Your Privacy Matters

Privacy Policy

CareMetric AI is committed to protecting your privacy and safeguarding your data with industry-leading security practices.

Effective: February 1, 2026
Last Updated: February 19, 2026

Introduction

CareMetric AI, Inc. ("CareMetric AI," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you visit our website at caremetric.ai, use our electronic health record (EHR) platform, or interact with any of our services (collectively, the "Services").

By accessing or using our Services, you agree to this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Services.

CareMetric AI is designed for healthcare providers and their practices. Protected Health Information (PHI) processed through our platform on behalf of healthcare providers is governed by our Business Associate Agreement (BAA) and the Health Insurance Portability and Accountability Act (HIPAA). This Privacy Policy addresses the collection and use of non-PHI data and general website visitor information.

Information We Collect

Information You Provide Directly

  • Account registration information (name, email address, phone number, professional credentials)
  • Practice and organization details (practice name, NPI number, address, specialty)
  • Billing and payment information (processed securely through Stripe; we do not store full card numbers)
  • Communications you send to us (support requests, feedback, inquiries)
  • Information submitted through forms, surveys, or promotional sign-ups
  • Professional license and credentialing information

Information Collected Automatically

  • Device and browser information (IP address, browser type, operating system, device identifiers)
  • Usage data (pages visited, features used, time spent, click patterns, search queries)
  • Log data (access times, error logs, referring URLs)
  • Cookies and similar tracking technologies (see "Cookies" section below)
  • Geolocation data (approximate location based on IP address)

Information from Third Parties

  • Identity verification services for provider credentialing
  • Payment processors (transaction confirmation, fraud prevention data)
  • Analytics providers (aggregated usage statistics)
  • Public databases (NPI registry, state licensing boards) for verification purposes

How We Use Your Information

We use the information we collect for the following purposes:

  • Provide and maintain our Services: Including account creation, platform access, feature delivery, and customer support
  • Improve and develop our Services: Analyzing usage patterns to enhance user experience, develop new features, and optimize performance
  • Personalize your experience: Tailoring content, templates, and recommendations based on your specialty and usage patterns
  • Process transactions: Managing billing, subscriptions, and payment processing
  • Communicate with you: Sending service-related notices, updates, security alerts, and support messages
  • Marketing communications: With your consent, sending product updates, newsletters, and promotional offers (you may opt out at any time)
  • Ensure security and compliance: Detecting fraud, enforcing our terms, and complying with legal obligations
  • AI model improvement: De-identified, aggregated data may be used to improve our AI documentation and clinical decision support features (never individual PHI)

HIPAA and Protected Health Information

CareMetric AI operates as a Business Associate under HIPAA when processing Protected Health Information (PHI) on behalf of healthcare providers (Covered Entities). Our handling of PHI is governed by:

  • Our executed Business Associate Agreement (BAA) with each healthcare provider
  • The HIPAA Privacy Rule (45 CFR Part 164, Subpart E)
  • The HIPAA Security Rule (45 CFR Part 164, Subpart C)
  • The HITECH Act and Omnibus Rule requirements

We implement administrative, physical, and technical safeguards as required by HIPAA to protect PHI. PHI is encrypted at rest (AES-256) and in transit (TLS 1.3). Access to PHI is strictly controlled through role-based access controls and audit logging.

We do not sell, rent, or trade PHI under any circumstances. We do not use PHI for marketing purposes. PHI is only used as permitted by HIPAA and our BAA with the applicable Covered Entity.

How We Share Your Information

We may share your information in the following circumstances:

  • Service providers: We work with trusted third-party vendors who assist in operating our Services (hosting, payment processing, email delivery, analytics). These providers are contractually bound to protect your information and may only use it to perform services on our behalf.
  • Business transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
  • Legal compliance: When required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of CareMetric AI, our users, or the public.
  • With your consent: We may share information for purposes not described in this Privacy Policy with your explicit consent.

We do not sell your personal information to third parties. We do not share your data with advertisers or data brokers.

Third-Party Authentication (Google Sign-In)

CareMetric AI offers the option to sign in using your Google account ("Sign in with Google") as a convenience alongside our standard email and password authentication. This section describes how we handle the data received from Google when you use this feature.

What Data We Receive from Google

When you choose to sign in with Google, we receive only the information Google makes available through the OAuth 2.0 authentication flow. This is limited to:

  • Your Google account email address
  • Your full name as stored in your Google profile
  • Your Google profile photo (avatar)
  • A unique Google account identifier used to link your CareMetric AI account

We do not request, receive, or store access to any other Google services, Google Drive files, Gmail messages, Google Calendar data, or any other data beyond what is listed above.

How We Use This Data

  • To create or authenticate your CareMetric AI account
  • To pre-populate your display name and avatar within the application
  • To identify your account on future sign-ins

We do not use your Google account data for advertising, marketing profiling, or any purpose unrelated to providing you with access to CareMetric AI.

Google Limited Use Policy

CareMetric AI's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only use Google user data to provide and improve the CareMetric AI service
  • We do not transfer Google user data to third parties except as necessary to provide our service
  • We do not use Google user data for serving advertisements
  • We do not allow humans to read Google user data unless you have given us explicit permission, it is necessary for security purposes, or it is required by law

Revoking Google Access

You may revoke CareMetric AI's access to your Google account at any time by visiting your Google Account Permissions page and removing CareMetric AI. Revoking access will not delete your CareMetric AI account or any clinical data. You may continue to sign in using your email and password after revoking Google access.

SMS/Text Messaging

CareMetric AI enables healthcare practices to send transactional and informational SMS text messages to patients who have provided explicit opt-in consent. This section describes how we collect, use, and protect mobile phone numbers and SMS consent data.

What We Collect

We collect your mobile phone number when you provide it during patient registration or through the patient portal to receive SMS notifications about your healthcare appointments and care. We use your mobile number solely to deliver transactional and informational text messages on behalf of your registered healthcare provider, including appointment reminders, appointment confirmations, care follow-up notifications, assessment completion requests, and health-related messages. We do not use your mobile number for marketing or promotional purposes.

No Sharing of SMS/Mobile Data with Third Parties

All of the sharing categories described above exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties. Mobile opt-in data, including phone numbers collected for SMS notifications, will not be shared with, sold to, or transferred to third parties for marketing or promotional purposes.

We may share your personal data, including your SMS opt-in or consent status, with third parties that help us provide our messaging services, including but not limited to platform providers, phone companies, and any other vendors who assist us in the delivery of text messages. These service providers are contractually bound to protect your information and may only use it to perform messaging services on our behalf.

How to Opt Out of SMS

To stop receiving SMS notifications, reply STOP to any text message, update your preferences in the patient portal, or contact your healthcare provider directly. Opt-out requests are processed immediately and all pending messages are cancelled. You may also reply HELP to any message for assistance.

Contact Us About SMS

For questions about SMS notifications or how we handle your mobile information, contact us at support@caremetricai.com or visit caremetric.ai.

Data Security

We implement industry-leading security measures to protect your information, including:

  • AES-256 encryption for all data at rest
  • TLS 1.3 encryption for all data in transit
  • SOC 2 Type II certified infrastructure
  • Role-based access controls with principle of least privilege
  • Multi-factor authentication for all administrative access
  • Regular penetration testing and vulnerability assessments
  • 24/7 infrastructure monitoring and intrusion detection
  • Comprehensive audit logging of all system access
  • Automated backup with encrypted off-site storage
  • Incident response procedures with breach notification within 72 hours

While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.

Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience:

Essential Cookies

Required for the Services to function properly (authentication, session management, security). These cannot be disabled.

Analytics Cookies

Help us understand how visitors interact with our website and Services to improve performance and user experience.

Preference Cookies

Remember your settings and preferences (language, display options, specialty configurations) for a more personalized experience.

You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of our Services. We do not use third-party advertising cookies.

Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete personal information
  • Deletion: Request deletion of your personal information, subject to legal retention requirements
  • Portability: Request a machine-readable copy of your data
  • Restriction: Request restriction of processing of your personal information
  • Objection: Object to processing of your personal information for certain purposes
  • Opt-out of marketing: Unsubscribe from marketing communications at any time via the unsubscribe link in emails or by contacting us

To exercise any of these rights, contact us at privacy@caremetric.ai. We will respond to your request within 30 days.

Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with our Services. We will also retain and use your information as necessary to:

  • Comply with legal obligations (including HIPAA record retention requirements)
  • Resolve disputes and enforce our agreements
  • Maintain business records as required by applicable law

When your account is terminated, we will delete or anonymize your personal information within 90 days, except where retention is required by law. PHI retention is governed by HIPAA requirements and our BAA with the applicable healthcare provider.

Children's Privacy

Our Services are designed for healthcare professionals and are not directed at individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take steps to delete that information promptly.

Patient data involving minors is processed as PHI under HIPAA and our BAA, and is subject to the protections described in the "HIPAA and Protected Health Information" section above.

State-Specific Privacy Rights

California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including:

  • Right to know what personal information is collected, used, shared, or sold
  • Right to delete personal information held by businesses
  • Right to opt-out of the sale or sharing of personal information (we do not sell personal information)
  • Right to non-discrimination for exercising your privacy rights
  • Right to correct inaccurate personal information
  • Right to limit the use and disclosure of sensitive personal information

Other State Privacy Laws

We comply with applicable state privacy laws, including those in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states with comprehensive privacy legislation. Residents of these states may have additional rights. Contact us for state-specific information.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Post the updated Privacy Policy on this page with a new "Last Updated" date
  • Notify you via email if changes are material (for registered users)
  • Provide a prominent notice on our website for significant changes

We encourage you to review this Privacy Policy periodically. Your continued use of the Services after changes are posted constitutes your acceptance of the revised Privacy Policy.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

CareMetric AI, Inc.

Attn: Privacy Officer

Email: privacy@caremetric.ai

General inquiries: info@caremetric.ai

For HIPAA-related privacy concerns or to report a potential breach, please contact us immediately at security@caremetric.ai.
