Privacy Policy

Your privacy is fundamental to our mission. This policy explains how Synetic.care collects, uses, protects, and handles your personal and health information.

Last updated: March 25, 2026

Synetic.care ("Company," "we," "us," or "our") is committed to protecting the privacy of our users ("User," "you," or "your"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered caregiving platform and legacy vault ("Service"). Please read this Privacy Policy carefully. By using the Service, you consent to the practices described in this policy.

1. Information We Collect

We collect several types of information to provide and improve our Service:

1.1 Account Information

When you create an account, we collect:

  • Full name and email address
  • Password (stored in hashed form)
  • Profile information (photo, role in care team)
  • Account preferences and settings

1.2 Health and Care Data

When you use our caregiving features, we collect:

  • Daily health logs (vitals, symptoms, mood, activities, nutrition)
  • Medication records (names, dosages, schedules, adherence data)
  • Appointment details (dates, providers, notes, outcomes)
  • Care notes and observations entered by care team members
  • Health reports and summaries generated by the platform

1.3 Legacy Vault Data

When you use the Legacy Vault, we collect and store:

  • Written stories and family memories
  • Uploaded photographs and documents
  • Audio recordings and transcriptions
  • Metadata associated with vault items (dates, tags, descriptions)

1.4 Usage Data

We automatically collect certain information when you use the Service:

  • Device information (type, operating system, browser)
  • IP address and approximate location
  • Pages visited and features used
  • Date and time of access
  • Referring URLs and search terms
  • Interaction patterns with the AI assistant

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide and maintain the Service — including health logging, medication tracking, appointment management, and legacy vault functionality
  • Power the AI assistant — using your data to generate personalized, context-aware insights and responses through RAG and PKG technologies
  • Enable care team collaboration — sharing relevant information with care team members you have authorized
  • Send notifications — including medication reminders, appointment alerts, and care updates
  • Improve the Service — analyzing usage patterns to enhance features, fix bugs, and develop new capabilities
  • Ensure security — detecting and preventing fraud, unauthorized access, and other harmful activities
  • Communicate with you — responding to your inquiries, providing support, and sending service-related updates
  • Comply with legal obligations — fulfilling legal requirements and responding to lawful requests

3. Data Storage and Security

We take the security of your data seriously and implement robust measures to protect it:

3.1 Infrastructure

Your data is stored on Supabase, a secure, enterprise-grade database platform. Our infrastructure includes:

  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • Regular automated backups with point-in-time recovery
  • Geographically distributed infrastructure for redundancy

3.2 Access Controls

We enforce strict access controls to ensure your data is only accessible by authorized parties:

  • Row Level Security (RLS) policies ensure users can only access their own data and data shared with their care team
  • Multi-factor authentication is available for all accounts
  • Role-based access controls within care teams
  • Employee access to production data is strictly limited and audited

3.3 Security Practices

  • Regular security audits and penetration testing
  • Vulnerability scanning and patch management
  • Incident response plan with defined escalation procedures
  • Security awareness training for all team members

4. AI Data Processing

Your data stays within the Synetic.care platform. We do not use your personal or health data to train general-purpose AI models.

Our AI assistant uses two key technologies to provide personalized assistance:

4.1 Retrieval-Augmented Generation (RAG)

RAG allows the AI to reference your stored data (health logs, care notes, vault items) when generating responses. Your data is converted into vector embeddings and stored securely. When you ask the AI a question, relevant information is retrieved from your data to provide contextual, accurate answers. This data is processed in real time and is not stored beyond the session context.

4.2 Personal Knowledge Graph (PKG)

PKG builds a structured understanding of relationships, events, and patterns within your care data. This graph is unique to your account and is used exclusively to improve the AI's understanding of your specific caregiving context. The knowledge graph is stored securely and is only accessible by you and your authorized care team members.

4.3 Third-Party AI Processing

We use Google Gemini AI to power our language model capabilities. When you interact with the AI assistant, your query and relevant context are sent to Google's API for processing. We have a data processing agreement with Google that ensures your data is not used for training their models and is handled in compliance with our privacy standards.

5. Health Data (HIPAA Compliance)

Synetic.care recognizes the sensitive nature of health information and is designed with HIPAA-aligned practices. We treat all health-related data entered into the platform as Protected Health Information (PHI) and apply the following safeguards:

5.1 Administrative Safeguards

  • Designated privacy and security officers
  • Workforce training on PHI handling and privacy practices
  • Documented policies and procedures for data access, use, and disclosure
  • Regular risk assessments and compliance audits

5.2 Technical Safeguards

  • Unique user identification and authentication
  • Automatic session timeout and logout
  • Encryption of all PHI at rest and in transit
  • Audit logs tracking access to health data
  • Emergency access procedures

5.3 Physical Safeguards

  • Data hosted in SOC 2 Type II certified data centers
  • Restricted physical access to infrastructure
  • Proper disposal procedures for hardware containing PHI

We will notify you of any breach of unsecured PHI as required by the HIPAA Breach Notification Rule, including notification within 60 days of discovery.

6. Data Sharing

We do not sell, rent, or trade your personal information or health data to any third party for marketing or advertising purposes.

We may share your information only in the following limited circumstances:

  • With your care team — Information is shared with care team members you have explicitly authorized. You control who has access and can revoke access at any time.
  • Service providers — We work with trusted third-party processors (Supabase, Google Cloud, payment processors) who process data on our behalf under strict contractual obligations and data processing agreements.
  • Legal requirements — We may disclose your information if required by law, regulation, legal process, or governmental request.
  • Safety — We may disclose information when we believe in good faith that disclosure is necessary to protect the safety of our users or the public.
  • Business transfers — In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.
  • Aggregated data — We may share anonymized, aggregated data that cannot be used to identify you for research, analytics, or reporting purposes.

7. Your Rights

You have the following rights regarding your personal information:

  • Right to Access — You can request a copy of all personal data we hold about you. We will provide this information in a structured, commonly used, and machine-readable format within 30 days.
  • Right to Correction — You can request correction of any inaccurate or incomplete personal data. You can also update most information directly through your account settings.
  • Right to Deletion — You can request deletion of your personal data. We will comply within 30 days, except where retention is required by law or necessary for legitimate business purposes.
  • Right to Export — You can request a full export of your data, including health logs, care notes, and legacy vault items, in standard formats (JSON, CSV, or PDF).
  • Right to Restrict Processing — You can request that we limit the processing of your personal data under certain circumstances.
  • Right to Object — You can object to the processing of your personal data for certain purposes, including direct marketing.
  • Right to Withdraw Consent — Where processing is based on consent, you can withdraw your consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at support@synetic.care. We will respond to your request within 30 days.

8. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal data from a child under 18 without verified parental consent, we will take steps to delete that information promptly.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@synetic.care so we can take appropriate action.

9. Cookies and Tracking

We use cookies and similar tracking technologies to enhance your experience on the Service:

9.1 Essential Cookies

These cookies are necessary for the Service to function properly. They include session cookies for authentication, security tokens, and user preference cookies. These cannot be disabled.

9.2 Analytics Cookies

We use analytics cookies to understand how users interact with the Service. This helps us improve features and user experience. Analytics data is aggregated and does not include personal health information.

9.3 Your Cookie Choices

You can control cookies through your browser settings. However, disabling essential cookies may prevent you from using certain features of the Service. We do not use third-party advertising cookies or tracking pixels. We honor Do Not Track (DNT) browser signals.

10. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Specific retention periods include:

  • Account data — Retained while your account is active, deleted within 30 days of account termination
  • Health data and care logs — Retained while your account is active; may be retained for up to 6 years after termination for HIPAA compliance
  • Legacy vault items — Retained while your account is active; can be transferred to other authorized family members upon account closure
  • Usage and analytics data — Retained in anonymized form for up to 2 years
  • AI interaction logs — Retained for up to 90 days for quality improvement, then deleted
  • Backup data — Purged from backup systems within 90 days of deletion from primary systems

When data is no longer needed, we securely delete or anonymize it using industry-standard methods.

11. International Data Transfers

Your information may be transferred to and processed in countries other than the country in which you reside. These countries may have data protection laws that differ from your jurisdiction.

When we transfer data internationally, we implement appropriate safeguards to ensure your data is protected, including:

  • Standard Contractual Clauses (SCCs) approved by relevant authorities
  • Data Processing Agreements with all third-party processors
  • Ensuring recipients maintain adequate data protection standards
  • Encryption of data during transfer

For users in the European Economic Area (EEA), we comply with GDPR requirements for cross-border data transfers. For users in California, we comply with CCPA requirements.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this policy
  • Notify you via email or through a prominent notice on the Service at least 30 days before changes take effect
  • Obtain your consent where required by applicable law

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

13. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Synetic.care

Email: support@synetic.care

For HIPAA-related inquiries or to report a potential data breach, please email us at support@synetic.care with "HIPAA Inquiry" or "Data Breach Report" in the subject line.