Privacy Policy
Effective: August 18, 2025 | Last Updated: February 25, 2026 | support@getruana.com

1. Who We Are

Ruana LLC (“Ruana”, “we”, “us”, “our”) is a practice management software company incorporated in California, United States. Principal Office: 548 Market St #228047, San Francisco, CA 94104.

Ruana operates as a data processor on behalf of healthcare practitioners and clinics (“Subscribers”) who use our platform. Subscribers are the data controllers responsible for patient data entered into Ruana.

2. Who Uses Ruana

  • Practitioners and Clinics — account owners and administrators who are data controllers for patient data
  • Staff and Assistants — practice support roles operating under the direction of the practitioner
  • Patients — limited access for booking appointments and completing intake forms

3. Information We Collect

3.1 Practitioner and Staff Data

When you register for or use Ruana, we collect: name, email address, contact details, login credentials, billing and payment information, practice records (SOAP notes, invoices, reports), and professional information.

3.2 Patient Data

Subscribers enter patient data into Ruana. This may include name, email, contact details, health questionnaires, symptom forms, insurance details, appointment history, and clinical notes. Subscribers are solely responsible for the lawful collection and processing of patient data.

3.3 Technical and Usage Data

We automatically collect technical information including IP address, browser type, device information, pages visited, and usage patterns.

4. Legal Basis for Processing (GDPR)

4.1 Subscriber and Staff Data

  • Contract performance — necessary to provide the Services under our Terms of Service
  • Legitimate interests — security monitoring, fraud prevention, and service improvement
  • Legal obligation — where required by applicable law

4.2 Patient Data

  • Contract performance — processing on behalf of the Subscriber to provide the Services
  • Consent — where obtained by the Subscriber from the patient
  • Legitimate interests of the Subscriber — providing healthcare services to patients

4.3 Website Analytics and Marketing

  • Consent — Google Analytics and Meta Pixel are only activated following explicit cookie consent

5. How We Use Information

  • Provide and maintain the Ruana platform
  • Facilitate scheduling, reminders, and billing
  • Enable practitioners to manage patient care records
  • Process payments through Stripe
  • Send transactional emails and SMS communications
  • Provide customer support through Featurebase
  • Comply with legal obligations
  • Improve and develop our Services

We do not sell or rent personal information to third parties for their marketing purposes.

6. Patient Health Information & HIPAA

Ruana operates as a HIPAA Business Associate for US-based Covered Entities. Subscribers who process PHI must execute a Business Associate Agreement (BAA) with Ruana before using the Services for that purpose. Patient health information is processed only as directed by the Subscriber and is not accessed by Ruana staff except as required for technical support with the Subscriber’s explicit authorization.

7. AI & Automated Processing

Ruana uses an AI-powered customer support assistant through Featurebase for general account and product questions. This assistant does not access or process patient records or sensitive health data. Ruana does not use AI for processing patient clinical information.

8. Analytics, Cookies & Tracking

Ruana’s marketing website (getruana.com) uses Google Analytics, Google Ads, and Meta (Facebook) Pixel. These tools are only activated after you provide explicit cookie consent. You may withdraw consent at any time by updating your cookie preferences.

9. Cross-Border Data Transfers

Ruana’s infrastructure is hosted on AWS servers located in the United States. For users in the EEA, UK, or Switzerland, the transfer of personal data to the US is governed by Standard Contractual Clauses (SCCs) as set out in our Data Processing Agreement. AWS acts as a subprocessor under its standard data processing terms, which incorporate SCCs where required.

10. Third-Party Service Providers

  • AWS — cloud hosting and infrastructure (United States)
  • Stripe — payment processing (United States)
  • Twilio — SMS communications (United States)
  • Mandrill (Mailchimp) — transactional email (United States)
  • Featurebase — customer support and feedback (EU — Netherlands and Germany)
  • Google Analytics — website analytics, consent-gated (United States)
  • Meta Pixel — advertising analytics, consent-gated (United States)

11. Data Retention

We retain personal data for the duration of the Subscriber’s active subscription. After account closure, data is retained for 90 days to allow data export, then permanently deleted. Backup copies may persist for up to 35 additional days.

12. Your Rights

  • Right of access — to obtain a copy of your personal data
  • Right to rectification — to correct inaccurate personal data
  • Right to erasure — to request deletion of your personal data
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing based on legitimate interests
  • Right to withdraw consent

To exercise your rights: support@getruana.com

13. California Residents — CCPA Rights

  • Right to know — the categories and specific pieces of personal information we collect, use, and disclose
  • Right to delete — to request deletion of personal information we have collected
  • Right to opt-out of sale — we do not sell personal information
  • Right to non-discrimination — we will not discriminate for exercising your CCPA rights

Contact: support@getruana.com

14. EU/EEA Residents — GDPR Rights

EEA residents have all rights described in Section 12 and the right to lodge a complaint with your local supervisory authority. In Germany: the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) or the relevant Landesdatenschutzbehörde.

Ruana does not have a mandatory Data Protection Officer (DPO) as we do not meet the threshold requiring mandatory DPO appointment. For all GDPR-related inquiries, contact us at support@getruana.com.

15. Security & Breach Notification

Ruana implements AES-256 encryption at rest, TLS 1.2+ in transit, role-based access controls, MFA, and continuous security monitoring. Full details are available at getruana.com/legal/security. In the event of a breach, we will notify affected Subscribers within 72 hours where required by GDPR.

16. Children’s Privacy

Ruana is not intended for individuals under 18. Minor patient data must be entered by the practitioner with appropriate parental or guardian consent.

17. SMS Communications

If you opt in to SMS communications, you may receive transactional text messages. Opt out by replying STOP. For assistance: support@getruana.com. SMS services are provided through Twilio.

18. Changes to This Policy

We will notify users of material changes by email or platform notification. The current version is always available at getruana.com/legal/privacy.

19. Contact Us

support@getruana.com
Ruana LLC | 548 Market St #228047 | San Francisco, CA 94104 | USA