CareTraceAI (“CareTraceAI,” “we,” “us,” or “our”) provides an AI-powered voice documentation platform designed for nurses and caregivers working in assisted living facilities, including California Residential Care Facilities for the Elderly (“RCFEs”). This Privacy Policy describes how we collect, use, disclose, retain, and protect information — including Protected Health Information (“PHI”) as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) — when you use the CareTraceAI mobile application, website, browser extension, and related services (collectively, the “Service”).
By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you are using the Service on behalf of a healthcare facility or organization, you represent that you have the authority to bind that organization to this Privacy Policy.
1. Information We Collect
We collect several categories of information in connection with the Service. The specific types of information collected depend on how you interact with our platform.
1.1 Audio Recordings
When caregivers use the Service, they record spoken patient notes through the CareTraceAI mobile application. These audio recordings are captured on the user’s device and transmitted to our servers for processing. Audio recordings may contain PHI, including patient names, medical conditions, medications, vital signs, behavioral observations, and other clinical details spoken by the caregiver.
1.2 Transcribed Text
Audio recordings are processed through an automated speech-to-text transcription system to produce written transcripts of the caregiver’s spoken notes. These transcripts are derived directly from the audio recordings and may contain the same categories of PHI present in the original audio.
1.3 Structured Clinical Notes
Transcribed text is further processed by an AI system that organizes the unstructured transcript into structured clinical documentation fields. These structured notes may include, but are not limited to, patient assessment data, care interventions, behavioral observations, vital signs, medication administration records, dietary intake, mood and cognition observations, and caregiver recommendations. Structured clinical notes constitute PHI.
1.4 Account Information
When you create a CareTraceAI account, we collect:
- Full name
- Email address
- Password (stored in hashed form; we do not store plaintext passwords)
- Professional role or title (e.g., nurse, caregiver, administrator)
- Facility affiliation
1.5 Facility Information
For facilities that subscribe to the Service, we collect:
- Facility name and address
- Facility license number (where applicable)
- State of operation
- Primary contact information for the facility administrator
1.6 Patient and Resident Information
As entered by authorized caregivers through the Service, we may collect and process the following patient and resident information:
- Patient or resident full name
- Room number or bed assignment
- Medical record number (“MRN”)
- Date of birth
- Medical conditions and diagnoses
- Known allergies and current medications
- Care plan details
- Behavioral and clinical observations
- Vital signs and other health metrics
All patient and resident information is entered solely by authorized caregivers in the course of providing care documentation. CareTraceAI does not independently collect patient information from any source other than authorized users of the Service.
1.7 Device and Usage Data
We automatically collect certain technical and usage information when you access or use the Service, including device type, operating system, application version, unique device identifiers, IP address, date and time of access, features used, session duration, crash logs, and network connection type.
2. How We Use Your Data
2.1 Providing the Service
The primary purpose of data collection is to deliver the core functionality of the Service. Audio recordings are transcribed into text, and transcribed text is structured into clinical documentation. This processing is performed on behalf of the subscribing facility.
2.2 Maintaining and Improving the Service
We use device data, usage data, crash logs, and error reports to identify and resolve technical issues, monitor system performance, and improve the reliability of the Service. We do not use PHI for product improvement or AI model training unless we have obtained explicit, written authorization from the applicable covered entity.
2.3 Customer Support
When you contact us for assistance, we may use your account information and relevant usage logs to diagnose issues. Any PHI accessed during support interactions is handled in accordance with our HIPAA obligations.
2.4 Service-Related Communications
We may use your email address for account verification, service updates, security notifications, policy changes, and billing communications. We do not send unsolicited marketing emails or share your email with third parties for marketing purposes.
2.5 Compliance with Legal Obligations
We may use and disclose information as necessary to comply with applicable federal and state laws, including HIPAA, CCPA, California Title 22 regulations, and valid legal process.
3. Data Processing and Third-Party Processors
3.1 Audio Transcription — On-Premise Processing
Audio recordings are transcribed using open-source speech-to-text technology running entirely on CareTraceAI–controlled infrastructure. Audio data is never transmitted to any external or third-party service for transcription. Raw audio recordings remain within our secure, HIPAA-compliant environment at all times.
3.2 Amazon Web Services (AWS) — AI Note Structuring
Transcribed text (not audio) is processed through AWS Bedrock using a large language model for clinical note structuring. AWS operates under a signed Business Associate Agreement (BAA). Data submitted through the API is not used to train AI models. Only transcript text is transmitted; raw audio recordings are never sent to AWS or any external AI provider.
3.3 Supabase — Database, Authentication, and Storage
All categories of information are stored in a managed PostgreSQL database hosted on AWS infrastructure in the United States, operated by Supabase under a signed BAA with the HIPAA add-on enabled. Security includes encryption at rest (AES-256), encryption in transit (TLS 1.3), row-level security policies, multi-factor authentication, and role-based access controls.
3.4 Fly.io — Backend Infrastructure
The CareTraceAI API and audio processing services are hosted on Fly.io under a signed BAA with a HIPAA-enabled workspace. All Protected Health Information processing, including on-premise audio transcription, occurs within this HIPAA-compliant infrastructure environment.
3.5 Vercel — Marketing Website
The public-facing marketing website is hosted on Vercel. No Protected Health Information is processed, stored, or transmitted through Vercel.
4. Data Retention
4.1 Audio Recordings
Audio recordings are retained for up to ninety (90) calendar days to allow for quality verification and re-processing if necessary. Audio recordings are automatically and permanently deleted after the retention period expires. Audio is processed and stored exclusively on CareTraceAI–controlled infrastructure and is never transmitted to external services.
4.2 Clinical Notes
Structured clinical notes are retained for the duration of the service agreement plus three (3) additional years, consistent with California Title 22 requirements.
4.3 Account and Facility Data
Account data is deleted within thirty (30) days of account deletion. Facility data follows the same three-year post-termination retention as clinical notes.
4.4 Audit Logs
Audit logs are retained for a minimum of six (6) years to satisfy HIPAA requirements.
5. Data Security
CareTraceAI implements administrative, technical, and physical safeguards designed to comply with the HIPAA Security Rule (45 CFR Part 164, Subpart C). These safeguards protect the confidentiality, integrity, and availability of all data, including Protected Health Information.
- Encryption in transit: All data transmitted between client devices, the CareTraceAI API, and data stores is encrypted using TLS 1.3 or higher.
- Encryption at rest: All stored data, including database records and audio files, is encrypted using AES-256.
- On-premise audio processing: Audio recordings are transcribed on CareTraceAI–controlled infrastructure and are never transmitted to external third-party services.
- Multi-factor authentication: MFA is required for all user accounts accessing the Service.
- Role-based access controls: Access to PHI is restricted by user role (e.g., caregiver, nurse, director of nursing, administrator). Users can only access data relevant to their assigned responsibilities.
- Row-level security: Database-enforced row-level security policies ensure that users can only access records associated with their facility. Cross-facility data access is prohibited at the database level.
- Audit logging: Every access to, creation of, modification of, or deletion of PHI is recorded in a tamper-resistant, append-only audit log. Audit logs are retained for a minimum of six (6) years.
- PHI scrubbing: Application logs and error reports are automatically scrubbed to prevent inadvertent exposure of Protected Health Information in system diagnostics.
- Session management: User sessions expire after a defined period of inactivity. Expired sessions require re-authentication.
- Key rotation: Cryptographic keys are rotated on a quarterly basis.
- Security assessments: Periodic security assessments and vulnerability scans are conducted to identify and remediate potential threats.
- Workforce training: All personnel with access to PHI complete HIPAA security and privacy training prior to accessing the Service and on an annual basis thereafter.
6. Data Deletion and Portability
Facilities and users may request data exports in standard formats (CSV or JSON) by contacting privacy@caretrace.ai. Deletion requests are fulfilled within thirty (30) days. Upon facility cancellation, a thirty-day export period is provided, followed by the mandatory retention period before permanent deletion.
7. California Consumer Privacy Act (CCPA)
California residents have the right to know what personal information we collect, request deletion, opt out of the sale of personal information, and exercise these rights without discrimination. CareTraceAI does not sell personal information.
To exercise your rights, contact privacy@caretrace.ai. We will respond within forty-five (45) calendar days.
8. HIPAA
CareTraceAI acts as a business associate under HIPAA and will execute a Business Associate Agreement (BAA) with each covered entity before processing PHI. We implement minimum necessary standards, access controls, transmission and storage security, audit controls, integrity controls, and workforce training as described in this policy.
In the event of a breach of unsecured PHI, we will notify affected covered entities within sixty (60) days and cooperate in fulfilling breach notification obligations.
9. Cookies
CareTraceAI does not use cookies for advertising or cross-site tracking. The Service may use strictly necessary cookies for session management and authentication.
10. Children’s Privacy
The Service is not directed at children under thirteen (13). We do not knowingly collect personal information from children. The Service may process clinical documentation relating to residents of any age as entered by authorized adult caregivers.
11. Changes to This Policy
We will update the effective date and notify users of material changes through the application, email, or our website. Changes affecting PHI handling will be communicated to facility administrators at least thirty (30) days in advance.
12. Contact
Privacy inquiries: privacy@caretrace.ai
General support: support@caretrace.ai
13. Governing Law
This Privacy Policy is governed by the laws of the State of California. Legal proceedings shall be brought in the state or federal courts located in Los Angeles County. Before initiating formal proceedings, the parties agree to attempt informal resolution over thirty (30) days.