Privacy Policy

1. Information We Collect

Account Information

When you register for AjutaCare, we collect information necessary to create and manage your account, including:

• Agency name, address, state, and license number
• Administrator name, email address, and phone number
• Billing information (processed securely through our payment processor)
• Login credentials (passwords are hashed and never stored in plain text)

Usage Information

We collect information about how you use AjutaCare, including:

• Pages visited and features used within the platform
• Log data including IP addresses, browser type, and access times
• Device information including operating system and screen resolution

Clinical and Operational Data

As part of providing our service, we store data that agencies enter into the platform, including resident records, medication administration records (MAR), vitals, incident reports, staff schedules, and billing records. This data is owned by the agency and may constitute Protected Health Information under HIPAA.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the AjutaCare platform
• Process transactions and send related information including confirmations and invoices
• Send administrative messages, technical notices, and security alerts
• Respond to support requests and provide customer service
• Send onboarding and product update communications (you may opt out at any time)
• Monitor and analyze usage patterns to improve the platform
• Detect and prevent fraudulent, unauthorized, or illegal activity
• Comply with legal obligations

We do not use your data or your residents' data for advertising purposes. We do not sell data to third parties.

3. Protected Health Information (PHI)

AjutaCare acts as a Business Associate under HIPAA when processing Protected Health Information on behalf of Covered Entities (home care agencies). As a Business Associate:

• We only use and disclose PHI as permitted by our Business Associate Agreement (BAA) and applicable law
• We implement appropriate safeguards to prevent unauthorized use or disclosure of PHI
• We report any breaches of unsecured PHI to the Covered Entity without unreasonable delay
• We ensure that any subcontractors or agents that handle PHI agree to the same restrictions
• We make PHI available to individuals who request access to their own records, as required by HIPAA
• We return or destroy PHI upon termination of the Business Associate Agreement

Each agency's data is stored in a separate, isolated database. No agency can access another agency's data.

4. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information or your residents' health information to third parties. We may share information in the following limited circumstances:

Service Providers

We work with trusted third-party service providers who assist in operating our platform, subject to confidentiality obligations. These include cloud hosting providers, email delivery services, and payment processors. All service providers are carefully vetted and prohibited from using your data for their own purposes.

Legal Requirements

We may disclose information if required to do so by law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or comply with a legal process.

Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, user information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our platform of any change in ownership.

5. Data Security

We implement industry-standard security measures to protect your information:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
• Encryption at rest: Sensitive data is encrypted at rest in our databases
• Access controls: Role-based access controls ensure users only access data relevant to their role
• Two-factor authentication: Available for all provider accounts
• Audit logging: All access to Protected Health Information is logged with user identity, timestamp, and IP address
• Daily backups: Automated daily backups with 30-day retention
• Session management: Automatic session timeout after 30 minutes of inactivity

While we implement these safeguards, no security system is impenetrable. In the event of a data breach affecting PHI, we will notify affected Covered Entities within 60 days of discovery as required by HIPAA.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide services. Upon account termination:

• Agency administrators may request a full export of their data within 30 days of cancellation
• Clinical records (PHI) are retained for a minimum of 6 years from the date of creation or last effective date, as required by HIPAA
• Account data is deleted within 90 days of account closure, except where retention is required by law
• Backup copies may persist for up to 30 additional days following deletion

7. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you
• Correction: Request that we correct inaccurate or incomplete information
• Deletion: Request deletion of your personal information, subject to legal retention requirements
• Portability: Request a machine-readable export of your data
• Opt-out: Opt out of non-essential marketing communications at any time

For residents whose PHI is stored in AjutaCare, requests for access, amendment, or accounting of disclosures should be directed to the home care agency (the Covered Entity) that manages their care.

To exercise your rights, contact us at privacy@ajutacare.com.

8. Cookies and Tracking

AjutaCare uses cookies and similar technologies to operate the platform:

• Essential cookies: Required for authentication and session management. These cannot be disabled.
• Preference cookies: Remember your settings and preferences within the platform.
• Analytics cookies: Help us understand how the platform is used so we can improve it. No personal health information is included in analytics data.

We do not use third-party advertising cookies. You can control cookie settings through your browser preferences, though disabling essential cookies will prevent you from logging in.

9. HIPAA Compliance

AjutaCare is designed to support HIPAA compliance for home care agencies. As a Business Associate, we:

• Enter into a Business Associate Agreement (BAA) with each agency customer
• Implement the administrative, physical, and technical safeguards required by the HIPAA Security Rule
• Maintain policies and procedures for handling PHI in accordance with the HIPAA Privacy Rule
• Train our workforce on HIPAA requirements
• Conduct regular risk assessments of our systems and processes

Agencies using AjutaCare remain responsible for their own HIPAA compliance as Covered Entities, including training their staff, obtaining patient authorizations where required, and implementing their own policies and procedures.

To request a Business Associate Agreement, contact us at compliance@ajutacare.com.

10. Children's Privacy

AjutaCare is designed for use by home care professionals and is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately at privacy@ajutacare.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Sending an email to the administrator email address on file
• Displaying a prominent notice within the AjutaCare platform
• Updating the "Last updated" date at the top of this page

Your continued use of AjutaCare after changes become effective constitutes acceptance of the revised policy. We encourage you to review this policy periodically.

12. Contact Us