Privacy Policy

1. Information We Collect

We collect the following categories of information:

• Account Information: Name, email address, organization name, role, and authentication credentials when you create an account.
• Practice Data: Billing records, provider performance metrics, payer information, session data, and operational metrics that you import via CSV (e.g., Notenetic exports) or through integrations such as GoHighLevel.
• Usage Analytics: Pages visited, features used, session duration, browser type, device information, and IP address to improve the Service.
• Billing Information: Payment method details processed through our payment provider (Stripe). We do not store full credit card numbers on our servers.
• Financial Data via QuickBooks Online: If you connect your Intuit QuickBooks Online account, we access read-only financial data including Profit & Loss statements, Balance Sheet reports, Cash Flow Statements, chart of accounts, invoice summaries, and bill payment data. We do not access bank account numbers, routing numbers, or payment card details from QuickBooks. OAuth 2.0 authentication tokens used to access your QuickBooks account are encrypted at rest using Supabase Vault (pgsodium) and are never exposed to client-side code.

2. How We Use Your Information

• To provide, maintain, and improve the CareIncite platform and its features.
• To generate dashboards, reports, and analytics based on your practice data.
• To process subscription payments and manage your account.
• To send transactional emails such as account confirmations, billing receipts, and security alerts.
• To respond to your support requests and communicate about the Service.
• To generate financial dashboards and cash flow intelligence from connected QuickBooks Online accounts (CashFlowIncite module).
• To detect, prevent, and address technical issues and security threats.
• To comply with legal obligations, including HIPAA requirements.

3. Data Storage & Security

Your data is stored in a dedicated Supabase PostgreSQL database with the following safeguards:

• Row-Level Security (RLS): Database policies ensure that users can only access data belonging to their organization.
• Encryption at Rest: All data stored in Supabase is encrypted at rest using AES-256 encryption.
• Encryption in Transit: All connections to the Service use TLS 1.2 or higher.
• Access Controls: Role-based access control restricts data access based on user roles within each organization.
• Infrastructure: The frontend is hosted on Vercel with automatic DDoS protection. The database is hosted on Supabase with automated backups.

4. HIPAA Compliance & Business Associate Agreement

CareIncite is designed with HIPAA-compliant architecture to protect Protected Health Information (PHI). Our platform implements administrative, physical, and technical safeguards as required under the HIPAA Security Rule.

Customers who require a Business Associate Agreement (BAA) may request one by contacting us at support@careincite.com. We will execute a BAA prior to processing any PHI on behalf of covered entities.

5. Third-Party Services

We use the following third-party services to operate the platform:

• Supabase: Database hosting, authentication, and real-time services.
• Vercel: Frontend hosting, serverless functions, and edge delivery.
• Stripe: Payment processing for subscriptions and billing.
• Intuit QuickBooks Online: Optional accounting integration for financial reporting. When you connect your QuickBooks account, CareIncite accesses read-only financial data via Intuit's OAuth 2.0 API. We do not store your QuickBooks username or password. OAuth tokens are encrypted using Supabase Vault and automatically refreshed. You may disconnect your QuickBooks account at any time from your CareIncite settings, which immediately and permanently deletes all stored tokens. Cached financial data is deleted within 30 days of disconnection.
• GoHighLevel: Optional CRM integration for lead pipeline and marketing analytics.

Each third-party provider maintains its own privacy policy and security practices. We select providers that maintain appropriate security certifications and, where applicable, will enter into Business Associate Agreements.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specifically:

• Account Data: Retained until you request account deletion.
• Practice Data: Retained for the duration of your subscription. Upon cancellation, data is retained for 90 days before permanent deletion.
• Usage Analytics: Retained in aggregated, anonymized form for up to 24 months.
• Billing Records: Retained as required by applicable tax and accounting regulations.
• Third-Party Integration Data: OAuth tokens are deleted immediately upon disconnection. Cached data from connected services (e.g., QuickBooks financial reports) is deleted within 30 days of disconnection. No financial data from third-party integrations is retained after this period.

7. Your Rights

You have the following rights regarding your information:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete personal data.
• Deletion: Request deletion of your account and associated data, subject to legal retention requirements.
• Export: Request an export of your practice data in a machine-readable format.
• Restriction: Request restriction of processing in certain circumstances.

To exercise any of these rights, contact us at support@careincite.com. We will respond to all requests within 30 days.

8. Cookies & Analytics

CareIncite uses the following types of cookies and similar technologies:

• Essential Cookies: Required for authentication, session management, and security. These cannot be disabled.
• Analytics Cookies: Used to understand how users interact with the platform so we can improve the experience. These are anonymized and do not contain PHI.

We do not use advertising cookies or share analytics data with advertisers.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or through a prominent notice within the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

10. Contact Information

If you have questions about this Privacy Policy or our data practices, contact us at: