Privacy Policy | CareBravo — How We Protect Your Data

Table of Contents

Overview
Scope of This Policy
Information We Collect
Legal Bases and Roles
How We Use Information
Disclosure of Information
Security, Retention, and Deletion
HIPAA Compliance and Business Associate Agreement
Your Rights
International Transfers
Children's Privacy
Changes to This Policy
Contact Us

1. Overview

This Privacy Policy explains how Caryfy collects, uses, discloses, and protects information in connection with the CareBravo™ platform and related services (the "Services").

By accessing or using the Services, you acknowledge that you have read and understand this Policy. This Policy is incorporated into and forms part of the CareBravo™ Terms of Use.

2. Scope of This Policy

This Policy applies to:

Customers and Users — health-care providers, agencies, and their authorized personnel using CareBravo™;
End-users — patients, caregivers, or other individuals whose information is entered by a Customer; and
Visitors — anyone visiting our websites or communicating with us offline.

This Policy does not apply to third-party products or services linked through the platform.

3. Information We Collect

3.1 Protected Health Information

When our Customers use the Product, we collect and process Protected Health Information ("PHI") on their behalf, including names, contact information, dates, medical record identifiers, health insurance information, clinical data, and other information related to an individual's healthcare.

3.2 Technical and Usage Data

We collect information about how the Product is accessed and used, including IP addresses, device information, browser type, and usage patterns.

3.3 Account and Billing Information

We collect Customer account details, billing addresses, payment information, and transaction history. Caryfy does not sell Personal Data and does not use PHI for marketing.

4. Legal Bases and Roles

Depending on the jurisdiction and data type, Caryfy acts as:

a Business Associate under HIPAA when handling PHI for a Covered Entity or Business Associate; and
a Processor under GDPR (or "Service Provider" under CCPA) when processing Personal Data on behalf of a Customer.

Customers act as the HIPAA Covered Entity / GDPR Controller and remain responsible for obtaining all necessary notices and consents.

5. How We Use Information

5.1 Provide and Improve Services

We use data to deliver, maintain, and enhance the Product and its features.

5.2 De-identified Data for Analytics and AI

We may de-identify and aggregate Customer Data in accordance with HIPAA standards to improve our services, develop new features, train AI and machine learning models, and conduct analytics. De-identified data cannot be used to identify specific individuals.

5.3 Legal Compliance

We use data to comply with applicable laws, regulations, and legal processes.

5.4 Security and Fraud Prevention

We use data to maintain the security of the Product and prevent fraud or misuse.

6. Disclosure of Information

We may disclose information:

To Sub-Processors and Affiliates who assist us in providing the Services;
To regulators or law enforcement when Required by Law;
During business transfers (e.g., merger or sale), subject to continued protection; and
With Customer direction or consent.

Caryfy never discloses PHI for marketing or other uses prohibited by HIPAA.

7. Security, Retention, and Deletion

Caryfy implements administrative, technical, and physical safeguards meeting 45 C.F.R. §§ 164.308–312 and industry standards.

Data Retention & Deletion Schedule

Export: Customers may export Customer Data while the account is active.
U.S. Customers: export within 30 days; delete within 60 days (backups ≤ 90 days).
EU Customers: export within 45 days; delete within 90 days.
Goodwill Reactivation: temporary reactivation allowed for export only.

Breach Notification: Caryfy will notify affected Customers within 60 days of discovery of any Breach of Unsecured PHI, or within such shorter period as required by applicable state law, including details required by 45 C.F.R. § 164.410(c).

8. HIPAA Compliance and Business Associate Agreement

If Customer is a Covered Entity or Business Associate, Caryfy's creation, receipt, maintenance, or transmission of PHI is governed by the Business Associate Agreement (BAA) attached as Exhibit A to the CareBravo™ Terms of Use.

In any conflict between this Policy, the Terms, and the BAA, the BAA controls with respect to PHI.

9. Your Rights

Depending on jurisdiction, you may have the right to:

Access, correct, or delete Personal Data;
Object to or restrict Processing;
Request data portability; and
Withdraw consent.

To submit requests, contact us at privacy@carebravo.com. We verify identity before fulfilling requests.

10. International Transfers

Data may be stored or processed in the United States or other jurisdictions where Caryfy or its affiliates operate. When transferring Personal Data from the EU, we rely on Standard Contractual Clauses or other lawful transfer mechanisms.

11. Children's Privacy

The Services are not directed to children under 13 and should not be used for pediatric data entry except by authorized healthcare providers under a HIPAA-covered relationship.

12. Changes to This Policy

We may revise this Policy from time to time. Material changes will be posted with a new "Effective Date." Continued use of the Services after notice constitutes acceptance.

13. Contact Us

Caryfy, LLC
Attn: Privacy Officer
Email: support@caryfy.ai
Address: One Midtown Plaza, 1360 Peachtree Street NE, Suite 800, Atlanta, Georgia 30309 USA