Security & Privacy
at Tahsin.ai
How we protect your clinic and your patients — in plain language.
What data does Tahsin.ai store?
When a patient messages your clinic through Tahsin.ai, we store only what's needed to handle their enquiry:
- Their WhatsApp phone number
- The appointment they requested (date, time, name)
- Their conversation step (e.g. "waiting for confirmation")
We do NOT store:
- ✗Medical history or diagnoses
- ✗Payment or insurance information
- ✗Passwords or login credentials
- ✗Any data from your clinic management software
Patient messages are protected by WhatsApp's encryption in transit. Once WhatsApp delivers a message to us, the AI processes it and stores the conversation — encrypted at rest, isolated per clinic, and never sold or shared with third parties.
Where is patient data stored?
All session and appointment data is stored on Supabase — one of the most trusted database platforms in the world, used by over 1 million developers and companies including enterprise healthcare organisations.
Supabase infrastructure is certified to:
SOC 2 Type II
Independently audited for security, availability, and confidentiality controls
Certification held by Supabase, Inc. — our infrastructure provider. View details ↗
ISO 27001
International standard for information security management
Certification held by Supabase, Inc. — our infrastructure provider. View details ↗
HIPAA-Ready
Infrastructure designed to support HIPAA-regulated workloads
Certification held by Supabase, Inc. — our infrastructure provider. View details ↗
These certifications apply to Supabase's infrastructure, which powers Tahsin.ai's data storage. They reflect the security standards of the platform your data sits on — not a direct certification of Tahsin.ai.
How is the system secured?
01
Authentication Required
Every request to the Tahsin.ai API requires a private API key. Unauthenticated access is blocked with a 403 error. The API is not publicly accessible — all traffic is routed through a secured reverse proxy (nginx).
02
Encrypted in Transit
All data between patients, the bot, and our servers is transmitted over HTTPS using TLS encryption. Our SSL certificate is monitored continuously and renewed automatically.
03
Data Isolation Per Clinic
Each clinic's data is stored in a separate namespace. It is technically impossible for one clinic's data to be accessed through another clinic's connection.
04
Vulnerability Monitoring
We monitor security advisories for every component in our stack. When the German Federal Cybersecurity Office (BSI) flagged a vulnerability in June 2026, we patched it within 2 hours of receiving the notification.
Is the AI safe to use with patients?
The Tahsin.ai assistant is designed with clear boundaries:
- ✓Answers questions about your clinic — hours, prices, services, location
- ✓Books appointments and sends confirmations
- ✓Escalates to your team when it can't help
- ✓Respects patient opt-outs immediately (reply STOP at any time)
- ✗Never gives medical advice or diagnoses
- ✗Never recommends medications or treatments
- ✗Never claims to be a human
- ✗Never accesses external systems or patient records
Every Tahsin.ai deployment includes this disclaimer in the bot's first message: "I'm Sara, an AI assistant for [Clinic Name]. For medical advice, please speak directly with our team."
How long do you keep data? Can I delete it?
- Session data (appointment bookings, conversation state) is retained for 90 days, then automatically deleted.
- As a clinic owner, you can request full deletion of your clinic's data at any time by contacting us at security@tahsinai.com. We will confirm deletion within 48 hours.
- Patients can opt out at any time by replying STOP to any message. Their session is immediately terminated and no further messages are sent.
Regulatory Compliance
Tahsin.ai is operated in accordance with:
- UAE Federal Decree-Law No. 45 of 2021 — Personal Data Protection Law (PDPL)
- WhatsApp Business API Terms of Service — Meta Business Partner programme
- General Data Protection Regulation principles — GDPR-aligned practices
We do not sell, share, or monetise any patient or clinic data. Ever.
Security questions?
If you have a security concern, discovered a vulnerability, or need documentation for your compliance team, contact us directly. We take every report seriously. Responsible disclosure is welcomed.
security@tahsinai.com
Response within 24 hours guaranteed
24-hour SLA
For all security reports
Infrastructure Partners
Supabase
Certified database infrastructure
WhatsApp Business API
Delivered via Meta Business Platform
Hetzner Cloud
Hosted in Germany — EU data centres
These are infrastructure partners, not endorsements. Certifications are held by the respective companies.