Privacy & Security

Private by design. Shared only by choice.

CareTrove is built around local-first records, explicit exports, user-initiated iCloud backup, and careful boundaries for website and employer data.

Local-first

Core care records start on the device.

Care profiles, medications, appointments, notes, tasks, documents, loops, and many review records are designed around local organization. Local-first is not the same as absolute local-only. Export, share, iCloud backup, App Store services, and configured sharing workflows are explicit exceptions.

iCloud

Backup is explicit and uses the user's Apple account.

Plus backup and restore are user-initiated through Apple iCloud when configured and available. Backup language stays qualified because attached document files may remain device-local in metadata-only backup behavior.

ActionWho initiatesWhat is storedWhat is not promised
Enable backupThe user through app settings where configured.Eligible app records in the user's Apple iCloud context.Employer access, CareTrove web account storage, or automatic provider sync.
Restore backupThe user on their own device and Apple account.Eligible backed-up record data.Guaranteed recovery of every attached document file byte.
Export separatelyThe user when they choose an export path.Selected PDF, text, JSON, or Health Bundle output.Automatic sharing or submission.

User-controlled sharing

Exports and summaries are selected.

CareTrove can support selected text shares, PDF packets, local JSON export, and Health Bundle export. Users should review exports before sending them. CareTrove does not turn private records into a public web account.

ChoiceUser controlBoundary
Text shareSelect the content and recipient.Not an automatic sync or ongoing feed.
PDF packetChoose the packet scope and review before sending.Not an official medical record.
Local JSONExport where entitlement and configuration allow.Not a clinical exchange guarantee.
Health BundleCreate a selected structured export.FHIR-inspired organization, not certified FHIR.
Care CircleGrant limited sharing where configured.Not whole-archive exposure by default.

Privacy architecture

Device, optional backup, explicit sharing.

The privacy model is intentionally simple: organize on the device, opt into user-controlled backup where available, and share only selected information. Employers sit outside the private care-record boundary.

Device
Core care records, notes, documents, tasks, and review context begin under user control.
Optional iCloud
Backup and restore use the user's Apple account when configured and initiated by the user.
Explicit share
Packets, exports, summaries, and Care Circle sharing happen only through selected user actions.

Outside the private record boundary

Employer sponsorship, website contact data, support messages, and first-party analytics do not grant access to app medical records.

Employer boundary

Organizations do not receive employee care records.

CareTrove for Employers is framed around private employee access. Employers should not ask for medications, diagnoses, documents, family messages, individual care activity, or private notes through CareTrove.

Website data

Website forms are not for health records.

The website collects contact, consent, routing, source, and general inquiry information. It warns visitors not to submit medical records or private health details. First-party analytics are allowlisted and should not include names, emails, free text, or medical details.

Data areaPurposeBoundary
App recordsPersonal care organization in the iOS app.Not collected through website forms.
Website contact dataRespond to access, support, employer, partner, press, or privacy requests.No health records, diagnoses, medication details, patient names, or document contents requested.
Employer relationship dataManage organizational access conversations and follow-up.No employee medical records or individual care activity.

Controls and boundaries

Only real controls are claimed.

CareTrove can rely on iOS protections, local storage behavior, explicit sharing choices, app settings, local delete controls, source references, and review history. The website does not claim unsupported certifications or guarantees.

App lock and iOS protections
CareTrove relies on the user's device and operating-system protections rather than claiming unsupported certification.
Explicit sharing
Exports, packets, and Care Circle sharing depend on user choice and review.
Source review
Source-aware tools help people notice what needs confirmation without making clinical decisions.
Deletion
Local app data controls and website data request flows are handled separately.

Privacy FAQ

Trust questions.

Does everything stay local?

CareTrove is local-first by default. Explicit exceptions can include export, sharing, iCloud backup, App Store services, and configured collaboration flows. Those actions depend on user choice, entitlement, and available configuration. Users should review the destination and scope before moving information off the device.

Does the website collect medical records?

No. Website forms are for general contact, support, employer, and related requests. They warn visitors not to submit records, diagnoses, medication details, patient names, or document contents. Messages should remain general and non-medical.

Can an employer view employee records?

No. CareTrove does not position employer access as medical-record access. Employee care information remains private and user controlled. Employer discussions are limited to organizational access, communication, support, and evaluation topics.

Is CareTrove a certified EHR?

No. CareTrove is a private care-organization product, not a certified electronic health record. It does not replace official provider systems or source records. Users should confirm important information with original documents and qualified professionals.

Does CareTrove sell health data?

CareTrove does not describe its website as a marketplace for health records. Website operations focus on contact, support, employer, limited analytics, and data-request flows. Forms are not intended to collect medical records or private health details. The privacy policy explains the website data that may be processed for those functions.

Can I delete app data?

The app includes local data safety controls. Available deletion actions depend on the data and app workflow involved. Users should review the confirmation shown before deleting information. Important source documents should be retained wherever they are officially maintained.

Can I request deletion of website data?

Yes. Use the data request page for website lead or contact data. Provide enough contact information for CareTrove to identify and route the request. Do not include medical records or private health details in the request.

Is backup automatic?

No. Backup is explicit and user initiated when it is configured and available. Its scope can depend on the app version, entitlement, and backup behavior. Users should confirm the current status and included data inside the app.

Policies and requests

Detailed policies in one place.

Use this section when you need the formal website policy, app privacy details, legal terms, accessibility information, or a website data request.