DRAFT — pending counsel review
This version of the Privacy Policy is a draft placeholder. It is not legal advice and is not yet binding in its current form. CareML Health is operating in demo / non-PHI mode until the counsel-reviewed version of these Terms — and all required Business Associate Agreements with our sub-processors — are executed.

Privacy Policy

Version 2026-05-28-draft-1

1. Scope

This Privacy Policy describes how CareML Health ("we") collects, uses, and shares information when you use the Service. This is the consumer-facing privacy policy; HIPAA-covered handling is governed separately by our Business Associate Agreement.

2. Information We Collect

  • Account information: name, email, professional credentials (NPI, specialty), phone.
  • Authentication metadata: sign-in events, IP, user agent, MFA enrollment state.
  • Clinical content you enter: drafts, notes, generated artifacts, attached documents. Treated as PHI from the moment you enter it.
  • Operational telemetry: error reports, performance metrics, audit-log events.

3. How We Use Information

  • Provide the Service and the clinical features you request.
  • Maintain security (rate limiting, lockouts, MFA, audit logging).
  • Improve the Service in aggregate, without exposing identifiable data.
  • Comply with legal obligations including HIPAA recordkeeping.

4. Sub-Processors

CareML uses the following sub-processors. Each handles only the data described:

  • Anthropic (Claude API): clinical inquiry, brainstorm, and artifact-generation prompts.
  • Voyage AI / MongoDB: text embeddings for retrieval.
  • Supabase: database, authentication, file storage.
  • Stripe: subscription billing only (no PHI).

Each sub-processor's role is bounded by a written agreement. The current sub-processor list is published at /sub-processors (forthcoming).

5. Retention

Clinical content is retained for at least six (6) years per HIPAA. Account-level metadata persists for the life of the account plus the legally required retention period. Audit-log events are append-only and retained per § 6.

6. Audit-Log Tamper Protection

Authentication events, PHI-access events, and configuration changes are written to an append-only hash-chained log. The chain can be independently verified.

7. Your Rights

You may request access to or deletion of your personal information by emailing [email protected]. PHI access is governed by your organization's HIPAA Privacy Officer.

8. Changes

We may update this Policy. Material changes are re-presented to you for acceptance at next sign-in.

9. Contact

Privacy questions: [email protected].

Version 2026-05-28-draft-1Terms of Service →