1. Introduction

CareTrack ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our healthcare management application and website (collectively, the "Service").

We comply with the Health Insurance Portability and Accountability Act (HIPAA) and other applicable healthcare privacy regulations to protect your protected health information (PHI).

2. Information We Collect

2.1 Personal Information

• Name, email address, and phone number
• Date of birth and gender
• Account credentials (username/password)
• Profile picture and biographical information

2.2 Health Information

• Blood glucose readings and trends
• Blood pressure measurements
• Weight and BMI data
• Medication information and adherence tracking
• Medical reports and documents
• Health goals and progress tracking
• Sleep, activity, and mood data

2.3 Technical Information

• IP address and device identifiers
• Browser type and operating system
• Usage patterns and feature interactions
• Crash reports and performance data

3. How We Use Your Information

• Service Delivery: To provide, maintain, and improve the CareTrack service
• Personalization: To deliver personalized health recommendations and insights
• Communication: To send service updates, security alerts, and support responses
• AI Processing: To generate health insights using AI analysis (with your consent)
• Compliance: To comply with legal obligations and healthcare regulations
• Research: For aggregate, de-identified health trend analysis (opt-in only)
• Security: To detect, prevent, and address fraud and security issues

4. Data Security & Encryption

We implement industry-standard security measures to protect your data:

• End-to-end encryption for all health data in transit (TLS 1.2+)
• Encryption at rest using AES-256
• Secure authentication with multi-factor authentication (MFA) support
• Regular security audits and penetration testing
• HIPAA-compliant database hosting on Supabase
• Access controls limiting data access to authorized personnel

5. Data Retention

We retain your health data as long as your account is active. Upon account deletion, we:

• Delete or de-identify your personal health information within 30 days
• Retain anonymized data for research purposes (opt-in only)
• Keep backup copies for up to 90 days for data recovery purposes
• Comply with legal retention requirements for billing records (7 years)

6. Data Sharing & Disclosure

We do NOT sell your personal health information. We may share data only with:

• Healthcare Providers: When you explicitly authorize sharing with your doctor
• Service Providers: Third parties who assist us (bound by confidentiality agreements)
• Legal Requirements: When required by law or court order
• Your Consent: With explicit permission for specific purposes

7. AI & Automated Decision Making

Our AI assistant provides general health information and insights. Important limitations:

• AI responses are NOT medical diagnoses or treatment recommendations
• Always consult a healthcare professional for medical decisions
• AI may not account for all your medical history or individual factors
• We never use automated decision-making for critical healthcare decisions

8. Your Rights

You have the following rights regarding your health data:

• Access: Request a copy of your health information
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your account and data
• Portability: Export your data in a machine-readable format
• Opt-out: Withdraw consent for data processing at any time

To exercise these rights, contact us at privacy@caretrack.health

9. HIPAA Compliance

CareTrack is HIPAA-compliant and maintains a Business Associate Agreement (BAA) with our service providers. We safeguard your PHI in accordance with HIPAA regulations and maintain administrative, physical, and technical safeguards.

10. Third-Party Services

Our service may use third-party services:

• Supabase: Database hosting (HIPAA-compliant)
• Vercel Blob: Secure file storage
• OpenAI: AI processing (encrypted data with usage policy)

These providers are contractually obligated to maintain the confidentiality and security of your information.

11. Children's Privacy

CareTrack is not intended for users under 13. We do not knowingly collect information from children under 13. If we become aware of such collection, we will delete the information and terminate the account.

12. International Data Transfers

Your data is stored and processed in the United States. By using CareTrack, you consent to the transfer of your information to the US for processing according to this Privacy Policy.

13. Policy Changes

We may update this Privacy Policy at any time. Changes will be effective immediately upon posting. We will notify you of material changes via email or prominent notice on our website.

14. Contact Us

For privacy inquiries or to exercise your data rights: