Privacy Policy

1. Introduction

Welcome to MedFlip Profit. We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our CRM platform for managing medical supplies buyback businesses.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Email address
• Password (encrypted and hashed)
• Business name
• Contact information (phone, address)

2.2 Business Data

To provide our CRM services, we collect and store:

• Customer information (names, contact details, purchase history)
• Deal and transaction records
• Expense tracking data
• Product catalog and inventory information

2.3 Communication Data

If you use our messaging features, we collect:

• SMS message content and history (via your Twilio account)
• Message timestamps and delivery status

2.4 Third-Party Integration Data

When you connect external services:

• Twilio: Your Twilio Account SID, Auth Token, and Phone Number (encrypted)
• Stripe: Subscription and payment information

2.5 Usage Information

We automatically collect:

• Login history and session data
• Feature usage patterns
• Device and browser information
• IP addresses for security purposes

3. How We Use Your Information

We use your data to:

• Provide Services: Enable CRM functionality, customer management, deal tracking, and reporting
• Messaging Features: Facilitate SMS communications with your customers
• Account Management: Authenticate users, manage subscriptions, and process payments
• Communication: Send important updates, password resets, and subscription notifications
• Improvement: Analyze usage patterns to enhance our platform
• Security: Detect fraud, prevent abuse, and protect user data
• Legal Compliance: Meet regulatory and legal obligations

4. Third-Party Services and APIs

4.1 Twilio SMS Integration

When you configure Twilio:

• Your Twilio credentials are encrypted using industry-standard encryption (Fernet)
• We use your credentials only to send and receive SMS on your behalf
• SMS content is stored in our database for tracking purposes
• We validate webhook signatures to prevent unauthorized access

4.2 Stripe Payment Processing

We use Stripe for subscription payments:

• Stripe processes your payment information securely
• We do not store credit card details on our servers
• We receive subscription status updates via webhooks

4.3 Resend Email Service

We use Resend for transactional emails:

• Welcome emails with account setup links
• Password reset notifications
• Email addresses are not shared for marketing purposes

5. Data Security

We implement comprehensive security measures:

• Encryption: All sensitive credentials (Twilio) are encrypted at rest using Fernet symmetric encryption
• Password Security: User passwords are hashed using Werkzeug's PBKDF2-SHA256 algorithm
• HTTPS: All data transmitted between your browser and our servers is encrypted via SSL/TLS
• Access Controls: Multi-tenant architecture ensures complete data isolation between users
• Webhook Validation: All incoming webhooks (Twilio SMS) are validated using signature verification
• Session Security: Secure cookie-based session management with Flask-Login

6. Data Sharing and Disclosure

We do not sell your personal data. We share information only in these situations:

• Service Providers: With Stripe, Twilio, and Resend to provide our services
• Legal Requirements: When required by law or to protect our rights
• Business Transfers: In case of merger, acquisition, or sale of assets (with prior notice)

Multi-Tenant Isolation: Your data is completely isolated from other users. No user can access another user's customers, deals, expenses, or messages.

7. Data Retention

We retain your data as follows:

• Active Accounts: Data is retained while your account is active
• Closed Accounts: Data may be retained for up to 90 days after account closure for legal and security purposes
• Legal Obligations: Some data may be retained longer if required by law
• Backups: Data in backups may persist for up to 30 days after deletion

8. Your Rights and Choices

You have the following rights:

• Access: Request a copy of your personal data
• Correction: Update inaccurate or incomplete information through your account settings
• Deletion: Request deletion of your account and associated data
• Export: Download your data in CSV format (available for deals and other records)
• Disconnect Services: Unlink Twilio integration at any time from Settings
• Opt-Out: Unsubscribe from non-essential communications

9. Cookies and Tracking

We use cookies for:

• Session management (keeping you logged in)
• Security (CSRF protection, OAuth state validation)
• Functionality ("Remember Me" feature)

We do not use third-party advertising or tracking cookies.

10. Children's Privacy

MedFlip Profit is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us immediately.

11. International Data Transfers

Your data may be stored and processed in data centers located in the United States or other countries where our service providers operate. By using our service, you consent to such transfers.

12. Changes to This Policy

We may update this privacy policy periodically. When we make significant changes, we will:

• Update the "Last Updated" date at the top of this page
• Notify you via email if you have an active account
• Display a notice on our platform

Continued use of our service after changes constitutes acceptance of the updated policy.

13. Contact Us

14. Compliance

This privacy policy is designed to comply with:

• General Data Protection Regulation (GDPR)
• California Consumer Privacy Act (CCPA)
• Twilio Acceptable Use Policy
• Stripe Terms of Service
• Other applicable data protection laws