Healthcare Compliance

Routiq is designed with healthcare compliance in mind. We implement industry-standard security controls to protect patient data.

HIPAA Alignment

While Routiq is not currently HIPAA certified, we implement HIPAA-aligned security controls:
  • Data Encryption: AES-256 encryption at rest, TLS 1.3 in transit
  • Access Controls: Role-based permissions and row-level security
  • Audit Logs: Complete tracking of all data access (retained for 7 years)
  • Secure Infrastructure: SOC 2 Type II certified cloud providers
If you’re subject to HIPAA requirements, consult your compliance officer before using messaging features for Protected Health Information (PHI).

GDPR Compliance

For practices in the EU or treating EU patients, Routiq supports GDPR requirements:
Patient Rights
  • Right to access (data export available)
  • Right to erasure (account deletion)
  • Right to data portability
  • Right to rectification
Data Protection
  • Privacy by design
  • Data minimization (we only collect what’s needed)
  • Encryption and secure storage
  • Breach notification within 72 hours

Regional Standards

Australia
  • Privacy Act 1988
  • Australian Privacy Principles (APPs)
  • Spam Act 2003 compliance
United States
  • HIPAA-aligned controls
  • State privacy laws (CCPA, etc.)

Data Privacy

What We Collect

Required for patient reactivation:
  • Patient name and contact information
  • Appointment history
  • Treatment types
We do NOT collect:
  • Medical diagnoses
  • Test results
  • Clinical notes
  • Payment information

How We Use Your Data

  • Patient reactivation campaigns - The core purpose
  • Service improvements - Analytics to improve Routiq
  • Compliance - Required record keeping

How We Protect Your Data

Encryption
  • All data encrypted at rest (AES-256)
  • All data encrypted in transit (TLS 1.3)
  • API keys encrypted before storage
Access Control
  • Multi-factor authentication (2FA) available
  • Role-based access control (Owner, Admin, Member)
  • Row-level security (you only see your practice data)
Infrastructure
  • Hosted on AWS (SOC 2 Type II certified)
  • Daily automated backups
  • 24/7 security monitoring

Data Retention

Data Type          Retention Period
Patient data       While account is active
Message history    24 months
Audit logs         7 years (compliance)
Deleted accounts   30 days (recovery period)

Data Sharing

We NEVER:
  • Sell your patient data
  • Share data with advertisers
  • Use data for non-service purposes
We ONLY share with:
  • Services you connect (Cliniko, Chatwoot)
  • Service providers bound by data processing agreements
  • Law enforcement (when legally required)

Security Best Practices

For Practice Owners

1. Enable Two-Factor Authentication
   Turn on 2FA for all admin accounts in Settings → Security
2. Use Strong Passwords
   Use unique passwords (12+ characters) or a password manager
3. Review Team Access
   Regularly audit team member roles and remove inactive users
4. Secure API Keys
   Store Cliniko/Chatwoot credentials securely, never share them

For Team Members

  • Lock your device when stepping away
  • Don’t share login credentials
  • Report suspicious activity to your practice owner
  • Only access Routiq from approved devices

Audit Logs

All security-relevant events are logged and available for review:
  • User logins and failed attempts
  • Patient record access
  • Campaign actions
  • Settings changes
  • Integration updates
Access logs: Settings → Security → Audit Logs (Owner access only)

Third-Party Services

Routiq uses trusted, certified service providers:
Service    Purpose                       Certification
Vercel     Application hosting           SOC 2, ISO 27001
Supabase   Database and authentication   SOC 2 Type II
Cliniko    Patient data source           ISO 27001
Chatwoot   Messaging platform            Open source, self-hostable

Certifications & Compliance Status

Current
  • GDPR compliance in progress
  • HIPAA-aligned security controls implemented
  • SOC 2 Type II audit in progress with Vanta (expected Q1 2026)

Questions?

For all support, compliance, and security questions:

Vulnerability Disclosure

Found a security issue? We appreciate responsible disclosure:
  1. Email: support@routiq.ai
  2. Include: Detailed description, steps to reproduce, impact
  3. Don’t: Publicly disclose before we’ve fixed the issue
  4. We will: Acknowledge within 48 hours and work to remediate