1. Introduction
CareConvo AI, Inc. ("CareConvo AI," "we," "our," or "us") is committed to protecting the privacy and security of our customers' and their patients' information. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our AI patient engagement platform and related services (collectively, the "Services").
As a healthcare technology company, we are subject to the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations. We take our obligations under HIPAA seriously and have implemented extensive technical, administrative, and physical safeguards to protect Protected Health Information (PHI).
2. Information We Collect
2.1 Customer Information (Business Customers)
When healthcare organizations sign up for CareConvo AI, we collect:
- Organization name, type, and contact information
- Billing and payment information (processed via PCI-compliant payment processors)
- Account credentials and access logs
- EHR integration credentials and API access tokens
- Usage data and analytics related to platform performance
2.2 Patient Information (End Users)
Patient information processed through CareConvo AI is considered Protected Health Information (PHI) under HIPAA. This information is processed on behalf of our healthcare organization customers under a Business Associate Agreement (BAA). Patient information may include:
- Name, date of birth, and contact information
- Appointment information and scheduling data
- Pre-visit intake responses and medical history
- Medication information and adherence data
- Symptom reports and triage assessment results
- Conversation history with the CareConvo virtual assistant
3. How We Use Information
We use collected information to:
- Provide, operate, and improve the CareConvo AI platform
- Process patient engagement interactions on behalf of healthcare customers
- Deliver appointment reminders, intake forms, medication reminders, and follow-up communications
- Detect and prevent fraud, security incidents, and technical errors
- Comply with legal obligations
- Communicate with customers about platform updates, features, and support
We do not sell patient data. We do not use PHI for advertising purposes. We do not share PHI with third parties except as required to provide the Services (e.g., SMS delivery providers) or as required by law.
4. HIPAA Compliance
CareConvo AI functions as a Business Associate under HIPAA for all healthcare organization customers. We sign a Business Associate Agreement (BAA) with every customer before any PHI is processed through our platform. Our HIPAA compliance program includes:
- Annual risk analyses as required by the HIPAA Security Rule
- Workforce training on the HIPAA Privacy and Security Rules
- Technical safeguards including AES-256 encryption at rest and TLS 1.3 in transit
- Access controls, audit logging, and adherence to the minimum necessary standard
- Breach notification procedures in compliance with 45 CFR §§ 164.400-414
5. Data Security
We maintain a current SOC 2 Type II attestation report from an independent auditor and implement industry-leading security practices including:
- AES-256 encryption for all data at rest
- TLS 1.3 for all data in transit
- Multi-factor authentication for all administrative access
- Regular penetration testing by independent security firms
- 24/7 security monitoring and incident response
- Disaster recovery with a recovery point objective (RPO) of less than 1 hour and a recovery time objective (RTO) of less than 4 hours
6. Data Retention
We retain PHI for the duration of our contract with the relevant healthcare organization customer, plus any retention period required by applicable law. (HIPAA itself requires that compliance documentation be kept for 6 years under 45 CFR § 164.316(b)(2); retention periods for medical records are set by state law and may be longer.) Upon contract termination, customers may request export of their data, after which data is securely deleted within 30 days.
Non-PHI customer account data is retained for the duration of the customer relationship plus 3 years for legal and billing purposes.
7. Your Rights
As a patient, your privacy rights are governed primarily by your healthcare provider's privacy practices and HIPAA. If you wish to access, correct, or request deletion of your information, please contact your healthcare provider directly.
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA). Please see our California Privacy Notice for more information.
8. Cookies and Tracking
Our marketing website uses cookies for analytics (Google Analytics) and to remember your preferences. You can opt out of analytics tracking by adjusting your browser settings or using the Google Analytics opt-out browser add-on. The CareConvo AI patient-facing chat interface does not use tracking cookies.
9. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes by posting the updated policy on this page with a revised effective date, and for significant changes, by email or in-app notification to affected customers.
10. Contact Us
For privacy-related questions, to exercise your rights, or to report a suspected privacy incident, please contact our Privacy Officer:
- Email: privacy@careconvo.ai
- Mail: CareConvo AI, Inc., Attn: Privacy Officer, 123 Health Innovation Drive, San Francisco, CA 94105
For urgent security incidents, please email security@careconvo.ai.