
CareAI Privacy Policy

Last updated: August 19, 2025

This Privacy Policy explains how CareAI (“CareAI,” “we,” “us,” or “our”) collects, uses, and shares information when you use our websites, applications, and related services (collectively, the “Services”).

Plain language summary (not a substitute for the full policy): we collect account, device, and health‑related information to provide the Services, keep people safe, improve reliability, and meet legal requirements. You control your data and can access, correct, export, or delete it.

1. Who we are

Data controller: CareAI Co.

Contact: privacy@careai.com.

2. Scope

This policy applies to the Services and to individuals who use them (patients, caregivers, family members, and clinicians). If you use CareAI through a healthcare provider, we may process data as a processor on the provider's behalf subject to a Business Associate Agreement (BAA) or Data Processing Agreement (DPA).

3. Information we collect

We collect information you provide to us, information collected automatically when you use the Services, and information from integrations you connect.

A) You provide

  • Profile & contact: name, email, phone, preferred language, emergency contacts.
  • Health information you enter or authorize us to access: symptoms, medications, schedules, notes.
  • Communications: messages, support requests, recorded voice notes (if you enable recording).
  • Payment & subscription details (processed by third‑party payment providers—CareAI does not store full card numbers).

B) Automatically collected

  • Device & app data: device model/OS, app version, unique identifiers, crash logs, performance metrics.
  • Usage data: features used, buttons clicked, pages viewed, session timestamps, approximate location derived from IP.

C) From integrations you connect

  • Wearables / health platforms (e.g., HealthKit / Google Fit, Bluetooth devices).
  • EHR/EMR systems or clinic software (if your organization connects these).

We only access data you explicitly authorize.

4. Why we use your information (purposes & legal bases)

  • Provide and secure the Services (perform the contract; legitimate interests).
  • Care features such as medication reminders, adherence tracking, fall alerts, voice assistant, and sharing with approved caregivers (consent; vital interests; substantial public interest where permitted).
  • Research and product improvement such as analytics, debugging, A/B testing (legitimate interests; consent where required).
  • Communications like service messages, security alerts, and—with your opt‑in—marketing (consent; legitimate interests).
  • Legal compliance including responding to lawful requests and enforcing terms (legal obligation; legitimate interests).

Special category / health data (GDPR): We process health data only with your explicit consent, to protect vital interests, or as permitted under a contract with your healthcare provider subject to appropriate safeguards (Art. 9 GDPR). You may withdraw consent at any time.

5. Sharing your information

We share information only with:

  • Your authorized contacts (family, caregivers, clinicians) when you enable sharing.
  • Service providers (cloud hosting, analytics, crash reporting, support). They may access data only to perform services for us under contract.
  • Emergency services if you trigger SOS or we reasonably believe there is imminent risk to life or safety.
  • Legal & compliance when required by law, to protect rights and safety, or in a corporate transaction (with notice and safeguards).

We do not sell your personal information and we do not use sensitive health data for targeted advertising.

6. International transfers

We may transfer data to countries with different privacy laws. Where we do, we use safeguards such as Standard Contractual Clauses (SCCs) and, for transfers to the U.S., participation in the EU‑U.S. Data Privacy Framework (DPF) (if certified). Copies of relevant safeguards are available upon request.

Note: The prior “Privacy Shield” framework has been replaced; we rely on SCCs and/or DPF where applicable.

7. Security

We use technical, organizational, and physical safeguards, including: TLS 1.3 in transit, encryption at rest for sensitive data, access controls, logging and monitoring, routine security testing, and incident response procedures. No method is 100% secure; we continuously improve our protections.

8. Retention

We retain data for as long as needed to deliver the Services and for legitimate purposes such as security, auditing, and legal compliance. Typical periods:

  • Active accounts: retained while your account is active.
  • After deletion request: deleted or anonymized within 30 days (backups within 90 days).
  • Analytics & crash logs: up to 12 months, then aggregated or deleted.

Actual periods may vary by record type and law.

9. Your choices & rights

Depending on where you live, you may have the right to access, correct, delete, or restrict the processing of your personal information, to object to processing, to data portability, and to withdraw consent.

  • EEA/UK/Swiss: rights under GDPR/UK GDPR; you may contact your Supervisory Authority.
  • California: rights under CCPA/CPRA, including to know, delete, correct, and opt‑out of the sale/share of personal information (we do not sell/share in the CPRA sense).

Request via privacy@careai.com or in‑app settings. We will verify your request and respond within required timeframes.

10. Children's privacy

CareAI is not directed to children under 13 and does not knowingly collect their data without verifiable parental consent. If you believe a child provided data, contact us and we will take appropriate action.

11. Cookies & similar technologies

Our web properties use cookies/SDKs to remember preferences, secure sessions, measure usage, and improve performance. You can manage cookies in your browser and opt‑out of certain analytics where available. Some features may not function without essential cookies.

12. Third‑party services

We integrate with analytics, crash reporting, performance monitoring, health platforms, and payment processors. Their use of information is governed by their own privacy policies. We contractually require appropriate safeguards and minimize sharing.

13. Automated decision‑making

We may use automated processing to detect anomalies (e.g., potential falls or medication non‑adherence). These detections are designed to assist—not replace—clinical judgment. You can request human review via support.

14. Security incidents

If we discover a breach of security that affects your data, we will investigate, notify you and regulators when required, and take remedial steps.

15. Changes to this policy

We will post updates here and update the “Last updated” date. If changes materially affect your rights, we will provide additional notice and seek consent where required.

16. Contact

Questions or requests: privacy@careai.com

Postal: Saudi Arabia, Eastern Region, Khobar 31952 P.O. Box 32035

Telephone: +966 5333 53318