CareBridge Privacy Policy
Effective date: 2026-06-13
Version: 1.0 (pending legal counsel review for production-grade adoption)
Anchor: repo/docs/PRIVACY_POLICY.md on cutover-backend-pathc
Checklist item: A4 in /root/.ductor/workspace/output_to_user/carebridge_saas_completion_checklist.md
Customer-facing URL: https://carebridge.cloud/privacy
1. Who we are
CareBridge ("we", "our", "us") is operated by Chris Butler. We provide a HIPAA-bounded clinical documentation and case management workspace for field care teams.
Contact: chris@carebridge.cloud
Privacy questions: chris@carebridge.cloud (Privacy Officer)
Security disclosures: security@carebridge.cloud (see security.txt)
2. What data we collect
From you (account)
- Organization name
- User name + work email
- Billing email
- Billing address + payment method (via Stripe — see §6)
From you (clinical workflows — PHI)
- Client records you create (initials, alias, identifiers, demographics)
- Progress notes, signouts, JCC referrals, tasks, appointments, weekly summaries
- Anything else you enter into the app
Automatically
- Session cookies (cb_session) to keep you signed in
- Audit log of clinical actions (who did what, when) — see §3
- Server logs (request timing, error traces) — retained 90 days
- IP address at login (for fraud / abuse investigation)
What we do NOT collect
- Marketing tracking pixels by default (opt-in only, off by default)
- Third-party analytics tags in the customer app
- Behavioral profiling
- Cross-site tracking cookies
3. How we use your data
To deliver the service
- Authenticate you (magic-link auth, no passwords)
- Save and retrieve your clinical records
- Run AI-assisted features (progress note drafting, risk flagging, etc.) on your behalf via Azure OpenAI BAA-covered models
- Send service emails (sign-in links, billing notices, incident notifications)
For compliance
- Audit trail of clinical actions (HIPAA § 164.312(b)) retained 6 years per AUDIT_LOG_RETENTION_POLICY.md
- Breach detection and notification per HIPAA_BREACH_NOTIFICATION_PROCEDURE.md
What we will NOT do with your data
- Sell it to third parties
- Use it to train AI models outside the scope of serving you
- Share it with marketers, advertisers, data brokers, or analytics vendors
- Use de-identified versions for benchmarking or research without your written consent
4. Where your data lives
| Surface | Provider | Region | BAA-covered |
|---|---|---|---|
| Database (PHI at rest) | Microsoft Azure Postgres Flexible Server | East US 2 | Yes |
| Object storage | Microsoft Azure Blob | East US 2 | Yes |
| Application compute | Microsoft Azure Container Apps | East US | Yes |
| AI inference (clinical) | Microsoft Azure OpenAI Service | East US | Yes |
| Email (transactional) | Hostinger SMTP | EU | No (no PHI sent through this channel) |
| Billing | Stripe Inc. | US | No BAA required — no PHI flows to Stripe (see STRIPE_PCI_BASELINE.md) |
| Edge CDN | Microsoft Azure Front Door | Global | Yes |
PHI columns (clients.full_name, clients.ssn) are encrypted at rest via Fernet beyond Azure's managed-key encryption. Row-Level Security isolates one organization's data from another at the database query layer.
5. Who can see your data
- **You and your organization's users**: per role (admin, case_manager, viewer). Cross-organization access is impossible — enforced at the SQL row level on every query.
- **CareBridge staff (currently: Chris)**: for support, debugging, breach response, and operational maintenance. Each access is audit-logged. We minimize PHI access on principle.
- **Third-party processors (Microsoft, AWS)**: only as needed to operate their infrastructure. Each has signed a Business Associate Agreement.
- **Authorities**: only under valid legal process (subpoena, warrant). We will notify you unless legally prohibited.
6. Payment processing (Stripe)
Stripe processes your billing. We deliberately segregate PHI from Stripe — only your organization name, billing email, billing address, and payment method are sent. Clinical data, client identifiers, and demographics never reach Stripe.
This means Stripe is a PCI-DSS Service Provider, not a HIPAA Business Associate. Stripe's standard PCI-DSS Level 1 compliance covers payment data; no HIPAA BAA is required for this scope.
See STRIPE_PCI_BASELINE.md for the exact data flow.
7. Your rights
HIPAA right of access (45 CFR § 164.524)
You can request a copy of any PHI we hold about you. Email chris@carebridge.cloud and we will provide an export within 30 days. Once the export feature ships in /app/admin/export, you can self-serve.
Account data export
You can export all data your organization has entered into CareBridge at any time. Currently via email request; self-serve UI is on the roadmap.
Account closure
You can cancel your subscription at any time via /app/billing (or by email). Your data is retained for 90 days post-cancellation in case you resume; after that, the live database is purged of your PHI while the audit chain rows are retained 6 years per HIPAA.
State law rights
If you reside in a state with additional privacy rights (California CCPA, Virginia CDPA, etc.) and want to exercise them, email chris@carebridge.cloud with your request.
8. Cookies
We use one cookie: cb_session, for authentication. It is set httpOnly, secure, sameSite=Strict, path=/app, and has a 3-hour expiry. We do not use marketing or analytics cookies in the customer app.
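The cookie attributes above are the kind of promise a release check can verify mechanically. The following is an added example and not CareBridge's own code: it builds a `Set-Cookie` header matching the stated attributes and audits an arbitrary `Set-Cookie` header against them, reporting each missing or weakened attribute. The cookie value, the `Max-Age` encoding of the 3-hour expiry, and the function names are assumptions made for the example.

```python
"""Added example (not CareBridge code): audit a Set-Cookie header for cb_session
against the attributes the privacy policy states (HttpOnly, Secure,
SameSite=Strict, Path=/app, 3-hour expiry)."""
from __future__ import annotations

# Assumption: the 3-hour expiry is expressed as Max-Age in seconds.
SESSION_MAX_AGE = 3 * 3600


def build_session_cookie(value: str) -> str:
    """Return a Set-Cookie header with the attributes the policy promises.
    `value` is a constructed placeholder token, not a real session id."""
    return (
        f"cb_session={value}; HttpOnly; Secure; SameSite=Strict; "
        f"Path=/app; Max-Age={SESSION_MAX_AGE}"
    )


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | bool]]:
    """Split a Set-Cookie header into (name, value, attributes).
    Flag attributes such as HttpOnly map to True; valued ones keep their text.
    Attribute names are lower-cased because they are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | bool] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header: str) -> list[str]:
    """Return a list of findings; an empty list means the header is compliant.
    Each finding names the attribute and the risk its absence introduces."""
    name, _value, attrs = parse_set_cookie(header)
    findings: list[str] = []
    if name != "cb_session":
        findings.append(f"unexpected cookie name {name!r}")
    if attrs.get("httponly") is not True:
        findings.append("missing HttpOnly: cookie readable by page scripts")
    if attrs.get("secure") is not True:
        findings.append("missing Secure: cookie would be sent over plain HTTP")
    if str(attrs.get("samesite", "")).lower() != "strict":
        findings.append("SameSite is not Strict: cookie sent on cross-site requests")
    if attrs.get("path") != "/app":
        findings.append("Path is not /app: cookie exposed to other paths on the host")
    max_age = attrs.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        findings.append("Max-Age missing: session lifetime not bounded")
    elif int(max_age) > SESSION_MAX_AGE:
        findings.append(f"Max-Age {max_age}s exceeds the 3-hour limit")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: one compliant, one with two attributes dropped.
    for hdr in (
        build_session_cookie("example-token"),
        "cb_session=example-token; SameSite=Lax; Path=/app; Max-Age=86400",
    ):
        print(hdr)
        print("  findings:", audit_session_cookie(hdr) or "none")
```

Running the module audits a compliant header and a weakened one; in a CI job the same function can be pointed at a live response header so that a regression in the cookie settings fails the build rather than silently diverging from the policy.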
9. Data retention
| Data type | Retention |
|---|---|
| Live clinical records | While your account is active + 90 days after cancellation |
| Audit chain (per-tenant) | 6 years (HIPAA § 164.530(j)) |
| System audit chain (platform) | 6 years |
| Auth events (login, magic-link) | 6 years |
| Server console logs | 90 days |
| pg_dump backups | 365 days rolling on B2 + 90 days off-host on BB |
| Billing records | 7 years (tax + Stripe compliance) |
10. Children
CareBridge is for professional case managers and healthcare workforces. Our service is not directed to children under 13. If your organization works with minors as clients, you remain the covered entity under HIPAA and assume the obligations that flow from that.
11. International transfers
Our infrastructure is US-based (Azure East US 2). We do not currently transfer data internationally, except for Hostinger SMTP (EU) which receives only non-PHI service emails.
12. Changes to this policy
We will notify you of material changes via email to your account email at least 30 days before they take effect. Routine clarifications (typo fixes, link updates) may be made without notice. The "Effective date" at the top of this page is authoritative.
13. Contact
Privacy questions: chris@carebridge.cloud
Security disclosures: security@carebridge.cloud
General support: chris@carebridge.cloud
This v1.0 policy is in production use pending legal counsel review for production-grade adoption. Counsel review will produce v2.0, and this notice will be removed when v2.0 takes effect.