Privacy Policy
HIPAA-Compliant Privacy Practices
Effective Date: February 15, 2026
Arthur Ford, LLC, a Virginia limited liability company doing business as CareCoordinate ("Company," "we," "us," or "our"), is committed to protecting the privacy and security of your personal and health information. This Privacy Policy ("Policy") describes how we collect, use, store, share, and protect information when you use the CareCoordinate platform, including our website, mobile applications, and AI-powered care assistant (collectively, the "Service").
CareCoordinate is not a healthcare provider, health plan, or healthcare clearinghouse. To the extent we process protected health information ("PHI") as defined under the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA") on behalf of a covered entity, we are committed to safeguarding your health information in compliance with HIPAA, the HITECH Act, and their implementing regulations. This Policy also serves as our notice regarding our privacy practices.
1. Information We Collect
We collect the following categories of information:
Account Information: Your name, email address, phone number (if provided for optional SMS verification), and encrypted password.
Protected Health Information (PHI): Care recipient names, medical conditions, diagnoses, medications (including names, dosages, frequencies, and prescribing providers), healthcare provider information, care notes, daily visit records, appointment details, and other health-related data you enter into the platform.
Care Circle Data: Information about your caregiving team members, roles, relationships, and permissions.
Financial Information: Bill tracking data, insurance plan details, and subscription payment information. Payment processing is handled by Stripe — we do not store your credit card numbers on our servers.
Pet Care Data: Pet profiles, veterinary information, medications, and check-in records.
Usage Data: Device tokens for push notifications, session information, IP addresses, browser type, and interaction data necessary to provide and secure the Service.
2. Legal Bases for Processing
We process your information under the following legal bases:
Contractual Necessity: To provide the CareCoordinate Service as described in our Terms of Service.
Consent: For processing PHI through AI features, which you may grant or withdraw at any time through your care circle settings.
Legitimate Interests: To maintain, secure, and improve the Service, provided such interests are not overridden by your rights.
Legal Obligation: To comply with HIPAA, tax, and other regulatory requirements.
3. How We Use Your Information
We process personal and health information solely at your direction and for the purpose of providing the Service. In doing so, we use your information for the following purposes:
Care Coordination: To enable you and your caregiving team to organize, share, and manage care information for the care recipient.
AI Assistant: To power our AI-powered care assistant, which uses your care circle data to provide contextual responses, answer questions, and help manage care tasks. See Section 5 for full details on AI data processing.
Notifications: To send you alerts about appointments, medications, care tasks, and other time-sensitive information you have configured.
Service Operation: To maintain, improve, monitor, and secure the Service, including detecting and preventing fraud or abuse.
Community Features: To enable participation in our caregiver support forums.
We do not monitor, verify, or validate the accuracy, completeness, or appropriateness of information entered into the Service.
Important: Forum posts are visible to other CareCoordinate users. Do not share protected health information in community posts. We implement content warnings but cannot prevent and are not responsible for any disclosures made by users in public or community areas. You are solely responsible for information you share in public forum areas.
4. Third-Party Service Providers
We share information with the following third-party service providers, solely as necessary to operate the CareCoordinate platform:
Anthropic (AI Processing): Powers our AI care assistant. PHI from your care circle may be sent to Anthropic’s Claude API to generate responses. Anthropic operates under a Business Associate Agreement (BAA) with the Company and does not train their AI models on your data. See Section 5 for full details.
Stripe (Payment Processing): Processes subscription payments. Stripe receives your email address and payment method information. Stripe is PCI-DSS compliant. We do not store your credit card numbers.
Resend (Email Delivery): Delivers transactional emails including account verification, password resets, and configured notifications. Resend receives your email address and email content.
Twilio (SMS Delivery): Delivers SMS verification codes when you opt in to SMS-based two-factor authentication. Twilio receives your phone number and the verification code message. We do not use Twilio for marketing or promotional messages. Your phone number is not shared with Twilio unless you explicitly enable SMS verification.
RevenueCat (Subscription Management): Manages subscription entitlements and purchase verification across platforms. RevenueCat receives your anonymous user identifier and purchase receipts from Apple or Google. RevenueCat does not receive your name, email, or any health information.
DigitalOcean (Hosting): Hosts our application servers and managed database infrastructure. All data is encrypted at rest and in transit.
We are not responsible for the independent acts or omissions of third-party service providers, except as required by applicable law.
We do not sell, rent, or trade your personal or health information to any third party for marketing, advertising, or any other purpose. We will never monetize your data.
5. AI Data Processing
CareCoordinate’s AI care assistant is a core feature of the platform. This section explains in detail how your data is used by our AI systems.
5.1 What Data Is Sent. When you interact with the AI assistant, relevant data from your care circle may be included in the request. This can include care recipient names, medical conditions, medications, provider information, care notes, daily visit records, appointment details, and other health-related data you have entered.
5.2 How It Is Processed. Data is sent to Anthropic’s Claude API via encrypted connection (TLS 1.2 or higher). Anthropic processes the data to generate a response, which is streamed back to CareCoordinate in real time. Anthropic does not retain your data beyond what is technically necessary to process the individual request.
5.3 HIPAA Compliance. Anthropic operates under a Business Associate Agreement (BAA) with the Company. Under HIPAA, this means Anthropic is contractually and legally obligated to protect your health information with safeguards equivalent to those we maintain ourselves, including administrative, physical, and technical protections.
5.4 No Model Training. Anthropic does not use your data to train, improve, or fine-tune their AI models. Your health data is used solely to generate a response to your specific query and is not incorporated into any machine learning dataset.
5.5 Your Choices. You can disable AI features entirely or limit the AI’s access to PHI through your care circle settings. Care circle owners control whether AI access is available for the circle; individual members can further restrict their own AI preferences within the boundaries set by the circle owner. Disabling AI features does not affect your ability to use any other features of CareCoordinate.
6. Data Security
We implement administrative, physical, and technical safeguards designed to protect your information in accordance with HIPAA security requirements:
Encryption at Rest: Sensitive PHI fields — including medications, provider details, care notes, and medical conditions — are encrypted at the field level using AES-256 encryption before being stored in our database.
Encryption in Transit: All data transmitted between your device, our servers, and third-party providers is encrypted using TLS 1.2 or higher.
Password Security: Passwords are hashed using bcrypt with appropriate work factors and are never stored in plaintext.
Access Controls: Data access is restricted to authorized care circle members. Role-based membership verification is enforced on every API request.
Audit Logging: All data access and modifications are logged with tamper-proof HMAC integrity checks for accountability and compliance auditing.
Session Security: Sessions are protected with JWT tokens and automatic timeout after periods of inactivity, in compliance with HIPAA session management requirements.
Incident Response: We maintain an incident response plan for identifying, containing, and remediating security incidents in accordance with HIPAA requirements.
While we implement commercially reasonable safeguards, no system can be guaranteed to be completely secure. You acknowledge that any transmission or storage of data carries inherent risk, and we cannot guarantee that unauthorized access, disclosure, alteration, or destruction of data will never occur.
7. Data Retention and Deletion
7.1 Active Accounts. We retain your account data, care circle data, pet care data, and associated records for as long as your account is active or as needed to provide the Service. However, we do not guarantee continued availability of any data and recommend that you maintain independent records where necessary.
7.2 Account Deletion. If you delete your account, we will delete or irreversibly anonymize your personal data within thirty (30) calendar days, except where retention is required by law.
7.3 Legal Retention. HIPAA requires retention of certain records for a minimum of six (6) years. Audit logs are retained for this minimum period regardless of account status. Financial records may be retained as required by applicable tax law.
7.4 AI Conversation History. AI conversation history is retained for the duration of your account and deleted upon account closure, subject to the audit log retention requirements above.
8. Your Rights
Under HIPAA and applicable state privacy laws, you have the following rights regarding your health and personal information:
Right to Access: You may request a copy of your personal and health data at any time. CareCoordinate provides a built-in data export feature that allows you to download your care circle data in a portable format.
Right to Correction: You may request correction of any inaccurate or incomplete information. You can edit your data directly within the application, or contact us for assistance with corrections.
Right to Deletion: You may request deletion of your personal and health data, subject to the legal retention requirements described in Section 7. Account deletion removes your data within thirty (30) calendar days.
Right to Restrict Processing: You may request that we limit how your data is used, including opting out of AI data processing.
Right to an Accounting of Disclosures: You may request a record of when and to whom your health information has been disclosed.
Right to Data Portability: You may request your data in a structured, commonly used, machine-readable format.
To exercise any of these rights, contact us at [email protected]. We will acknowledge your request within five (5) business days and complete it within thirty (30) calendar days. If additional time is needed, we will notify you of the extension and the reason for it.
9. State Privacy Law Compliance
9.1 Virginia Consumer Data Protection Act (“VCDPA”). If you are a Virginia resident, you have additional rights under the VCDPA, including the right to access, correct, delete, and obtain a portable copy of your personal data, and the right to opt out of the processing of personal data for targeted advertising, sale, or profiling. We do not sell personal data, engage in targeted advertising, or profile users for decisions that produce legal or similarly significant effects. To exercise your VCDPA rights, contact us at [email protected].
9.2 California Consumer Privacy Act (“CCPA”/“CPRA”). If you are a California resident, you have the right to know what personal information we collect, the right to delete your personal information, the right to opt out of the sale or sharing of personal information, and the right to non-discrimination for exercising your rights. We do not sell or share personal information as defined by the CCPA. To exercise your CCPA rights, contact us at [email protected].
10. Cookies and Tracking
CareCoordinate uses only essential, strictly necessary cookies required for authentication and session management. We do not use tracking cookies, advertising pixels, third-party analytics services, or any form of cross-site tracking. We do not sell, share, or otherwise disclose your browsing data to any third party.
11. Children’s Privacy
CareCoordinate is not intended for use by children under the age of thirteen (13). We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us immediately at [email protected] and we will promptly investigate and delete such information.
12. Breach Notification
12.1 Federal Requirements. In the event of a breach of unsecured protected health information, we will notify affected individuals and the U.S. Department of Health and Human Services as required by the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414). Notification will occur without unreasonable delay and no later than sixty (60) days after discovery of the breach.
12.2 State Requirements. We will also comply with the Virginia Personal Information Breach Notification Act (Va. Code § 18.2-186.6) and any other applicable state breach notification laws, which may require notification to the Virginia Attorney General and may impose shorter timelines than federal law.
13. International Users
CareCoordinate is operated from the United States and is intended primarily for users in the United States. If you access the Service from outside the United States, you acknowledge that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you consent to such transfer, storage, and processing.
14. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes — including changes to how we collect, use, or share PHI, or changes to third-party service providers that process PHI — we will provide at least thirty (30) calendar days’ advance notice through the platform and via email. We will require affirmative consent for material changes affecting PHI processing. The "Effective Date" at the top of this Policy indicates when it was last revised.
15. Governing Law
This Privacy Policy shall be governed by and construed in accordance with the laws of the Commonwealth of Virginia, without regard to its conflict-of-laws principles, consistent with our Terms of Service.
16. Contact Us
If you have questions about this Privacy Policy, our data practices, wish to exercise your rights, or need to report a security concern, contact us at the address listed below.
See also our Terms of Service, which govern your use of CareCoordinate.