Privacy Policy
We take your health data seriously. This policy explains exactly what we collect, why we need it, and how we protect it.
Last updated: March 4, 2026
1. Who We Are
CareAI ("we", "our", or "us") is an AI-powered clinical assessment service provided by CosmoOps. We operate the platform available at care.ai and all related subdomains and applications (collectively, the "Service"). For privacy enquiries, contact us at privacy@care.ai.
2. Information We Collect
We collect information you provide directly, information generated through your use of the Service, and limited information from third-party providers:
2.1 Account Information
- Email address (used for passwordless magic-link authentication)
- Display name and profile details you optionally provide
- Dependent profiles you create on behalf of others (e.g. children)
2.2 Health & Clinical Data
- Symptom descriptions you enter via text, voice, or live conversation
- Medical images, photographs, and documents (PDFs, lab reports) you upload
- Answers to AI follow-up questions (yes/no, scales, free text)
- Conditions, diagnoses, medications, SOAP notes, and other clinical outputs generated during assessments
- Diet plans, prescription history, and lab/imaging recommendations
- Dental chart findings and risk-assessment scores
- Insurance information you voluntarily enter
2.3 Usage & Technical Data
- IP address, browser type, operating system, and device identifiers
- Pages visited, features used, and session duration
- Error logs and performance telemetry
- Google reCAPTCHA v3 scores (anti-fraud signals)
3. How We Use Your Information
- Delivering the Service: Processing your symptoms through our AI models to produce structured clinical reports.
- Authentication: Sending and verifying passwordless magic-link sign-in emails.
- Personalisation: Displaying your assessment history, saved conditions, medications, and documents in your personal portal.
- Safety & Fraud Prevention: Using reCAPTCHA signals and rate-limiting to detect and block abusive traffic.
- Service Improvement: Using aggregated and anonymised analytics to improve AI accuracy and platform features. We never train models on identifiable health data without explicit consent.
- Legal Compliance: Retaining records as required by applicable law and responding to valid legal requests.
- Communications: Sending transactional emails (sign-in links, account notices). We do not send marketing email without your explicit opt-in.
4. Health Data & Sensitive Information
Health data is Special Category data under GDPR and Protected Health Information (PHI) under HIPAA-equivalent frameworks. We treat it accordingly:
- All health data is encrypted in transit (TLS 1.3) and at rest (AES-256).
- Access to identifiable health records is restricted to systems that need it to operate the Service and to a minimal set of authorised personnel.
- We process your health data on the basis of your explicit consent, which you give when you submit a symptom assessment.
- You may withdraw consent and request deletion at any time (see Section 8).
- We do not sell, rent, or license your health data to any third party.
5. Third-Party Services & Data Sharing
We share data with the following categories of trusted sub-processors, each under contractual data-protection obligations:
- Google Firebase: Authentication, Firestore database, and file storage. Data processed in accordance with Google's Cloud Data Processing Addendum.
- Google reCAPTCHA v3: Collects browser signals to detect bots. Subject to Google's Privacy Policy.
- AI Inference Providers: Your symptom descriptions are sent to large language model providers (e.g. Google Gemini, Anthropic Claude) solely for generating clinical assessments. These providers process data under strict data-processing agreements and do not use your content to train public models.
- Vercel / CDN: Hosting and edge delivery. No health data is stored at the CDN layer.
- Legal Disclosures: We may disclose information if required by law, court order, or to protect the safety of users or the public.
We do not share your personal or health data with advertisers, data brokers, or any third party for commercial purposes.
6. Cookies & Tracking
- Strictly Necessary Cookies: Session tokens and CSRF protection required to operate the Service. Cannot be disabled.
- Performance Cookies: Anonymous telemetry for error tracking and performance monitoring.
- No Advertising Cookies: We do not use third-party advertising or cross-site tracking cookies.
7. Data Retention
- Account & Health Data: Retained for as long as your account is active plus 30 days, to allow account recovery.
- Assessment History: Stored indefinitely by default so you can review past reports. You can delete individual assessments or all history at any time from Settings.
- Uploaded Files: Retained until you delete them or close your account.
- Aggregated Analytics: Anonymised statistical data may be retained indefinitely; it cannot be linked back to you.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of all data we hold about you.
- Correction: Ask us to correct inaccurate data.
- Deletion ("Right to Be Forgotten"): Request deletion of your account and all associated data.
- Restriction: Ask us to restrict processing while a dispute is resolved.
- Portability: Receive a machine-readable export of your data.
- Objection: Object to processing based on legitimate interests.
- Withdraw Consent: Stop further health-data processing at any time; this does not affect past assessments.
To exercise any right, email privacy@care.ai or use the data controls in your account Settings. We will respond within 30 days.
9. Children's Privacy
The Service is not directed at children under 13 (or 16 in the EU). We do not knowingly collect personal data from children without verified parental consent. Parents may create dependent profiles for minor children; doing so constitutes parental consent to the collection and processing described in this policy for that child. If you believe a child has provided data without consent, contact us and we will delete it promptly.
10. International Transfers
CareAI and its sub-processors operate globally. If your data is transferred outside your country or region (including outside the European Economic Area), we ensure appropriate safeguards are in place — including Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent mechanisms.
11. Security Measures
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Passwordless authentication (magic links) — no passwords stored
- Role-based access control limiting employee access to health data
- Regular security audits and penetration testing
- Automatic session expiry and token rotation
Despite these measures, no system is 100% secure. If you discover a vulnerability, please report it responsibly to security@care.ai.
12. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by email and/or a prominent banner in the app at least 14 days before they take effect. Continued use of the Service after that date constitutes acceptance of the updated policy.
13. Contact & Complaints
For privacy questions or requests: privacy@care.ai
For security disclosures: security@care.ai
For general support: support@care.ai
If you are in the EU and believe we have not handled your data correctly, you have the right to lodge a complaint with your national data protection authority.