Privacy Policy

LoupeCare, Inc. ("LoupeCare," "we," "us") operates a personal health record and care-coordination platform. LoupeCare is not a HIPAA covered entity or business associate. Health information you store is a Personal Health Record (PHR) maintained by you for personal use, governed by the FTC Health Breach Notification Rule, not HIPAA.

Information you provide:

• Account registration details (name, email address, password)
• Care circle information: health records, care logs, medications, appointments, documents, and notes you choose to store
• Communications with us (support emails, feedback)
• Consent attestation records (timestamp, IP address, version)

Information collected automatically:

• Log data: IP addresses, browser type, pages visited, timestamps
• Device information: operating system, device type
• Usage data: features used, AI tool interactions, session duration
• Push notification tokens (if you enable push notifications)

We use your information to:

• Provide, operate, and improve the Service
• Process your care data to deliver AI-powered features you request
• Send transactional notifications and emails (e.g., care reminders, account alerts)
• Respond to support requests
• Maintain security, detect fraud, and enforce our Terms of Service
• Comply with legal obligations, including the FTC Health Breach Notification Rule
• Maintain immutable consent attestation records

AI features (chat assistant and AI tools) are powered by Google Vertex AI. We have a Business Associate Agreement (BAA) in place with Google Cloud covering this processing. Specifically:

• Prompts and responses are processed in a Google Cloud environment covered by the BAA
• Your care information is not used to train or improve Google's base AI models
• AI interactions are subject to Google Cloud's data processing terms

All AI outputs are AI-generated and may contain errors. They are not medical advice. Always verify with a qualified healthcare professional before acting.

We implement industry-standard security measures including:

• AES-256 encryption at rest with customer-managed encryption keys (CMEK) via Google Cloud KMS
• TLS 1.2+ in transit for all data transfers
• Role-based access controls — members only access what they are permitted to see
• Short-lived signed URLs for document access (files are never publicly exposed)
• Audit logging for all document access events
• Firebase Authentication for account security

No security system is perfect. In the event of a breach involving your personal health information, we will notify you in accordance with the FTC Health Breach Notification Rule.

We retain your data as long as your account is active. If you delete your account, your data is removed from our production systems within 30 days. Certain records (consent attestations, billing records) may be retained longer as required by applicable law.

Backup copies may be retained for up to 30 days following deletion from production systems, after which they are purged in the normal backup rotation cycle.

We use the following categories of third-party subprocessors to operate the Service:

• Google Cloud Platform — infrastructure, storage, database (Firestore), AI (Vertex AI)
• Firebase — authentication, push notifications
• Stripe — payment processing (we do not store full card numbers)

We do not sell or rent your data to any subprocessor for their own marketing purposes. Subprocessors are contractually bound to protect your data.

We use session cookies necessary for authentication and to maintain your logged-in state. We do not use third-party advertising cookies or cross-site tracking technologies.

You have the right to:

• Access the personal information we hold about you
• Correct inaccurate information
• Delete your account and associated data (subject to legal holds)
• Export your data in a machine-readable format
• Withdraw consent for optional data uses

To exercise any of these rights, contact us at legal@loupecare.com. We will respond within 30 days.

LoupeCare is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will delete it promptly.

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 14 days before the changes take effect. The "Effective" date at the top reflects the most recent update.

Questions about this Privacy Policy or our data practices? Contact us at legal@loupecare.com.