These Terms govern access to, and use of, the CareBravo™ Autonomous Care OS™ platform and related services provided by Caryfy, LLC.
These Terms of Use ("Agreement" or "Terms") govern access to, and use of the CareBravo™ Autonomous Care OS™ platform and related services (the "Product" or "Services") provided by Caryfy, LLC ("Caryfy," "we," "us," or "our"). By executing an Order Form or using the Product, the entity or individual identified on an Order Form ("Customer") agrees to be bound by these Terms.
Subject to these Terms and the Order Form, Caryfy grants Customer a limited, non-exclusive, non-transferable, revocable license to access and use the Product during the Term.
Customer shall not (and shall not permit others to):
Caryfy may engage Sub-Processors to support the Product. A current list is available upon request. For EU Customers, Caryfy will provide 30 days' prior notice of material changes, during which Customers may object on GDPR-based grounds. If an objection cannot be resolved, Customer may terminate the affected services.
Customer retains all rights in Customer Data.
Caryfy will Process Customer Data solely to provide and improve the Product, comply with legal obligations, and develop analytics and AI/ML models using only de-identified or aggregated data consistent with applicable standards (HIPAA de-identification, CCPA, GDPR). Customer may opt out of use of Customer Data for AI/ML model training purposes by submitting a written request to privacy@carebravo.com. Opt-out will be effective within thirty (30) days of receipt of such written request.
Caryfy implements administrative, technical, and physical safeguards designed to protect Customer Data against unauthorized access, disclosure, and loss.
(a) US Customers: Customer may export Customer Data while the account is active. Within 30 days of termination, upon written request, Caryfy will provide client and caregiver profile data in CSV format only. Caryfy has no obligation to produce data in other formats or reconstruct data from backups. Remaining data will be deleted within 60 days, unless legally prohibited.
(b) EU Customers: Customer may export Customer Data via the Product within 45 days following expiration or termination. Caryfy will delete remaining data within 90 days, except as required by law.
At Caryfy's discretion, it may temporarily reactivate an account to allow self-export of data as a courtesy only, without creating any continuing obligation.
If Customer is a Covered Entity or Business Associate under HIPAA and requires Caryfy to create, receive, maintain, or transmit PHI, the Parties' rights and obligations are governed by the Business Associate Agreement attached as Exhibit A (the "BAA"), which is incorporated by reference. By accepting these Terms (including via click-through) or executing an Order Form, Customer agrees to and is deemed to have executed the BAA. In any conflict between these Terms and the BAA, the BAA controls with respect to PHI and HIPAA compliance obligations.
Caryfy shall implement safeguards compliant with 45 C.F.R. §§ 164.308–312 and shall notify Customer of any Breach of Unsecured PHI without unreasonable delay and in no event later than sixty (60) days after discovery, including the information required by 45 C.F.R. § 164.410(c). Unsuccessful security incidents (e.g., pings, blocked malware, failed log-ins) are deemed reported by this Section; summaries are available upon request.
Caryfy may engage subcontractors and Affiliates to perform functions or services involving access to Customer Data or PHI, provided each is bound by written obligations no less protective than those set forth herein and in the HIPAA Rules. Upon written request, Caryfy will provide a list of material subcontractors or Affiliates with access to PHI.
Nothing in these Terms restricts lawful access, exchange, or use of Electronic Health Information under the 21st Century Cures Act and 45 C.F.R. Part 171. Caryfy will implement reasonable and appropriate measures to support such exchange and may rely on any regulatory exceptions under Part 171.
Where the General Data Protection Regulation (EU 2016/679) ("GDPR") applies, Customer acts as Data Controller and Caryfy acts as Data Processor. Caryfy shall process Personal Data only on Customer's documented instructions, ensure persons authorized to process such data are bound by confidentiality, and implement appropriate technical and organizational measures in accordance with Article 32 GDPR. The Parties agree this Section constitutes a Data Processing Addendum as required by Article 28 GDPR.
Customer shall pay all fees specified in the Order Form. Unless otherwise specified, fees are non-refundable.
Payment is due upon invoice. If not received within five (5) days, Caryfy may suspend access. A $250 reactivation fee plus bank charges may apply.
Any invoice disputes must be raised in writing within thirty (30) days of receipt; Caryfy will investigate and adjust billing as appropriate.
Fees are exclusive of taxes. Customer is responsible for all applicable taxes.
Caryfy may apply a surcharge to cover actual credit-card processing costs, not to exceed 3% of the transaction amount.
(a) U.S. Customers: Surcharges apply only to B2B card payments in U.S. jurisdictions that permit surcharging and will be disclosed at payment.
(b) EU Customers: No surcharges on consumer transactions where prohibited under PSD2; B2B payments may incur a surcharge within these limits.
(c) Network Compliance: Surcharges reflect Caryfy's actual cost of acceptance and comply with card-network rules, including any advance notification requirements.
(d) Disclosure: Any surcharge will be clearly disclosed prior to payment, on the checkout screen or invoice.
Caryfy may add, modify, or remove Product features, functionality, or content at any time; major removals or deprecations will be communicated via release notes or the customer portal.
Caryfy may amend these Terms upon thirty (30) days' prior notice. Continued use after the Effective Date constitutes acceptance of the amended Terms.
All rights in the Product, including software, trademarks, and documentation, are owned by Caryfy or its licensors.
Customer retains all rights in Customer Data. Caryfy is granted a limited, non-exclusive, worldwide license to use Customer Data solely to perform and improve the Product.
Customer is granted a perpetual, royalty-free license to use AI-generated outputs for its business purposes. Caryfy retains no ownership in such outputs but may use aggregated, de-identified insights for lawful business purposes.
Customer grants Caryfy a royalty-free, perpetual license to use suggestions or feedback provided.
Customer grants Caryfy a non-exclusive license to use Customer's trademarks and logos solely to perform the Services and market integrations, subject to Customer's brand guidelines.
Each party represents it has the right and authority to enter into these Terms.
Caryfy warrants the Product will materially conform to documentation, as unmodified by any party other than Caryfy.
EXCEPT AS EXPRESSLY PROVIDED, THE PRODUCT IS PROVIDED "AS IS" AND CARYFY DISCLAIMS ALL WARRANTIES, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
NEITHER PARTY SHALL BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS OR DATA LOSS.
EXCEPT AS PROVIDED IN SECTION 8.3, EACH PARTY'S TOTAL AGGREGATE LIABILITY UNDER THESE TERMS SHALL NOT EXCEED THE FEES PAID BY CUSTOMER DURING THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO LIABILITY OR FIVE HUNDRED U.S. DOLLARS (USD $500), WHICHEVER IS GREATER.
For any Breach of Unsecured PHI resulting from Caryfy's failure to comply with its obligations under these Terms or the HIPAA Rules, or resulting from Caryfy's gross negligence or willful misconduct, Caryfy's aggregate liability shall not exceed the greater of (a) the fees paid during the twelve (12) months preceding the Breach or (b) Fifty Thousand U.S. Dollars (USD $50,000). Neither Party shall be liable for regulatory fines or penalties to the extent such indemnification is prohibited by law.
CARYFY SHALL NOT BE LIABLE FOR SERVICE INTERRUPTIONS, DATA LOSS, RANSOMWARE ATTACKS, OR OTHER FAILURES CAUSED BY SUB-PROCESSORS OR THIRD-PARTY HOSTING/VENDOR SERVICES, PROVIDED THAT CARYFY USES REASONABLE COMMERCIAL EFFORTS TO MONITOR AND COORDINATE WITH SUB-PROCESSORS, EXCEPT TO THE EXTENT SUCH LIABILITY ARISES FROM CARYFY'S OBLIGATIONS UNDER APPLICABLE HIPAA RULES, WHICH SHALL NOT BE LIMITED BY THIS SECTION.
Neither party is liable for delays or failures caused by events beyond reasonable control, including natural disasters, labor disputes, or internet outages.
Caryfy will defend Customer against third-party claims alleging that the Product infringes any U.S. patent, copyright, or trademark and will pay any final award or settlement, provided Customer gives prompt notice, reasonable cooperation, and sole control of the defense to Caryfy.
Customer will defend Caryfy against claims arising from Customer Data, misuse of the Product, or breach of these Terms, and will pay any final award or settlement.
Customer shall indemnify, defend, and hold harmless Caryfy and its Affiliates from and against claims, damages, losses, and expenses arising out of or in connection with any third-party products or services, including those provided by Sub-Processors, or any invoicing activities conducted by Caryfy acting as an agent.
Where GDPR applies, Customer acts as Data Controller and Caryfy acts as Data Processor. Customer shall indemnify Caryfy from fines, penalties, or third-party claims arising from Customer's failure to comply with Controller obligations, except to the extent caused by Caryfy's gross negligence or willful misconduct.
Indemnification obligations survive for two (2) years following termination.
These Terms continue for the Term set forth in the Order Form.
Either party may terminate for material breach if the other party fails to cure within thirty (30) days' written notice.
Upon termination, licenses granted herein terminate. Each party shall return or delete the other's Confidential Information, and Caryfy will handle Customer Data in accordance with Section 3.4.
Each party shall protect the other's Confidential Information with at least the same degree of care it uses for its own confidential information (but not less than reasonable care) and shall not use or disclose such information except to perform under these Terms. PHI and Customer Data are Confidential Information.
These Terms are governed by the laws of the State of Georgia, without regard to conflict-of-law principles. Disputes must first be submitted to mediation in Fulton County, Georgia. If unresolved within sixty (60) days, disputes will be finally resolved by binding arbitration administered by the American Arbitration Association under its rules, before a single arbitrator in Fulton County, Georgia. Arbitration is on an individual basis only, and class or representative proceedings are waived. Caryfy may seek injunctive or equitable relief in court to protect intellectual property or prevent unauthorized use.
Neither party may assign these Terms without the other's consent, except to an Affiliate or in connection with a merger, reorganization, or sale of substantially all assets, provided the assignee assumes all obligations.
If any provision is held invalid or unenforceable, the remainder remains in full force and effect.
These Terms, the Privacy Policy, the Order Form, and Exhibit A (BAA) constitute the entire agreement and supersede prior or contemporaneous agreements concerning the subject matter.
If Customer accesses services from Caryfy Affiliates the Affiliate's terms and privacy policy govern those services. These Terms apply only to the CareBravo™ Product.
Notices shall be sent to the addresses in the Order Form or to the email designated by each party and are deemed received when delivered by email with confirmation of receipt or by nationally recognized overnight courier.
This Business Associate Agreement ("Agreement") is incorporated by reference into the CareBravo™ Terms of Use between Caryfy, LLC ("Business Associate" or "Caryfy") and the Customer identified in the applicable Order Form ("Covered Entity" or "Customer").
WHEREAS, the Parties have entered into the CareBravo™ Terms of Use (the "Underlying Contract"), pursuant to which Caryfy provides certain software, platform, and related support services to the Customer;
WHEREAS, in connection with the Underlying Contract, Business Associate may receive, create, maintain, or transmit Protected Health Information ("PHI") on behalf of Covered Entity that is subject to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and their implementing regulations at 45 C.F.R. Parts 160 and 164;
WHEREAS, the Parties desire to comply with the Privacy Rule, Security Rule, and Breach Notification Rule under HIPAA and to set forth their respective duties and responsibilities regarding PHI; and
WHEREAS, the Parties intend that this Agreement supplement and be incorporated into the Underlying Contract, and that this Agreement shall control with respect to the use and protection of PHI.
NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, the Parties agree as follows:
Terms not defined here have the meanings given in 45 C.F.R. Parts 160 and 164.
Caryfy may use and disclose PHI solely to perform the CareBravo™ Services described in the Underlying Contract and as permitted by this Agreement and the HIPAA Rules.
Caryfy may use PHI for its own management and administration or to carry out its legal responsibilities if (a) the disclosure is Required by Law, or (b) the recipient gives reasonable assurances of confidentiality and reports any known breach.
Caryfy may use PHI to provide data-aggregation services and may de-identify PHI consistent with 45 C.F.R. § 164.514(a)–(c). De-identified data may be used for analytics, platform improvement, and other lawful purposes.
Caryfy shall limit uses and disclosures of PHI to the minimum necessary to accomplish the intended purpose.
Caryfy shall implement administrative, physical, and technical safeguards meeting 45 C.F.R. §§ 164.308–312 to protect the confidentiality, integrity, and availability of PHI.
Caryfy may engage subcontractors and Affiliates, including those located outside the U.S., provided each is bound by a written agreement imposing HIPAA-equivalent protections.
Caryfy shall mitigate, to the extent practicable, any harmful effect of a use or disclosure of PHI in violation of this Agreement.
Caryfy shall report to Customer (a) any use or disclosure of PHI not permitted by this Agreement, (b) any Security Incident, and (c) any Breach of Unsecured PHI, in each case without unreasonable delay, and in no event later than sixty (60) days after discovery including: identities of affected Individuals; dates and description of the incident; types of PHI involved; mitigation steps taken; contact information for follow-up.
Caryfy shall provide access to and amend PHI in a Designated Record Set as directed by Customer (45 C.F.R. §§ 164.524–526).
Caryfy shall document disclosures as necessary for Customer to provide an accounting under 45 C.F.R. § 164.528.
Caryfy shall make relevant records available to HHS for purposes of determining Customer's compliance.
To the extent Caryfy carries out any obligation of Customer under the Privacy Rule, Caryfy shall comply with the requirements of 45 C.F.R. Part 164, Subpart E that apply to Customer in the performance of such obligation, including responding to requests for access, amendment, or accounting of PHI, applying the minimum-necessary standard, and coordinating with Customer to ensure timely fulfillment of individual rights.
Upon Customer's reasonable written request, Caryfy shall make available information reasonably necessary to demonstrate its compliance with this Agreement, which may include summaries of third-party security or compliance audits (e.g., SOC 2 Type II, HIPAA assessments) and relevant security policies. If a material Security Incident or Breach involving Customer's PHI is suspected, Customer may, upon reasonable notice and during normal business hours, conduct a focused audit of Caryfy's records relevant to PHI handling, provided that such audit (a) does not unreasonably interfere with Caryfy's operations, and (b) does not compromise the confidentiality or security of other customers' data. Caryfy shall also make such information available as necessary to assist Customer in responding to audits or inquiries by HHS or other regulatory authorities concerning HIPAA compliance.
Customer shall (a) not request Caryfy to use or disclose PHI in any manner prohibited by HIPAA, (b) obtain all consents and authorizations required for Caryfy's permitted uses, and (c) notify Caryfy of any restriction, revocation, or change affecting PHI use or disclosure.
This Agreement begins on the Effective Date of the Underlying Contract and continues until all PHI is returned or destroyed.
Either Party may terminate upon written notice if the other materially breaches this Agreement and fails to cure within thirty (30) days.
(a) Upon termination of this Agreement for any reason, Caryfy shall promptly return to Customer or, if agreed to by Customer, destroy all PHI that Caryfy maintains in any form, and shall require any subcontractors or affiliates to do the same.
(b) If Caryfy determines that return or destruction is infeasible, Caryfy shall (i) extend the protections of this Agreement to the retained PHI, (ii) limit further use or disclosure of such PHI to those purposes that make return or destruction infeasible, and (iii) destroy the PHI as soon as the reason for retention no longer applies.
(c) For clarity, data return and destruction conducted in accordance with Section 3.4 (Data Retention and Deletion) of the Caryfy Terms of Use shall be deemed to satisfy this Section with respect to PHI, provided that Caryfy certifies destruction upon Customer's written request.
(d) All protections, restrictions, and obligations under this Agreement shall remain in effect with respect to any PHI retained pursuant to this Section until such PHI is destroyed.
Sections 3, 5.3, 6, and 7 survive termination.
In the event of conflict, this Section shall control with respect to any claim arising from the use, disclosure, or safeguarding of PHI. Caryfy shall indemnify and hold harmless Customer from third-party claims, damages, or losses arising from Caryfy's (a) breach of this Agreement, (b) violation of the HIPAA Rules, or (c) gross negligence or willful misconduct, subject to Section 7.
Customer shall indemnify and hold harmless Caryfy from claims or losses arising from Customer's breach of this Agreement or violation of HIPAA Rules, except to the extent caused by Caryfy's gross negligence or willful misconduct.
THIS INDEMNIFICATION OBLIGATION IS IN ADDITION TO, AND NOT IN LIMITATION OF, THE INDEMNIFICATION OBLIGATIONS SET FORTH IN THE CAREBRAVO™ TERMS OF USE.
The Parties shall amend this Agreement as necessary to comply with changes in the HIPAA Rules.
The terms of this Agreement shall prevail in the case of any conflict with the terms of any Underlying Contract to the extent and only to the extent of the conflict and only to the extent that it is reasonably impossible to comply with both the terms of the Underlying Contract and the terms of this Agreement.
Neither Party may assign this Agreement without the other's written consent, except to an Affiliate or successor in interest assuming all obligations.
All notices under this Agreement must be in writing and delivered (a) by email to the notice addresses specified in the applicable Order Form (or as updated in writing by a Party), (b) via the Customer portal/administrative console where expressly permitted for operational notices, or (c) by nationally recognized overnight courier. Notices are deemed given: (i) for email, when sent with confirmation of transmission and no bounce-back or system error is received; (ii) for portal postings/messages, when posted to the Customer's designated administrative account; and (iii) for courier, upon documented delivery.
Each Party is responsible for keeping its notice contact information current. Breach and Security Incident notices to Customer shall be sent by email to Customer's designated privacy/security contact(s) listed in the Order Form (with a copy to legal, if provided) and may also be posted in the Customer portal. Either Party may update its notice details by notice given in accordance with this Section.
This Agreement is governed by the laws of the State of Georgia and shall be enforceable in the courts of the State of Georgia, or in the Atlanta Division of the U.S. District Court for the Northern District of Georgia. The Parties irrevocably submit to the exclusive jurisdiction of such courts.
This Agreement is accepted electronically through Customer's acceptance of the CareBravo™ Terms of Use and does not require separate physical or digital signatures to be valid and enforceable under applicable electronic signature laws (including the U.S. E-SIGN Act and state UETA statutes).
Nothing in this Agreement shall confer upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
A 30-minute walkthrough tailored to your agency size and payer mix. No pitch deck — just what the system does and what the numbers look like for an agency like yours.