CRMO Care - Terms of Service

The rules and guidelines for using CRMO Care, including your rights and responsibilities.

Last Updated: December 27, 2025

Version: 4.0

These Terms of Service govern your use of the CRMO Care mobile app, website, and related services.

Introduction

Welcome to CRMO Care ("CRMO Care," "we," "our," or "us"). These Terms of Service ("Terms") govern your use of the CRMO Care mobile app, website, and related services (collectively, the "Service").

By accessing or using the Service, you agree to these Terms and our Privacy Policy. If you do not agree, please do not use the Service.

1. Overview & Purpose

CRMO Care is a wellness and information-management platform that helps individuals and families:

  • Track daily symptoms, medications, wellness trends, flare-up frequency, sleep quality, and activity levels
  • Use voice recording to capture health information hands-free
  • Interact with an AI-powered chat assistant for personalized health insights
  • Organize and visualize information gathered from multiple sources
  • Retrieve and store copies of their own medical records under the HIPAA Right of Access
  • Optionally contribute de-identified data to CRMO research efforts

CRMO Care is not a healthcare provider, insurer, or covered entity under HIPAA. It does not provide medical advice, diagnosis, or treatment. Always consult a licensed medical professional for health-related decisions or emergencies.

2. Eligibility & Accounts

To use the Service, you must:

  • Be 18 years of age or older (or have verified guardian consent)
  • Provide accurate registration information
  • Maintain the confidentiality of your login credentials
  • Accept responsibility for all activity that occurs under your account

We may suspend or terminate accounts that violate these Terms or applicable law.

3. User Data & Ownership

a. Your Data

You own all information that you upload, enter, or authorize CRMO Care to retrieve, including:

  • Personal wellness logs and structured clinical data
  • Voice recordings and transcripts
  • AI chat interactions
  • Medical records obtained via your HIPAA Right of Access

CRMO Care does not claim ownership of your data.

b. License to Operate the Service

You grant CRMO Care a limited, revocable license to host, store, and process your data solely to provide and improve the Service. This includes:

  • Transcribing voice recordings through HIPAA-compliant AI services (OpenAI with Business Associate Agreement)
  • Extracting structured data from audio using minimum-necessary PHI principles
  • Processing voice data through BAA-covered endpoints only
  • Generating AI insights (with user review required before saving)
  • Displaying charts and summaries

AI Processing Safeguards: All AI processing of Protected Health Information (PHI) occurs through vendors with Business Associate Agreements in place. User review and approval is required before any AI-extracted data is saved to your account.

We do not sell or monetize user data.

c. Voice Recordings and Transcripts

Voice recordings and transcripts are retained per user preference. You have full control over your voice data:

  • You can delete recordings at any time from your account settings
  • You can review, edit, and correct all AI-extracted data before saving
  • Transcription quality is validated before clinical use
  • Voice data is never sent to non-BAA-covered services

You may also request deletion by emailing info@crmo-care.app.

d. AI Chat Interactions

AI chat queries and responses may be retained for debugging and quality improvement. AI insights are informational only and not medical advice. You may request deletion of your chat history at any time.

e. HIPAA Right of Access

When you use CRMO Care to retrieve your own medical records under your HIPAA Right of Access, CRMO Care acts as your personal health record tool at your direction. We are not acting as a Business Associate in this capacity, but rather as your agent helping you organize your own data.

f. Accuracy of External Records

Records retrieved from third-party portals are provided "as is." CRMO Care is not responsible for the completeness or accuracy of records obtained from healthcare providers or plans. If you discover an error in a record, contact the provider directly to request a correction.

g. Right to Delete or Export

You may request account closure and data deletion at any time by emailing info@crmo-care.app. We will delete identifiable data within 30 days unless required by law to retain it longer.

Deletion includes:

  • Account information
  • Wellness logs and symptom data
  • Voice recordings and transcripts
  • AI chat history
  • Imported medical records

You may also export a copy of your data through the Service where available.

4. Privacy & Security

We implement HIPAA-aligned security measures to protect your health information.

Security Measures

  • TLS 1.3 encryption in transit and AES-256 encryption at rest
  • Row-Level Security (RLS) ensuring complete database-level data isolation between users
  • Database queries fail closed (deny by default) if RLS is misconfigured
  • PHI-free logging—application logs contain only user IDs and metadata, never health data
  • Error tracking (Sentry) configured with PHI scrubbing
  • U.S.-based, SOC 2 Type II compliant infrastructure (Supabase)
  • Multi-factor authentication for internal systems
  • Role-based access controls and comprehensive audit logging (7-year retention)
  • Separate development, staging, and production environments (no real PHI in testing)
  • NIST-aligned incident response plan with 72-hour breach notification

Voice & AI Processing

  • Voice recordings encrypted in transit and at rest
  • Business Associate Agreement (BAA) in place with OpenAI for HIPAA compliance
  • AI processing through BAA-covered endpoints only
  • Minimum-necessary PHI principle applied to AI prompts (IDs and metadata only)
  • AI processing logs contain no PHI (only request IDs, latency, error codes)
  • User review and editing required before any AI-structured data is saved
  • Voice recordings are never sent to non-BAA-covered analytics tools

Third-Party Service Providers

All third-party services that process Protected Health Information (PHI) are covered by Business Associate Agreements (BAAs) to ensure HIPAA-aligned protection of your data.

See our Privacy Policy and Security page for complete details.

5. Research Databank (Optional)

Participation in the CRMO Care Research Databank is voluntary and opt-in.

CRMO Care supports two distinct research pathways, each with different data handling:

Clinical Trial Participation (Pathway A)

  • Uses coded participant identifiers (subject IDs) with controlled re-identification capability
  • Follows ICH GCP (International Council for Harmonisation Good Clinical Practice) standards
  • Requires separate trial-specific informed consent beyond these Terms
  • Data retention follows protocol-specific regulatory requirements (often 2-25 years)
  • Supports safety monitoring, adverse event follow-up, protocol compliance, and regulatory submissions
  • Withdrawal requests processed according to trial-specific procedures
  • CRMO Care maintains secure re-identification keys under strict access controls

General Research Data Sharing (Pathway B)

  • Fully de-identified using HIPAA Safe Harbor or Expert Determination standards
  • All 18 HIPAA PHI identifiers removed
  • No re-identification capability exists for this pathway
  • k-anonymity enforcement: Minimum cohort size required before data export
  • Data shared with academic researchers, medical centers, rare disease organizations
  • You can withdraw at any time; previously shared anonymized data cannot be retrieved from external researchers

Research Data Architecture

  • Clinical and research data stored in separate database projects
  • Automated, auditable de-identification/pseudonymization processes
  • Batch ETL processes transfer data (not real-time)
  • Research API rate limiting per institutional customer
  • Consent verification before inclusion in research datasets

What May Be Shared

(Varies by pathway)

  • Wellness logs and patient-reported outcomes (PROs)
  • De-identified voice transcripts (not audio recordings)
  • De-identified AI chat interactions
  • De-identified Right-of-Access medical records
  • Treatment logs and medication history

Your Rights

  • Opt in or out of either pathway at any time
  • Prevent future sharing
  • Request deletion of identifiable data
  • Continue using the app regardless of participation
  • Clinical trial data retention follows trial-specific regulatory requirements
  • General research data: standard deletion rights apply

See the CRMO Care Research Databank Proposal and Beta User Agreement (Version 2.6, Section 12) for complete details.

6. Acceptable Use

You agree not to:

  • Use the Service for unlawful, fraudulent, or malicious purposes
  • Upload harmful code or interfere with the Service's operation
  • Access another user's account without authorization
  • Attempt to circumvent security controls or reverse-engineer the App
  • Enter identifiable information about others without their consent
  • Use voice recordings or AI chat to violate others' privacy
  • Violate any law or regulation in connection with your use

Violation of this section may result in immediate suspension or termination of your account.

7. Third-Party Services

The Service relies on integrations and infrastructure from trusted vendors, including:

  • Supabase (database hosting)
  • Vercel and Render (deployment)
  • Third-party transcription services (voice processing)
  • Third-party AI language models (chat assistance)
  • App stores (distribution)

Use of those services is subject to their own terms and privacy policies. CRMO Care is not responsible for any downtime or issues caused by third-party providers.

8. Beta Features & Updates

Some features may be released as Beta Features for limited testing. By using Beta Features, you acknowledge that they may contain bugs or change without notice.

Participants in the Beta Program must also agree to the Beta User Agreement (Version 2.6, effective November 19, 2025).

Beta Agreement Section 12 distinguishes:

  • Clinical trial participation (Section 12A): pseudonymized data with re-identification capability
  • General research sharing (Section 12B): fully anonymized data

We may update these Terms or the Service at any time. Continued use after updates constitutes your acceptance of the revised Terms.

9. Intellectual Property

All software, graphics, logos, and content in the Service are owned by CRMO Care or its licensors and protected by intellectual property laws. You may not copy, modify, or create derivative works without our written permission.

10. Feedback

We welcome your feedback and suggestions. By submitting feedback, you grant CRMO Care a royalty-free, perpetual license to use that feedback to improve our products and services, without obligation or compensation.

11. Suspension & Termination

We may suspend or terminate your access to the Service at any time if:

  • You violate these Terms or applicable law
  • You engage in fraudulent or harmful behavior
  • We discontinue the Service or any part of it

Upon termination, your data will be deleted or anonymized according to our Privacy Policy, including voice recordings, AI chat history, and any data contributed to the Research Databank.

12. Limitation of Liability

To the maximum extent permitted by law:

  • CRMO Care and its founders or affiliates are not liable for indirect, incidental, special, or consequential damages arising from use of the Service
  • We do not guarantee uninterrupted access or error-free performance
  • We are not liable for inaccuracies in voice transcription or AI-generated insights
  • We are not liable for the accuracy of medical records retrieved from third-party systems
  • Your sole remedy for dissatisfaction is to stop using the Service

13. Dispute Resolution & Governing Law

These Terms are governed by the laws of the Commonwealth of Massachusetts, without regard to conflict-of-law rules. You agree to the exclusive jurisdiction of state and federal courts located in Massachusetts. Any claims must be brought individually and not as part of a class action.

14. Non-Clinical Disclaimer

The Service is a wellness and information management tool for personal use only. It is not a substitute for professional medical advice, diagnosis, or treatment.

Important Disclaimers:

  • Voice-recorded notes are transcribed but not medically reviewed
  • AI chat responses are for informational purposes only and are not medical advice
  • Charts and insights are for self-reflection, not clinical decision-making
  • Always consult a licensed healthcare professional for medical decisions
  • If you have a medical emergency, call 9-1-1 or seek immediate medical care

15. Fair Credit Reporting Act Notice

CRMO Care is not a consumer reporting agency and its data may not be used to determine eligibility for credit, insurance, employment, or housing.

16. Modifications & Continuity

We may revise these Terms from time to time. If changes are material, we will notify you via the App or email before they take effect. Your continued use after the effective date means you accept the changes.

17. Acceptance

By using the CRMO Care Service, you confirm that:

  • You have read and agree to these Terms
  • You agree to the Privacy Policy (Version 4.0)
  • If applicable, you agree to the Beta User Agreement (Version 2.6)
  • If you opt into the Research Databank, you understand the distinction between clinical trial participation and general research data sharing
  • If you opt into research, you agree to the Research Databank terms and consent

Updates to These Terms of Service

We may update these Terms as we enhance our security measures or in response to changing legal requirements. We will notify you of material changes via:

  • Email notification
  • In-app notification
  • Notice on our website

The "Last Updated" date at the top of this page indicates when changes were last made.

Questions or Concerns?

If you have questions about our security practices or wish to report a security concern:

Security Issues: security@crmo-care.app

General Inquiries: info@crmo-care.app

Privacy Questions: See our Privacy Policy

We take all security concerns seriously and will respond promptly to your inquiries.

CRMO Care follows HIPAA-aligned administrative, technical, and physical safeguards to protect privacy and data integrity. While CRMO Care is not a HIPAA-covered entity or Business Associate, we implement industry-standard security practices and treat health-related information with care and confidentiality. When processing medical records you obtain through your HIPAA Right of Access, CRMO Care acts as your personal health record tool at your direction. All data—including voice recordings and AI chat interactions—is protected under strong security controls with Business Associate Agreements in place for all PHI-processing vendors.