Privacy & Security
Private by design. Shared only by choice.
CareTrove is built around local-first records, explicit exports, user-initiated iCloud backup, and careful boundaries for website and employer data.
Local-first
Core care records start on the device.
Care profiles, medications, appointments, notes, tasks, documents, loops, and many review records are designed around local organization. Local-first is not the same as absolute local-only. Export, share, iCloud backup, App Store services, and configured sharing workflows are explicit exceptions.
iCloud
Backup is explicit and uses the user's Apple account.
Plus backup and restore are user-initiated through Apple iCloud when configured and available. Backup language stays qualified because attached document files may remain device-local in metadata-only backup behavior.
| Action | Who initiates | What is stored | What is not promised |
|---|---|---|---|
| Enable backup | The user through app settings where configured. | Eligible app records in the user's Apple iCloud context. | Employer access, CareTrove web account storage, or automatic provider sync. |
| Restore backup | The user on their own device and Apple account. | Eligible backed-up record data. | Guaranteed recovery of every attached document file byte. |
| Export separately | The user when they choose an export path. | Selected PDF, text, JSON, or Health Bundle output. | Automatic sharing or submission. |
User-controlled sharing
Exports and summaries are selected.
CareTrove can support selected text shares, PDF packets, local JSON export, and Health Bundle export. Users should review exports before sending them. CareTrove does not turn private records into a public web account.
| Choice | User control | Boundary |
|---|---|---|
| Text share | Select the content and recipient. | Not an automatic sync or ongoing feed. |
| PDF packet | Choose the packet scope and review before sending. | Not an official medical record. |
| Local JSON | Export where entitlement and configuration allow. | Not a clinical exchange guarantee. |
| Health Bundle | Create a selected structured export. | FHIR-inspired organization, not certified FHIR. |
| Care Circle | Grant limited sharing where configured. | Not whole-archive exposure by default. |
Privacy architecture
Device, optional backup, explicit sharing.
The privacy model is intentionally simple: organize on the device, opt into user-controlled backup where available, and share only selected information. Employers sit outside the private care-record boundary.
- Device
- Core care records, notes, documents, tasks, and review context begin under user control.
- Optional iCloud
- Backup and restore use the user's Apple account when configured and initiated by the user.
- Explicit share
- Packets, exports, summaries, and Care Circle sharing happen only through selected user actions.
Outside the private record boundary
Employer sponsorship, website contact data, support messages, and first-party analytics do not grant access to app medical records.
Employer boundary
Organizations do not receive employee care records.
CareTrove for Employers is framed around private employee access. Employers should not ask for medications, diagnoses, documents, family messages, individual care activity, or private notes through CareTrove.
Website data
Website forms are not for health records.
The website collects contact, consent, routing, source, and general inquiry information. It warns visitors not to submit medical records or private health details. First-party analytics are allowlisted and should not include names, emails, free text, or medical details.
| Data area | Purpose | Boundary |
|---|---|---|
| App records | Personal care organization in the iOS app. | Not collected through website forms. |
| Website contact data | Respond to access, support, employer, partner, press, or privacy requests. | No health records, diagnoses, medication details, patient names, or document contents requested. |
| Employer relationship data | Manage organizational access conversations and follow-up. | No employee medical records or individual care activity. |
Controls and boundaries
Only real controls are claimed.
CareTrove can rely on iOS protections, local storage behavior, explicit sharing choices, app settings, local delete controls, source references, and review history. The website does not claim unsupported certifications or guarantees.
- App lock and iOS protections
- CareTrove relies on the user's device and operating-system protections rather than claiming unsupported certification.
- Explicit sharing
- Exports, packets, and Care Circle sharing depend on user choice and review.
- Source review
- Source-aware tools help people notice what needs confirmation without making clinical decisions.
- Deletion
- Local app data controls and website data request flows are handled separately.
Privacy FAQ
Trust questions.
Does everything stay local?
CareTrove is local-first by default. Explicit exceptions can include export, sharing, iCloud backup, App Store services, and configured collaboration flows. Those actions depend on user choice, entitlement, and available configuration. Users should review the destination and scope before moving information off the device.
Does the website collect medical records?
No. Website forms are for general contact, support, employer, and related requests. They warn visitors not to submit records, diagnoses, medication details, patient names, or document contents. Messages should remain general and non-medical.
Can an employer view employee records?
No. CareTrove does not position employer access as medical-record access. Employee care information remains private and user controlled. Employer discussions are limited to organizational access, communication, support, and evaluation topics.
Is CareTrove a certified EHR?
No. CareTrove is a private care-organization product, not a certified electronic health record. It does not replace official provider systems or source records. Users should confirm important information with original documents and qualified professionals.
Does CareTrove sell health data?
CareTrove does not describe its website as a marketplace for health records. Website operations focus on contact, support, employer, limited analytics, and data-request flows. Forms are not intended to collect medical records or private health details. The privacy policy explains the website data that may be processed for those functions.
Can I delete app data?
The app includes local data safety controls. Available deletion actions depend on the data and app workflow involved. Users should review the confirmation shown before deleting information. Important source documents should be retained wherever they are officially maintained.
Can I request deletion of website data?
Yes. Use the data request page for website lead or contact data. Provide enough contact information for CareTrove to identify and route the request. Do not include medical records or private health details in the request.
Is backup automatic?
No. Backup is explicit and user initiated when it is configured and available. Its scope can depend on the app version, entitlement, and backup behavior. Users should confirm the current status and included data inside the app.
Policies and requests
Detailed policies in one place.
Use this section when you need the formal website policy, app privacy details, legal terms, accessibility information, or a website data request.