Privacy Policy

Last updated: March 18, 2026

PalmCare AI ("we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our platform at palmcareai.com and any related services (collectively, the "Service").

1. Information We Collect

Information You Provide

  • Account Information: Name, email address, phone number, company/agency name, and password when you register for an account.
  • Business Information: Agency name, state of incorporation, business registration number, address, and licensing details.
  • Client & Care Data: Client names, care assessments, caregiver information, visit records, and related care documentation that you input into the platform.
  • Audio Recordings & Transcripts: Audio recordings of care assessments that you upload for AI-powered transcription, speaker identification, and documentation generation. See Section 4 for recording consent requirements.
  • Assessment Data: Structured assessment information including ADLs, IADLs, cognitive screening results, medical conditions, and care needs as captured during provider assessments.
  • Payment Information: Billing details processed securely through our third-party payment processor (Stripe). We do not store full credit card numbers on our servers.
  • Communications: Support tickets, emails, and other correspondence you send to us.

Information Collected Automatically

  • Usage & Engagement Data: Pages visited, features used, timestamps, session duration, login frequency, and interaction patterns used for platform analytics and engagement scoring.
  • Device Information: Browser type, operating system, IP address, device identifiers, screen resolution, and language preferences.
  • Mobile Device Data: If you access the Service through a mobile application or mobile browser, we may collect your mobile device ID, push notification tokens, device model, mobile operating system version, and mobile carrier information.
  • Microphone Access: The Service requests microphone permission solely for the purpose of recording care assessments. Microphone access is only activated when you explicitly initiate a recording session. We do not access your microphone in the background.
  • Cookies: We use essential cookies for authentication and session management. See Section 8 for details.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service, including AI-powered transcription, contract generation, and care documentation.
  • Process your transactions and manage your subscription.
  • Send transactional emails (account verification, password resets, billing receipts).
  • Provide customer support and respond to your inquiries.
  • Improve and personalize the Service through usage analytics.
  • Detect, prevent, and address security issues and fraudulent activity.
  • Comply with legal obligations, including healthcare data regulations.

3. Data Sharing & Disclosure

We do not sell your personal information. We may share information with:

  • Service Providers: Third-party vendors who assist in operating the Service (e.g., cloud hosting, payment processing, email delivery). These providers are contractually obligated to protect your data.
  • AI Processing Partners: Audio and transcript data may be processed by AI service providers (e.g., Deepgram for transcription, Anthropic Claude for analysis) for transcription and document generation. Data is transmitted securely and is not used to train third-party models.
  • Legal Requirements: When required by law, subpoena, or government request, or to protect our rights, safety, or property.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users.

4. Healthcare Data & HIPAA

We recognize that the Service may be used to process Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA). We implement the following safeguards:

  • Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Access Controls: Role-based access with secure authentication, session timeouts, and audit logging.
  • Data Isolation: Each agency's data is logically isolated and inaccessible to other customers.
  • Audit Trails: All access to sensitive data is logged for compliance and security purposes.
  • Business Associate Agreements: We will enter into a BAA with covered entities upon request. Contact us at [email protected] to arrange this.

5. Audio Recording & Consent Disclosures

PalmCare AI processes audio recordings of care assessments to generate transcripts, visit notes, service contracts, and billable item documentation. Recording consent requirements vary by state.

Two-Party (All-Party) Consent States

If you or your clients are located in any of the following states, all parties must consent before any audio recording takes place:

California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Oregon (in-person), Pennsylvania, Washington

All other states follow one-party consent rules under federal law (18 U.S.C. §2511), meaning at least one participant (typically the person recording) must consent.

Your Consent Obligations

  • Provider Responsibility: As the agency using PalmCare AI, you are responsible for obtaining appropriate consent from clients and caregivers before recording assessments.
  • Cross-State Calls: When participants are in different states, the stricter state's consent law applies. When in doubt, obtain consent from all parties.
  • Consent Documentation: We recommend documenting consent in writing as part of your intake or service agreement process.
  • Platform Support: PalmCare AI provides consent notification features to assist with compliance, but does not replace your legal obligation to obtain valid consent.

How We Process Recordings

  • Transcription: Audio is converted to text using AI speech-to-text technology.
  • Speaker Identification: AI identifies different speakers in the recording (provider vs. client).
  • Documentation: Transcripts are analyzed to generate visit notes, extract billable services, and create service agreements.
  • Storage: Recordings are encrypted at rest (AES-256) and in transit (TLS 1.2+). Audio is retained according to the schedule in Section 6.
  • No Third-Party Training: Your audio recordings are never used to train third-party AI models.

6. Data Retention

  • Account data is retained for the duration of your active subscription and for 90 days following account closure.
  • Audio recordings are retained for 30 days after processing, then permanently deleted unless you choose to retain them.
  • Generated contracts, notes, and care documentation are retained for the life of your account.
  • Audit logs are retained for a minimum of 6 years for compliance purposes.
  • You may request deletion of your data at any time by contacting [email protected].

7. Data Security

We implement industry-standard technical and organizational measures to protect your data, including:

  • 256-bit AES encryption for data at rest
  • TLS 1.2+ encryption for data in transit
  • Secure password hashing (bcrypt)
  • Regular security assessments and vulnerability scanning
  • Multi-factor authentication support
  • Automatic session timeouts after periods of inactivity

While we strive to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

8. Cookies & Tracking

We use the following types of cookies:

  • Essential Cookies: Required for authentication, session management, and security. These cannot be disabled.
  • Analytics Cookies: Help us understand how users interact with the Service to improve the experience. These can be opted out of.

We do not use advertising cookies or sell data to advertisers.

9. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your personal data, subject to legal retention requirements.
  • Portability: Request a machine-readable export of your data.
  • Opt-Out: Unsubscribe from marketing emails at any time using the link in any email.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

10. California Privacy Rights (CCPA)

If you are a California resident, you have the right to know what personal information we collect, request its deletion, and opt out of any sale of personal information. We do not sell personal information. To make a request, contact [email protected].

11. Account & Data Deletion

You have the right to delete your account and all associated data at any time. We provide multiple ways to exercise this right:

How to Delete Your Account

  • In-App: Navigate to Settings > Account > Delete Account. This will initiate permanent deletion of your account and all associated data.
  • By Email: Send a deletion request to [email protected] from the email address associated with your account.
  • Via Web: Log in at palmcareai.com, go to Settings, and select "Delete Account."

What Gets Deleted

  • Your user profile, login credentials, and account settings
  • All client records, assessments, care plans, and contracts you created
  • Audio recordings and transcripts
  • Billing history and subscription data (Stripe retains transaction records per their policy)
  • Push notification tokens and device registrations

Deletion Timeline

Account deletion is processed within 30 days of your request. Some data may be retained for up to 90 days in encrypted backups before permanent removal. Audit logs required by HIPAA or other legal obligations may be retained for up to 6 years as required by law, but will be disassociated from your personal identity.

12. Sensitive Health Data & Consent

The Service processes sensitive health-related data including patient assessments, medical conditions, care needs, and clinical documentation. We handle this data with the highest standard of care:

  • Explicit Consent: By using the Service to input or record health data, you confirm that you have obtained all necessary consents from the individuals whose health information is being processed.
  • Purpose Limitation: Health data is processed solely for the purpose of generating care documentation, assessments, contracts, and billing records as part of the Service. It is never used for advertising, marketing, or profiling purposes.
  • No Sale of Health Data: We never sell, rent, or trade health data to any third party for any purpose.
  • AI Processing: Health data processed by AI systems (transcription, document generation) is handled in accordance with Section 4 (HIPAA) and Section 5 (Audio Recording) of this policy. AI outputs are tools to assist healthcare professionals and do not constitute medical advice.
  • Minimum Necessary: We only collect and process the minimum amount of health data necessary to provide the specific Service features you use.

13. Third-Party Services & SDKs

The Service integrates with the following third-party services. Each processes data according to their own privacy policies:

  • Deepgram (Speech-to-Text): Processes audio recordings for transcription. Audio is transmitted securely and is not retained by Deepgram after processing. See the Deepgram Privacy Policy.
  • Anthropic (AI Analysis): Processes transcript text for document generation (care plans, contracts, billable items). Data is not used to train Anthropic's models. See the Anthropic Privacy Policy.
  • Stripe (Payments): Processes payment information. We do not store credit card numbers. See the Stripe Privacy Policy.
  • Resend (Email): Delivers transactional and service emails on our behalf. See the Resend Privacy Policy.
  • Railway (Hosting): Hosts our API infrastructure. All data is encrypted in transit and at rest. See the Railway Privacy Policy.
  • Google (Calendar, OAuth): Optional integration for demo scheduling and calendar sync. Only activated when you explicitly connect your Google account. See the Google Privacy Policy.

We vet all third-party service providers for appropriate security and privacy practices. We do not permit any third-party SDK or service to collect data from our users for advertising or unrelated purposes.

14. AI-Generated Content Disclaimer

The Service uses artificial intelligence to generate documents including care plans, clinical notes, service contracts, and billable item summaries. Please be aware of the following:

  • Assistance Tool: AI-generated content is intended as a professional assistance tool, not a replacement for clinical judgment, legal advice, or medical decision-making.
  • Review Required: All AI-generated documents should be reviewed by a qualified professional before use. You are responsible for verifying the accuracy and appropriateness of generated content.
  • No Guarantees: While we strive for accuracy, AI-generated content may contain errors or omissions. PalmCare AI is not liable for decisions made based on AI-generated output.
  • Transparency: Documents generated by AI are clearly identified as such within the Service.

15. International Data Transfers

The Service is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States where our servers are located and our central database is operated. By using the Service, you consent to the transfer of your information to the United States. We ensure that any international data transfers are conducted with appropriate safeguards in compliance with applicable data protection laws.

16. Permissions We Request

The Service may request the following device permissions. Each permission is used solely for its stated purpose and can be revoked at any time through your device settings:

  • Microphone: Required for recording care assessments via voice. Only active during explicit recording sessions initiated by you.
  • Camera: Optional. Used for document scanning or profile photo capture if you choose to use these features.
  • Notifications: Optional. Used to send reminders, task alerts, and team messages. Can be disabled in settings.
  • Internet Access: Required for core functionality including data sync, AI processing, and real-time collaboration.
  • Storage: Used for caching data offline and storing downloaded reports or exported documents.

17. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn we have collected information from a child under 18, we will promptly delete it.

18. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

19. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new "Last updated" date. For significant changes, we will also send a notification to the email associated with your account.

20. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

PalmCare AI

Email: [email protected]

Website: palmcareai.com