CareSwaps

Privacy Policy

This document is provided for informational purposes and will be reviewed by qualified legal counsel prior to launch.

Effective Date: March 19, 2026 | Jurisdiction: Colorado

1. Overview and Scope

CareSwaps, LLC ("Company," "we," "us," or "our") respects the privacy of families and loved ones who use the CareSwaps Platform. We are committed to protecting health information and personal data in accordance with the Health Insurance Portability and Accountability Act (HIPAA), the Colorado Privacy Act (CPA), and applicable state and federal privacy laws.

This Privacy Policy describes what information we collect from families, how we use it, how we protect it, and the rights you have regarding your information.

HIPAA Notice: When you submit health information through CareSwaps, we act as a Business Associate under HIPAA. Your use of CareSwaps is governed by our Business Associate Agreement and our separate HIPAA Notice of Privacy Practices. This Privacy Policy supplements but does not replace those documents. For complete HIPAA rights, see our HIPAA Notice at /hipaa.

2. Information We Collect

2.1 Health Information (Protected Health Information)

When you submit a transfer intake form, you provide health information about your loved one, including:

  • Name, date of birth, age, and contact information
  • Current care setting and medical conditions
  • Primary care needs and transfer goals
  • Insurance information and payer status
  • Preferred transfer timeline and location preferences
  • Contact information for family members or representatives

2.2 Account and Profile Information

When you create a CareSwaps account, we collect:

  • Your name, email address, and phone number
  • Your relationship to the patient (family member, guardian, advocate)
  • Username and hashed password
  • Billing and payment information (processed securely by Stripe)
  • Account creation date and login history

2.3 Facility Information

We collect information about facilities in the CareSwaps network:

  • Facility name, location, and contact information
  • Bed availability and facility capacity (de-identified)
  • Payer acceptance and insurance profiles
  • Public facility information and accreditation status

2.4 Usage and Technical Data

We automatically collect information about how you use the platform:

  • IP address and device information (browser type, operating system)
  • Login times and platform activity
  • Pages accessed and features used
  • Search queries and facility exploration activities
  • Cookies and similar tracking technologies

3. How We Use Your Information

3.1 Health Information Uses

Health information you submit is used exclusively for:

  • Executing matching algorithm queries to identify relevant facilities
  • Sharing information with destination facilities you select
  • Providing customer support and account management
  • Maintaining your profile and transfer status monitoring
  • HIPAA compliance and audit logging

We do not use your health information for marketing, research, analytics, or any secondary purpose without your explicit consent.

3.2 Account and Profile Information Uses

Account information is used to:

  • Authenticate you and secure your account
  • Process subscription payments and billing
  • Send account notifications and support communications
  • Provide customer service

3.3 Facility Information Uses

Facility network information is used to:

  • Operate the matching algorithm and display facility options
  • Enable you to contact facilities for information
  • Maintain the facility directory
  • Generate network-wide analytics and insights (de-identified)

3.4 Usage and Technical Data Uses

Technical data is used to:

  • Improve platform performance and user experience
  • Detect technical issues and security threats
  • Analyze platform usage patterns (aggregated, not individual)
  • Comply with legal obligations

4. How We Share Your Information

4.1 Sharing With Facilities

When you submit a transfer request and select a destination facility, CareSwaps shares relevant health information with that facility. You control which facilities receive your information through your explicit selection. Facilities use this information to assess whether they can meet your loved one's needs.

4.2 Sharing With Service Providers

CareSwaps uses service providers (vendors) to operate the platform. These vendors have signed agreements requiring them to:

  • Use your information only to provide services to CareSwaps
  • Implement appropriate security safeguards
  • Comply with HIPAA and privacy laws

Current service providers:

Service Provider | Service Type | Information Access | Agreement Type
Google Workspace (Email, Sheets, Drive, Apps Script) | Email, cloud storage, automation | Yes — Health information | Business Associate Agreement
Jotform | Intake form collection | Yes — Health information | HIPAA Gold BAA
Paubox | Encrypted email transmission | Yes — Health information emails | Business Associate Agreement
Stripe | Payment processing | No — Billing information only | Data Processing Agreement
Airtable | Facility and swap data management | No — De-identified data only | No BAA required
Make.com | Workflow automation and integrations | No — De-identified data only | No BAA required

Note on De-Identification: Airtable and Make.com do not maintain BAAs because they receive only de-identified data. Under HIPAA (45 CFR § 164.514(b)), de-identified data is not Protected Health Information and is not subject to HIPAA requirements. Data provided to these platforms includes facility names, swap IDs, bed counts, and dates — but never resident names, contact information, diagnoses, or other individual identifiers. De-identification controls are verified through quarterly audits.

4.3 Legal Requirements

We may disclose information if required by law, court order, subpoena, or government request. We will notify you of such disclosures unless legally prohibited.

4.4 No Sale of Information

We do not sell your health information or personal data to any third party. We do not use your information for advertising or marketing to other companies.

5. Data Security and Protection

5.1 Security Measures

All health information and personal data is protected using industry-standard security measures:

  • Encryption at Rest: All data stored on CareSwaps servers is encrypted using AES-256 encryption
  • Encryption in Transit: All data transmitted to or from CareSwaps uses TLS 1.3 or higher
  • Access Controls: Access to your information is restricted to authorized CareSwaps personnel and requires multi-factor authentication
  • Audit Logging: All access to your information is logged for security and compliance purposes
  • Regular Security Testing: We conduct regular security assessments and penetration testing

5.2 Data Retention

Your health information is retained for 7 years following termination of your account to comply with healthcare record retention requirements. After that period, your information is securely deleted or de-identified.

5.3 Data Deletion

You may request deletion of your account and associated information at any time. We will delete your information within 30 days, except as required by law or if a legal hold is in place.

6. Cookies and Tracking

6.1 Cookies We Use

CareSwaps uses cookies and similar technologies for:

  • Maintaining your login session and authentication
  • Remembering your preferences
  • Analyzing platform usage (Google Analytics with IP anonymization)
  • Detecting and preventing unauthorized access

6.2 Cookie Management

You can control cookies through your browser settings. Disabling essential cookies may prevent you from using some platform features.

7. Your Privacy Rights

7.1 HIPAA Rights

Under HIPAA, you have the right to:

  • Access: Obtain a copy of your health information (within 30 days)
  • Amendment: Request correction of inaccurate information
  • Accounting: Request a list of disclosures of your information
  • Restriction: Request limits on use or disclosure of your information
  • Confidential Communication: Request alternative contact methods

7.2 Colorado Privacy Act Rights

Under the Colorado Privacy Act, you have the right to:

  • Know: Request what personal information we collect
  • Access: Request a copy of your personal information
  • Delete: Request deletion of your information
  • Correct: Request correction of inaccurate information

7.3 Exercising Your Rights

To exercise any of these rights, contact us at [email protected] with your request. We will respond within 30 days.

8. Children's Privacy

CareSwaps is designed for adults and families, not for children under 13. We do not intentionally collect information from children under 13. If you believe a child has provided information, please contact [email protected] immediately.

9. Changes to This Privacy Policy

9.1 Policy Updates

CareSwaps may update this Privacy Policy at any time. Material changes will be communicated with 30 days' notice. Continued use of the platform constitutes acceptance of the updated policy.

9.2 Current Version

The current version of this Privacy Policy is always available at careswaps.com/privacy.

9.5 Governing Law and State Compliance

This Privacy Policy is governed by federal law including HIPAA (45 CFR Parts 160 and 164) and applicable state law including the Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.) and Colorado Medicaid Anti-Kickback provisions (C.R.S. § 24-31-809).

10. Contact Information

10.1 Privacy Questions

For questions about this Privacy Policy or how we handle your information:

  • Email: [email protected]
  • Address: CareSwaps, LLC, Denver, Colorado

10.2 Complaints

You may file a complaint with:

  • HIPAA: HHS Office for Civil Rights at [email protected] or 1-800-368-1019
  • Colorado Privacy: Colorado Attorney General at [email protected]

Technology Platform Disclaimer: CareSwaps is a healthcare technology platform providing transfer matching software for families. CareSwaps is not a healthcare provider, patient broker, referral agency, placement service, medical advisor, or care coordinator. This Privacy Policy governs the handling of all information processed through the CareSwaps Platform, including Protected Health Information (PHI) and personal data. For healthcare facilities, our handling of PHI is further governed by the Business Associate Agreement in compliance with HIPAA 45 C.F.R. Parts 160 and 164.

HIPAA Compliance: CareSwaps is a HIPAA Business Associate and maintains Business Associate Agreements with facilities in the network. All health information is encrypted, access-controlled, and audit-logged in compliance with HIPAA Security Rule requirements. See our HIPAA Notice of Privacy Practices for additional HIPAA-specific rights.

State Privacy Rights: This policy includes provisions for Colorado Privacy Act rights. Individuals may request access, deletion, correction, or other rights by contacting [email protected].

© 2026 CareSwaps, LLC. All rights reserved. | Effective March 19, 2026