Privacy Policy
Effective Date: January 18, 2026
Version: 2.0
Introduction
Caretrics ("we", "us") is a revenue protection system that processes clinic operational data to help identify and recover revenue leaks. We process billing and scheduling data, which may include patient names for reconciliation purposes; we never access clinical notes or protected health information. We comply with PIPEDA and implement safeguards aligned with healthcare industry best practices. This Policy explains what we collect, why, and your choices.
1. Information We Collect
| Category | Examples | Notes |
|---|---|---|
| Account Info | Name, email, clinic name, billing details | Needed to create & service your account. |
| Operational Data | Revenue totals, appointment counts, billing status, patient names (for billing reconciliation only) | Pulled only from integrations you authorize (Jane.app). Clinical notes are never accessed. |
| Usage Data | IP, timestamps, clicks, error logs | Improves performance & security. |
| Cookies | Session & analytics cookies | Essential cookies run the service; analytics cookies help us improve (you can opt out). |
2. How We Use Your Information
- Provide & maintain the Service (dashboards, revenue leak detection, billing reconciliation).
- Improve features, security, and performance.
- Communicate (support, account notices, optional marketing—you can unsubscribe).
- Legal compliance & fraud prevention.
- Business transfers if ownership changes (with equivalent safeguards).
3. Sharing Your Data
We never sell your information. We share it only with:
- Trusted subprocessors (see Section 3.1) under strict data processing agreements.
- Third‑party services you connect, at your instruction.
- Lawful requests or to protect rights, safety, or comply with legal obligations.
- Business transfers (merger, acquisition) with continued protection and advance notice.
- Your consent for any other disclosure.
3.1 Subprocessors
We use the following service providers to operate Caretrics:
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, authentication | Canada (AWS ca-central-1) or USA (AWS), depending on customer region |
| Vercel | Web application hosting | USA (Edge network) |
| Railway | Background job processing | USA |
| Stripe | Payment processing | USA |
| Resend | Transactional email | USA |
We maintain contracts with all subprocessors requiring them to protect your data consistent with this Policy. Enterprise customers may request a complete subprocessor list and notification of changes.
4. Data Security
- HTTPS/TLS 1.3 encryption for all data in transit; AES-256 encryption at rest.
- Least‑privilege internal access; access logs audited regularly.
- Secure SDLC, vulnerability scanning, and periodic security assessments.
- Continuous monitoring with incident response procedures.
- Credential Security: Jane.app credentials you provide are encrypted with AES-256 in a secure vault. You control these credentials and can change them anytime.
- Security Roadmap: We are working toward industry security best practices with SOC 2 Type II certification targeted for 2027.
- Breach Notification: In the event of a confirmed security incident affecting your data, we will notify you within 72 hours.
5. Your Rights
You may:
- Access personal data we hold.
- Correct inaccuracies.
- Delete data (subject to legal retention requirements).
- Withdraw consent for marketing.
- Export your data in CSV or JSON format within 5 business days upon request.
Contact privacy@caretrics.com to exercise these rights. We respond within 30 days.
6. Data Retention
- Account data kept while account is active; deleted within 30 days of account closure upon request (except records required for tax/legal compliance, retained up to 7 years).
- Operational metrics stored while your integration connection exists; removed on request or account deletion.
- Logs retained only as long as needed for security/diagnostics (typically ≤ 12 months).
- Backups follow fixed rotation schedules; deleted after retention period.
Upon account termination, you may request a full data export within 30 days. Data is permanently deleted within 90 days of termination unless legal retention applies.
7. International Transfers
Data may be processed in Canada, the USA, or other countries where our subprocessors operate. We use Standard Contractual Clauses and other safeguards to protect cross‑border transfers.
8. Third‑Party Links
Links in Caretrics may lead to external sites (e.g., tutorials, social media). Their privacy practices apply once you leave our domain.
9. Children's Privacy
Caretrics is not for children under 13. We don't knowingly collect children's data. Contact us if you believe we have inadvertently done so.
10. Enterprise Customers
Enterprise customers (multi-clinic networks, organizations with negotiated contracts) may be entitled to:
- Data Processing Agreements (DPAs) for compliance requirements
- Custom data retention and export provisions
- Audit rights including annual security questionnaire completion
- Subprocessor change notifications
Contact enterprise@caretrics.com for enterprise privacy inquiries.
11. Changes to This Policy
We'll post updates here and notify you of material changes via email or in‑app notice at least 30 days before they take effect. Continued use after the effective date constitutes acceptance of the updated Policy.
Contact Us
Caretrics – Privacy Team
Email: privacy@caretrics.com
Enterprise: enterprise@caretrics.com
We're happy to answer any questions or handle data requests.
Your data stays yours. We're the custodian, you're the owner.