Privacy Policy

1. Scope and Applicability

This Privacy Policy describes the privacy practices of CareCentra, Inc. (“CareCentra,” “we,” “us,” or “our”) in connection with our website at carecentra.com and ris.carecentra.com (the “Sites”), our mobile application (the “App”), and our clinical platform services (collectively, the “Services”).

This policy applies to all visitors, patients, caregivers, healthcare providers, and other individuals who interact with our Services. If you are a patient whose health system or health plan uses CareCentra, certain information about you is also governed by HIPAA and the terms of our Business Associate Agreement with your provider or plan -- see Section 5 for details.

2. Information We Collect

Information You Provide Directly

• Account and contact information: name, email address, phone number, date of birth, mailing address
• Eligibility and enrollment data: insurance plan, provider name, diagnosis information submitted through eligibility check forms
• Patient-reported data: symptom surveys, quality of life assessments, medication logs, and feedback submitted through the App
• Communications: messages to our care team, support requests, and any other information you provide when contacting us

Information Collected From Connected Devices

• Biometric and clinical data: spirometry readings (FEV1, FVC, PEF), pulse oximetry (SpO2), inhaler usage and technique quality from connected smart inhalers
• Environmental data: local air quality index, pollen counts, temperature, and humidity readings from integrated environmental data sources

Information Collected Automatically

• Device and usage information: IP address, browser type, device identifiers, operating system, pages visited, time stamps, and referring URLs
• App usage data: feature interactions, session duration, notification engagement, and crash reports

Information From Third Parties

• Health system and payer data: clinical records, ADT (Admission, Discharge, Transfer) feeds, medication lists, and care plans received via HL7 FHIR or other interoperability protocols from your healthcare provider or health plan

3. How We Use Your Information

We use the information we collect for the following purposes:

• Deliver clinical services: operate the CareCentra platform, generate personalized nudges and alerts, predict exacerbation risk, and support care team interventions
• Improve health outcomes: analyze population-level trends to improve our algorithms, clinical protocols, and intervention strategies
• Communicate with you: send medication reminders, health tips, appointment follow-ups, and respond to your inquiries
• Operate and improve our Services: monitor platform performance, troubleshoot issues, develop new features, and conduct quality assurance
• Research and analytics: generate de-identified, aggregate analyses for clinical research, quality improvement, and publication -- never using individually identifiable data without proper authorization or consent
• Comply with legal obligations: meet regulatory requirements, respond to lawful requests, and enforce our terms

4. How We Share Your Information

CareCentra does not sell your personal information. We do not share your information for third-party advertising. We share information only in the following circumstances:

5. HIPAA and Protected Health Information

When CareCentra processes Protected Health Information (PHI) on behalf of a covered entity (your health system or health plan), that data is governed by HIPAA and our Business Associate Agreement -- not solely by this Privacy Policy. In the event of a conflict between this policy and our obligations under HIPAA, HIPAA controls.

For detailed information about our HIPAA compliance program, including safeguards, breach notification procedures, and how we support individual rights under HIPAA, please visit our HIPAA Compliance page.

6. Cookies and Tracking Technologies

Our Sites use cookies and similar technologies to operate, analyze usage, and improve your experience. We use the following types:

We do not use cookies for behavioral advertising. You can manage cookie preferences through your browser settings. Disabling certain cookies may affect Site functionality.

7. Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this policy, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:

• PHI: retained per our BAA with the applicable covered entity, typically a minimum of six years
• Account data: retained for the duration of the account relationship plus a reasonable wind-down period
• Website usage data: typically retained for up to 26 months
• De-identified research data: may be retained indefinitely as it is no longer individually identifiable

When data is no longer needed, it is securely deleted or de-identified in accordance with NIST SP 800-88 guidelines.

8. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access: request a copy of the personal information we hold about you
• Correction: request correction of inaccurate or incomplete information
• Deletion: request deletion of your personal information, subject to legal retention obligations
• Portability: receive your data in a structured, machine-readable format
• Opt-out of sale: CareCentra does not sell personal information -- no action required
• Non-discrimination: we will not discriminate against you for exercising your privacy rights

To exercise any of these rights, contact us at privacy@carecentra.com. We will respond within the timeframes required by applicable law. We may need to verify your identity before processing a request.

9. State-Specific Rights

California Residents (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect, request its deletion, opt out of its sale (we do not sell personal information), and limit the use of sensitive personal information. Note that personal information processed under HIPAA as part of clinical operations is exempt from the CCPA/CPRA. For non-HIPAA data, California residents may submit requests to privacy@carecentra.com or call our toll-free number below.

Other State Privacy Laws

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws may have additional rights, including the right to appeal a decision regarding a privacy request. To appeal a denied request, contact privacy@carecentra.com with the subject line “Privacy Appeal.”

10. Children's Privacy

CareCentra's Services are not directed to children under the age of 13. We do not knowingly collect personal information from children under 13 without verifiable parental consent. If a child under 13 is enrolled in the CareCentra platform through a participating health system, that enrollment is governed by HIPAA and the covered entity's authorization processes -- not by general online data collection rules. If you believe we have inadvertently collected information from a child under 13 outside of a HIPAA-governed relationship, please contact us immediately.

11. Data Security

We implement administrative, technical, and physical safeguards designed to protect your personal information against unauthorized access, disclosure, alteration, and destruction. These include AES-256 encryption at rest, TLS 1.2+ encryption in transit, role-based access controls, multi-factor authentication, and continuous monitoring. For full details, visit our Security page.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee its absolute security.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last Updated” date at the top of this page and, where required by law, provide additional notice (such as an in-app notification or email). Your continued use of the Services after the effective date of a revised policy constitutes your acceptance of the changes.

13. Contact Us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or need to report a privacy concern, please contact us:

• Email: privacy@carecentra.com
• Mail: CareCentra, Inc., Attn: Privacy Office

For HIPAA-specific inquiries, contact our HIPAA Privacy Officer at hipaa@carecentra.com.