Privacy Policy

Last updated: May 4, 2026

1. Who this applies to

This policy describes how Cardioplace and the participating pilot clinics handle your personal and health information when you use the Cardioplace app. By signing in, you agree to the practices described here.

2. What we collect

The information we hold about you falls into a few groups:

  • Identity and contact — your name, date of birth, email address, and (optionally) a phone number.
  • Health profile — conditions, medications, allergies, pregnancy status if applicable, and the clinic / provider assigned to you.
  • Readings and check-ins — blood-pressure values, pulse, symptoms, and short notes you write in the daily check-in.
  • Chat and voice transcripts — the messages and voice transcripts of conversations you have with the Cardioplace assistant.
  • Audit metadata — sign-in events, alert decisions, escalation steps, and care-team responses. This is required for clinical record-keeping.
  • Device and technical — a device identifier generated in your browser, your timezone, and basic request logs (IP address, user-agent) used to keep the service secure.

3. How we use it

  • To run the alert engine and decide whether a reading or symptom needs attention.
  • To produce the patient, caregiver, and physician messages tied to each alert.
  • To let your assigned care team review readings, verify your medication list, and follow up on alerts.
  • To send you notifications by email or push when the clinical rules trigger an escalation.
  • To keep an audit trail of every alert and every clinician action, as required for patient-safety review.
  • To improve the rules and the user experience — using de-identified, aggregated data only, with clinical sign-off.

4. Who sees it

Your information is shared with a small, defined group:

  • Your assigned care team at the participating clinic — the clinicians, nurses, and care coordinators whose role is to review your readings.
  • The Cardioplace operations team — a limited number of staff who keep the service running, on a strict need-to-know basis.
  • Service providers under contract — for example our hosting provider and our email/SMS provider. These providers are bound by HIPAA-compliant Business Associate Agreements where applicable.

We do not sell your information. We do not use it for advertising. We do not share it with employers, insurers, or third parties for marketing.

5. Where it lives and how it's protected

Your information is stored in encrypted databases hosted in the United States. Connections between your device and our servers are encrypted in transit (HTTPS / TLS).

Access to your record is logged. We use role-based access control so that, for example, content moderators cannot read your clinical readings, and clinicians at one practice cannot read patients assigned to a different practice.

6. How long we keep it

Clinical records are kept for the period required by the participating clinic's record-retention policy and by applicable medical-record law (typically several years after your last interaction). Audit logs are kept for at least the duration required by Joint Commission and HIPAA standards. When you ask us to delete your account, we remove identifiable profile data and de-identify any information that must be retained for clinical or audit reasons.

7. Your rights

You have the right to:

  • See what personal and health information we hold about you.
  • Ask us to correct anything that is wrong.
  • Request a copy of your information in a portable format.
  • Ask us to delete your account and your data, subject to the medical-record retention rules described in §6.
  • Withdraw your participation in the pilot at any time, without affecting the care you receive at your clinic.

To exercise any of these rights, email privacy@healplace.com. We will respond within 30 days.

8. Cookies and tracking

Cardioplace uses a small number of essential cookies and a device identifier stored in your browser to keep you signed in and to recognise your device for security. We do not use advertising or analytics trackers from third parties.

9. Children

Cardioplace is for adults aged 18 and older. We do not knowingly collect data from children. If you believe a child has signed up, please email privacy@healplace.com and we will delete the account.

10. Breach notification

If a security incident affects your protected health information, we will notify you and the participating clinic in line with HIPAA breach-notification rules and applicable state law.

11. Changes to this policy

We may update this policy as the pilot evolves. If we make a meaningful change we will tell you in the app or by email before the change takes effect.

12. Contact

Privacy questions, requests, and complaints can be sent to privacy@healplace.com. You may also raise a privacy complaint with the U.S. Department of Health and Human Services Office for Civil Rights.