Privacy Policy

Scope and role

CareAssist provides software tools that help practices manage appointments, users, records, reporting, and subscription-related workflows. This Privacy Policy applies to information we collect directly from you, information your organization submits through the Services, and technical data generated when the platform is used.

This Privacy Policy does not override any separate contractual terms that may govern a business relationship with a customer organization. It also does not apply to third-party services, websites, or payment processors except to describe how they support the CareAssist service.

Data we collect or process

Depending on how you use CareAssist, we may collect or process several categories of personal or business-related information.

• Account and profile data, such as names, email addresses, login credentials, account preferences, and organization membership information.
• Practice workspace data that customers choose to store in the Services, including appointments, user records, notes, attachments, patient-related records, and configuration data.
• Billing and transaction data required to manage subscriptions, invoices, payment status, and fraud prevention. Payment card details are generally collected and processed by Paddle or other payment partners, not stored directly by CareAssist.
• Technical and usage data, such as device/browser information, log data, approximate usage metrics, error events, audit trails, and information required to maintain security and performance.

How we use information

We use information only where we have a legitimate business purpose, contractual basis, customer instruction, consent, or other legal basis available under applicable law.

• Provide, secure, maintain, and improve the Services and related support.
• Authenticate users, manage accounts, administer subscriptions, and communicate about operational or transactional matters.
• Monitor usage, investigate misuse, troubleshoot issues, enforce our terms, and protect the platform and its users.
• Comply with legal obligations, respond to lawful requests, and exercise or defend legal claims.

Customer responsibilities for managed data

Practice customers control the data they and their authorized users input into CareAssist, including patient or appointment records. Customers are responsible for ensuring they have an appropriate legal basis and any required notices or consents before storing or managing such information through the Services.

Where CareAssist processes customer-managed records on behalf of a practice, the practice remains responsible for determining what information is entered, how long it is retained, and who is permitted to access it within the customer organization.

Sharing, subprocessors, and disclosures

We do not sell personal information as part of the ordinary operation of CareAssist. We may disclose information to service providers and third parties that help us operate the Services, subject to appropriate contractual or legal protections.

• Supabase and related infrastructure providers that support hosting, authentication, storage, and database operations.
• Paddle and related financial providers that support subscription management, invoicing, payments, tax handling, and fraud prevention.
• Professional advisers, law enforcement, regulators, or courts when required to comply with law, protect rights, or respond to lawful requests.

Retention and deletion

We retain information for as long as reasonably necessary to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, and maintain business or security records. Retention periods may vary depending on the type of information and the customer relationship.

When accounts are closed or data is deleted, we may retain limited backup, security, billing, or legal records for a reasonable period where required or permitted by law.

Security

We use administrative, technical, and organizational measures designed to protect information against unauthorized access, alteration, disclosure, or destruction. However, no internet-based service, storage system, or transmission method can be guaranteed to be completely secure.

Customers are also responsible for maintaining the confidentiality of account credentials, assigning appropriate permissions to users, and using the Services in a way that aligns with their own security and compliance obligations.

Your rights and contact

Depending on applicable law, you may have rights to request access to, correction of, deletion of, restriction of, or objection to certain processing of your personal information, or to request portability where available. These rights may be subject to verification and legal exceptions.

To make a privacy-related request, contact support@careassist.io. If you are an end user interacting with a practice that uses CareAssist, we may need to direct your request to the relevant practice because that organization may control the underlying records.

International processing and transfers

Depending on your location and the infrastructure used to provide the Services, information may be processed in countries other than the one in which it was originally collected. Where required, we rely on appropriate safeguards intended to support lawful transfers.

By using the Services, you understand that operational data may be processed through service providers that support our hosting, authentication, storage, analytics, communications, and billing functions.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect legal, technical, or operational changes. When we make material changes, we may provide notice through the platform, by email, or by updating the effective date on this page.

Your continued use of the Services after an updated Privacy Policy becomes effective means the updated policy will apply to future use, subject to any rights you have under applicable law.