CareTraceAI, Inc., a Delaware corporation with principal operations in California (“CareTraceAI, Inc.,” “CareTraceAI,” “we,” “us,” or “our”), provides an AI-powered voice documentation platform for nurses and caregivers working in skilled nursing facilities (“SNFs”) and California Residential Care Facilities for the Elderly (“RCFEs”). This Privacy Policy describes how we collect, use, disclose, retain, and protect information, including Protected Health Information (“PHI”) as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), when you access our mobile application, application programming interfaces, browser extension, and related services (collectively, the “Service”), and when you visit our public-facing marketing website (the “Marketing Site”).
Two roles, two regimes. When we process PHI on behalf of a subscribing healthcare facility (“Facility”), we act as a Business Associate under 45 CFR § 160.103, and our handling of PHI is governed by the executed Business Associate Agreement (“BAA”) between CareTraceAI and that Facility. When you visit the Marketing Site, or when we process non-PHI personal information (such as workforce account data or site-visitor analytics), we act as a “business” under the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”). PHI that we process under a BAA is exempt from the CCPA/CPRA pursuant to Cal. Civ. Code § 1798.145(c)(1); the CCPA/CPRA rights described in Section 8 apply only to non-exempt personal information.
This Privacy Policy is informational and is not clinical advice, legal advice, or compliance advice.
1. What This Policy Is Not
This Privacy Policy is not a Notice of Privacy Practices (“NPP”). NPP obligations under 45 CFR § 164.520 belong to the covered-entity Facility. CareTraceAI is not a covered entity and does not issue an NPP. Resident and patient rights disclosures (42 CFR § 483.10 for SNFs; 22 CCR §§ 87468, 87468.1, and 87468.2 for RCFEs) are the Facility’s responsibility. This Privacy Policy does not represent that CareTraceAI has received any HIPAA, SOC 2, HITRUST, or ISO 27001 certification.
2. Information We Collect
We collect several categories of information in connection with the Service. The specific categories collected depend on how you interact with our platform.
2.1 Audio Recordings
When caregivers use the Service, they record spoken resident notes through the CareTraceAI mobile application. These audio recordings are captured on the user’s device and transmitted to our servers for processing. Audio recordings may contain PHI, including patient names, medical conditions, medications, vital signs, behavioral observations, and other clinical details spoken by the caregiver.
2.2 Transcribed Text
Audio recordings are processed through an automated speech-to-text system to produce written transcripts of the caregiver’s spoken notes. These transcripts are derived directly from the audio recordings and may contain the same categories of PHI present in the original audio.
2.3 Structured Clinical Notes
Transcribed text is further processed by an AI system that organizes the unstructured transcript into structured clinical documentation fields. These structured notes may include resident observation data, care actions, behavioral observations, vital signs, medication administration records, dietary intake, mood and cognition observations, and caregiver recommendations. Structured clinical notes constitute PHI.
2.4 Account Information
When you create a CareTraceAI account, we collect:
- Full name
- Email address
- Password (stored in hashed form; we do not store plaintext passwords)
- Professional role or title (e.g., nurse, caregiver, administrator)
- Facility affiliation
2.5 Facility Information
For Facilities that subscribe to the Service, we collect:
- Facility name and address
- Facility license number (where applicable)
- State of operation
- Primary contact information for the facility administrator
2.6 Patient and Resident Information
Authorized caregivers may enter, and we may process, resident and patient information in the course of care documentation, including identifiers described at 45 CFR § 164.514(b)(2)(i)(A)–(R) (such as names, dates, medical record numbers, and account numbers), along with medical conditions, diagnoses, allergies, current medications, care plan details, behavioral and clinical observations, and vital signs. CareTraceAI does not independently collect patient information from any source other than authorized users of the Service.
2.7 Device and Usage Data
We automatically collect certain technical and usage information when you access or use the Service, including device type, operating system, application version, unique device identifiers, IP address, date and time of access, features used, session duration, crash logs, and network connection type.
2.8 Categories of Personal Information (CCPA/CPRA)
For purposes of the CCPA/CPRA and consistent with the statutory categories at Cal. Civ. Code § 1798.140(v), we collect the following categories of personal information about users and Marketing Site visitors (excluding PHI exempt under § 1798.145(c)(1)): identifiers (name, email, account identifier); customer-records information (professional role, facility affiliation); commercial information (subscription and billing data, where applicable); internet or other electronic network activity (device identifiers, IP address, application and site usage); geolocation (inferred from IP address; we do not collect precise GPS location); audio information (caregiver voice recordings, to the extent not processed as PHI under a BAA); and professional or employment-related information.
3. How We Use Information
3.1 Providing the Service
The primary purpose of collection is to deliver the core functionality of the Service. Audio is transcribed into text, and transcribed text is structured into clinical documentation. This processing is performed on behalf of the subscribing Facility under the BAA.
3.2 Service Operation, Reliability, and Security
We use device data, usage data, crash logs, and error reports to identify and resolve technical issues, monitor system performance, secure the Service, and improve reliability. CareTraceAI does not use PHI to train, fine-tune, or improve any artificial-intelligence model. Any future use of data for model improvement will occur only (i) after de-identification in accordance with 45 CFR § 164.514(b), or (ii) pursuant to a valid individual authorization obtained by the covered entity under 45 CFR § 164.508, and in each case as expressly permitted by the executed BAA.
3.3 Customer Support
When you contact us for assistance, we may use your account information and relevant usage logs to diagnose issues. In strictly limited scenarios, support personnel may access PHI only as necessary to resolve a reported issue, subject to access controls, logging, and our HIPAA obligations.
3.4 Service-Related Communications
We may use your email address for account verification, service updates, security notifications, policy changes, and billing. We do not send unsolicited marketing emails and do not share your email with third parties for marketing.
3.5 Compliance with Legal Obligations
We use and disclose information as necessary to comply with applicable federal and state laws, including: HIPAA for PHI; the CCPA and CPRA for personal information not exempt under Cal. Civ. Code § 1798.145(c)(1); the California Confidentiality of Medical Information Act (Cal. Civ. Code §§ 56 et seq.) to the extent applicable; 42 CFR Part 483 (Subpart B) for SNFs and 22 CCR Division 6 Chapter 8 (RCFEs) where applicable to the Facility; and valid legal process.
3.6 Sensitive Personal Information
To the extent caregivers’ voice recordings are not processed as PHI under a BAA, they may constitute Sensitive Personal Information (“SPI”) under Cal. Civ. Code § 1798.140(ae). We use and disclose SPI only for purposes reasonably necessary to provide and secure the Service, uses that fall within the § 1798.121(b) carve-out from the “right to limit.” We do not use SPI to infer characteristics about you. To the extent voice recordings are PHI processed under a BAA, the § 1798.145(c)(1) exemption applies.
4. Data Processing and Sub-Processors
This Section is the authoritative sub-processor list referenced by the CareTraceAI HIPAA Compliance Statement. Each sub-processor listed below that receives PHI is a subcontractor Business Associate under 45 CFR § 164.502(e)(1)(ii), bound by a flow-down BAA. We will provide subscribing Facilities with at least thirty (30) days’ advance notice of any material change to the sub-processors that process PHI, consistent with the executed BAA.
4.1 AssemblyAI, Audio Transcription
Recorded audio is transmitted over TLS to AssemblyAI for speech-to-text transcription using AssemblyAI’s medical-vocabulary configuration. AssemblyAI operates under a signed BAA and processes audio in United States regions. Audio is used solely to return a transcript to CareTraceAI; AssemblyAI does not use CareTraceAI customer audio to train its foundation models, consistent with AssemblyAI’s BAA and data-use terms in effect. Raw audio is never transmitted to AWS Bedrock or any other AI service.
4.2 Amazon Web Services (AWS Bedrock), AI Note Structuring
Transcribed text (not audio) is processed through AWS Bedrock using a large language model for clinical note structuring. AWS operates under a signed BAA. Data submitted through the AWS Bedrock API is not used by AWS to train foundation models, consistent with the AWS Bedrock Service Terms in effect.
4.3 Neon, Managed PostgreSQL Database
Structured application data, including PHI, is stored in a managed PostgreSQL database operated by Neon in a United States region on AWS infrastructure. Neon operates under a signed BAA. Controls include encryption at rest (AES-256), encryption in transit (TLS 1.3), database-enforced row-level security policies that restrict users to records associated with their Facility, and least-privilege database roles.
4.4 Amazon Web Services (AWS Cognito), Identity and Authentication
User accounts, sign-in, and session management for the Service are operated through AWS Cognito in a United States region. AWS operates under a signed BAA. Controls include multi-factor authentication, unique user identifiers, password-policy enforcement, and session-expiration controls.
4.5 Amazon Web Services (AWS S3), Audio Object Storage
Audio recordings are uploaded directly by the mobile application to an AWS S3 bucket using short-lived presigned URLs. Objects are encrypted at rest using AWS-managed keys via AWS KMS and encrypted in transit using TLS 1.3. AWS operates under a signed BAA. Audio is retained under the schedule in Section 5.1.
4.6 Amazon Web Services (AWS KMS), Key Management
Cryptographic keys used to encrypt PHI at rest are managed through AWS Key Management Service in a United States region. Keys are rotated in accordance with CareTraceAI’s written key-management procedures. AWS operates under a signed BAA.
4.7 Fly.io, Backend Compute
The CareTraceAI application programming interface and associated backend workloads run on Fly.io in United States regions under a signed BAA with a HIPAA-enabled workspace. PHI processed by our own code (note structuring orchestration, audit logging, authorization, and API traffic) is processed within this environment.
4.8 Sentry, Error Telemetry (Non-PHI)
Application errors and performance telemetry are sent to Sentry in a United States region. Before transmission, event payloads are passed through an automated PHI-scrubbing function that redacts known PHI fields (transcripts, clinical notes, signatures, patient identifiers, contact information, and authentication tokens). Sentry is not a Business Associate of CareTraceAI and does not receive PHI; it receives only scrubbed diagnostic signals.
4.9 Vercel, Marketing Site
The Marketing Site is hosted on Vercel. No PHI is processed, stored, or transmitted through Vercel, and Vercel is not a Business Associate of CareTraceAI.
5. Data Retention
5.1 Audio Recordings
Audio recordings are retained for up to ninety (90) calendar days to allow for quality verification and re-processing if necessary, after which they are automatically and permanently deleted.
5.2 Clinical Notes
Structured clinical notes are retained for the duration of the service agreement plus three (3) additional years, consistent with 22 CCR § 87506(b) for RCFE records. For SNFs, record-retention periods set by 22 CCR § 72543 or other applicable law may be longer; the specific retention schedule is set in the executed BAA with each Facility.
5.3 Account and Facility Data
Account data in production systems is deleted within thirty (30) days of account deletion. Backups containing account data are retained for up to an additional ninety (90) days before secure destruction. Facility data follows the same three-year post-termination retention as clinical notes.
5.4 Audit Logs
Audit logs and required Security Rule documentation are retained for a minimum of six (6) years from the date of creation or the date when last in effect, whichever is later, in accordance with 45 CFR § 164.316(b)(2)(i).
5.5 De-identification and Aggregation
CareTraceAI may create de-identified information from data processed through the Service solely in accordance with 45 CFR § 164.514(b) (Safe Harbor or Expert Determination). De-identified information is not PHI. We do not attempt to re-identify de-identified information and do not disclose it in a manner that could reasonably permit re-identification.
6. Data Security
CareTraceAI implements administrative, technical, and physical safeguards designed to comply with the HIPAA Security Rule (45 CFR Part 164, Subpart C), including the standards at 45 CFR §§ 164.308, 164.310, and 164.312. These safeguards are designed to protect the confidentiality, integrity, and availability of data, including PHI.
- Encryption in transit: Data transmitted between client devices, the CareTraceAI API, and our data stores is encrypted using TLS 1.3 or higher.
- Encryption at rest: Stored data, including database records and audio files, is encrypted using AES-256.
- Audio transcription under BAA: Audio is transmitted over TLS to AssemblyAI (medical-vocabulary configuration) under an executed BAA for transcription only; transcribed text, not raw audio, is then processed by AWS Bedrock under an executed BAA for clinical-note structuring. See Section 4 for the authoritative sub-processor list.
- Multi-factor authentication: MFA is required for all user accounts accessing the Service.
- Role-based access controls: Access to PHI is restricted by user role (e.g., caregiver, nurse, director of nursing, administrator) and is designed to limit users to data relevant to their assigned responsibilities.
- Row-level security: Database-enforced row-level security policies are designed to restrict users to records associated with their Facility; cross-facility data access is denied by default at the database layer.
- Audit logging: Access to, creation of, modification of, and deletion of PHI is recorded in an append-only audit log; retention is described in Section 5.4.
- PHI scrubbing: Application logs and error reports are processed through automated redaction intended to prevent exposure of PHI in system diagnostics.
- Session management: User sessions expire after a defined period of inactivity; expired sessions require re-authentication.
- Key management: Cryptographic keys are managed and rotated in accordance with written key-management procedures.
- Security assessments: We conduct security assessments and vulnerability scans on a defined schedule under written procedures.
- Workforce training: Personnel with access to PHI complete HIPAA security and privacy training before accessing the Service and on an annual basis thereafter.
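The scrubbing step described in Section 4.8 and in the PHI scrubbing bullet above, as an added illustration that is not CareTraceAI’s own code: a pure function shaped like the Sentry Python SDK’s `before_send(event, hint)` hook, which first redacts named fields wherever they appear in the event and then pattern-scrubs free-text strings such as exception messages and breadcrumbs. The field list, the value patterns and the sample event are constructed assumptions, not the Service’s actual configuration.

```python
import re

# Field names whose values are redacted wherever they appear in the event. This is a
# constructed list mirroring the categories named in Section 4.8 (transcripts, notes,
# signatures, patient identifiers, contact details, auth tokens); not CareTraceAI's own.
REDACTED_KEYS = {
    "transcript", "clinical_note", "structured_note", "signature",
    "patient_name", "resident_name", "mrn", "date_of_birth",
    "email", "phone", "address",
    "authorization", "cookie", "access_token", "refresh_token", "id_token",
}

# Value patterns for PHI-shaped strings that leak into free text (exception messages,
# breadcrumbs). Constructed and deliberately conservative: a safety net, not a guarantee.
VALUE_PATTERNS = [
    re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),                 # email
    re.compile(r"(?<!\d)(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"),    # US phone
    re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),  # M/D/YYYY
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                                          # SSN-shaped
    re.compile(r"\b(?:Bearer|Basic)\s+[A-Za-z0-9._~+/=-]+", re.IGNORECASE),          # HTTP auth
    re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),           # JWT-shaped
]
REDACTED = "[REDACTED]"


def _scrub_string(text):
    for pattern in VALUE_PATTERNS:
        text = pattern.sub(REDACTED, text)
    return text


def _scrub(node):
    # Walk the event recursively: redact by key name first, then by value pattern.
    if isinstance(node, dict):
        return {k: (REDACTED if str(k).lower() in REDACTED_KEYS else _scrub(v))
                for k, v in node.items()}
    if isinstance(node, list):
        return [_scrub(item) for item in node]
    if isinstance(node, str):
        return _scrub_string(node)
    return node  # numbers, booleans, None pass through unchanged


def scrub_event(event, hint=None):
    """Shaped like a Sentry SDK before_send(event, hint) callback: returns a scrubbed
    copy of the event dict and never mutates the original."""
    return _scrub(event)


# Constructed sample event in Sentry's dict shape; every value here is made up.
SAMPLE_EVENT = {
    "message": "Note structuring failed: parsed DOB 03/14/1941 out of range",
    "level": "error",
    "request": {
        "url": "https://api.example.invalid/v1/notes",
        "headers": {"Authorization": "Bearer eyJhbGci.eyJzdWIi.c2ln", "User-Agent": "CareTrace/1.0"},
        "data": {"transcript": "Resident reports pain, BP 128/82", "facility_id": "fac_0042"},
    },
    "breadcrumbs": {"values": [{"category": "http",
                                "message": "GET /v1/notes with Authorization: Bearer abc.def.ghi"}]},
    "extra": {"contact": "jane.doe@example.invalid, (555) 123-4567", "retry_count": 2},
}

if __name__ == "__main__":
    import json
    print(json.dumps(scrub_event(SAMPLE_EVENT), indent=2))
```

Pattern scrubbing cannot catch a resident’s name typed into a free-text message, so key-based redaction of structured fields and keeping PHI out of log messages at the source remain the primary controls; the patterns are only a backstop.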
7. Data Deletion, Portability, and Exports
Facilities and users may request data exports in standard formats (CSV or JSON for structured data; PDF for finalized notes) by contacting privacy@caretrace.ai. Upon Facility termination, a thirty (30) day export window is provided before the retention schedules in Section 5 apply. Verifiable consumer deletion requests under the CCPA/CPRA are fulfilled without unreasonable delay and in no case later than forty-five (45) calendar days after receipt, extendable once by an additional forty-five (45) days where reasonably necessary, with notice to the requester.
8. California Privacy Rights (CCPA/CPRA)
8.1 Scope and HIPAA/CMIA Carve-Out
PHI that CareTraceAI processes as a Business Associate under a BAA, and “medical information” governed by the Confidentiality of Medical Information Act, are exempt from the CCPA/CPRA pursuant to Cal. Civ. Code § 1798.145(c)(1). The rights described in this Section apply only to personal information that is not so exempt, for example, workforce account data, Marketing Site visitor data, and billing contacts.
8.2 Categories Collected, Sources, and Purposes
The categories of personal information we collect are described in Section 2.8. Sources include: directly from users and Facilities (account and facility information); automatically from user devices and browsers (device and usage data, analytics); and, for the Service only, from authorized caregivers acting in the course of their duties. We use personal information for the business and commercial purposes described in Section 3 (providing, operating, securing, and supporting the Service; communications; and legal compliance).
8.3 Categories of Recipients
We disclose personal information to the sub-processors listed in Section 4, each operating under a contract that restricts use to providing services on our behalf, and to government authorities where required by law. We do not sell personal information, and we do not “share” personal information for cross-context behavioral advertising as those terms are defined in Cal. Civ. Code § 1798.140(ah).
8.4 Retention Criteria
The concrete retention periods for each data category are set forth in Section 5. We retain personal information for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements.
8.5 Your California Privacy Rights
Subject to verification, California residents have the right to:
- Know what personal information we collect, use, and disclose about you (Cal. Civ. Code § 1798.100, § 1798.110, § 1798.115).
- Delete personal information we collected from you, subject to statutory exceptions (§ 1798.105).
- Correct inaccurate personal information we maintain about you (§ 1798.106).
- Portability: obtain a copy of personal information in a readily usable format (§ 1798.130(a)(3)).
- Opt out of sale or sharing of personal information (§ 1798.120); we do not sell or share personal information, so there is nothing to opt out of.
- Limit use and disclosure of SPI (§ 1798.121); see Section 3.6.
- Non-discrimination for exercising these rights (§ 1798.125). We do not offer financial incentives for personal information.
8.6 How to Submit a Request
Submit requests to privacy@caretrace.ai. We will take commercially reasonable steps to verify your identity before responding. Authorized agents may submit requests on your behalf with written authorization; we may additionally verify directly with you. If you are a Facility user whose personal information is PHI, direct the request to the Facility as the covered entity; we will cooperate with the Facility to fulfill the request under the BAA.
8.7 Do-Not-Track and Global Privacy Control
Our Service is a workforce tool and does not track users across third-party websites. On the Marketing Site, we honor the Global Privacy Control (“GPC”) signal and treat a valid GPC signal as a request to opt out of sale or sharing for that browser session, consistent with the CPRA regulations and Cal. Bus. & Prof. Code §§ 22575–22579.
8.8 Minors
We do not have actual knowledge that we sell or share personal information of consumers under sixteen (16) years of age (Cal. Civ. Code § 1798.120(c)).
9. HIPAA
CareTraceAI acts as a Business Associate under HIPAA and will execute a BAA with each covered-entity Facility before creating, receiving, maintaining, or transmitting PHI for or on behalf of the Facility. We implement minimum-necessary standards, access controls, transmission and storage security, audit controls, integrity controls, and workforce training as described in this Policy. In the event of a Breach of Unsecured PHI, we will notify each affected covered entity without unreasonable delay and in no case later than sixty (60) calendar days after discovery, consistent with 45 CFR § 164.410. A dedicated statement of our HIPAA posture is available at /hipaa-compliance.
10. California Confidentiality of Medical Information Act (CMIA)
To the extent CareTraceAI is deemed a “provider of health care” under Cal. Civ. Code § 56.06 by virtue of offering software that is designed to maintain medical information, we maintain the safeguards required of such businesses. CMIA disclosure restrictions are codified at Cal. Civ. Code § 56.10, and statutory remedies for unauthorized disclosure are at Cal. Civ. Code § 56.36.
11. Breach Notification for Non-PHI Personal Information
For security breaches involving non-PHI personal information of California residents, we will provide notice in accordance with Cal. Civ. Code § 1798.82, as amended, including timely individual notice and any Attorney General notice required by statute for qualifying breaches.
12. Cookies
CareTraceAI does not use cookies for advertising or cross-site tracking. The Service uses session cookies solely for authentication and session management. The Marketing Site may use strictly necessary cookies and, where disclosed, privacy-respecting analytics; no advertising pixels or cross-site tracking technologies are used.
13. Children’s Privacy
The Service is a workforce documentation tool; we do not market to, and do not knowingly collect personal information directly from, any individual under eighteen (18). Clinical documentation the Service processes may relate to residents of any age as entered by authorized adult caregivers.
14. Changes to This Policy
We will update the effective date and notify users of material changes through the application, email, or the Marketing Site. Changes affecting PHI handling will be communicated to Facility administrators at least thirty (30) days in advance where practicable.
15. Certifications
As of the effective date of this Policy, CareTraceAI does not hold SOC 2, HITRUST, or ISO 27001 certification. HIPAA itself is not a certification program; statements of “HIPAA compliance” reflect CareTraceAI’s internal program and are not third-party attestations. Pursuing SOC 2 Type 1 (and, subsequently, SOC 2 Type 2) is on our post-pilot roadmap.
16. Contact
Privacy inquiries: privacy@caretrace.ai
Security inquiries: security@caretrace.ai
Legal inquiries: legal@caretrace.ai
General support: support@caretrace.ai
17. Governing Law and Order of Precedence
This Privacy Policy is governed by the laws of the State of California, without regard to its conflict-of-laws rules. Legal proceedings shall be brought in the state or federal courts located in Los Angeles County. Before initiating formal proceedings, the parties agree to attempt informal resolution over thirty (30) days; the applicable limitations period shall be tolled during this period.
Order of precedence. In the event of any conflict between this Privacy Policy and another CareTraceAI legal document with respect to the treatment of PHI, the order of precedence is: (1) the executed BAA; (2) the Terms of Service; (3) this Privacy Policy; (4) the HIPAA Compliance Statement. Disputes concerning PHI are governed by the executed BAA to the extent of any conflict.