Privacy & Data Handling Notice
Last updated: April 2025
Important Clarification
Care Align is designed with a privacy-first approach and intentionally minimizes the collection of sensitive health information. The current version of the platform does not engage in workflows that handle Protected Health Information (PHI) as defined under HIPAA. We do not claim to be a HIPAA-covered entity or business associate at this time.
What Care Align Is — and Is Not
Care Align is a provider discovery and referral platform. It helps patients find healthcare providers based on non-clinical preferences such as location, specialty, insurance carrier, and care style. It is not a healthcare provider, health plan, or healthcare clearinghouse.
Care Align does not provide clinical services, process medical claims, transmit clinical health information, or act as a business associate to any covered entity under HIPAA. As a result, HIPAA's Privacy and Security Rules do not currently apply to Care Align in the same way they apply to covered entities.
Our Privacy-First Design Approach
Even though HIPAA does not currently apply to Care Align as a covered entity, we have intentionally designed the platform to minimize the collection of sensitive health information:
- The patient intake form collects only non-clinical preference data (location, specialty, insurance, care style preferences). It does not ask for symptoms, diagnoses, medical history, medications, or any clinical information.
- We do not store or transmit clinical health records.
- We do not integrate with EHR (Electronic Health Record) systems.
- When you book an appointment, you are redirected to the provider's own external scheduling system. Any clinical information you provide during that booking process is governed by the provider's privacy practices, not ours.
What We Do Collect
Care Align collects the following categories of information:
- Account information: Name and email from your Manus OAuth login
- Preference data: ZIP code, specialty, insurance carrier, appointment timing preference, and care style preferences
- Provider profile data: Credentials, practice location, specialty, and booking information submitted by providers
- Usage data: Pages visited, referral clicks, and session data for platform improvement
None of the above categories constitutes Protected Health Information (PHI) under HIPAA.
Future HIPAA Obligations
If Care Align expands in the future to include workflows that involve Protected Health Information — such as clinical data exchange, direct EHR integration, or acting as a business associate to a covered entity — we will:
- Update this notice and our Privacy Policy accordingly
- Implement appropriate HIPAA-required safeguards (administrative, physical, and technical)
- Execute Business Associate Agreements (BAAs) where required
- Notify users of material changes to our data handling practices
Until such time, Care Align operates as a privacy-conscious platform that avoids PHI collection by design.
Data Security
We implement reasonable technical and organizational security measures to protect the information we do collect. This includes encrypted data transmission (HTTPS), access controls, and secure credential storage. However, no system is completely immune to security risks, and we encourage users to practice good account security hygiene.
Your Rights
Regardless of HIPAA applicability, we respect your privacy rights. You may request access to, correction of, or deletion of your account data by contacting us through the platform's support channels.
Questions
If you have questions about our data handling practices or this notice, please contact us through the platform's support channels. We are committed to transparency about how we handle your information.