Clinora
Trust & compliance

Patient data is a responsibility, not a feature.

A clinic's records are among the most sensitive data a small business can hold. Clinora was designed by starting from that fact: your data stays in Europe, the journal is encrypted column by column, and every access leaves a trace.

Hosted & processed in the EEA · GDPR Art. 9 handling by default · Encrypted at rest & in transit

Data stays in Europe

Your clinic's data is stored and processed inside the EEA, on European infrastructure. We don't transfer it out — not for analytics, not for support, not for anything. Where a sub-processor is used, it is bound to the same boundary.

Encryption that assumes a breach

Everything is encrypted in transit and at rest — and the sensitive columns of the journal (names, contact details, clinical notes) are encrypted again at the column level. A stolen database file reads as noise.

Every access leaves a trace

Each read of a patient record is logged: who, what, when, from which clinic. The audit chain is tamper-evident — entries can't be quietly edited or deleted, including by us. If a patient asks who opened their record, you can answer.

Retention by country, not by accident

Clinical records must be kept for years — roughly ten in the Nordics, up to twenty in the Netherlands — and GDPR erasure rights don't override those duties. Clinora applies the right rule per country automatically, and disposes records defensibly when time is up.

Per-country awareness

Five countries, five rulebooks — one system that knows them.

Indicative overview of how Clinora is configured per market. Not legal advice — your obligations depend on your registration and services.

| Country | Language | Currency & VAT | Journal retention | Payment rails |
|---|---|---|---|---|
| Sweden | Svenska | SEK · 25% | ≈ 10 years | Swish, cards |
| Norway | Norsk | NOK · 25% | ≈ 10 years | Vipps, cards |
| Denmark | Dansk | DKK · 25% | ≈ 10 years | MobilePay, cards |
| Finland | Suomi | EUR · 25.5% | ≈ 12 years | MobilePay, cards |
| Netherlands | Nederlands | EUR · 21% | 20 years (WGBO) | iDEAL, cards |

On the roadmap — said plainly

What we don't do yet.

We'd rather tell you now than surprise you later. National eID login (BankID, MitID, FTN, DigiD) and direct connections to national health registries are not live yet — they are on our roadmap, and the platform's architecture was built for them from day one. Today, identity is verified at the clinic and registry reporting remains your manual process, with Clinora giving you the complete, traceable record to report from.

Roadmap items ship to all plans when ready — no upcharge.

Operating practices

The boring things, done properly.

Do you sign a data processing agreement (DPA)?

Yes — a GDPR Article 28 DPA is part of every contract, in your language, naming every sub-processor and the EEA processing boundary.

Who at Clinora can see patient data?

By default: nobody. Support access requires your explicit, logged consent per case, is time-limited, and appears in the same audit trail your own staff's access does.

What happens if we leave?

Your data is yours. You get a complete, structured export — patients, journals, history, finances — and we destroy our copies on a documented schedule after the legal retention duties pass to you.

How do you handle backups and recovery?

Encrypted, automated backups inside the EEA with point-in-time recovery. Restores are tested on a schedule, not assumed.

How are incidents handled?

A documented incident process aligned to GDPR's 72-hour notification duty: we detect, contain, assess, and notify you with everything you need for your own regulator and patient communication.

Due diligence welcome

Put your questions to us directly.

Security reviews, DPA terms, data flows — bring your advisor, we'll bring the answers.