevant (if applicable)
D) Billing contacts
Data we may collect:
- name, work email, phone (optional)
- invoicing details (company name, address, VAT ID)
- payment status, invoices, transaction references (we generally do not store full card details)
Why
- issue invoices, process payments, accounting and tax compliance
- manage renewals, collections, and financial records
E) Support requests
Data we may collect:
- name, email, phone (optional)
- ticket content and attachments you send
- technical diagnostics needed to resolve issues (device/app details, logs related to support)
Why
- answer questions and fix issues
- maintain service quality and security
F) Job applicants
Data we may collect:
- CV/resume, cover letter, contact details
- interview notes, references (if provided), portfolio links
Why
- assess candidates and manage recruitment
4. Legal bases (GDPR) and lawful basis framing (Nigeria NDPA)
If you are in the EEA/UK, we rely on the GDPR (and UK GDPR where relevant). For Nigeria, we rely on lawful bases under the Nigeria Data Protection Act (NDPA) using similar concepts.
We use one or more of these bases depending on the context:
- Contract / steps before contract: to create accounts, provide the service to clinic customers, handle billing, respond to demo requests.
- Legitimate interests: to secure our website and service, prevent abuse, improve the product, manage B2B relationships, and respond to support. We balance these interests against your rights.
- Consent: for optional cookies/analytics where required, and for marketing in jurisdictions that require opt-in.
- Legal obligation: accounting, tax, and compliance requirements.
5. Cookies and analytics
We use essential cookies for core site functionality and security. We may use analytics cookies only where permitted and/or after consent (depending on your location and settings). If we use a cookie banner, you can manage preferences there. Your browser settings can also block cookies, but some features may break.
6. Who we share data with (our processors)
We share Controller data with vetted service providers acting as our processors, for example:
- cloud hosting and infrastructure (e.g., AWS for website/app infrastructure)
- email and productivity tools (sending transactional emails and internal operations)
- CRM and marketing tools (lead management, email campaigns where permitted)
- payment processors and invoicing tools (billing and payment handling)
- support/helpdesk tools (ticketing, live chat)
- analytics providers (website analytics, only if enabled/allowed)
We only share what is necessary, under contracts requiring confidentiality, security, and data protection. We may also share data:
- with professional advisors (legal, accounting) under confidentiality
- if required by law, court order, or to protect rights, safety, and security
- in a business transaction (e.g., merger/acquisition), with appropriate safeguards
7. International transfers
We host and process Controller data in regional deployments, depending on the clinic’s location and the deployment selected by the customer:
- EU clinics: data is hosted in the EU deployment.
- US and Canada clinics: data is hosted in the US deployment.
- African clinics: data is hosted in the Africa deployment.
- All other clinics: data is hosted in either the EU deployment or the Africa deployment, as selected by the customer.
Cross-border access and support: Even when data is hosted in a specific region, LinkHMS personnel and approved service providers may access data from other countries when necessary to provide support, maintain security, and operate the service, subject to appropriate controls.
Transfers from the EEA/UK: If Controller data is transferred outside the EEA/UK (for example, when a customer selects a non-EEA deployment or when an EEA-based service provider uses sub-processors outside the EEA), we use appropriate safeguards such as:
- EU Standard Contractual Clauses (SCCs) (and the UK addendum where applicable), and
- additional technical and organizational measures where needed.
Nigeria: Where Nigerian law applies, we use cross-border safeguards and controls consistent with applicable NDPA requirements.
8. Retention (high-level)
We keep Controller data only as long as needed:
- website logs/security data: typically up to 12 months (shorter where possible)
- marketing leads: until you opt out or we consider the lead inactive (typically 12-24 months)
- admin account data: for the duration of the customer relationship, then typically 12-24 months, unless we must keep it longer for disputes/security
- billing records: typically 7 years (tax/accounting requirements may apply)
- support tickets: typically 24 months after closure (longer if needed for ongoing issues or security)
- job applicants: typically up to 12 months after the hiring decision (unless you agree to longer)
We may retain data longer if required by law, to enforce agreements, or to resolve disputes.
9. Your rights and how to exercise them
If LinkHMS is the Controller for your data, you may have rights depending on your location.
EEA/UK (GDPR/UK GDPR) rights typically include:
- access
- rectification
- deletion
- restriction
- portability
- objection (including to direct marketing)
- withdraw consent at any time (where processing is based on consent)
Nigeria (NDPA) rights include similar rights, including access, correction, deletion, objection, and consent withdrawal where applicable.
How to exercise rights: email contact@linkhms.com with:
- your name
- the email you used with us
- what you want to request
We may need to verify your identity before fulfilling requests.
Patient data reminder: if your request is about patient records stored by a clinic in LinkHMS, contact the clinic (the clinic is the Controller). LinkHMS will not act directly on patient requests unless instructed by the clinic and permitted by law.
10. Marketing choices
You can opt out of marketing emails at any time using the unsubscribe link in the email or by contacting contact@linkhms.com. You may still receive essential service messages (e.g., security or billing).
11. Security
We use reasonable technical and organizational measures to protect Controller data (access controls, encryption where appropriate, logging, and vendor due diligence). No system is 100% secure, but we work to reduce risk.
12. Third-party websites
Our website or app may link to third-party websites or services that we do not control. Their privacy practices are governed by their own policies, not this one. We are not responsible for the content, security, or privacy practices of third-party sites.
13. Relationship to our Terms and DPA
When a clinic signs up, its use of LinkHMS is governed by our Terms of Service and Data Processing Agreement (DPA). This Privacy Policy explains how LinkHMS processes personal data as a Controller. Where LinkHMS processes patient data on behalf of a clinic, that processing is governed by the DPA and the clinic’s instructions.
This Privacy Policy does not override contracts, but it is intended to describe our controller-side processing transparently.
14. Complaints
You can complain to your local data protection authority where applicable.
15. Changes to this policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will post the updated version on our website and update the version/date above. If changes are material, we will provide additional notice (e.g., in-app or by email).