Version 2026-05-28-draft-1
This Privacy Policy describes how CareML Health ("we") collects, uses, and shares information when you use the Service. This is the consumer-facing privacy policy; HIPAA-covered handling is governed separately by our Business Associate Agreement.
CareML uses the following sub-processors. Each handles only the data described:
Each sub-processor's role is bounded by a written agreement. The current sub-processor list is published at /sub-processors (forthcoming).
Clinical content is retained for at least six (6) years per HIPAA. Account-level metadata persists for the life of the account plus the legally required retention period. Audit-log events are append-only and retained per § 6.
Authentication events, PHI-access events, and configuration changes are written to an append-only hash-chained log. The chain can be independently verified.
You may request access to or deletion of your personal information by emailing [email protected]. PHI access is governed by your organization's HIPAA Privacy Officer.
We may update this Policy. Material changes are re-presented to you for acceptance at next sign-in.
Privacy questions: [email protected].