Healthcare patient engagement platform that sends appointment reminders, surveys, satisfaction questionnaires and educational follow-ups by web, e-mail and SMS, with optional connectors to electronic health record (EHR) systems.
PatientLoop is a patient engagement platform used by clinics, hospitals, dental practices and outpatient providers to send appointment reminders, satisfaction surveys, NPS questionnaires and educational follow-ups by web portal, e-mail and SMS. Some deployments connect to electronic health record (EHR) systems to pull patient lists and push back outcome data.
PatientLoop processes patient identifiers, contact details, appointment metadata, survey responses, free-text comments, satisfaction scores and, depending on the configuration, EHR data such as procedure codes, diagnoses and clinician notes. Most of this data is health related and qualifies as special category personal data under Article 9 GDPR.
Processing must be grounded in Articles 6 and 9 of the GDPR. The lawful conditions for health data include explicit consent, the provision of healthcare and public interest in public health, each with appropriate safeguards. National rules add further layers: HDS certification in France, KHZG and SGB in Germany, LOPDGDD in Spain. SMS and e-mail engagement also triggers Article 13 of the ePrivacy Directive.
In most patient engagement use cases, explicit consent (Article 9(2)(a)) is the safest legal basis for sending non-strictly-necessary surveys or marketing follow-ups. Article 9(2)(h) (healthcare) can support clinical follow-up tied to the actual treatment. Strictly necessary appointment reminders normally rely on the legitimate care relationship; commercial-style satisfaction surveys require opt-in.
PatientLoop is mainly US based. Transfers of health data to the United States are particularly sensitive. Require an EU residency option where possible, document a transfer impact assessment, ensure SCCs and the EU-US Data Privacy Framework apply, and check national rules that may forbid offshoring health data without an additional authorisation (HDS hosting in France, ISO 27799 / ISO 27001 globally).
Sign a DPA and a Business Associate Agreement equivalent, run a DPIA, choose EU hosting if available, restrict EHR scopes to the strict minimum, enable encryption at rest and in transit, enforce role-based access, document explicit consent for non-clinical communications, define short retention for free-text responses, set up DSAR workflows and align with national health data certification (HDS, KHZG, etc.).
Websites using PatientLoop must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is mandatory: PatientLoop processes special category health data on a large scale, may include vulnerable patients, performs systematic engagement and can integrate with EHR systems. Cover legal basis, security (encryption, role-based access), data minimisation, retention, transfer impact assessment and patient rights workflows.
Sample consent text
With your explicit consent we use PatientLoop to send you appointment reminders, satisfaction surveys and follow-up information about your care. Some of this data is sensitive and is hosted on US infrastructure with appropriate safeguards. You can withdraw consent and request deletion at any time.
Third-party domains contacted
patientloop.com
app.patientloop.com
api.patientloop.com
sms.patientloop.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| patientloop_session | http | Session | Strictly necessary session cookie that keeps the patient signed in to the PatientLoop portal. |
| patientloop_csrf | http | Session | CSRF protection token used by the PatientLoop forms. |
| patientloop_lang | http | 1 year | Stores the patient language preference. |
| pl_survey | http | 30 days | Tracks whether a patient has already answered a specific survey to avoid duplicate prompts. |
PatientLoop sets strictly necessary cookies in its patient portal (patientloop_session, patientloop_csrf, patientloop_lang) and a short-lived pl_survey cookie that prevents duplicate surveys. No advertising cookies are set.
Yes, for non-strictly-necessary communications such as satisfaction surveys, marketing follow-ups and engagement reminders that are not directly tied to care. Strictly necessary appointment reminders can rely on the treatment relationship under Article 9(2)(h) GDPR.
For health data the legal basis is normally Article 9(2)(a) (explicit consent) or 9(2)(h) (provision of healthcare). Article 6(1)(b) (contract) and 6(1)(f) (legitimate interest) can apply to non-sensitive operational data with appropriate safeguards.
Yes, the platform is mainly US based. Transfers rely on SCCs and the EU-US Data Privacy Framework. Pay particular attention to national health hosting rules (HDS in France, BDSG / SGB in Germany, LOPDGDD in Spain).
Yes. Health data processing on a large scale is explicitly listed in Article 35(3) and on most EU DPA DPIA lists. The DPIA must cover lawful basis, security controls, retention, transfer impact and patient rights workflows.
Sign a DPA and a BAA equivalent, run a DPIA, prefer EU hosting, minimise EHR scopes, enable encryption, enforce role-based access, obtain explicit consent for non-clinical communications, define short retention for free-text answers, document SCC and Data Privacy Framework reliance and align with national health hosting certifications.
Other patient engagement and feedback platforms include Klara, Phreesia, Luma Health, Solutionreach, Calenso, Doctolib (EU), MyTherapy, MediaLeads and Tonic Health. EU based solutions reduce health data transfer risk.
List PatientLoop as a processor under healthcare services, describe the strictly necessary cookies, the health data flows, the transfers to the United States and the rights of the data subject (Articles 15 to 22), and refresh the policy whenever you enable a new module or EHR connector.