Privacy Policy

Last Updated: March 2026

1. Introduction

CareStack ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services.

As a HIPAA-compliant healthcare technology platform, we take data security and privacy extremely seriously. This policy describes our practices for both Protected Health Information (PHI) and other personal information.

2. Information We Collect

2.1 Information You Provide

  • Account information (name, email, phone number, company details)
  • Caregiver information (credentials, certifications, availability)
  • Client information (care requirements, medical information)
  • Shift and scheduling data
  • Training and compliance records
  • Billing and payment information

2.2 Information Collected Automatically

  • Device information (IP address, browser type, operating system)
  • Usage data (features accessed, time spent, actions taken)
  • Location data (for EVV compliance and shift matching)
  • Log data (access times, pages viewed, errors encountered)

2.3 Information from Third Parties

  • Background check providers
  • Payment processors
  • State EVV aggregators
  • Integration partners

3. How We Use Your Information

We use collected information for the following purposes:

  • Provide, operate, and maintain our platform and services
  • Process transactions and manage billing
  • Facilitate shift scheduling and marketplace matching
  • Ensure compliance with healthcare regulations (HIPAA, EVV)
  • Analyze platform usage and improve our services
  • Communicate with you about your account and services
  • Detect, prevent, and address technical issues and security threats
  • Comply with legal obligations and enforce our terms

4. Data Sharing and Disclosure

We do not sell your personal information. We may share information in the following circumstances:

4.1 With Your Consent

We share information with third parties when you explicitly authorize us to do so (e.g., connecting with state EVV systems).

4.2 Service Providers

We work with trusted third-party vendors who help us operate our platform (hosting, payment processing, analytics). All vendors sign Business Associate Agreements (BAAs) and are HIPAA-compliant.

4.3 Legal Requirements

We may disclose information if required by law, court order, or government regulation, or to protect the rights, property, or safety of CareStack, our users, or others.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, user information may be transferred. We will notify you before your information is transferred and becomes subject to a different privacy policy.

5. Data Security

We implement industry-standard security measures to protect your information:

  • AES-256 encryption for data at rest
  • TLS/SSL encryption for data in transit
  • Role-based access controls (RBAC)
  • Comprehensive audit logging of all PHI access
  • Regular security audits and penetration testing
  • Multi-factor authentication (MFA) support (coming soon)
  • Automatic session timeouts and forced re-authentication

6. HIPAA Compliance

CareStack is a HIPAA-compliant platform. We act as a Business Associate to our customers (Covered Entities) and will sign a Business Associate Agreement (BAA) with all healthcare agencies using our platform.

Protected Health Information (PHI) is subject to additional safeguards beyond those described in this Privacy Policy, as required by HIPAA regulations.

7. Your Rights

Depending on your location, you may have the following rights:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your personal information (subject to legal retention requirements)
  • Portability: Receive your data in a structured, machine-readable format
  • Objection: Object to processing of your personal information
  • Restriction: Request restriction of processing in certain circumstances

To exercise these rights, contact us at agencycarestack@gmail.com.

8. Data Retention

We retain your information for as long as necessary to provide our services and comply with legal obligations. Specific retention periods include:

  • Account information: Duration of active subscription plus 7 years
  • PHI and care records: 7 years after last service date (per HIPAA requirements)
  • Audit logs: 7 years (per HIPAA requirements)
  • Billing records: 7 years (per tax regulations)

9. Cookies and Tracking

We use cookies and similar tracking technologies to improve your experience, analyze usage, and provide personalized content. You can control cookie settings through your browser preferences.

10. International Data Transfers

CareStack is based in the United States. If you access our services from outside the U.S., your information may be transferred to, stored, and processed in the U.S. We ensure appropriate safeguards are in place for international transfers.

11. Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by email or through the platform. Continued use of our services after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us:

CareStack Privacy Team

Email: agencycarestack@gmail.com