
Privacy Policy

Your laboratory's data belongs to you — this policy explains, in plain language, exactly what we collect, why, and the strong protections that surround it every step of the way.

Effective: 2026-06-26 | Last updated: 2026-06-26 | Applies to: CLARUS®

At CLARUS® (كلاروس), privacy is not a legal afterthought — it is part of how the product is built. This Privacy Policy explains what information we handle when your laboratory uses our cloud, hybrid, or offline Laboratory Information System (LIS), why we handle it, and the rights and choices you have.

We have written this in clear, human language and kept the jargon to a minimum. Where a topic needs more depth — particularly around the patient and health data your lab puts into the system — we point you to the specific document that governs it, such as our Data Processing Agreement (DPA).

This policy is effective as of 26 June 2026.

1. Our Commitment & Scope

CLARUS® is a Software-as-a-Service Laboratory Information System operated for medical laboratories across the MENA region (with Egypt as our primary market), the Gulf, the Maghreb, and Africa. This policy applies to the CLARUS® platform at claruslis.com and every laboratory tenant hosted at its own <subdomain>.claruslis.com address, together with our websites, customer portal, and support channels.

Our commitment is simple: you own your data, we never lock it in, and we never quietly repurpose what is entrusted to us. We design for transparency, per-tenant isolation, and strong security by default, and we hold ourselves to global best practice adapted for a regional, healthcare audience.

This Privacy Policy covers the personal data of the people we deal with directly — the lab owners, managers, and staff who hold CLARUS® accounts, and the visitors to our sites. The patient and health data that a laboratory enters into CLARUS® is handled differently, under the lab's own instructions; Sections 2 and 5 and our DPA explain that relationship in full.

  • Who we are: CLARUS®, an LIS SaaS provider; the operator of claruslis.com and its tenant subdomains.
  • What this covers: account, billing, usage, website, and support data we control.
  • What the DPA covers: patient/health data your lab processes through CLARUS®.
  • Effective date: 26 June 2026.

2. Controller vs Processor — Two Different Roles

Privacy law distinguishes between the party that decides why and how data is used (the controller) and the party that handles data on someone else's instructions (the processor). CLARUS® plays both roles, and it matters which one applies to which data.

For your laboratory's own account, contact, and billing information, CLARUS® is the data CONTROLLER. We decide how to run your account, invoice you, secure the platform, and support you, and this Privacy Policy governs that data.

For the patient and health data your laboratory enters into the system — demographics, orders, samples, results, reports — your LABORATORY is the CONTROLLER and CLARUS® is the PROCESSOR. We act only on your lab's documented instructions, we do not decide the purposes of that processing, and we never use it for our own ends. The detailed terms of that relationship live in our Data Processing Agreement (DPA), which forms part of your contract with us.

  • CLARUS® as CONTROLLER: lab account details, named-user contacts, billing and payment records, usage telemetry, support correspondence.
  • CLARUS® as PROCESSOR: patient identifiers, test orders, sample data, results and reports, and any health data your lab stores in the system.
  • The DPA, not this policy, governs the processor relationship for patient data.

3. Information We Collect

We collect only what we need to provide, secure, bill, and support the service. The categories below describe data for which CLARUS® acts as controller.

Account and identity data includes the laboratory's name and registration details, subdomain, and the names, roles, work email addresses, and phone numbers of the staff you authorise to use CLARUS®, together with the credentials and two-factor settings that protect their logins. We never ask for, and you should never store as account data, more than is needed to identify and authenticate your team.

Usage and telemetry data includes login events, feature usage, device and browser type, IP address, language and currency preferences, performance metrics, and security and audit logs. We use this to keep the service reliable, diagnose problems, prevent abuse, and improve the product. Billing data includes your plan, add-ons, invoices, payment status, and the limited transaction details our payment partners return to us — we do not store full card numbers. Support data includes the messages, attachments, and chat transcripts you send us when you contact support.

  • Account & identity: lab profile, subdomain, named users, roles, credentials, 2FA settings.
  • Usage & telemetry: logins, feature use, device/browser, IP, preferences, performance and audit logs.
  • Billing: plan and add-ons, invoices, payment status, partner transaction references (never full card numbers).
  • Support: emails, live-chat transcripts, and attachments you send us.

4. How We Use Information & Our Legal Bases

We use the data described above to deliver CLARUS® to your laboratory, keep it secure, charge fairly for it, and support you well. Concretely, that means provisioning and running your tenant, authenticating users, processing payments and renewals, providing technical support and live chat, monitoring for fraud and security threats, meeting our legal and tax obligations, and improving and developing the product.

Each use rests on a clear legal basis. Most processing is necessary to perform our contract with your laboratory or to take steps at your request before entering one. Some processing — such as security monitoring, abuse prevention, and product improvement — relies on our legitimate interests in running a safe, dependable service, balanced against your rights. A limited amount relies on compliance with legal obligations (for example, retaining invoices for tax purposes), and any optional communications that require consent are sent only where you have given it and can be withdrawn at any time.

Throughout, we honour the governing law of the Arab Republic of Egypt while preserving any mandatory data-protection and consumer rights you hold under the law of your own country.

  • Contract: running your tenant, authentication, billing, renewals, support.
  • Legitimate interests: security, fraud prevention, reliability, product improvement.
  • Legal obligation: tax, accounting, and statutory record-keeping.
  • Consent: optional marketing or product updates — opt-in, and revocable at any time.

5. Patient & Health Data — Processed Only on Your Instructions

The clinical heart of CLARUS® is the patient and health data your laboratory processes. We treat it with particular care, and we want to be unambiguous about how we handle it.

For this data your laboratory is the controller and CLARUS® is the processor. We process it solely to provide the LIS service and strictly on your lab's documented instructions — to store, organise, transmit, and present the records and results you create. We do NOT use patient or health data for our own purposes, we do NOT sell it, we do NOT mine it for advertising, and we do NOT use it to train models or build profiles for our benefit. Our staff access it only when necessary to deliver or support the service, under confidentiality obligations and least-privilege controls.

Because the data is yours, you keep control of its lifecycle. You can export it at any time in open, standards-based formats — we support HL7, ASTM, and FHIR — so there is no lock-in, and you can move to another system if you ever choose to. The full terms, including sub-processing, security, breach notification, and return-or-deletion on exit, are set out in our DPA.

  • Lab = controller; CLARUS® = processor, acting only on documented instructions.
  • Never used for our own purposes, never sold, never used for advertising or model training.
  • Staff access is least-privilege, logged, and bound by confidentiality.
  • Open export via HL7, ASTM, and FHIR — your data, no lock-in.
  • Governed in detail by the Data Processing Agreement (DPA).

6. Sharing & Sub-Processors

We do not sell your data, and we do not share it except as needed to run the service or as required by law. Where we rely on trusted third parties to operate CLARUS®, we engage them as sub-processors under written contracts that bind them to confidentiality, security, and purpose-limitation obligations at least as strict as our own.

These sub-processors fall into a small number of categories: infrastructure and hosting providers that run the platform; payment processors that handle billing and settlement; and communication providers that deliver transactional email and SMS or messaging notifications on your behalf. Each is given only the minimum data required for its function.

We may also disclose data where the law genuinely compels it — for example a valid order from a competent authority — and in that case we disclose only what is required and, where we are lawfully able, inform you. We maintain a current list of sub-processors and notify customers of material changes so you can stay informed.

  • Hosting & infrastructure: to run and secure the platform.
  • Payments: to process invoices and settle charges (settlement in Egyptian Pound, EGP).
  • Email / SMS / messaging: to send transactional and account notifications.
  • Each is contractually bound; none is permitted to use your data for its own purposes.
  • We keep a sub-processor list current and notify you of material changes.

7. International Transfers & Safeguards

CLARUS® serves laboratories across MENA and Africa, and some of our infrastructure and sub-processors may operate in more than one country. This means your data may, where necessary, be transferred and processed outside the country in which your laboratory is located.

Wherever data moves, it remains protected by this policy and by appropriate legal safeguards. We use recognised transfer mechanisms — such as contractual data-protection clauses with our sub-processors — and we apply the same technical and organisational security measures regardless of location. We choose providers that meet our security and confidentiality standards.

Where your laboratory requires data residency in a particular jurisdiction, talk to us; we will explain the hosting options available to you under your plan.

8. Data Retention

We keep data only for as long as it is needed for the purposes described in this policy, and then we delete or anonymise it. The right period depends on the type of data.

We retain your account and configuration data for as long as your laboratory has an active subscription. After your contract ends, we keep patient and health data available for a defined return-and-deletion window — set out in the DPA — so you can export everything you need before it is securely deleted from our active systems and, on the agreed schedule, from backups. Billing and tax records are kept for the periods required by Egyptian law and applicable accounting rules. Security and audit logs are retained for a limited period proportionate to their protective purpose.

When a retention period ends, we delete data securely or irreversibly anonymise it. You can always ask us about the retention applied to a specific category.

  • Account & configuration: for the life of your subscription.
  • Patient/health data: returnable on exit, then securely deleted per the DPA timeline (including backups).
  • Billing & tax records: as required by Egyptian and applicable law.
  • Logs: a limited, proportionate period for security and audit.

9. Security Measures

Protecting your data is a core engineering responsibility, not a checkbox. CLARUS® is built with security in depth, and we continually review and improve our controls against evolving threats.

Our safeguards include encryption of data in transit and at rest, strict per-tenant isolation so one laboratory's data is never commingled with another's, role-based access control with least-privilege defaults, and detailed audit logging of sensitive actions. We support two-factor authentication for user accounts, maintain encrypted backups, and operate disaster-recovery procedures designed to keep your service available and your data restorable.

No system can promise perfect security, but we work hard to minimise risk and to respond quickly if something goes wrong. Our DPA sets out our breach-notification commitments for patient and health data, and we will inform you promptly of any incident that materially affects your data.

  • Encryption in transit and at rest.
  • Per-tenant isolation — no commingling of laboratories' data.
  • Role-based access control with least-privilege defaults.
  • Audit logging, two-factor authentication, encrypted backups, and disaster recovery.
  • Prompt, defined breach notification under the DPA.

10. Your Rights & How to Exercise Them

You have meaningful rights over the personal data we hold about you as a controller, and we make them easy to exercise. Depending on the circumstances and applicable law, these include the right to access the data we hold about you, to correct it if it is inaccurate, to delete it, to receive a copy in a portable format, to object to or restrict certain processing, and to withdraw any consent you have given.

Many of these you can act on directly inside CLARUS® — updating your profile, managing users, adjusting communication preferences, and exporting data in open formats. For anything else, contact our Data Protection Officer at dpo@claruslis.com or our privacy team at privacy@claruslis.com, and our in-app live chat is also available. We will verify your identity, respond within the timeframes required by applicable law, and not charge for reasonable requests.

Important: if your request concerns patient or health data, your laboratory — not CLARUS® — is the controller. In that case we will direct the request to your lab and support it as processor, in line with the DPA. If you believe we have not handled your data properly, we would like the chance to put it right; you also retain the right to complain to your competent data-protection authority.

  • Access, correct, delete, port, object/restrict, and withdraw consent.
  • Self-serve in-app for profile, users, preferences, and data export.
  • Contact: dpo@claruslis.com or privacy@claruslis.com, or in-app live chat.
  • Patient-data requests are routed to your lab as controller, with our support as processor.

11. Cookies & Similar Technologies

Our websites and customer portal use cookies and similar technologies to keep you signed in, remember your language and currency preferences, secure your session, and understand how the service is used so we can improve it.

We keep this to what is necessary and proportionate, and we do not use cookies to sell your data. For the full detail of which cookies we use, their purposes, and how you can manage your choices, please see our separate Cookie Policy.

12. Children

CLARUS® is a professional tool for medical laboratories and their staff. Our accounts and websites are intended for use by adults acting in a professional capacity, and we do not knowingly create accounts for or direct our services to children.

Patient records processed through CLARUS® may, of course, relate to patients of any age, including children — but that data is entered and controlled by your laboratory under its own clinical and legal duties, with CLARUS® acting only as processor. We do not use any such data for our own purposes. If you believe a CLARUS® account has been created by someone who should not have one, please contact us so we can address it.

13. Changes to This Policy & How to Contact Us

We may update this Privacy Policy as our service, technology, or legal obligations evolve. When we make material changes, we will update the effective date and notify you through the platform or by email before the changes take effect, so you are never caught by surprise. The current version will always be available in the CLARUS® legal centre.

This policy is governed by the law of the Arab Republic of Egypt, while preserving any mandatory consumer-protection and data-protection rights you hold under the law of your own country.

We would genuinely rather hear from you than have you wonder. For any privacy question, to exercise a right, or to raise a concern, reach our Data Protection Officer and privacy team using the contacts below — and remember our in-app live chat is always there too.

  • Data Protection Officer: dpo@claruslis.com
  • Privacy enquiries: privacy@claruslis.com
  • Legal: legal@claruslis.com | Billing & refunds: billing@claruslis.com | Support: support@claruslis.com
  • Governing law: Arab Republic of Egypt, preserving your local mandatory rights.
  • Last updated: 26 June 2026.

14. Complaints & Supervisory Authorities

If you have a concern about how we handle personal data, we would like the chance to resolve it first — please contact our privacy function at privacy@claruslis.com or our Data Protection Officer at dpo@claruslis.com, and we will respond promptly.

You also have the right to lodge a complaint with the data-protection or privacy supervisory authority in your country or region. Exercising this right does not affect any other remedy available to you, and we will cooperate in good faith with any lawful inquiry from a competent authority.

Thank you for trusting CLARUS® with your laboratory's work. We hold that trust seriously: your data is yours, it is protected by strong security and clear contracts, and it is always portable through open HL7, ASTM, and FHIR standards — never locked in. If anything here is unclear, our Data Protection Officer at dpo@claruslis.com and our live chat are ready to help.

Questions about this policy?

Reach our team any time at legal@claruslis.com or via in-app chat, and we'll be glad to help.
