Introduction
MLPipes LLC ("we," "our," or "us") operates the myCARI mobile application (the "App"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App.
We take your privacy seriously, especially given the sensitive nature of health information. Please read this Privacy Policy carefully. By using myCARI, you agree to the collection and use of information in accordance with this policy.
Related Documents:
Information We Collect
Personal Information
When you create an account, we collect:
- Account Information: Name, email address, phone number, date of birth
- Profile Information: Profile photo, height, weight, sex, blood type
- Authentication Data: Encrypted passwords, biometric authentication preferences
Health and Medical Information
With your explicit consent, we collect:
From Apple HealthKit
- Heart rate and resting heart rate
- Blood pressure readings
- Blood glucose levels
- Oxygen saturation (SpO2)
- Respiratory rate
- Body measurements (weight, BMI)
- Sleep data (duration, stages, quality)
- Step count and activity data
- Workout and exercise data
- Electrocardiogram (ECG) data
Manually Entered Health Data
- Vital sign measurements
- Medication information (names, dosages, schedules)
- Medical appointments
- Medical history and conditions
- Allergy information
AI-Analyzed Data
- Meal Photos: Images you photograph are processed by AI to identify foods, estimate portion sizes, and calculate nutritional content (calories, protein, carbohydrates, fats, fiber)
- Health Insights: Your vitals, activity, sleep, and medication data are analyzed to generate personalized daily health coaching and goal recommendations
- Pattern Detection: AI identifies trends, anomalies, and correlations in your health data
Healthcare Provider Data (FHIR Integration)
When you connect your healthcare provider accounts (Epic MyChart, Cerner, athenahealth, etc.), we import:
- Laboratory results and reference ranges
- Medication lists and prescriptions
- Diagnoses and problem lists
- Immunization records
- Allergy and intolerance information
- Clinical notes and visit summaries
- Imaging and procedure reports
This data is imported via secure SMART on FHIR protocols with OAuth 2.0 authentication.
Care Team Information
If you use care team features:
- Care team member relationships and permission levels
- Shared health data (as configured by you)
- Messages between care team members (individual and group)
- Invitation and acceptance records
- Care team member consent acknowledgments
Message Retention
- Messages are stored securely for care coordination purposes
- You can delete messages from your view at any time
- Important: For HIPAA compliance and care continuity, original message content may be retained in audit logs even after deletion from your view
- "Unsent" messages preserve original content in secure audit storage
- Message audit logs are retained for a minimum of 6 years as required by law
Device and Usage Information
- Device type and operating system
- App usage patterns and features accessed
- Crash logs and performance data
- Push notification tokens
Location Information
With your consent, we may collect:
- Location data for safety features
- Location for emergency response services
How We Use Your Information
We use your information to:
Provide Core Services
- Display and track your health metrics
- Manage medications and send reminders
- Schedule and track medical appointments
- Generate personalized health insights
- Enable care team collaboration and communication
Improve Our Services
- Analyze app usage to improve features
- Develop new health tracking capabilities
- Fix bugs and improve performance
Safety and Security
- Enable emergency response features
- Detect and prevent fraud
- Ensure account security
Communications
- Send medication reminders and health alerts
- Notify you of appointment reminders
- Send care team messages and notifications
- Provide customer support
Apple HealthKit Data
We handle Apple HealthKit data with special care:
- We DO NOT use HealthKit data for advertising or marketing purposes
- We DO NOT sell HealthKit data to third parties
- We DO NOT share HealthKit data with third parties for their marketing purposes
- HealthKit data is only used to provide health tracking features within the App
- HealthKit data may be shared with care team members only with your explicit consent
How We Share Your Information
Care Team Sharing
You control what health information is shared with your care team members:
- Basic View: Medications, appointments, emergency alerts
- Full View: Above plus vitals, medical records
- Professional Caregiver: Professional access with audit logging
You can modify or revoke care team permissions at any time.
Service Providers
We share information with third-party service providers who assist in operating our App:
| Provider | Purpose | Data Shared |
|---|
| Google Cloud Platform | Backend infrastructure, data storage | Encrypted health data, account data |
| Firebase (Google) | Authentication, real-time messaging | Email, authentication tokens, messages |
| Apple | Push notifications, HealthKit | Device tokens, HealthKit data (on-device) |
These providers are bound by contractual obligations to protect your data.
Legal Requirements
We may disclose your information if required by law or in response to:
- Valid legal process (subpoenas, court orders)
- Government requests
- Protection of our legal rights
- Emergency situations involving potential harm
With Your Consent
We may share your information with third parties when you explicitly consent to such sharing.
Data Storage and Security
Storage Location
- Your data is stored on secure servers in the United States
- We use Google Cloud Platform with encryption at rest and in transit
Security Measures
- AES-256 encryption for data at rest
- TLS 1.3 encryption for data in transit
- Secure authentication with Firebase
- Biometric authentication support (Face ID, Touch ID)
- Regular security audits and updates
Data Retention
- Active account data is retained while your account is active
- You can request deletion of your data at any time
- Backup data is retained for up to 30 days after deletion
- Some data may be retained longer for legal compliance
Your Rights and Choices
Access and Portability
- View all your health data within the App
- Export your data in standard formats
- Request a copy of all data we hold about you
Correction
- Update your profile and health information at any time
- Correct inaccurate health records
Deletion
- Delete individual health records
- Request complete account deletion
- Upon deletion, we remove your data from active systems within 30 days
Consent Withdrawal
- Revoke HealthKit permissions in iOS Settings
- Disable care team data sharing
- Opt out of non-essential communications
Manage Permissions
- Control which care team members can view your data
- Modify permission levels at any time
- Remove care team members
Children's Privacy
myCARI is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.
International Data Transfers
If you access myCARI from outside the United States, your information may be transferred to and processed in the United States. By using the App, you consent to this transfer.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of changes by:
- Posting the new Privacy Policy in the App
- Updating the "Last Updated" date
- Sending a notification for material changes
Your continued use of the App after changes constitutes acceptance of the updated policy.
California Privacy Rights (CCPA)
California residents have additional rights:
- Right to Know: Request what personal information we collect
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: We do not sell personal information
- Non-Discrimination: We will not discriminate against you for exercising your rights
HIPAA Compliance
While myCARI is not a "covered entity" under HIPAA (as we are not a healthcare provider, health plan, or healthcare clearinghouse), we recognize the sensitive nature of health information and voluntarily implement security practices consistent with HIPAA standards.
We provide a separate HIPAA Authorization Notice that details:
- The specific Protected Health Information (PHI) we collect
- How we use and disclose your PHI
- Your rights regarding your health information
- Our security measures for protecting PHI
- How to revoke your authorization
By using myCARI, you acknowledge and consent to the practices described in both this Privacy Policy and the HIPAA Authorization Notice.
Electronic Signatures and Consent Records
When you accept this Privacy Policy, the Terms of Service, and the HIPAA Authorization Notice during account creation, you are providing your electronic signature pursuant to the Electronic Signatures in Global and National Commerce Act (E-SIGN Act) and the Uniform Electronic Transactions Act (UETA).
What We Record
Your consent record includes:
- Your email address
- Your unique user ID
- Timestamp of consent (ISO 8601 format)
- Version numbers of documents you accepted
- Your IP address and device identifier (for verification)
Re-Consent for Material Changes
If we make material changes to this Privacy Policy:
- We will notify you via in-app notification and/or email
- You may be required to review and accept the updated policy
- Your continued use after notification constitutes acceptance
- You may delete your account if you do not agree to changes
Consent
By using myCARI, you consent to:
- The collection and use of your information as described in this Privacy Policy
- The sharing of health data with care team members you authorize
- The processing of your data in the United States
- The use of AI to analyze your health data and meal photos
- The import of medical records from connected healthcare providers
Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us:
MLPipes LLC
For privacy-related requests, please email privacy@carihealth.ai with the subject line "Privacy Request."