CRMO Care Privacy Policy

Effective Date: December 15, 2025

Version: 3.3

At a Glance

CRMO Care ("CRMO Care," "we," "our," or "us") is a wellness and information management platform that helps individuals and families organize health-related information and track symptoms and treatment progress.

Key points:

  • You control your data (view, edit, delete; request export).
  • We do not sell or rent your information.
  • We use encryption in transit and at rest.
  • We do not provide medical advice, diagnosis, or treatment.
  • Voice recordings and transcripts are retained indefinitely unless you request deletion.
  • CRMO Care is not a HIPAA Covered Entity; we apply HIPAA-aligned safeguards.

1) Scope and Definitions

This Privacy Policy describes:

  • What information we collect
  • How we use and share it
  • How we protect it
  • Your rights and choices

Not a healthcare provider: CRMO Care is not a healthcare provider, medical device, or HIPAA-covered entity. We nonetheless apply HIPAA-aligned privacy, security, and de-identification safeguards to protect your information.

2) Information We Collect

2.1 Account Information

We collect:

  • Name or display name
  • Email address
  • Login credentials (hashed)
  • Authentication tokens from third-party providers (e.g., Apple Sign-In, Google Sign-In)

Why we collect it: account creation, authentication, account administration, and support.

2.2 Wellness and User-Entered Data

We collect:

  • Symptom logs, pain entries, mood, fatigue, activity levels
  • Medication schedules, treatment notes, flare frequency
  • Sleep quality and daily check-ins
  • PROMIS assessment responses
  • Appointments, care team information, diagnoses
  • Optional child/dependent profile information (entered by caregivers)

Why we collect it: to provide charts, trends, and summaries that help you track patterns.

Your control: you may view, edit, or delete entries from within your account.

2.3 Voice Recordings and Transcriptions

We collect:

  • Voice recordings captured via the voice journal feature
  • Transcribed text derived from voice recordings (using OpenAI Whisper)
  • Extracted structured data (e.g., symptoms, pain levels, medications, triggers, mood)

Why we collect it:

  • Hands-free entry and accessibility
  • Converting spoken updates into structured, searchable wellness information

Retention (important):

Voice recordings and transcripts are retained indefinitely unless you request deletion.

Deletion requests: you may request deletion of specific recordings or all voice data by contacting info@crmo-care.app.

2.4 Technical and Usage Data

We collect:

  • Device type and operating system (e.g., iPhone model, iOS version)
  • App version and build number
  • Crash logs and error reports (with PHI scrubbing)
  • Basic feature usage metrics (e.g., screen views, button interactions)
  • Session duration and timestamps

Why we collect it: reliability, debugging, security monitoring, and product improvement.

We do not collect:

  • Advertising identifiers
  • Third-party advertising analytics
  • Location data (unless you explicitly enable location services for a specific feature)

PHI protection: error logs are scrubbed of protected health information before being sent to our error tracking service (Sentry).

2.5 Communications and Feedback

We collect:

  • Support communications (emails/messages)
  • Survey responses
  • Optional usability feedback

Why we collect it: customer support and product improvement.

3) How We Use Information

We use collected information to:

  • Provide core app functionality (tracking, charts, summaries)
  • Authenticate users and secure accounts
  • Provide voice transcription and structuring features
  • Maintain, troubleshoot, and improve performance
  • Protect against fraud, abuse, and security incidents
  • Communicate with you (support, policy updates, operational notices)

4) How We Share Information

We never sell or rent your data. We share information only in these circumstances:

4.1 Service Providers (Vendors)

We share information with vendors who provide essential services:

  • Supabase — database hosting (PostgreSQL), authentication, and file storage
  • OpenAI — voice transcription and text processing
  • Sentry — error tracking (with PHI scrubbing)

Service providers are bound by confidentiality and security obligations.

4.2 With Your Consent

We share information when you explicitly choose to:

  • Export your data
  • Share information with a connected service
  • Authorize sharing through specific app features

4.3 Legal Requirements

We may disclose information when required to comply with valid legal process (e.g., subpoenas, warrants, court orders).

5) Security

5.1 Infrastructure

CRMO Care uses U.S.-based infrastructure, including:

  • Supabase (database/auth/storage)
  • Mobile platforms (iOS App Store and Google Play distribution)
  • Backend services (lightweight APIs for AI processing)

5.2 Security Controls

We use administrative, technical, and operational measures, including:

  • Encryption in transit: TLS 1.3
  • Encryption at rest: AES-256
  • Row-Level Security (RLS): access controls to limit data to the authorized user
  • Access controls: role-based permissions and multi-factor authentication
  • Secure credential storage: device secure storage (iOS Keychain / Android Keystore)
  • Audit trails: logging for access and modifications
  • Vulnerability management: periodic assessment and remediation
  • Incident response: NIST-aligned procedures

5.3 Voice Processing Security

Voice recordings are:

  • Uploaded to encrypted storage
  • Transcribed via Supabase Edge Functions calling OpenAI Whisper
  • Structured using OpenAI models (e.g., GPT-4o-mini) with minimum-necessary principles

Note: These controls are designed to align with HIPAA-grade safeguards; CRMO Care is not itself a HIPAA-covered entity.

6) Children's Privacy

CRMO Care is intended for adults and caregivers acting on behalf of minors.

Caregivers may:

  • Create child/dependent profiles
  • Enter wellness data, medications, and treatments
  • Manage appointments and care team information
  • Import/manage information they are legally authorized to access

No independent accounts for children under 13: we do not knowingly allow minors under 13 to create accounts independently.

If you believe a child's information was entered without authorization, contact info@crmo-care.app for resolution or deletion.

7) Your Rights and Choices

You may request to:

  • Access a copy of your personal data
  • Export your data in a standard electronic format
  • Correct inaccurate data
  • Delete your account and associated data
  • Delete specific voice recordings or all voice data
  • Withdraw consent for processing (where applicable)

To exercise these rights: email info@crmo-care.app.

Response timeline: within 30 days after identity verification.

8) Data Retention

| Data Type | Retention |
|---|---|
| Active user data | Retained while your account is active |
| Voice recordings | Retained indefinitely unless you request deletion |
| Voice transcripts | Retained indefinitely unless you request deletion |
| Deleted accounts | Removed from production systems within 30 days; purged from backups within 90 days |
| Inactive accounts | May be deleted after 30 months total inactivity (no login for 18 months), unless otherwise requested |

9) Your Responsibilities and Consent

By using CRMO Care, you acknowledge and agree that:

  • You have the lawful right to submit any information you enter
  • You will not enter another person's health information without proper authorization
  • Voice recordings and transcripts persist indefinitely unless you request deletion
  • The app is for wellness tracking and information management—not diagnosis or treatment

10) Beta Program Terms

If you participate in the CRMO Care Beta:

  • Additional terms apply under the CRMO Care Beta User Agreement (Version 2.6)
  • Beta data may be reset, migrated, or anonymized
  • Features may be incomplete or experimental
  • Functionality may change without notice

11) Medical Disclaimer

CRMO Care is not a healthcare provider, diagnostic tool, or medical device. Information in the app is for wellness tracking and informational purposes only.

  • Do not rely on CRMO Care for diagnosis or treatment decisions
  • Consult qualified healthcare professionals for medical questions
  • For emergencies, call 911

12) Changes to This Policy

We may update this Privacy Policy as our services evolve.

If we make material changes:

  • We will notify you by email and/or in-app notice
  • The revised policy will include an updated Effective Date
  • Continued use after notice means you accept the updated policy

You can view the current policy in the app under Menu → Legal.

13) Contact

Privacy questions or access requests: info@crmo-care.app

Security inquiries: security@crmo-care.app

Notice

CRMO Care follows HIPAA-aligned administrative, technical, and physical safeguards to protect privacy and data integrity. While CRMO Care is not a HIPAA-covered entity or Business Associate, we implement industry-standard security practices and treat health-related information with care and confidentiality.

Last Updated: December 15, 2025

Version: 3.3