Caryfy, Inc. (“Caryfy,” “we,” “us,” or “our”) respects your privacy. This Privacy Policy (“Policy”) explains how we collect, use, disclose, and protect information in connection with our websites (including www.caryfy.ai and related landing pages), mobile or web-based applications (including Cary AI, the Autonomous Care OS, and any other applications we may offer), and any other services we provide (collectively, the “Services” or “Product Offering”).

By accessing or using our Services, you agree to this Policy and our [Terms and Conditions] (“Terms”), which are incorporated by reference. If you do not agree, please discontinue use of our Services immediately.

---

1. WHO WE SERVE & SCOPE OF THIS POLICY

1.1 Primary Users
Caryfy provides software solutions—including the Cary AI Autonomous Care OS—primarily to long-term care (“LTC”) providers (e.g., home care agencies, home health care, adult day care, personal care homes, case management, assisted living facilities, skilled nursing facilities, and others). These Providers, along with their employees, contractors, and other authorized users, enter and manage data through our Services. While Clients (care recipients) or their families may also indirectly provide or view data, our primary contractual relationship is with the LTC Provider.

1.2 Provider-Entered Data
LTC Providers may enter personally identifiable information (“PII”), Protected Health Information (“PHI”), and other sensitive data about their Clients and staff into our Services. Caryfy does not enter into standalone Business Associate Agreements (BAAs). By using our Services, Providers represent that they have the legal authority to upload PHI to Caryfy’s systems under HIPAA.

1.3 Policy Scope
This Policy governs Caryfy’s practices for data collected and used within Caryfy’s Services. It does not govern any LTC Provider’s own privacy practices outside of Caryfy’s environment.

---

2. INFORMATION WE COLLECT

We collect information from or about you in the following ways:

2.1 Information Provided by LTC Providers & Users

• Account Creation: When you (or your LTC Provider) create an account, we may collect information such as names, email addresses, roles/titles, usernames/passwords, and billing details.
• Client/Patient Records: LTC Providers or authorized staff may input data about Clients—e.g., health records, care plans, assessments, schedules, or other PHI—into Caryfy’s Services.

2.2 Information We Collect Automatically

• Usage Data: We may track metadata about your interactions with our Services, including IP addresses, device types, browser information, pages viewed, and access times.
• Cookies & Tracking: We may use cookies, web beacons, and similar technologies to remember preferences, provide analytics, and enhance user experience.

2.3 Information from Third Parties

• Service Providers: We may receive limited data from payment processors, analytics services, or cloud hosting providers that assist us in operating or improving our Services.
• Employer/LTC Provider: If you are an employee or contractor, your employer may share user credentials or other relevant details to set up your account.

---

3. HOW WE USE YOUR INFORMATION

3.1 Operate & Enhance the Services

• To manage and deliver the Cary AI Autonomous Care OS and related products, including updates, bug fixes, and feature improvements.
• To personalize user experiences and support LTC Providers in long-term care administration.

3.2 Mandatory AI Model Training

Caryfy utilizes the data you input, which may include PHI, for machine learning and AI training (e.g., refining predictive analytics or workflow optimizations). No separate opt-out exists for this processing. If you do not wish your data to be used in this manner, you must discontinue use of our Services, per our Terms.

3.3 Compliance & Security

• To detect and prevent fraud, security threats, or other malicious activities.
• To comply with legal obligations and enforce our Terms.

3.4 Communications

• To provide customer support, respond to inquiries, or send essential notices (e.g., policy or Terms changes).
• To send limited marketing or promotional messages; you can typically unsubscribe from non-transactional emails.

3.5 Analytics & Performance

• To analyze Service usage trends and measure the effectiveness of new features or updates.
• To improve workflows and design by understanding user interactions within our Services.

---

4. HIPAA & PROTECTED HEALTH INFORMATION

4.1 PHI Handling

Some LTC Providers may store or process Protected Health Information (“PHI”) within Caryfy’s Services. Caryfy implements administrative, physical, and technical safeguards consistent with HIPAA security principles to help protect PHI from unauthorized access.

4.2 Provider Responsibility

LTC Providers ultimately ensure HIPAA compliance for the PHI they collect. Providers must manage user credentials, access controls, and any disclosures of PHI to unauthorized parties. Caryfy’s role is limited to providing the software platform; we do not act as a formal Business Associate and do not execute standalone BAAs.

4.3 Third-Party Providers

Certain service providers (e.g., cloud hosting) may have HIPAA-aligned safeguards. However, Caryfy does not sign a “Business Associate Agreement” with each LTC Provider. Use of any other third-party tools (e.g., messaging or telecommunication platforms) is managed in accordance with overall security and privacy measures but is ultimately the Provider’s responsibility to approve under HIPAA.

4.4 Exemptions

PHI under HIPAA may be exempt from certain state privacy laws, like the California Consumer Privacy Act (“CCPA”), to the extent it is used or disclosed under HIPAA.

---

5. DISCLOSURES OF YOUR INFORMATION

We may share or disclose information (including PHI, where applicable) in the following circumstances:

5.1 Service Providers & Corporate Affiliates

• Corporate Umbrella: We may share data with our affiliates or umbrella companies (e.g., a holding company or sister companies) strictly for the purposes described in this Policy and as permitted by the Terms.
• Contracted Vendors: We also share data with trusted vendors or contractors who help us deliver our Services (e.g., hosting, analytics, payment processing). These parties must maintain confidentiality consistent with this Policy.

5.2 Legal Compliance & Protection

We may disclose information if required by law, subpoena, or other legal process, or if necessary to protect our rights, safety, or property, or that of our users and the public.

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, or asset sale, your information may be transferred subject to confidentiality commitments.

5.4 De-Identified Data

We may share aggregated or de-identified data (which cannot reasonably identify a specific individual) for research, marketing, analytics, or similar purposes.

5.5 No Sale of Data

We do not sell personal information or PHI to third parties for marketing purposes.

---

6. CALIFORNIA RESIDENTS & CCPA/CPRA

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (collectively, “CCPA/CPRA”). These rights typically include:

1. Right to Know: Request details about the personal information we collect and how we use it.
2. Right to Delete: Request deletion of personal information, subject to exceptions (e.g., data needed to provide Services).
3. No Sale: We do not sell or share personal information for cross-context advertising.
4. Mandatory AI Usage: We rely on data for AI/ML training. If you request deletion of essential data, you may lose access to our Services. This is not discrimination but a functional limitation.
5. HIPAA Exemption: PHI may be exempt from certain CCPA/CPRA provisions.

To exercise these rights, please contact us at support@caryfy.ai. We will verify your identity before fulfilling requests as required by law.

---

7. DATA SECURITY & RETENTION

7.1 Security Measures

We employ encryption, secure data centers, access controls, and other safeguards to protect data within our environment. However, no system is perfectly secure, and users must keep login credentials confidential.

7.2 Retention & Data Deletion

• Retention: We retain data as long as needed to fulfill the purposes for which it was collected and to comply with legal or contractual requirements.
• Account Suspension or Cancellation: Per our Terms, if an account is canceled (for instance, due to non-payment), we may permanently delete data. Data may not be reinstated even if you later wish to reopen the account.
• Provider Controls: LTC Providers are responsible for retrieving any necessary records via the reporting/export features before account termination or cancellation.

---

8. INTERNATIONAL USERS

8.1 U.S.-Based Services

Our Services are primarily provided within the United States, and our servers are located in the U.S. If you access or use our Services from outside the U.S., you consent to the transfer of your data to the U.S. for processing consistent with this Policy.

8.2 GDPR Inapplicability

Because Caryfy does not offer services in the European Union and does not collect data from EU residents, the General Data Protection Regulation (GDPR) does not apply to Caryfy’s operations or this Policy.

---

9. CHILDREN & MINORS

Our Services are not directed to individuals under the age of majority. If a minor’s data is entered into the system by an LTC Provider for legitimate care reasons, the LTC Provider is responsible for obtaining any necessary consents under applicable law.

---

10. YOUR CHOICES

10.1 Account Information

If you are an employee or authorized user of an LTC Provider, you may update certain account details by contacting your Provider’s administrator or Caryfy’s support.

10.2 Marketing Emails

You may opt out of non-transactional marketing emails by clicking “unsubscribe” or adjusting your email preferences. Essential administrative emails (e.g., service updates) may still be sent as needed.

10.3 Cookies

You can manage cookies or tracking technologies via your browser settings. Disabling cookies may limit certain features of our Services.

---

11. CHANGES TO THIS POLICY

We may update this Policy from time to time to reflect changes in our practices or legal requirements. If updates are material, we will attempt to notify you (e.g., by posting a notice on our website or sending a communication). Your continued use of our Services after any update constitutes acceptance of the revised Policy.

---

12. CONTACT US

If you have any questions about this Policy or our data practices, please contact us at:

Caryfy, Inc.
1360 Peachtree Street, Suite 800
Atlanta, Georgia 30309 (USA)
Email: support@caryfy.ai

BY USING OUR SERVICES OR CONTINUING TO PROVIDE DATA, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTAND THIS PRIVACY POLICY AND AGREE TO ITS TERMS.