Privacy Policy

1. Intro and scope

This Privacy Policy explains how CareCircle ("we", "us") collects, uses, discloses, and protects personal information in connection with:

• A practice management platform for mental health professionals (the "Professional Platform").
• A mobile and web application for clients of those professionals (the "Client App").

We are established in Québec and subject to Québec's private‑sector privacy law (including Law 25) and applicable Canadian privacy law (PIPEDA).

If we serve users in the European Economic Area or United Kingdom, we also act as a "data controller" or "data processor" under the GDPR as applicable.

If our customers are subject to HIPAA, we may act as a "business associate" and will sign Business Associate Agreements (BAAs), but our service itself does not replace a provider's professional or legal obligations under HIPAA.

This is a draft and must be reviewed and customized by qualified legal counsel before production use.

2. Roles and responsibility (controllers vs processors)

For professional users (therapists, clinics, organizations), we generally act as a "service provider" / "data processor" processing personal information on their behalf, according to our contract and their instructions.

For certain limited activities (e.g., operating our website, account billing, security monitoring, analytics we perform for ourselves), we act as an independent "data controller" and determine the purposes and means of processing.

Mental health professionals are responsible for obtaining any consents required from their clients and for configuring the Professional Platform and Client App in a way that complies with their own legal obligations (including Québec health information law, PIPEDA, GDPR or HIPAA where applicable).

3. Information we collect

3.1 From mental health professionals and organizations

We may collect:

• Account and identity information: name, professional title, license number, clinic or organization name, contact details, preferred language, authentication credentials.
• Practice information: caseload lists, patient codes or pseudonyms, appointment schedules, telehealth session metadata (dates, times, duration, connection status), internal resource lists (e.g., associated therapists).
• Content entered into the Professional Platform:
  • Session notes and summaries, including AI‑generated drafts or summaries which professionals can review and edit.
  • Patient management notes, treatment plans, materials sent to clients, and internal communications related to care.
• Communications: messages sent via the Platform to clients or other professionals, support requests, and feedback.
• Billing and subscription information: subscription tier, billing contact, payment method details processed via third‑party payment processors (we do not store full card numbers).
• Technical information: device and browser information, IP address, log data, cookies or similar technologies for authentication, security, and service improvement.

3.2 From clients / end users

We may collect, on behalf of the professional:

• Account information: name or pseudonym as chosen by the professional or client, contact details, authentication credentials.
• Habit and wellness tracking: entries about habits, mood, sleep, water intake and other wellness metrics as configured in the Client App.
• Journaling: free‑text journal entries created by the user, which are treated as sensitive mental health information.
• AI companion interactions:
  • Messages sent to the in‑app AI "therapist" and saved snippets the user chooses to store.
  • Confirmation that the user has acknowledged and accepted the waiver explaining that this is an AI tool, not a human professional.
• Scheduling and appointments: appointment bookings, rescheduling and cancellation data, reminders, and related notifications.
• Teleconferencing and messaging: session metadata (date, time, duration, participants) and messages exchanged through in‑app chat; if session audio or video is recorded, this will be clearly indicated and subject to explicit consent.
• Consent and sharing settings: records of whether and when a user has granted or withdrawn consent for their therapist to see summaries of their habits, journaling or other wellness data.
• Technical information: device identifiers, operating system, app version, crash logs, and anonymized or pseudonymized analytics data (configured to minimize personal information where possible).

4. How data is encrypted and pseudonymized

All sensitive content stored in our databases, including journal entries, habit details, and clinical notes, is encrypted on the client side before transmission and remains encrypted at rest in our databases.

Our technical design ensures that databases do not contain a single piece of information that, by itself, can directly identify an individual; identifiers are separated and/or pseudonymized and combined only at the application layer.

We use industry‑standard encryption protocols in transit (e.g., TLS) and strong cryptographic algorithms for data at rest.

Encryption keys and access to decrypted content are limited to authorized users (e.g., the professional and the client) through role‑based access controls and authentication mechanisms.

A lawyer may want you to add specific algorithms, key‑management details, and hosting locations once finalized.

5. How we use information

We use personal information for the following purposes, acting either as a processor for professionals or as a controller for service operations:

• Providing and maintaining the Professional Platform and Client App:
  • Creating and managing user accounts, authentication, and security.
  • Enabling scheduling, teleconferencing, messaging, and secure document and materials sharing between professionals and clients.
• Supporting clinical workflows:
  • Allowing professionals to record, organize, and search their clinical notes and session summaries, including AI‑assisted draft notes.
  • Allowing clients to track habits, journaling, and wellness data and, where they consent, share summaries of this data with their therapist.
• AI features:
  • Generating draft notes and summaries from session data for clinicians to review and approve.
  • Operating the AI companion in the Client App to provide supportive, non‑diagnostic responses, clearly presented as an AI tool.
• Notifications: sending push notifications, email or SMS confirmations and reminders for upcoming appointments, messages, or tasks, according to user settings and legal requirements for consent.
• Service improvement and security: monitoring system performance, detecting abuse or security incidents, and improving user experience using aggregated or de‑identified data whenever possible.
• Legal and compliance: maintaining audit logs of access to health and social services information when required by Québec law, and responding to legal requests, regulatory obligations, and risk management needs.

We do not use client health information for advertising or sell personal information in the sense prohibited by Law 25 or similar privacy laws.

6. Legal bases for processing (GDPR, if applicable)

Where the GDPR applies, our legal bases include:

• Performance of a contract: to provide the Professional Platform and Client App to professionals and their clients.
• Legitimate interests: to secure our systems, prevent abuse, and improve services, provided these interests are not overridden by individuals' rights and freedoms.
• Consent: for certain processing of sensitive data (e.g., health information), for AI features, and for electronic marketing communications, where required.
• Legal obligations: to comply with privacy, health information, and other applicable laws in Québec, Canada, and other jurisdictions.

Professionals are responsible for identifying their own legal bases when they decide how to use the Platform with their clients.

7. Data sharing and international transfers

We may share personal information with:

• Service providers and subprocessors: hosting providers, teleconferencing vendors, AI infrastructure providers, notification services, payment processors and security services, bound by confidentiality and data protection obligations.
• Professionals and organizations: information a client chooses to share with their therapist or clinic (e.g., summaries of habits, journals or AI companion snippets) will be visible to those professionals according to the user's consent and the professional's configuration.
• Legal and regulatory authorities: where required by law, court order, or regulatory authority, or to protect our rights, users, or the public.
• Corporate transactions: in connection with a merger, acquisition, or other reorganization, subject to safeguards and continued protection of personal information.

If personal information is transferred outside Québec or Canada, we will conduct privacy impact assessments and ensure that appropriate safeguards and contractual protections are in place, as required by Law 25 and PIPEDA.

8. Data retention

We retain personal information for as long as necessary to provide the services to professionals and clients, to comply with legal obligations (including professional record‑keeping obligations where our customers rely on our platform), to resolve disputes, and to enforce our agreements.

Professionals may control retention and deletion settings for their practice where permitted by law; they are responsible for complying with any minimum and maximum retention rules applicable to their practice.

When we no longer need personal information, we will delete it or irreversibly de‑identify it in accordance with our policies and legal requirements.

9. Security measures

We implement physical, organizational, and technological safeguards appropriate to the sensitivity of the information, including:

• Client‑side encryption of sensitive content before it leaves the device.
• Encryption in transit and at rest, strong authentication, and role‑based access controls.
• Access logging for health and social services information as required under Québec law, and regular review of these logs for unauthorized activities.
• Procedures to detect, investigate, and mitigate security and confidentiality incidents, including breach notification to affected individuals and regulators where required.

No method of transmission or storage is perfectly secure; however, we strive to follow recognized standards for health information security and will continue to improve our safeguards over time.

10. Your rights

Depending on your location and the role we play, you may have rights over your personal information, including:

• Right of access: to know whether we hold personal information about you and to obtain access to that information.
• Right to correction: to request correction of inaccurate or incomplete information.
• Right to withdraw consent: where processing is based on consent, you can withdraw it at any time, without affecting prior processing.
• Right to data portability and deletion: in certain circumstances, to request copies of your data or its deletion, subject to legal and professional obligations.
• Rights under GDPR: where applicable, the right to object to processing, restrict processing, and lodge a complaint with a data protection authority.

Clients of professionals should normally direct requests to their therapist or clinic, who may then use our tools to respond. We will assist professionals in fulfilling such requests as required by law and our agreements.

11. Children and minors

The Platform is designed for use under the direction of licensed professionals and may be used with minors according to applicable law and the professional's policies.

We rely on professionals to obtain any necessary parental or guardian consent before collecting or using personal information from minors through the Client App.

12. AI features and limitations

• The AI scribe/notes feature is designed to assist professionals by generating draft notes or summaries; professionals are responsible for reviewing, correcting, and approving all content before using it clinically.
• The AI companion in the Client App is clearly presented as an AI, not a human therapist, and is intended only as a supportive, non‑emergency tool; clients must acknowledge a waiver explaining its limitations before use.
• AI outputs may be logged and used in de‑identified or aggregated form to improve models and safety, subject to applicable law and user consents.

13. Cross‑border and sector‑specific compliance note

• Québec: We design our practices to align with the Act respecting the protection of personal information in the private sector (as amended by Law 25) and the new Act respecting health and social services information, including governance, privacy by default, and logging obligations.
• Canada: We align with PIPEDA's principles of accountability, consent, limiting collection, use and disclosure, safeguards, openness, and individual access.
• HIPAA (U.S.): When our customers are HIPAA covered entities or business associates, we can enter into Business Associate Agreements, and our platform is designed to support their compliance programs; however, each customer remains responsible for configuring the system and using it in accordance with HIPAA and any state or provincial health information laws.
• SOC 2: We aim to implement controls consistent with SOC 2's Trust Services Criteria (security, availability, confidentiality, processing integrity, and privacy), and may engage independent auditors to assess these controls periodically.

14. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes to our services, legal requirements, or privacy practices.

When we make material changes, we will notify users through the Platform, our website, or by email, and indicate the date of the latest revision at the top of this document.

15. Contact information

If you have questions or requests about this Privacy Policy or our privacy practices, you can contact:

You also have the right to contact the Commission d'accès à l'information du Québec or the Office of the Privacy Commissioner of Canada if you are not satisfied with our response to a privacy request.