Privacy Policy
Effective: May 6, 2026 · Last updated: May 6, 2026
This Privacy Policy explains how CareCo Technologies Corp., a Delaware corporation ("CareCo", "we", "us"), collects, uses, discloses, and protects information from visitors to CareCo.ai (the "Site"). CareCo provides software for healthcare organizations; this policy covers our public marketing website only. Use of our product platform (app.careco.ai) is governed by separate written agreements with our customers.
1. Audience
CareCo.ai is a business-to-business marketing site. We expect visitors to be healthcare operators, clinical leaders, and administrators evaluating our software in a professional capacity. We do not provide consumer health services through this Site, and we do not knowingly collect health information about you as an individual.
2. Information we collect
2.1 Information you provide
- Demo and contact requests — name, work email, company name, phone (optional), organization type, team size, revenue range, clinical specialty, and free-text fields you choose to fill in.
- Email correspondence — content of messages you send us.
2.2 Information collected automatically
- Device and connection — IP address, user agent, browser language, screen size, timestamps.
- Usage — pages viewed, navigation paths, clicks, form interactions, scroll depth, and approximate location derived from IP (city/region level).
- Click identifiers — when you arrive from a paid ad we may store the click ID (e.g. gclid, fbclid, li_fat_id) in a first-party cookie so we can attribute resulting demo bookings back to the originating campaign.
- Diagnostic — error reports and performance metrics (Core Web Vitals).
- Session recordings — limited replay of page interactions, with all input fields masked and sensitive elements suppressed.
2.3 Information from third parties
We may receive information from advertising partners (Meta, Google, LinkedIn) confirming whether a particular conversion event matches a campaign, and from B2B identification providers that supply company-level (not individual-level) firmographic context based on visitor IP.
3. Categories of personal information (California)
For California residents, the table below maps the categories of personal information we collect, as defined by the CCPA (Cal. Civ. Code § 1798.140), to the data described above. We collect, use, and disclose these categories for the business and commercial purposes listed in §4.
- Identifiers — name, email, phone, IP address, online identifiers, cookies, click IDs.
- Customer-records information (Cal. Civ. Code § 1798.80(e)) — contact and employment information you submit on forms.
- Commercial information — interest in CareCo products, demo bookings, qualification data.
- Internet or other electronic network activity — pages viewed, clicks, referrers, session interactions.
- Geolocation data — approximate location derived from IP (city/region).
- Professional or employment-related information — company, role, organization type, team size, revenue range.
- Inferences — fit score, qualification status, and similar attributes derived from the above to prioritize sales follow-up.
We do not knowingly collect "sensitive personal information" (as defined by Cal. Civ. Code § 1798.140(ae)) through this Site, and we do not use any personal information for purposes that would trigger the right to limit use of sensitive personal information.
4. How we use information
- To respond to demo requests and other inquiries.
- To schedule, run, and follow up on sales meetings.
- To prioritize sales follow-up using fit scoring.
- To measure marketing performance — including by sending hashed conversion events to advertising platforms so we can attribute campaign spend.
- To improve the Site and our product.
- To detect, prevent, and respond to abuse and fraud.
- To comply with legal obligations.
- To enforce our agreements and protect the rights, property, and safety of CareCo, our customers, and others.
5. Legal bases (EEA, UK, Switzerland)
For visitors in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under GDPR / UK GDPR:
- Consent (Art. 6(1)(a)) — for non-essential cookies and similar tracking technologies, and for marketing communications. You may withdraw consent at any time.
- Legitimate interests (Art. 6(1)(f)) — for responding to inquiries you initiate, securing the Site, detecting abuse, and conducting limited measurement necessary to operate our business. You may object at any time as described in §10.
- Compliance with legal obligations (Art. 6(1)(c)) — when required by applicable law.
6. Cookies and similar technologies
We use cookies, local storage, and pixel tags to operate the Site, measure performance, and attribute marketing campaigns. See our Cookies & Tracking page for the full inventory and opt-out instructions. Visitors in the EEA, UK, and Switzerland are asked for affirmative consent before any non-essential cookies are set.
7. Disclosures to third parties
We disclose the categories listed in §3 to the following categories of recipients:
- Service providers who process information on our behalf under written contracts limiting their use, including: PostHog (product analytics, session replay), Google Analytics and Tag Manager (web analytics), Vercel (hosting), Supabase (lead storage), Cal.com (demo scheduling).
- Advertising partners for measurement and audience operations: Meta, LinkedIn, Google. We send these partners hashed contact identifiers (SHA-256) and event metadata, not raw email addresses.
- B2B identification providers (Vector) that return company-level firmographic context for sales follow-up.
- Professional advisors (lawyers, auditors, accountants).
- Government, regulators, and law enforcement when required by law or to protect rights, property, and safety.
- Acquirers in connection with a merger, acquisition, financing, or sale of assets, with notice as required by law.
We do not sell personal information for monetary consideration. Some of our sharing with advertising partners for cross-context behavioral advertising may qualify as a "sale" or "sharing" under the California Privacy Rights Act and analogous state laws. You may opt out via the "Do Not Sell or Share My Personal Information" mechanism on our Cookies & Tracking page or by sending a recognized opt-out preference signal (such as Global Privacy Control).
8. International transfers
CareCo is based in the United States, and the service providers listed above are predominantly US-based. When we transfer personal information from the EEA, UK, or Switzerland to the United States or another jurisdiction outside their respective borders, we rely on Standard Contractual Clauses approved by the European Commission (or the UK International Data Transfer Addendum) and supplementary measures as appropriate. Copies are available on request.
9. Data retention
- Marketing leads (visitors who submit a form but do not become customers) — up to 24 months from your last interaction with us, after which we delete or anonymize the record.
- Booked demos that did not convert — up to 36 months from the booking date.
- Customer records — for the duration of the customer relationship and for up to 7 years thereafter for legal, tax, and accounting purposes.
- Web analytics — per the retention defaults of the underlying provider (PostHog: 1 year; Google Analytics 4: 14 months).
- Session recordings — 1 month, then automatically deleted by the provider.
- Server logs — up to 90 days.
We may retain information longer when required by law, or for the establishment, exercise, or defense of legal claims.
10. Your rights
10.1 California (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know the specific pieces and categories of personal information we have collected about you, the sources, the business or commercial purposes for collection, and the categories of third parties to whom we disclose it (covering the preceding 12-month period, with the option to request disclosure beyond that period).
- Delete personal information we collected from you, subject to legal exceptions.
- Correct inaccurate personal information.
- Opt out of sale or sharing for cross-context behavioral advertising — see §7.
- Limit use of sensitive personal information — not applicable to us, as we do not process sensitive PI from Site visitors for purposes that would trigger this right.
- Non-discrimination — we will not deny services, charge different prices, or provide a different level of quality because you exercised a privacy right.
10.2 EEA, UK, Switzerland (GDPR / UK GDPR)
You have the right to:
- Access the personal data we hold about you and obtain a copy.
- Rectify inaccurate or incomplete data.
- Erasure ("right to be forgotten") in the circumstances set out in Art. 17 GDPR.
- Restriction of processing in the circumstances set out in Art. 18 GDPR.
- Portability — receive your data in a structured, commonly used, machine-readable format.
- Object to processing based on legitimate interests, including profiling, and to direct marketing at any time.
- Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
- Lodge a complaint with your supervisory authority — the list is published at edpb.europa.eu (EEA), the Information Commissioner's Office (UK), or the Federal Data Protection and Information Commissioner (Switzerland).
10.3 Other US states
Residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and other states with comprehensive privacy laws may have rights similar to those described above, including the right to appeal a denied request. We honor verifiable requests under applicable state laws.
10.4 How to exercise your rights
You may submit a request by either of the following methods:
- Email privacy@careco.ai with the subject line "Privacy Request."
- Mail a written request to the address in §13.
We will verify your identity using information already in our records and respond within the time required by applicable law (generally 45 days under CCPA, with one 45-day extension available; one month under GDPR, extendable by two further months for complex requests). An authorized agent may submit a request on your behalf with a written authorization that we may verify directly with you.
11. Data security
We use commercially reasonable administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. No system is perfectly secure; we cannot guarantee the security of any information.
12. Children
CareCo.ai is not directed to children under 16 (or under 13 for purposes of the US Children's Online Privacy Protection Act). We do not knowingly collect personal information from children. If you believe a child has provided information to us, please contact us and we will delete it.
13. Contact
For privacy questions or to exercise your rights:
Email: privacy@careco.ai
Postal mail:
CareCo Technologies Corp.
354 Wyoming Ave
Kingston, PA 18704
United States
14. Changes
We may update this Privacy Policy from time to time. The "Last updated" date above reflects the current version. Material changes will be communicated by posting a prominent notice on the Site or, where required, by email.