Privacy Policy

Last updated: 15 June 2026

1. Who we are

KareMate AI ("we", "our", "us") is the data controller for personal data processed through this service. We are subject to UK GDPR and the Data Protection Act 2018.

Data Protection Officer: dpo@caremate.ai

To exercise your rights or raise a concern, contact us at the email address above. You may also lodge a complaint with the ICO (Information Commissioner's Office), the UK supervisory authority.

2. What data we collect

  • Account data: name, email address, password hash (via Firebase Authentication)
  • Patient / care recipient data: name, date of birth, medical conditions, allergies, medications, GP contact details, emergency contacts, care logs, appointment records, crisis plans, discharge summaries
  • Carer wellbeing data: mood scores, stress scores, sleep hours, break status, notes
  • Benefits data: benefit names and renewal dates
  • Usage data: AI chat messages, agent execution logs
  • Payment data: subscription tier (payment details handled by Stripe and never stored by us)

Patient / care recipient data and carer wellbeing data are health data, which is special category data under UK GDPR Article 9. We only process it with your explicit consent (Article 9(2)(a)), obtained at account registration.

3. Lawful basis for processing

Purpose                                  Lawful basis
Providing care coordination features     Contract (Art. 6(1)(b)) + explicit consent for health data (Art. 9(2)(a))
AI-assisted summaries and plans          Explicit consent (Art. 6(1)(a) + Art. 9(2)(a))
Subscription billing via Stripe          Contract (Art. 6(1)(b))
Account security and authentication      Legitimate interests (Art. 6(1)(f))
Improving our service                    Legitimate interests (Art. 6(1)(f)); anonymised data only

4. How we use AI (Google Gemini)

To generate care summaries, appointment preparation notes, crisis plans, and AI chat responses, we transmit patient data to Google Gemini (Vertex AI), operated by Google LLC. This involves a transfer of personal data to the United States. We rely on Google's Data Processing Agreement and Standard Contractual Clauses (UK Addendum) as the transfer safeguard under UK GDPR Article 46.

You consented to this transfer at account registration. You may withdraw consent at any time by contacting dpo@caremate.ai — note that withdrawing AI processing consent will disable AI features.

5. Third-party processors

  • Firebase / Google Cloud: Authentication and database hosting. DPA in place.
  • Google Vertex AI (Gemini): AI language model for care assistance. DPA + SCCs in place.
  • Stripe: Payment processing. DPA in place. Stripe does not receive health data.

6. Retention periods

  • Patient / care records: 3 years from last activity, then permanently deleted
  • Care logs and medications: 3 years from creation
  • Wellbeing logs: 1 year from creation
  • Benefits renewal records: 6 months after the renewal date
  • AI agent execution logs: 2 years (retained for audit and accountability)
  • Account data: until account deletion + 30-day grace period

7. Your rights

Under UK GDPR you have the right to:

  • Access — request a copy of all personal data we hold about you
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your account and all associated data
  • Portability — receive your data in machine-readable JSON format
  • Restriction — request that processing is paused while a dispute is resolved
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — including for AI processing of health data

Exercise any right via Settings → Account → Data & Privacy, or by emailing dpo@caremate.ai. We respond within 30 days.

8. Cookies

We use two strictly necessary session cookies (km-auth and km-admin) to keep you signed in. These are exempt from consent under PECR. We do not use advertising, analytics, or tracking cookies.

9. Data security

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256 via Google Cloud default encryption). Access is controlled via Firebase Authentication tokens. We maintain an access audit log for all operations on patient data.

10. Children

Our service may be used to coordinate care for children. If a patient is under 16, the account holder (carer) confirms they have appropriate parental or guardian authority to input that data. We do not knowingly allow children under 16 to create their own accounts.

11. Changes to this policy

We will notify you by email of any material changes at least 14 days before they take effect. The current version is always available at this URL.