Last Updated: April 3, 2026

Privacy Policy

How CareCompanion AI handles your health data

01 WHO WE ARE

CareCompanion AI ("CareCompanion", "we", "us") is an AI-powered health organizer built for cancer patients and their family caregivers. We help families manage medications, appointments, lab results, and medical records in one place. Our website is carecompanionai.org.

02 WHAT DATA WE COLLECT

Data you provide directly:

  • Patient profile information (name, age, conditions, allergies)
  • Medications, dosages, and refill dates
  • Doctor and care team information
  • Appointment details and notes
  • Lab results and health records
  • Insurance information
  • Symptom journal entries
  • Documents and medical files you upload
  • Chat messages with our AI assistant

Data we collect automatically:

  • Account email and authentication data
  • App usage and feature interactions
  • Device type and browser (for app performance only)

Data imported via health system connections:

When you connect your hospital account (e.g. Epic MyChart), we import only the data you explicitly authorize, including medications, conditions, allergies, lab results, appointments, and insurance claims. This only happens with your direct consent through the hospital's official OAuth login flow.

03 HOW WE USE YOUR DATA

We use your data solely to:

  • Power the CareCompanion AI assistant and its responses
  • Display your health information across the app
  • Send medication reminders and appointment alerts you have enabled
  • Generate health summaries and visit prep sheets
  • Improve app performance and fix bugs

We never use your health data for advertising.

We never sell your data to any third party, ever.

We never share your data without your explicit consent except as required by law.

04 HOW WE STORE AND PROTECT YOUR DATA

  • All data is stored in AWS Aurora (PostgreSQL), a SOC 2 Type II certified cloud database
  • Row-level security ensures no user can access another user's data
  • All data is encrypted in transit (HTTPS/TLS) and at rest
  • API keys and credentials are never stored in code
  • Care team access is permission-controlled — you decide who sees what

05 CARE TEAM SHARING

When you invite family members to your care team:

  • You control their permission level (viewer, editor, or owner)
  • They only see data for the patient profile you invited them to
  • You can remove them at any time
  • All care team activity is logged in the activity feed

06 DATA RETENTION

We keep your data for as long as your account is active. If you delete your account, all associated data is permanently deleted within 30 days, including patient profiles, medications, appointments, messages, memories, and uploaded documents. You can also export all your data before deletion from the Settings page.

07 YOUR RIGHTS

You have the right to:

  • Access all your data (export from Settings)
  • Correct any inaccurate data
  • Delete your account and all associated data
  • Disconnect any health system integration at any time
  • Withdraw consent for data processing at any time

08 CHILDREN'S PRIVACY

CareCompanion is not directed at children under 13. We do not knowingly collect data from children under 13.

09 CHANGES TO THIS POLICY

We will notify users by email and in-app notification of any material changes to this policy at least 14 days before they take effect.

10 CONTACT US

For any privacy questions, data requests, or concerns:
Email: privacy@carecompanionai.org
Website: carecompanionai.org

11 SECURITY PRACTICES

CareCompanion AI encrypts all data in transit using TLS 1.2+ and at rest using AES-256 encryption through our database provider (AWS Aurora, SOC 2 Type II certified). Every database table is protected by row-level security (RLS) policies that cryptographically enforce user-scoped access, meaning no user can ever query another user's data, even through direct API calls. All API keys, OAuth tokens, and secrets are stored in environment variables and never committed to source code. We conduct regular dependency audits and follow OWASP security guidelines. Health portal connections use the SMART on FHIR OAuth 2.0 protocol with PKCE where supported, and we never see or store hospital login passwords.

CareCompanion AI follows HIPAA-aligned security practices. We are not currently a HIPAA-covered entity.

© 2026 CareCompanion AI