CareCrowd Privacy Policy
Effective Date: March 23, 2026
Last Updated: March 23, 2026
1. Introduction
Suade Holdings, Inc. d/b/a CareCrowd ("CareCrowd," "we," "our," or "us") values your trust. This Privacy Policy explains how we collect, use, store, share, and protect your information when you access or use the CareCrowd platform, website, mobile applications, and related services (collectively, the "Platform").
By creating an account, accessing, or using the Platform, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Platform.
This Privacy Policy should be read together with our Terms of Use and [General Platform Terms], which are incorporated by reference.
2. Important Disclaimers
2.1 CareCrowd Is Not a Healthcare Provider
CareCrowd is a physician-led advocacy and navigation platform. We are not a healthcare provider, health plan, or healthcare clearinghouse as defined under the Health Insurance Portability and Accountability Act ("HIPAA"). CareCrowd does not diagnose, treat, prescribe, or deliver medical care. No physician-patient or clinician-patient relationship is established between you and any Physician Advocate through the Platform.
2.2 CareCrowd Is Not an Electronic Health Record (EHR) System
CareCrowd is not an EHR system, medical record custodian, or designated system of record for any healthcare provider. We do not maintain, manage, or serve as the official repository for your medical records.
2.3 Not a HIPAA Covered Entity
CareCrowd is not a HIPAA "covered entity." However, we voluntarily adopt security and privacy safeguards consistent with HIPAA standards to protect the health-related information you share with us. Where we engage third-party service providers who access health-related data, we require them to enter into appropriate data protection agreements.
3. Information We Collect
We collect information in the following categories:
3.1 Information You Provide Directly
- Account Information: Name, email address, phone number, mailing address, date of birth, and account credentials.
- Payment Information: Billing details processed securely through our third-party payment processor (Stripe). CareCrowd does not directly store full credit card numbers.
- Health-Related Documents: Medical records, discharge summaries, prescriptions, care plans, lab results, insurance information, or other documents you voluntarily upload to the Platform.
- Communications: Messages, notes, and session content exchanged with your Physician Advocate(s) through the Platform, including chat messages, video/audio session content, and any files shared during advocacy sessions.
- Caregiver Information: If you use the Platform on behalf of another person (e.g., a family member, dependent, or patient), you provide information about that individual. You represent and warrant that you have the authority to provide such information and to consent to its processing on their behalf.
- Feedback and Surveys: Responses to surveys, reviews, feedback, and communications you send to us.
3.2 Information Collected from Physician Advocates
- Advocacy notes, session summaries, and communications exchanged with Members.
- Scheduling and session history.
- Presence and engagement metrics.
3.3 Information Collected Automatically
- Device and Log Data: IP address, device type, operating system, browser type and version, unique device identifiers, and access timestamps.
- Usage Data: Pages or screens visited, features used, click patterns, session duration, and interaction data.
- Cookies and Tracking Technologies: We use cookies, web beacons, pixel tags, and similar technologies to collect information about your interactions with the Platform. See Section 11 (Cookies and Tracking Technologies) for details.
- Location Data: General geographic location inferred from your IP address. We do not collect precise geolocation unless you expressly consent.
3.4 Information from Third-Party Sources
- Integrated Health Data: If you authorize connections to third-party health data sources (e.g., electronic health record portals, wearable devices, health monitoring applications), we may receive health-related data through those integrations. You control these connections and may revoke access at any time through your account settings.
- Identity Verification: We may use third-party services to verify your identity during account creation.
4. How We Use Your Information
We use the information we collect to:
- Provide Services: Deliver physician advocacy, navigation support, and related services through the Platform.
- Facilitate Communication: Enable secure communication between Members, Caregivers, and Physician Advocates.
- Process Payments: Process subscription payments, manage billing, and administer the credit system.
- Maintain and Improve the Platform: Monitor performance, troubleshoot issues, develop new features, and improve user experience.
- Personalize Your Experience: Customize content, recommendations, and advocacy matching based on your profile and preferences.
- CareGraph and Analytics: Build and maintain our proprietary CareGraph — a structured data model that maps the relationships between Members, Advocates, health context, and advocacy interactions — to improve service quality, advocacy matching, and platform performance. CareGraph data is used to generate Presence Scores and other engagement metrics.
- AI-Assisted Features: Power AI-assisted features including (as available): intelligent advocacy matching, proactive check-in recommendations, contextual nudges for Physician Advocates, natural language processing of member inquiries, and voice-based triage. AI features are designed to support — never replace — physician-led judgment. See Section 5 for more details.
- De-Identified Analytics: Generate de-identified, aggregated analytics to improve healthcare navigation, advocacy outcomes, and to produce research insights. De-identified data cannot reasonably be used to identify you.
- Safety and Security: Detect, prevent, and respond to fraud, abuse, security incidents, and technical issues.
- Legal Compliance: Comply with applicable laws, regulations, legal processes, and governmental requests.
- Communications: Send you service-related notices, updates, security alerts, and (with your consent where required) promotional communications.
5. Artificial Intelligence and Automated Processing
5.1 How We Use AI
CareCrowd uses artificial intelligence and machine learning technologies to enhance — not replace — the physician-led advocacy experience. Our AI-assisted features may include:
- Advocacy Matching: Algorithms that suggest Physician Advocates based on your health context, preferences, and needs.
- Contextual Intelligence: Processing advocacy session data to surface relevant context, medical terminology clarification, and preparation materials for your Advocate.
- Proactive Engagement: Signal analysis and pattern recognition to identify when proactive outreach from your Advocate may be beneficial (e.g., following a procedure, medication change, or significant health event).
- Voice and Chat Processing: Natural language processing of voice and text interactions to route inquiries, support triage, and improve response quality.
- Quality and Safety Monitoring: Automated review of interactions to ensure adherence to our Code of Conduct and safety standards.
5.2 Human Oversight
All AI-generated recommendations, nudges, and outputs are designed to be reviewed and acted upon by licensed physicians or qualified professionals. CareCrowd does not use fully automated decision-making that produces legal or similarly significant effects on you without human review.
5.3 Your Rights Regarding AI
You may request information about the AI-assisted processing of your data, including the logic involved and the significance of such processing for you, by contacting us at privacy@mycarecrowd.com. You may also opt out of certain AI-driven personalization features through your account settings, though this may limit some Platform functionality.
6. Temporary Storage of Member-Uploaded Documents
- Medical documents you upload are stored solely to facilitate advocacy services during your active engagement.
- CareCrowd is not a permanent archive for medical records. You and your healthcare providers remain solely responsible for maintaining official copies of all medical records.
- We store uploaded documents using encryption at rest and in transit.
- Upon account closure, termination, or at your request, uploaded medical documents are permanently and securely deleted in accordance with our retention schedule (see Section 7).
7. Data Retention and Deletion
We retain different categories of information for different periods based on business need and legal requirements:
| Data Category | Retention Period |
|---|---|
| Uploaded medical documents | Duration of active account + 90 days after account closure, then permanently deleted |
| Advocacy session records and communications | Duration of active account + 90 days after account closure, then permanently deleted |
| CareGraph relationship and interaction data | Duration of active account + 90 days after account closure, then de-identified or deleted |
| Account information (name, email, etc.) | Duration of active account + 1 year for legal and audit purposes |
| Payment and transaction records | As required by tax and financial regulations (typically 7 years) |
| De-identified/aggregated analytics | Retained indefinitely (cannot be used to re-identify you) |
| Minimal audit metadata (e.g., "document uploaded on [date]") | Retained for compliance and security purposes; contains no medical details |
Upon account closure, you will receive confirmation that your data deletion process has been initiated. You may request expedited deletion of specific data categories by contacting privacy@mycarecrowd.com.
8. Sharing of Information
We may share your information with the following categories of recipients:
8.1 Physician Advocates
Your Physician Advocate(s) receive access to the information necessary to deliver advocacy services, including uploaded documents, health context, and communication history.
8.2 Service Providers
We engage trusted third-party service providers who process data on our behalf, including:
- Payment Processing: Stripe, Inc. (payment and subscription management)
- Cloud Infrastructure: Amazon Web Services (HIPAA-eligible hosting environment)
- Authentication: Identity verification and authentication providers
- Analytics: Platform usage analytics providers (processing de-identified data only)
- Communication: Secure messaging and video session providers
All service providers are contractually required to protect your information and may only use it to perform services on our behalf.
8.3 Legal and Regulatory Authorities
We may disclose information if required by law, subpoena, court order, or governmental request, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of CareCrowd, our users, or the public.
8.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred to the acquiring entity. We will notify you of any such transfer and any choices you may have regarding your information.
8.5 With Your Consent
We may share information with other third parties when you provide express consent.
8.6 What We Do Not Do
- We do not sell your personal information to third parties.
- We do not share your personal information for cross-context behavioral advertising.
- We do not provide your identifiable health-related information to insurers, employers, or data brokers.
9. Security
We implement administrative, technical, and physical safeguards designed to protect your information, including:
- Encryption: Data is encrypted in transit (TLS) and at rest (AES-256).
- Access Controls: Role-based access controls ensure that only authorized personnel and Physician Advocates can access member data.
- Infrastructure: We host data on HIPAA-eligible cloud infrastructure with SOC 2 compliance.
- Audit Logging: All access to sensitive data is logged and monitored.
- Data Purge Compliance: We maintain automated systems to enforce our data retention and deletion policies.
- Incident Response: We maintain a security incident response plan and will notify affected individuals and authorities as required by applicable law in the event of a data breach.
Despite these safeguards, no method of electronic transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for notifying us immediately of any unauthorized use.
10. Data Breach Notification
In the event of a security breach that compromises your personal information, we will:
- Investigate and contain the breach promptly.
- Notify affected individuals without unreasonable delay, and in any event within the timeframes required by applicable state and federal law.
- Notify relevant regulatory authorities as required.
- Provide information about the nature of the breach, the data affected, and steps you can take to protect yourself.
11. Cookies and Tracking Technologies
11.1 What We Use
We use cookies and similar technologies for the following purposes:
- Essential Cookies: Required for Platform functionality (e.g., authentication, session management, security).
- Analytics Cookies: Help us understand how users interact with the Platform to improve performance and features.
- Preference Cookies: Remember your settings and preferences.
11.2 Your Choices
You can manage your cookie preferences through your browser settings. Disabling certain cookies may affect Platform functionality. We honor Global Privacy Control (GPC) signals and Do Not Track (DNT) signals where required by applicable law.
11.3 Third-Party Analytics
We may use third-party analytics services (e.g., Google Analytics) that use cookies to collect usage data. These services have their own privacy policies governing their use of your data.
12. Your Privacy Rights
12.1 General Rights
Depending on your jurisdiction, you may have the right to:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete personal information.
- Deletion: Request deletion of your personal information, subject to certain exceptions.
- Portability: Request a copy of your data in a structured, commonly used, machine-readable format.
- Restrict Processing: Request that we limit certain processing activities.
- Object: Object to certain processing activities, including automated profiling.
- Withdraw Consent: Withdraw consent at any time where processing is based on consent.
12.2 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"):
- Right to Know: You may request the categories and specific pieces of personal information we have collected, the sources, the business purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt Out of Sale or Sharing: We do not sell your personal information or share it for cross-context behavioral advertising. If this changes, we will provide a conspicuous opt-out mechanism.
- Right to Limit Use of Sensitive Personal Information: To the extent we process sensitive personal information (including health information) beyond what is necessary to provide the services, you may request that we limit such use.
- Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
Categories of Personal Information Collected (per CCPA):
| CCPA Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email, phone, IP address | Yes |
| Personal information (Cal. Civ. Code § 1798.80) | Name, address, phone | Yes |
| Protected classification characteristics | Age, gender (if provided) | Yes |
| Commercial information | Subscription and transaction records | Yes |
| Internet or network activity | Usage data, browsing history on Platform | Yes |
| Geolocation data | Approximate location from IP address | Yes |
| Sensory data | Audio/video from advocacy sessions | Yes |
| Professional or employment information | N/A (not collected from Members) | No |
| Education information | N/A | No |
| Inferences | Advocacy preferences, health context | Yes |
| Sensitive personal information | Health-related information you provide | Yes |
12.3 Virginia, Colorado, Connecticut, and Other State Residents
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states with comprehensive privacy laws may have similar rights to access, correct, delete, and opt out of certain processing. We will respond to verifiable requests in accordance with applicable state law.
12.4 European Economic Area and United Kingdom (GDPR)
If you are located in the EEA or UK, additional provisions under the General Data Protection Regulation ("GDPR") apply. Our legal bases for processing include: performance of contract, legitimate interests, consent, and legal obligation. You have the right to lodge a complaint with a supervisory authority.
12.5 How to Exercise Your Rights
To submit a privacy rights request, contact us at:
- Email: privacy@mycarecrowd.com
- Mail: Suade Holdings, Inc. (d/b/a CareCrowd), 3480 Peachtree Rd NE, Suite 104, Atlanta, GA 30326
We will verify your identity before processing your request and respond within the timeframes required by applicable law (generally 45 days, with possible extension). You may also designate an authorized agent to make requests on your behalf by providing written authorization.
13. Caregivers and Family Members
CareCrowd is designed to support both individuals managing their own healthcare and caregivers managing the healthcare of family members or dependents.
- Caregiver Accounts: If you create an account as a caregiver, you represent and warrant that you have legal authority to act on behalf of the individual whose health information you provide (e.g., parent/legal guardian of a minor, healthcare power of attorney, authorized representative).
- Shared Information: Information you provide about another person will be treated with the same protections as your own personal information.
- Patient Rights: The individual on whose behalf you act retains all privacy rights described in this Privacy Policy and may exercise them independently (or through a different authorized representative) at any time.
14. Children's Privacy
The Platform is not intended for individuals under 18 years of age to use independently. We do not knowingly collect personal information directly from children under 13 (or under 16 where applicable law requires additional protections).
However, because CareCrowd serves families, a parent, legal guardian, or authorized caregiver may use the Platform to manage advocacy services on behalf of a minor. In such cases, the parent or guardian provides consent on the minor's behalf and is responsible for the minor's information.
If we learn that we have collected personal information from a child without appropriate parental or guardian consent, we will delete that information promptly. If you believe we have inadvertently collected such information, please contact us at privacy@mycarecrowd.com.
15. Third-Party Links and Services
The Platform may contain links to third-party websites, applications, or services that are not operated by CareCrowd. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through or in connection with the Platform.
16. International Data Transfers
CareCrowd is based in the United States, and your information is stored and processed in the United States. If you access the Platform from outside the United States, you understand and consent to the transfer of your information to the United States, where data protection laws may differ from those of your jurisdiction.
Where required by applicable law, we implement appropriate safeguards for international data transfers, including standard contractual clauses or other mechanisms approved by relevant authorities.
17. Do Not Track / Global Privacy Control
We honor Global Privacy Control (GPC) signals as a valid opt-out request under applicable state privacy laws. We also respect Do Not Track (DNT) browser signals where required by law.
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Post the updated Privacy Policy on the Platform with a new "Last Updated" date.
- Notify you by email or through the Platform prior to the changes taking effect.
- Where required by law, obtain your consent to material changes.
Your continued use of the Platform after the effective date of the updated Privacy Policy constitutes your acceptance of the changes.
19. Contact Us
This Privacy Policy is effective as of March 23, 2026.