Privacy Policy
How we handle and protect your data
Effective Date: October 1, 2025
Last Updated: October 15, 2025
1. INTRODUCTION AND SCOPE
1.1 Who We Are
Caremaze ("we," "us," "our") operates https://app.caremaze.com and related services (web, mobile, and voice/phone agents) that help patients book appointments and coordinate care using autonomous agent technology (the "Services").
1.2 Scope of This Policy
This Privacy Policy explains how we collect, use, disclose, store, and protect information when you:
- Visit or use our websites or apps
- Interact with our autonomous/phone agents
- Communicate with us by email, SMS, phone, or in-app channels
- Receive support or otherwise engage with the Services
We operate in all U.S. states. We do not target children under 13 and do not knowingly collect information from them.
1.3 Acceptance
By using the Services, you acknowledge this Privacy Policy. If you do not agree, please do not use the Services.
1.4 Important Notice for Healthcare Providers
If you are a healthcare provider (or act on behalf of one), Section 2 (HIPAA) may apply. Please contact us to execute a Business Associate Agreement (BAA) where required.
2. HIPAA STATUS AND CONSUMER HEALTH DATA
We are not acting as a HIPAA Business Associate for this product and do not process Protected Health Information (PHI) under HIPAA. Health-related data we collect is handled under applicable state privacy laws and consumer health data laws.
2.1 What that means
- HIPAA generally does not apply to our processing in this product. Your healthcare providers remain subject to HIPAA for information in their systems.
- Consumer health data (CHD) that we collect directly from you (e.g., appointment reasons, symptoms) is governed by state law (e.g., Washington My Health My Data Act; Nevada SB370) and by comprehensive privacy laws (e.g., CA/CO/CT/VA/UT and others). We provide required notices and, where required, obtain opt-in consent for certain collection, use, and disclosures.
- We prohibit geofencing around healthcare facilities for CHD collection, tracking, or targeted messaging as required by law.
2.2 Consumer Health Data rights & controls
- We provide a Consumer Health Data Notice describing categories, purposes, and sharing.
- Where required, we obtain opt-in consent and provide withdrawal mechanisms.
- We honor CHD deletion and other rights consistent with state law.
2.3 Automated decision-making (ADMT)
2.4 Breach notifications (non-HIPAA)
We follow the FTC Health Breach Notification Rule (HBNR) for qualifying personal health records, and applicable state breach notice laws. If a breach of unsecured PHR identifiable health information occurs, we will notify affected individuals and regulators as required and within required timelines.
3. INFORMATION WE COLLECT
3.1 Personal Identifiers
Name, email, phone, postal address, account credentials, device IDs, IP address, cookie IDs, date of birth, insurance plan, insurance member number, insurance group ID, reason for your visit to the provider.
3.2 Health and Medical Information (Sensitive)
Appointment details and reason for visit; conditions, symptoms, medications, allergies; provider and insurer details; referral, discharge or care-coordination information. This may be PHI when processed for a Covered Entity; otherwise it may be regulated as consumer health data under state law.
3.3 Financial Information
Payment card/bank details (processed by third-party processors), billing address, transaction history. We do not store full card numbers/CSC on our servers.
3.4 Demographic Information
Age/age range and language.
3.5 Usage and Technical Information
Device/browser, OS, app version, pages/events, telemetry/crash logs, referrers, coarse location (from IP), in-product search queries, and interactions with autonomous/phone agents (e.g., transcripts/recordings where enabled).
3.6 Communications and Interactions
Support inquiries, surveys, messages, call recordings and communications with providers via the Services.
3.7 Inferences and Derived Data
Preference and routing inferences to improve scheduling, safety/fraud signals, and user experience. We do not create unrelated marketing profiles where prohibited and honor opt-out rights where applicable.
3.8 Sensitive Personal Information (SPI) (State Law)
Health data; account log-ins with credentials.
4. HOW WE COLLECT INFORMATION
- Directly from you (accounts, forms/flows, agent interactions, support)
- Automatically (cookies/SDKs/pixels; logs; telemetry; device signals with permission)
- From third parties (health systems/providers, insurers, payment processors, identity verification, referrals/partners)
- From healthcare providers (as authorized and subject to HIPAA/BAA where applicable)
5. HOW WE USE YOUR INFORMATION
- Provide, secure, and improve the Services (scheduling, provider communications, care coordination)
- Authenticate users; prevent fraud/abuse; ensure integrity and safety
- Operate, QA, and improve autonomous/phone agents (including limited human review for safety/quality where permitted)
- Communicate about transactions, features, updates, outages, and service notices
- Send marketing communications (with required consent/opt-out)
- Comply with legal obligations; enforce terms; protect rights and safety
- De-identify/aggregate data for analytics and service improvement
5.1 Automated Decision-Making (ADMT) & Profiling
We use limited automation to route requests, detect fraud, and surface provider options. Where a decision produces legal or similarly significant effects under state law, you may:
- Opt out of that processing,
- Request human review, and
- Appeal outcomes.
Appeals: Submit via https://caremaze.notion.site/privacy-appeal or email privacy@caremaze.ai with subject "Privacy Appeal." We respond within 45 days (extension as permitted by law).
6. HOW WE SHARE AND DISCLOSE INFORMATION
We share personal information only as described below. We do not sell personal information for money. Some states define "sale" or "sharing" to include certain analytics or ads – see Sections 9 and 17 for opt-out rights.
6.1 Healthcare Providers
To schedule and coordinate care, we share: identity and contact info, appointment preferences/details, insurer data, and relevant health information you provide. HIPAA applies when we act for a Covered Entity.
6.2 Service Providers / Processors (incl. Business Associates)
Cloud hosting, storage/backup, communications (email/SMS/voice), identity verification, security/fraud, analytics (limited to operational metrics in HIPAA contexts), QA/transcription, and customer support.
- Contractual limits on use
- Security obligations
- BAAs where PHI is involved
6.3 Health Insurers (with authorization)
Eligibility/coverage checks, claims/payment support, and coordination activities you authorize.
6.4 Payment Processors
If collecting payment, we use PCI-compliant processors for payments. Payment data goes directly to them; we do not store full card numbers/CSC.
6.5 Affiliates/Subsidiaries
For operations consistent with this Policy (not for their independent marketing unless you consent where required).
6.6 Advertising and Analytics Partners
If we use analytics/advertising services that qualify as "sale" or "sharing" for cross-context behavioral advertising, you may opt out (see Section 9). We do not permit third parties to collect PHI for their own advertising.
6.7 Business Transfers
In mergers, acquisitions, reorganizations, or asset sales, information may be transferred under this Policy's commitments and applicable laws.
6.8 Legal/Compliance
We may disclose information to comply with law, lawful requests, or to protect rights, safety, and security. PHI disclosures follow HIPAA rules/authorizations.
6.9 With Your Consent
We may share information for other purposes with your explicit consent/direction.
6.10 Aggregate/De-identified Data
We may share de-identified or aggregate data for analytics, research, or service improvement (no re-identification).
7. DATA RETENTION AND DELETION
We retain personal information only as long as needed for the purposes in this Policy or as required by law/contract.
- General account data: while active + 12 months
- Logs/telemetry: 7 years
- Call recordings/transcripts: 7 years
- Backups: retained for 24 weeks, then overwritten
- PHI: per HIPAA and BAA terms (often 6–7 years or as specified by the Covered Entity)
- Consumer health data (non-HIPAA): retention as disclosed by state law (e.g., WA/NV) and our health data notice
Deletion Requests: See Section 9. We will delete from active systems and instruct processors to do the same, subject to legal/operational exceptions (e.g., security, debugging, legal obligations, or HIPAA/medical record retention).
8. SECURITY MEASURES
We implement administrative, technical, and physical safeguards designed to protect information:
- Technical: encryption in transit/at rest; role-based access; MFA; network segmentation; audit logging; vulnerability management; secure SDLC
- Administrative: policies/standards; workforce training; vendor/BAA management; incident response; risk analysis/management
- Physical: facility and device controls; secure media handling and disposal
We investigate, contain, and remediate security events. For incidents involving personal health records outside HIPAA, we comply with the FTC Health Breach Notification Rule and applicable state breach laws. Notifications include the incident description, data types, protective steps, and our mitigation actions.
Limitations: No system is perfectly secure. You are responsible for keeping credentials confidential and notifying us of suspected compromise.
9. YOUR PRIVACY RIGHTS
Rights vary by jurisdiction and may include:
- Right to Know/Access categories and specific pieces of information; sources; purposes; third-party disclosures; retention.
- Right to Delete personal information (subject to exceptions).
- Right to Correct inaccurate personal information.
- Right to Data Portability (structured, commonly used format).
- Right to Opt Out of sale, sharing for cross-context behavioral advertising, and targeted advertising.
- Right to Limit Use of Sensitive Personal Information to necessary purposes (where available).
- Right to Opt Out of Certain Automated Decision-Making and to request human review and appeal.
- Right to Non-Discrimination for exercising rights.
- Authorized Agents may submit requests with proof of authorization.
How to exercise rights:
- Online: https://caremaze.notion.site/privacy-rights
- Email: support@caremaze.ai
- Phone: +1 (408) 762-3002
- Mail: 380 Portage Ave, Palo Alto, CA 94306
Verification: We may request information to verify your identity and state residency.
Appeals: If we deny a request, you may appeal via https://caremaze.notion.site/privacy-appeal or email support@caremaze.ai with subject "Privacy Appeal." We respond within 45 days (extension permitted by law).
We honor Global Privacy Control (GPC) for California sale/sharing opt-outs and recognized Universal Opt-Out Mechanisms (UOOM) for Colorado targeted advertising/sale.
Colorado and other states requiring UOOM: We honor recognized Universal Opt-Out Mechanisms for sale/targeted ads.
10. COOKIES AND TRACKING TECHNOLOGIES
We use cookies/SDKs/pixels and similar tech for authentication, security, analytics, and improving the Services.
- Controls: Manage preferences via Cookie Settings: https://caremaze.notion.site/privacy-settings
- Consent: Where required, we obtain consent for non-essential cookies.
- Signals: We honor applicable GPC/UOOM signals for sale/sharing/targeted-ads opt-outs.
- Healthcare contexts: We avoid use of tracking that would disclose PHI to third parties.
11. THIRD-PARTY SERVICES AND LINKS
Our Services may link to third-party sites or integrate third-party tools. Their use of your information is governed by their policies and our contracts with them. We do not permit third parties to use PHI for their own advertising/marketing.
12. CHILDREN'S PRIVACY (COPPA)
We do not target or knowingly collect information from children under 13. If you believe a child under 13 provided information, contact us at support@caremaze.ai so we can delete it.
13. EMAIL AND SMS (CAN-SPAM / TCPA)
- Transactional messages (e.g., confirmations/reminders) are necessary for the Services.
- Marketing messages include an unsubscribe link; we honor opt-outs promptly per CAN-SPAM. We do not send promotional SMS or make promotional calls.
14. INTERNATIONAL USERS
The Services are intended for use in the United States. If you access from other regions, you consent to processing in the U.S.
15. CHANGES TO THIS POLICY
We may update this Policy periodically. We will post changes here with an updated "Last Updated" date and provide additional notice if changes materially affect your rights.
16. CONTACT INFORMATION
Email: support@caremaze.ai
Address: 380 Portage Ave, Palo Alto, CA 94306
Phone (optional): +1 (408) 762-3002
Privacy Officer (optional): Privacy Officer
Footer links to include on all pages/screens:
- Do Not Sell or Share My Personal Information → https://caremaze.notion.site/privacy-rights
- Limit the Use of My Sensitive Personal Information → https://caremaze.notion.site/privacy-rights
- Cookie Settings → https://caremaze.notion.site/privacy-settings
- Privacy Rights Portal → https://caremaze.notion.site/privacy-rights
17. STATE-SPECIFIC PRIVACY RIGHTS AND NOTICES
17.1 California (CCPA/CPRA)
- Rights: know/access, delete, correct, portability, opt-out of sale/sharing, limit SPI, ADMT rights, non-discrimination.
- GPC honored for sale/sharing opt-outs.
- Provide a Notice at Collection at/near the point of collection.
California Notice at Collection
| Category | Examples | Purposes | Retention | Sold/Shared? |
|---|---|---|---|---|
| Identifiers | name, email, phone, IP | account, scheduling, security, support | ✔︎ | Sale/Share: No |
| Sensitive (health) | reason for visit, insurer, provider info | scheduling, coordination, safety | ✔︎ | Sale/Share: No |
| Internet/usage | device, pages, events | security, analytics, performance | ✔︎ | Sale/Share: No |
| Geolocation (coarse) | IP-based region | fraud prevention, localization | ✔︎ | Sale/Share: No |
17.2 Virginia, Colorado, Connecticut, Utah
- Rights: access, delete, correct (except UT), portability; opt-out of targeted advertising, sale, and certain profiling.
- Colorado: honors recognized Universal Opt-Out Mechanisms (UOOM). We process approved signals accordingly.
17.3 Additional Comprehensive State Laws (as of October 1, 2025)
We extend comparable rights and mechanisms for states with comprehensive privacy laws (e.g., DE, FL (limited scope), IA, IN, MD, MN, MT, NE, NH, NJ, OR, TN, TX, and others enacted as of October 1, 2025).
17.4 Appeals
If we deny your request, you may appeal via https://caremaze.notion.site/privacy-appeal or email support@caremaze.ai with subject "Privacy Appeal." We respond within 45 days (extension permitted by law).
18. REGULATORY AND INDUSTRY-SPECIFIC NOTICES
18.1 Consumer Health Data Outside HIPAA
When health data is processed outside HIPAA (e.g., you interact with us directly and not through a Covered Entity), certain state consumer health data laws may apply (e.g., Washington My Health My Data Act, Nevada SB370). Requirements may include:
- A dedicated health data notice describing categories and purposes
- Opt-in consent for certain collection/uses/disclosures
- Limits on geofencing near healthcare facilities
18.2 FTC Act Section 5 (Unfair/Deceptive Practices)
We avoid unfair or deceptive practices and ensure our privacy/security statements reflect actual practices. Security claims, consent flows, and user controls must match behavior.
18.3 FTC Health Breach Notification Rule (Non-HIPAA PHR)
If we maintain a personal health record outside HIPAA, we comply with the FTC Health Breach Notification Rule for unauthorized acquisitions of PHR identifiable health information.
18.4 Gramm-Leach-Bliley Act (GLBA) (If Applicable)
If we provide financial services covered by GLBA (distinct from routine payment processing), we will provide GLBA privacy notices and safeguards.
GLBA does not apply to our Services at this time.
18.5 Biometrics
If we collect biometric identifiers (e.g., voiceprints for speaker recognition), we will provide prior notice, obtain required consent, and follow retention/destruction schedules under applicable state laws (e.g., IL BIPA, TX, WA).
We do not collect biometric identifiers.