Privacy Policy

When you register on CareUnity, we collect information necessary to create and manage your account:

• Full name, email address, and password (stored as a cryptographic hash)
• Role designation (patient, doctor, pharmacist, nurse, lab technician, receptionist, clinic admin, insurance agent, admin)
• Professional credentials: medical license number, specialization, years of experience (for clinical staff)
• Pharmacy license number and organisation type (for pharmacy users)
• Phone number and physical address
• Profile picture (optional)
• Google OAuth identifier if you register via Google Sign-In
• Date of birth and gender (for patients)

As a healthcare platform, we collect and process health data on behalf of healthcare organisations and their patients. This includes:

• Medical records: diagnoses, treatments, procedures, clinical notes, and follow-up instructions created by clinicians
• Prescription data: medication names, dosages, frequency, duration, and prescribing clinician
• Laboratory results and test orders
• Vital signs, blood type, allergies, and current medications
• Mental health screening questionnaire responses
• Anonymous counseling session transcripts (linked to session tokens, not directly to identity by default)
• Video consultation metadata: session IDs, duration, and participation records
• AI health recommendations and risk assessments
• Appointment history, reason for visit, clinical notes, and patient-reported information
• Insurance policy numbers, insurer identifiers, and claim data
• Pharmacy purchase history and dispensing records

Billing and payment processing is handled through Stripe, a PCI DSS Level 1 certified processor. We do not store full credit card numbers, CVV codes, or bank account credentials on our servers. We retain:

• Stripe payment intent IDs and customer tokens
• Transaction status, amount, currency, and timestamp
• Invoice references and payment method type (e.g., card brand)
• Co-payment and insurer-portion breakdowns for insurance billing
• Refund and dispute records

• In-platform chat messages between users (stored with soft-delete support; deleted messages retain a deletion tombstone)
• Notifications: delivery status and read receipts for in-app, email, and SMS notifications
• Community forum posts, comments, and reactions
• Health education article interactions
• Video consultation session participation records (we do not record video content)

We automatically collect technical information when you access the platform to ensure security, detect anomalies, and maintain service quality:

• IP address, browser type and version, operating system, and device type
• Session tokens, login timestamps, and authentication events
• Pages visited, features used, and navigation patterns (aggregated and anonymised for analytics)
• API request logs (retained for security auditing)
• Error reports and crash diagnostics (without PHI)
• Full audit trail: every access to, creation of, or modification of PHI is logged with user ID, timestamp, and action type

Where enabled, CareUnity stores cryptographic hashes of health records on a distributed ledger for tamper-evident verification. The on-chain data contains only a hash and a timestamp — no PHI is written to the blockchain directly. The original record remains on our secured servers.

• Authenticating your identity and maintaining your account
• Providing role-appropriate dashboards, workflows, and features
• Enabling appointment booking, confirmation, and management
• Facilitating medical record creation, access, and sharing between authorised clinicians
• Processing pharmacy transactions, dispensing records, and inventory management
• Conducting video consultations via Jitsi Meet
• Delivering real-time chat between patients and their care team
• Processing and reconciling payments and insurance claims
• Generating AI-assisted health recommendations with your explicit consent
• Supporting anonymous counseling sessions

• Maintaining comprehensive audit logs of all PHI access to satisfy HIPAA requirements
• Detecting and preventing unauthorised access, fraud, and abuse
• Responding to security incidents and notifying affected parties as required by law
• Meeting mandatory healthcare record retention obligations
• Enforcing rate limits and preventing denial-of-service attacks
• Verifying professional credentials and role assignments

• Analysing aggregated, de-identified usage patterns to improve platform features
• Diagnosing and fixing software errors
• Conducting internal research to improve care coordination workflows
• Training machine learning models using strictly anonymised, aggregated datasets — never individual PHI

• Sending appointment reminders, confirmations, and status updates
• Delivering in-app, email, and SMS notifications you have subscribed to
• Responding to your support requests
• Sending critical security and platform update notices (these cannot be opted out of)

Healthcare is inherently collaborative. We enable controlled, role-restricted sharing between users within the same organisation or care relationship:

• Clinicians can access their own patients' medical records and appointment history — not records of patients not under their care without explicit access grants
• Clinic administrators can view organisational-level data (aggregated and per-patient where operationally necessary)
• Pharmacists access prescription and dispensing records relevant to their pharmacy
• Patients can grant named clinicians access to their records via our access-request workflow
• Linked pharmacies can receive prescription data from authorised clinic organisations

We engage carefully vetted third-party processors who handle data solely on our behalf, under binding data processing agreements that prohibit independent use:

• Stripe Inc. — payment processing (PCI DSS Level 1)
• Google LLC — authentication (Google OAuth) and, optionally, AI services
• HuggingFace / OpenAI — AI chatbot inference (requests are sent without persistent PHI identifiers)
• Jitsi / 8×8 — video consultation infrastructure (no video content is stored by CareUnity)
• Cloud infrastructure provider — encrypted hosting, database, object storage, and Redis caching
• Email and SMS delivery providers — transactional notifications only

We may disclose data when required by law, court order, or governmental authority, including:

• Mandatory reporting obligations under public health law
• Valid legal process (subpoena, court order, or regulatory demand)
• Immediate threat to life or safety where disclosure is necessary to prevent harm

Where legally permissible, we will notify affected users before complying with such requests.

In the event of a merger, acquisition, or sale of all or substantially all assets, your data may be transferred to the successor entity. We will notify you via email and a prominent platform notice at least 30 days in advance. The successor entity must agree to honour this Privacy Policy or provide equivalent protections.

We apply the HIPAA minimum necessary standard throughout the platform. Access controls, role-based permissions, and data segmentation ensure that users can only access the PHI that is directly relevant to their role and active patient relationships. No user can access PHI beyond what their role and explicit authorisation permit.

Every access to, creation of, modification of, or deletion of PHI is recorded in an immutable audit log containing: the user identity, timestamp, IP address, action type, and the record affected. Audit logs are retained for a minimum of six years and are available to your organisation on request for compliance purposes.

In the event of a security incident involving unauthorised acquisition, access, use, or disclosure of PHI, CareUnity will:

• Notify affected covered entities within 60 days of discovery (or sooner as required by applicable law)
• Provide notification to affected individuals and regulatory authorities as required
• Document the breach, its scope, and the remediation steps taken
• Cooperate fully with any regulatory investigation

We may create de-identified datasets from PHI using the Expert Determination or Safe Harbor methods defined by HIPAA. De-identified data is no longer considered PHI and may be used for aggregate analytics, research, or service improvement. We never re-identify de-identified data.

• Data in transit: TLS 1.2 or higher on all connections; HSTS enforced
• Data at rest: AES-256 encryption for all databases, file storage, and backups
• Password storage: Argon2id (or bcrypt) one-way hashing — we never store plaintext passwords
• JWT tokens: signed with RS256; short-lived access tokens with refresh token rotation

• Role-based access control (RBAC) enforced at the API and database level
• Multi-factor authentication (MFA) supported and recommended for all accounts
• Principle of least privilege: every system component and employee has access only to what is strictly necessary
• Production database access restricted to named engineers with time-limited credentials
• All internal administrative actions are logged and reviewed

• Isolated production environments with network segmentation
• Automated vulnerability scanning and dependency auditing in CI/CD pipeline
• Web Application Firewall (WAF) and DDoS mitigation
• Rate limiting on all mutation endpoints (100 attempts per 300 seconds per IP)
• Regular penetration testing by an independent third party
• Automated encrypted backups with tested restoration procedures

• Background checks for all employees with access to production systems
• Annual security awareness training for all staff
• Formal incident response plan with defined escalation procedures
• Data Protection Officer (DPO) appointed and accessible at [email protected]
• Regular privacy impact assessments for new features handling PHI

You may request a complete copy of the personal data we hold about you. We will respond within 30 days. Your health records are also accessible directly through your patient dashboard in machine-readable format.

You may correct inaccurate personal information via your profile settings at any time. For corrections to clinical records, please contact your treating clinician or the clinic administrator.

You may request deletion of your account and personal data. Deletion will be processed within 30 days. Note that healthcare records may be retained for the legally required minimum period even after account deletion; during that period they are flagged as inactive and inaccessible for operational purposes.

You may ask us to restrict processing of your data (e.g., while we verify accuracy or the basis of processing) without deletion.

You may request your data in a structured, machine-readable format (JSON or PDF) to transfer to another provider. Medical records can be exported from your dashboard at any time.

You may object to processing based on legitimate interests. You may always opt out of non-essential communications in your notification settings.

Where processing is based on consent (e.g., AI-assisted recommendations), you may withdraw consent at any time from your account settings. Withdrawal does not affect the lawfulness of prior processing.

If you believe we have infringed your data protection rights, you may lodge a complaint with:

• Rwanda: National Cyber Security Authority (NCSA) — the supervisory authority for personal data protection
• Your local data protection authority if you are located outside Rwanda
• Our DPO directly at [email protected]