Privacy Policy

1. Who We Are

Carely ("Carely," "we," "us," or "our") is a medication reminder and wellness application operated as an independent product. Our registered contact is hello@carely.fit. We are based in British Columbia, Canada.

This Privacy Policy applies to the Carely mobile application (iOS and Android), the website at carely.fit, and any related services (collectively, the "Service").

2. Information We Collect

2.1 Information You Provide

• Account information: First name, last name, email address, and password when you create an account.
• Medicine information: Medicine names, nicknames you create, dose amounts, schedules, and pill types you enter into the app.
• Caregiver information: Email addresses of caregivers you invite.
• Doctor information: Doctor name and clinic email address if you use the doctor connection feature.
• Chat messages: Messages you send to the AI Caretaker feature.
• Billing information: Payment details are handled by Stripe. We do not store full credit card numbers. We receive confirmation of successful payment and your subscription status.

2.2 Information Collected Automatically

• Usage data: When you log doses (taken, skipped, missed), adherence percentages, and streak counts.
• Device information: Device type, operating system version, push notification token (for sending reminders).
• Timezone: Used to send reminders at the correct local time.
• App activity: Features used and general interaction patterns to improve the service.

2.3 Information We Do NOT Collect

• We do not collect your location data.
• We do not collect biometric data.
• We do not collect data from other apps on your device.
• We do not build advertising profiles.

3. How We Use Your Information

• To provide the Service: Sending dose reminders, tracking adherence, generating reports.
• AI Caretaker messages: We pass your first name, medicine nicknames (not real drug names), and anonymised adherence statistics to OpenAI's GPT-4o API to generate personalised check-in messages. We never send your actual medicine names, diagnosis, dose amounts, or any other personally identifying information to OpenAI.
• Caregiver alerts: Sending push notifications to linked caregivers when a dose is missed.
• Doctor reports: Generating and emailing weekly adherence summaries to your connected doctor's clinic.
• Account management: Authenticating your account, managing your subscription, and communicating with you about the Service.
• Service improvement: Analysing anonymised usage patterns to improve features.
• Legal compliance: Meeting our obligations under applicable law.

4. How We Share Your Information

We do not sell your personal information. We share it only in the following limited circumstances:

4.1 Service Providers

• Supabase: Database hosting (servers in the United States).
• OpenAI: AI message generation. Only anonymised data is sent (first name + nicknames + adherence stats).
• Firebase (Google): Push notification delivery.
• SendGrid (Twilio): Transactional email delivery.
• Stripe: Payment processing.
• Railway: Backend API hosting.
• Upstash: Caching and job queuing.

All service providers are contractually bound to use your information only to provide services to us and are prohibited from using it for their own purposes.

4.2 Caregivers You Invite

If you invite a caregiver, they will receive missed dose notifications and can view your medicine schedule and adherence percentages. They cannot see dose amounts, doctor notes, or any information you have not explicitly shared through the caregiver feature.

4.3 Your Doctor

If you connect a doctor, Carely will email them weekly adherence reports containing your name, medicine list, and dose adherence percentages. You control this connection and can revoke it at any time.

4.4 Legal Requirements

We may disclose your information if required by law, court order, or government authority, or to protect the rights, property, or safety of Carely, our users, or the public.

4.5 Business Transfers

If Carely is acquired or merges with another company, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

5. Data Retention

• Active accounts: We retain your data for as long as your account is active.
• Dose logs: Retained for up to 2 years to power streaks, history, and reports.
• Account deletion: When you delete your account, we delete your personal information within 30 days, except where we are required by law to retain it.
• Backups: Anonymised or aggregated data may be retained in backups for up to 90 days after deletion.

6. Your Rights

For Canadian Residents (PIPEDA)

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to:

• Access the personal information we hold about you.
• Correct inaccurate personal information.
• Withdraw consent for the collection, use, or disclosure of your information (subject to legal or contractual restrictions).
• File a complaint with the Office of the Privacy Commissioner of Canada.

For California Residents (CCPA)

Under the California Consumer Privacy Act, California residents have the right to:

• Know what personal information we collect, use, disclose, and sell.
• Delete personal information we have collected (with certain exceptions).
• Opt out of the sale of personal information. (We do not sell personal information.)
• Non-discrimination for exercising your privacy rights.

To exercise any of these rights, contact us at hello@carely.fit. We will respond within 30 days.

7. Data Security

We implement appropriate technical and organisational measures to protect your information, including:

• Encryption of data in transit (TLS/HTTPS).
• Encryption of sensitive data at rest.
• Row-level security on all database tables, ensuring each user can only access their own data.
• bcrypt password hashing with 12 rounds.
• JWT-based authentication with 30-day expiry.
• Regular security reviews.

No method of internet transmission is 100% secure. If you discover a security vulnerability, please report it to hello@carely.fit before public disclosure.

8. Children's Privacy

Carely is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will delete it promptly.

Users between 13 and 17 years of age may use Carely only with parental or guardian consent.

9. International Data Transfers

Your information may be transferred to and processed in the United States, where our service providers maintain servers. By using Carely, you consent to this transfer. We ensure all transfers are protected by appropriate contractual safeguards.

10. Push Notifications

Carely uses Firebase Cloud Messaging (iOS and Android) and Apple Push Notification Service (iOS) to send dose reminders. You can disable push notifications at any time in your device settings. This will stop reminder notifications but will not affect other features.

11. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting a notice in the app at least 14 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.