Privacy Policy

This Privacy Policy applies to information processed through websites and applications operated as part of the Caresoft Service. The data controller or processor role may depend on your contract and configuration (for example whether your organization hosts data or we process it as a service provider).

Depending on how you use Caresoft, we may collect:

• Account data: name, email, phone, professional credentials, organization details, and authentication identifiers.
• Clinical and operational data: information you enter about care delivery, scheduling, assessments, notes, and communications sent through the Service.
• Technical data: IP address, device and browser type, logs, cookies or similar technologies, and diagnostic information used for security and reliability.
• Informed consent and audit: when you sign clinical consent forms in the product, we store the agreement text (including language), version you agreed to, a cryptographic integrity hash, and the time of signing. We may also record IP address and browser type for audit and dispute resolution. When authorized clinicians or administrators view stored consent records, we may log that access for accountability.
• Integration data: information received from services you connect (for example calendar or identity providers), as authorized by you.

We use information to:

• Provide, maintain, and improve the Service;
• Authenticate users, enforce access controls, and prevent abuse;
• Communicate about the Service, security, and policy updates;
• Comply with law and respond to lawful requests;
• Analyze usage in aggregate or de-identified form where permitted.

If laws such as the GDPR apply, we rely on appropriate bases including contract performance, legitimate interests (for example securing the Service), consent where required, and legal obligation.

We share information with vendors that help us operate the Service (hosting, email, analytics, support), subject to confidentiality and security obligations. We may disclose information if required by law or to protect rights, safety, and integrity. A current list of subprocessors should be published or provided to customers as part of your procurement process.

We retain information for as long as needed to provide the Service, meet legal and contractual obligations, resolve disputes, and enforce agreements. Retention periods may be configured with your organization where the product supports it.

We implement technical and organizational measures designed to protect information. No method of transmission or storage is completely secure. See our Trust & security page for a high-level discussion of how we think about controls and compliance messaging.

Depending on your location, you may have rights to access, correct, delete, or export personal data, or to object to or restrict certain processing. Many Caresoft users exercise rights through their healthcare provider or employer as the primary account holder. You may also contact us as described below. You may lodge a complaint with a supervisory authority where applicable.

If data is processed across borders, we use appropriate safeguards (such as standard contractual clauses) where required by law.

The Service is not directed at children for independent sign-up. Patient accounts are typically created under a clinician’s direction. If you believe we have collected information improperly, contact us.

We may update this Privacy Policy. We will post the new version and revise the “Last updated” date. Material changes may require additional notice under applicable law.

For questions about these policies, contact the administrator of your Caresoft deployment.