1. Scope
CareSwift, Inc. (“CareSwift,” “we,” “us,” “our”) provides AI‑powered EMS documentation tools and related websites (together, the “Service”), including:
The CareSwift EPCR plugin, desktop application, and mobile applications used by EMS agencies (“Customers”) and their workforce.
The public website at https://www.careswift.com and any sales, support, or other marketing interactions that originate there.
CareSwift acts as a HIPAA Business Associate and executes a Business Associate Agreement (BAA) with every Covered‑Entity Customer. A SOC 2 Type 2 audit is scheduled for Q4 2025.
2. Information We Collect and Handle
Category | Typical Elements | Source | Retention |
Transient Clinical Data (PHI/PII) | NEMSIS fields, vitals, narrative audio or text, images | Crew via plugin, desktop, or mobile app | Deleted immediately upon EPCR submission or, at most, eight hours after initial use |
Operational Metadata (non‑PHI) | Session ID, first‑keystroke timestamp, submission time, anonymized performance metrics | Platform logs | Five years by default (configurable) |
Account and Admin Data | Name, work email, role, credentials | Customer admin or SSO portal | Contract term plus 90 days |
Website and Marketing Data | IP address, cookies, form data, newsletter preferences | Visitor browser | Per cookie‑banner settings |
Support Content | Ticket text, call recordings | You ↔ CareSwift | Ninety days after resolution |
We may also collect standard browser‑supplied “Log Data” (IP address, browser type, pages visited, and time spent) and analytics data from third‑party tools such as Google Analytics.
3. How We Use Information
Purpose | Involves PHI/PII? | Legal or Contractual Basis |
Populate EPCR fields and run QA/QI checks | Yes (kept ≤ 8 h) | Contract performance |
Measure documentation time and platform performance | No (operational metadata only) | Legitimate interest |
Product research and development, including AI model tuning | No (operational metadata only) | Legitimate interest |
Billing and contract management | No | Contract performance |
Security, audit, and fraud prevention | No | Legal obligation |
Marketing communications (opt‑in only) | No | Consent |
CareSwift never sells PHI/PII, never uses it for advertising, and never leverages it, whether identified or de‑identified, for product improvement.
3‑A. Zero PHI/PII in Product Improvement
Engineering environments for operational metadata are technically and logically isolated from production stores containing PHI or PII.
BAAs and Master Service Agreements explicitly forbid any PHI/PII use for model training, feature development, or marketing.
4. Cookies and Tracking Technologies
We use cookies to remember your settings, deliver requested features, and improve the website. You may refuse cookies in your browser; certain site functions may stop working if cookies are disabled.
Do Not Track
The Service does not currently respond to browser‑based Do Not Track signals.
5. Sharing and Disclosure
We disclose information only to:
Authorized Customer users through role‑based access controls.
HIPAA‑compliant sub‑processors listed at https://compliance.careswift.com/subprocessors and bound by BAA‑equivalent terms.
Regulators or law enforcement when required by law.
Successor entities in a merger, acquisition, or asset sale, with advance notice.
No PHI/PII leaves United States infrastructure.
6. Security Measures
Encryption in transit (TLS 1.2+) and at rest (AES‑256).
Ephemeral processing queues purge PHI/PII within eight hours after submission.
SSO plus MFA for CareSwift workforce; least‑privilege IAM and quarterly access reviews.
Continuous monitoring with 24 × 7 alerts; critical patch SLA is 24 hours.
HIPAA Privacy, Security, and Breach Rules fully implemented; SOC 2 Type 2 fieldwork begins October 2025.
7. Data Retention and Deletion
Data Type | Maximum Retention | Deletion Method |
PHI/PII in EPCR | Up to eight hours after “Submit” | Cryptographic wipe of S3 objects; queue tokens shredded |
Operational Metadata | Five years (configurable) | Logical delete followed by database vacuum |
Support Tickets and Calls | Ninety days post‑resolution | Ticket‑system purge |
Customers may trigger immediate deletion via the admin console or API.
8. State Privacy Rights
Because PHI is deleted within hours, only limited account data remains subject to CPRA, CCPA, and similar laws. To exercise access, correction, or deletion rights, email privacy@careswift.com or call (844) 624‑0341. We respond within the legally mandated timelines.
9. Changes to This Policy
We may update this policy from time to time. Material changes will be emailed to each Customer’s contract administrator and shown in‑app at least 30 days before they take effect. Continued use of the Service after those changes constitutes acceptance.
10. Contact Us
CareSwift, Inc.
8 The Green, #17323
Dover, DE 19901‑3618 USA
Email: privacy@careswift.com
Phone: (844) 624‑0341
11. Opt‑In Programs
Integration Partner Program
If you join the Integration Partner Program, CareSwift will share relevant demographic details about you and your organization, plus any information you provide on the program web page, with technology partners such as ePCR vendors and billing‑system providers. Each partner receives only the data needed to evaluate or implement interoperability and must not reuse it for other purposes.
You can withdraw from marketing or partner communications at any time by emailing support@careswift.com with “unsubscribe” in the subject line.
13. Mission, Values, Vision
CareSwift’s mission is to improve patient outcomes by streamlining EMS documentation. We believe our success depends on the success of EMS professionals and on fostering an environment where every team member thrives.