Introduction
Welcome to Karing, operated by Our Dragonfly, LLC ("Company," "we," "us," or "our"). We are committed to protecting your privacy and the privacy of those in your care.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Karing mobile application and any related website, service, or platform (collectively, the "Service"). It also describes your rights regarding your information and how you can exercise those rights.
By accessing or using our Service, you agree to this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service.
Plain language summary: We take your privacy seriously — especially because you're sharing sensitive health and care information with us. This document explains exactly what we collect, why we collect it, and how we protect it.
Who We Are
Our Dragonfly, LLC is a limited liability company organized under the laws of the State of Indiana, with its principal place of business at PO Box 131, Batesville, IN 47006.
Karing is a caregiving management application designed to help caregivers, families, and self-advocates track health data, behavioral patterns, appointments, and care-related records for their dependents.
For questions about this Privacy Policy or our data practices, please contact our Privacy Officer at legal@karing.io.
Information We Collect
We collect several categories of information to provide and improve our Service.
Information You Provide Directly
- Account Information: Your name, email address, phone number, and password when you create an account.
- Profile Information: Your role (caregiver, parent, therapist, self-advocate, etc.) and preferences.
- Dependent Information: Name, age range, and other details about individuals in your care that you voluntarily enter into the app.
- Health and Care Logs: Information you log about behavior, sleep patterns, nutrition, therapy sessions, medications, interventions, and other care-related data.
- Appointment Information: Details about medical and therapy appointments including dates, times, providers, and locations.
- Documents: Medical records, care plans, school IEPs, lab results, and other documents you upload to the Service.
- Communications: Messages you send through the AI Assistant or to our support team.
- Payment Information: Billing details processed through our third-party payment processor. We do not store your full credit card number.
Information Collected Automatically
- Device Information: Device type, operating system, unique device identifiers, and mobile network information.
- Usage Data: Features used, pages viewed, actions taken within the app, and frequency of use.
- Log Data: IP address, access times, app crashes, and other system activity.
- Location Data: General location based on IP address. We do not collect precise GPS location unless you explicitly grant permission for appointment features.
Information from Third Parties
- If you connect a third-party calendar or health app, we may receive information from those services as permitted by your settings with them.
- Family members or care team members who you invite to share access may add information about dependents.
How We Use Your Information
We use the information we collect for the following purposes:
To Provide the Service
- Create and manage your account and profile
- Store and display your care logs, documents, and appointment information
- Generate AI-powered insights, pattern detection, and reports
- Facilitate family sharing and care team collaboration
- Process subscription payments and manage billing
- Send appointment reminders and care-related notifications
To Improve the Service
- Analyze usage patterns to improve app functionality and user experience
- Develop new features based on how users interact with the Service
- Troubleshoot technical issues and fix bugs
- Conduct research to improve our AI models (using only anonymized, de-identified data)
To Communicate With You
- Send essential service notifications (account changes, security alerts)
- Respond to your support requests and questions
- Send product updates and new feature announcements (you may opt out)
To Comply With Legal Obligations
- Meet our obligations under HIPAA and applicable privacy laws
- Respond to lawful requests from government authorities
- Enforce our Terms of Service and protect our legal rights
We do not sell your personal information or health data to third parties. We do not use your health data for advertising purposes.
HIPAA & Protected Health Information
Karing handles information that may qualify as Protected Health Information ("PHI") under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations.
Our HIPAA Obligations
To the extent that Karing functions as a Business Associate under HIPAA, we are committed to:
- Using and disclosing PHI only as permitted by our Business Associate Agreement and applicable law
- Implementing appropriate administrative, physical, and technical safeguards to protect PHI
- Reporting any breach of unsecured PHI to affected individuals and, where required, to the U.S. Department of Health and Human Services (HHS)
- Making our internal practices available to HHS for purposes of determining compliance
- Returning or destroying PHI upon termination of the business relationship, where feasible
Notice of Privacy Practices
If we are a Covered Entity or Business Associate under HIPAA, you have certain rights with respect to your PHI. These include the right to:
- Access and obtain a copy of your health information
- Request corrections to inaccurate or incomplete information
- Receive an accounting of disclosures of your PHI
- Request restrictions on how we use and disclose your PHI
- Receive communications about your PHI in a confidential manner
- File a complaint with HHS if you believe your privacy rights have been violated
De-Identified Data
We may de-identify health information in accordance with HIPAA's de-identification standards (45 CFR § 164.514). De-identified data is no longer considered PHI and may be used for research, analytics, and service improvement purposes.
Important: Karing is a personal caregiving tool and is not intended to replace professional medical advice, diagnosis, or treatment. Do not use this app for emergency medical situations. Always seek the advice of a qualified health provider for medical questions.
Business Associate Agreements
We enter into Business Associate Agreements (BAAs) with our third-party service providers that handle PHI on our behalf, including but not limited to our cloud infrastructure provider, database services, and AI processing vendors. A list of our current Business Associates is available upon request.
How We Share Your Information
We do not sell, trade, or rent your personal information. We may share your information only in the following limited circumstances:
With Your Consent
- When you invite family members or care team members to access a dependent's profile, they will have access to the logs, documents, and information you have shared for that dependent.
- When you generate and share a report with a healthcare provider, therapist, or school, you are authorizing that disclosure.
Service Providers (Business Associates)
We share information with trusted third-party service providers who assist us in operating our Service, subject to confidentiality agreements and, where applicable, Business Associate Agreements. These include:
- Cloud Infrastructure: Hostinger — for secure data storage and processing
- Payment Processing: Apple In-App Purchase and Google Play — for subscription billing
- AI / Machine Learning: OpenAI — for AI insights and report generation
- Analytics: OpenAI — for anonymized usage analytics
- Customer Support: OpenAI — for responding to support requests
- Email / Notifications: OpenAI — for sending reminders and alerts
Legal Requirements
We may disclose your information when required by law, including to:
- Comply with a subpoena, court order, or other legal process
- Respond to a government or regulatory authority request
- Protect the rights, property, or safety of our Company, our users, or the public
- Investigate potential violations of our Terms of Service
Business Transfers
If we are involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
Aggregate and De-Identified Data
We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you for research, analytics, or industry reporting purposes.
Data Security
Protecting your health and care data is our highest priority. We implement the following security measures:
Technical Safeguards
- Encryption at Rest: All data stored on our servers is encrypted using AES-256 encryption
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
- End-to-End Encryption: Sensitive health records and documents are protected with end-to-end encryption
- Authentication: Multi-factor authentication options are available for all accounts
- Access Controls: Role-based access controls limit who can access your data within our systems
- Audit Logging: We maintain logs of who accesses PHI and when
Administrative Safeguards
- Designated Privacy Officer and Security Officer
- Regular HIPAA training for all employees with access to PHI
- Background checks for employees handling sensitive data
- Documented security policies and incident response procedures
- Regular internal and third-party security audits
Physical Safeguards
- Data processed in SOC 2 Type II certified data centers
- Physical access controls at all facilities where data is processed
- Secure workstation policies for all employees
No method of transmission or storage is 100% secure. While we use industry-standard safeguards, we cannot guarantee the absolute security of your information. You are responsible for keeping your account credentials confidential and for notifying us immediately of any unauthorized access to your account.
Data Retention
We retain your information for as long as your account is active or as needed to provide the Service. Specifically:
- Account Data: Retained for the duration of your account and for 3 years after account deletion, as required by applicable law.
- Health and Care Logs: Retained for the duration of your account. Upon deletion, logs are permanently purged within 90 days.
- Documents: Retained until you delete them or close your account, after which they are permanently deleted within 90 days.
- Backup Copies: Encrypted backup copies may be retained for up to 30 days after deletion for disaster recovery purposes, after which they are permanently destroyed.
- Financial Records: Billing and payment records are retained for 7 years as required by tax and accounting laws.
- Legal Holds: We may retain data longer if required for litigation, regulatory investigation, or legal compliance.
You may request deletion of your account and data at any time by contacting us at legal@karing.io or through the "Delete Account" feature in the app's Profile settings.
Your Rights
Depending on your location, you may have the following rights with respect to your personal information:
Right to Access
You have the right to request a copy of the personal information we hold about you. You can access most of your data directly within the app.
Right to Correction
You have the right to request correction of inaccurate or incomplete personal information. Most information can be edited directly in the app's Profile and settings sections.
Right to Deletion
You have the right to request deletion of your personal information ("right to be forgotten"), subject to certain legal exceptions. Use the "Delete Account" feature in the app or contact us directly.
Right to Data Portability
You have the right to request a copy of your data in a structured, machine-readable format. Contact us at legal@karing.io to request a data export.
Right to Restrict Processing
You have the right to request that we restrict the processing of your personal information in certain circumstances.
Right to Object
You have the right to object to our processing of your personal information for direct marketing purposes. You can opt out of marketing communications at any time through your notification settings.
Right to Withdraw Consent
Where we rely on your consent to process your information, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing before your withdrawal.
How to Exercise Your Rights
To exercise any of these rights, contact our Privacy Officer at legal@karing.io. We will respond to all requests within 90 days. We may need to verify your identity before processing your request.
Children's Privacy
Karing is intended for use by adults (18 years of age or older) who are caregivers, parents, family members, or self-advocates managing their own care.
Our Service is not directed to children under the age of 13, and we do not knowingly collect personal information directly from children under 13. However, users may enter health and care information about minors in their care (such as a child with a disability or medical condition) as dependents within the app. This information is entered and controlled by the adult account holder.
If you are a parent or guardian and believe your child under 13 has directly created an account or submitted personal information, please contact us immediately at legal@karing.io and we will delete that information promptly.
If you are between 13 and 18 years of age and wish to use the Service as a self-advocate, you must have parental or guardian consent. Please have a parent or guardian contact us at legal@karing.io to set up access.
Third-Party Services
Our Service may contain integrations with or links to third-party services. This Privacy Policy does not apply to those third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you use.
App Store Platforms
When you download Karing from the Apple App Store or Google Play Store, those platforms may collect certain information about you subject to their own privacy policies.
Third-Party Login
If we offer the ability to log in using a third-party account (such as Apple ID or Google), those providers will have access to information you share with them and their privacy policies will apply.
Calendar Integration
If you choose to sync appointments with your phone's calendar, your device's calendar application and its associated platform will have access to that appointment information.
Cookies & Tracking Technologies
Our mobile application does not use browser cookies. However, we and our service providers may use the following tracking technologies:
- Mobile Analytics SDKs: To understand how users interact with the app, diagnose crashes, and measure feature usage.
- Device Identifiers: Such as advertising IDs (IDFA on iOS, GAID on Android), which you can reset or limit through your device settings.
- Session Tokens: To keep you logged in securely between app sessions.
Our website (if applicable) may use cookies for functionality and analytics. You can control cookie settings through your browser preferences. Note that disabling cookies may affect certain website features.
We do not use tracking technologies to serve you targeted advertising based on your health data.
Data Breach Procedures
Despite our security measures, no system is completely immune to breaches. In the event of a data breach involving your personal information or PHI, we will:
Detection & Containment
- Immediately investigate and contain the breach upon discovery
- Engage our incident response team within 24 hours of discovery
- Preserve evidence for investigation and regulatory reporting
Notification to You
- Notify affected users without unreasonable delay and within the timeframe required by applicable law
- For HIPAA breaches affecting 500 or more individuals, notify affected individuals within 60 days of discovery
- Notifications will be sent via email to the address on your account and via prominent in-app notice
- Each notice will describe: what happened, what information was involved, what we are doing, what you can do to protect yourself, and how to contact us
Regulatory Reporting
- Report breaches to the U.S. Department of Health and Human Services (HHS) as required by HIPAA's Breach Notification Rule (45 CFR §§ 164.400-414)
- Report to state attorneys general and other regulatory authorities as required by applicable state breach notification laws
- For breaches affecting 500 or more residents of a state, provide notice to prominent media outlets in that state
Remediation
- Take steps to prevent recurrence and improve security controls
- Offer appropriate remediation to affected users, which may include credit monitoring services where appropriate
- Document the breach, our response, and all notifications for regulatory compliance purposes
California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: The right to know what personal information we collect, use, disclose, and sell about you.
- Right to Delete: The right to request deletion of personal information we have collected, subject to certain exceptions.
- Right to Correct: The right to request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: The right to opt out of the sale or sharing of your personal information. We do not sell your personal information.
- Right to Limit Use of Sensitive Personal Information: The right to limit our use of sensitive personal information, including health data.
- Right to Non-Discrimination: The right not to receive discriminatory treatment for exercising your privacy rights.
To exercise your California privacy rights, contact us at legal@karing.io or call hello@karing.io (email preferred). We will verify your identity and respond within 45 days.
California residents may also designate an authorized agent to make requests on their behalf. Authorized agents must provide written authorization or a power of attorney.
International Users
Karing is operated in the United States. If you access our Service from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your country.
By using the Service, you consent to the transfer of your information to the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, please note that we transfer data in compliance with applicable data transfer mechanisms, including Standard Contractual Clauses approved by the European Commission where required.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other business reasons. When we make material changes, we will:
- Update the "Last Updated" date at the top of this policy
- Notify you via email at the address associated with your account
- Display a prominent in-app notice for at least 30 days before the changes take effect
- For changes involving PHI, provide at least 60 days' advance notice
Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. If you do not agree to the updated policy, you must stop using the Service and may request deletion of your account.
We encourage you to review this Privacy Policy periodically. Previous versions of this Privacy Policy are available upon request.
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Privacy Officer
Our Dragonfly, LLC
PO Box 131
Batesville, IN 47006
Email: legal@karing.io
Phone: hello@karing.io (email preferred)
Response time: Within 90 business days
To File a HIPAA Complaint
If you believe your privacy rights under HIPAA have been violated, you may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights:
U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
Website: hhs.gov/hipaa/filing-a-complaint
Phone: 1-800-368-1019
We will not retaliate against you for filing a complaint with HHS.