Privacy Policy
How DivineCare Service collects, uses, and protects information.
1. Scope
This Privacy Policy applies to the DivineCare Service web application, public marketing site, and embeddable onboarding widget (collectively, the “Service”). It describes how we handle information for visitors, agency staff users, and the individuals whose care records are managed in the platform.
2. Information we collect
- Account & profile data — name, email, phone, role, and the company you belong to.
- Patient & care records — entered by agency staff: demographics, clinical notes, medications, documents, appointments, and related care data.
- Usage & security data — sign-in timestamps, IP address, and browser/device information used to secure accounts and show login history.
- Communications — demo requests, contact-form messages, and support correspondence.
3. How we use information
- To provide and operate the Service for your healthcare agency.
- To authenticate users, enforce access control, and maintain audit trails.
- To send transactional notifications (e.g. appointment reminders, account alerts).
- To respond to enquiries and provide customer support.
- To detect, prevent, and investigate security incidents.
We do not sell personal information, and we do not use patient data for advertising.
4. Protected health information (PHI)
Where DivineCare Service processes protected health information on behalf of a healthcare agency, we act as a processor / business associate under that agency's instructions. PHI is encrypted in transit (TLS 1.2+) and at rest (AES-256 for stored documents), access is role-restricted, and all access and changes are recorded in a tamper-evident audit log.
5. Sharing & sub-processors
We share information only with sub-processors necessary to run the Service — such as cloud hosting, encrypted file storage, email, and SMS providers — each bound by confidentiality and data-protection obligations. We disclose information when required by law or to protect the rights and safety of users.
6. Security
- Encryption in transit (TLS 1.2+) and at rest (AES-256 for documents).
- Role-based access control and multi-factor authentication for staff accounts.
- Immutable audit logging of data access and changes.
- Secrets managed outside source code; least-privilege database access.
7. Data retention
We retain information for as long as your agency maintains an active account and as required to meet healthcare record-retention obligations. Records may be pseudonymised rather than deleted where legal retention applies. On account closure, data is deleted or returned per the governing agreement.
8. Your rights
Depending on your jurisdiction (e.g. GDPR, UK GDPR, CCPA), you may have rights to access, correct, export, or request deletion of your personal data. For patient records, please direct requests to the healthcare agency that manages your care; we will support them in fulfilling verified requests.
9. Cookies
We use strictly necessary cookies for authentication and session management. The marketing site may use minimal analytics cookies. We do not use third-party advertising cookies.
10. Changes to this policy
We may update this policy from time to time. Material changes will be reflected by an updated “Last updated” date and, where appropriate, an in-app notice.
11. Contact us
Questions about this policy or your data? Use our contact form and we'll respond within one business day.