CareVillage Support Networks LLC (“we,” “us,” or “our”) is committed to protecting your privacy and safeguarding any Protected Health Information (PHI) and personally identifiable information (PII) you provide to us. This Privacy Policy describes how we collect, use, store, disclose, and protect your information when you use our services, including participating in video-based consultations or support groups via our website at www.carevillage.io.
Because licensed CareVillage Counselors (CVCs) provide support services through our platform, certain information we handle may constitute Protected Health Information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). We are committed to complying with applicable HIPAA requirements and maintaining appropriate safeguards for all PHI.
We collect the following categories of information:
a. Personally Identifiable Information (PII)
Full name
Email address
Phone number (if provided)
Date of birth
Gender
Occupation
Location / address
Profile image
b. Health-Related and Protected Health Information (PHI)
The following information may constitute PHI under HIPAA. We collect it to match you with appropriate support services and facilitate your care:
Caregiving role and relationship to care recipient
Care recipient age and health condition(s)
Meeting notes recorded during consultations
Messages exchanged between caregivers and CareVillage Counselors
Consultation preferences and scheduling information
Group session participation history
c. CVC Professional Information
Professional license type, number, and state
License documentation (uploaded files)
Years of experience and profession
Identity verification results
Background check disclosures
d. Technical Information
IP address
Device and browser type
Usage activity (e.g., login timestamps)
Session tokens and authentication data
e. Financial Information
Payment method details (processed securely via Stripe; we do not store card numbers)
Identity verification data (processed via Plaid)
Payout account information for CareVillage Counselors
We use your information to:
Schedule and facilitate video consultations and group support sessions
Match caregivers with appropriate CareVillage Counselors and support groups
Send appointment confirmations, reminders, and important updates via email and SMS
Process payments and CVC payouts
Verify CVC professional licenses and identity
Maintain audit logs for HIPAA compliance and security monitoring
Improve platform performance, safety, and user experience
Comply with legal and regulatory obligations
We do not sell, rent, or trade your personal information or PHI to third parties.
We share limited information with trusted third-party service providers (“Business Associates” under HIPAA) solely to operate our platform. Each Business Associate that handles PHI is required to enter into a Business Associate Agreement (BAA) with us, ensuring they protect your information in accordance with HIPAA requirements.
Our third-party service providers (Business Associates where they handle PHI on our behalf) include:
Zoom Video Communications, Inc. — HIPAA-compliant video platform for consultations and group sessions (BAA in place)
Amazon Web Services (AWS) — Cloud infrastructure, encrypted database hosting, and file storage (BAA in place)
Stripe, Inc. — Secure payment processing (PCI-DSS compliant)
Twilio, Inc. — SMS reminders and notifications (BAA in place)
Resend — Transactional email delivery
Nylas — Calendar synchronization for CVC scheduling
Plaid, Inc. — Identity verification for CVCs
All third-party processors are bound by confidentiality obligations and data protection agreements. We only share the minimum necessary information required for each service to function.
We implement administrative, technical, and physical safeguards to protect your information as required by HIPAA:
Technical Safeguards
All data in transit encrypted using TLS (HTTPS)
Database encryption at rest using AES-256 (AWS RDS)
File storage encryption at rest (AWS S3)
All secrets and credentials stored in AWS Systems Manager Parameter Store with KMS encryption
Role-based access controls (caregiver, CVC, admin) enforced at middleware and API levels
Session authentication via NextAuth with secure, httpOnly cookies
Passwords hashed using bcrypt
Audit logging of all PHI access events
No video session recordings are stored
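To make the access-control and audit-logging items above concrete, here is an added illustration (example code, not CareVillage's own implementation): one authorization function that applies the three roles named above plus a minimum-necessary ownership check, and writes an audit entry for every PHI access decision, including denials. The policy table, the resource shapes, the sample sessions and the helper names are assumptions made for the example.

```javascript
// Added example: role-based access enforced in a single authorization
// layer, with an audit record for every PHI access decision. This is
// illustrative code, not CareVillage's implementation. The role names
// (caregiver, cvc, admin) come from the policy text; the policy table,
// resource shapes and helper names are assumed for the example.

const PHI_RESOURCES = new Set(["meeting_note", "message", "care_recipient"]);

// Which roles may perform which actions on which resource types.
// Ownership/assignment ("minimum necessary") is checked separately in isAllowed().
const POLICY = {
  caregiver: { meeting_note: ["read"], message: ["read", "write"], care_recipient: ["read", "write"] },
  cvc:       { meeting_note: ["read", "write"], message: ["read", "write"], care_recipient: ["read"] },
  admin:     { meeting_note: [], message: [], care_recipient: [] }, // admins manage accounts, not clinical content
};

const auditLog = []; // stands in for an append-only audit store

function isAllowed(session, action, resource) {
  const allowedActions = (POLICY[session.role] || {})[resource.type] || [];
  if (!allowedActions.includes(action)) return false;
  // Caregivers may touch only their own records; CVCs only records of
  // caregivers assigned to them; any other role is denied by default.
  if (session.role === "caregiver") return resource.caregiverId === session.userId;
  if (session.role === "cvc") return session.assignedCaregivers.includes(resource.caregiverId);
  return false;
}

// Call this from the API handler or middleware before any PHI read/write.
function authorize(session, action, resource) {
  const allowed = isAllowed(session, action, resource);
  if (PHI_RESOURCES.has(resource.type)) {
    auditLog.push({
      at: new Date().toISOString(),
      actor: session.userId,
      role: session.role,
      action,
      resourceType: resource.type,
      resourceId: resource.id,
      outcome: allowed ? "allowed" : "denied",
    });
  }
  return allowed;
}

// Constructed sample sessions and one constructed PHI record.
const caregiverSession = { userId: "u-100", role: "caregiver", assignedCaregivers: [] };
const otherCaregiver   = { userId: "u-200", role: "caregiver", assignedCaregivers: [] };
const cvcSession       = { userId: "c-1",   role: "cvc",       assignedCaregivers: ["u-100"] };
const adminSession     = { userId: "a-1",   role: "admin",     assignedCaregivers: [] };
const note = { type: "meeting_note", id: "n-1", caregiverId: "u-100" };

// Runs four decisions and reports the outcomes plus the audit trail they left.
function demo() {
  return {
    ownerRead:    authorize(caregiverSession, "read", note),  // true
    strangerRead: authorize(otherCaregiver, "read", note),    // false
    cvcWrite:     authorize(cvcSession, "write", note),       // true
    adminRead:    authorize(adminSession, "read", note),      // false
    auditEntries: auditLog.length,                            // 4
  };
}
```

Recording denials as well as grants is the part that is easy to skip and hard to live without: a run of denied reads against one caregiver's records is the trace an enumeration attempt leaves behind, and a log keyed by actor, resource and outcome is what the annual risk assessment and any breach investigation will ask for.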
Administrative Safeguards
Designated HIPAA Privacy Officer and Security Officer
Annual security risk assessments
CVC onboarding includes HIPAA awareness training
Workforce access limited to minimum necessary information for each role
Incident response and breach notification procedures
Physical Safeguards
Infrastructure hosted in AWS data centers with SOC 2 and ISO 27001 attestations, operated under our AWS Business Associate Agreement for HIPAA workloads (HIPAA itself has no certification program)
No PHI stored on local devices or physical media
We retain your information as long as your account is active or as needed to:
Provide ongoing services
Comply with legal and regulatory obligations (including HIPAA record retention requirements)
Resolve disputes
Enforce our agreements
Meeting metadata and audit logs are retained for a minimum of six (6) years as required by HIPAA. You may request deletion of your account data at any time, subject to our legal retention obligations.
We use essential cookies for login sessions, role-based access, and meeting functionality. We do not use tracking cookies for advertising or behavioral targeting. No third-party analytics or advertising trackers are present on our platform.
If your information qualifies as PHI under HIPAA, you have the following rights:
Right to Access — You may request a copy of your PHI that we maintain.
Right to Amendment — You may request corrections to your PHI if you believe it is inaccurate or incomplete.
Right to an Accounting of Disclosures — You may request a list of certain disclosures we have made of your PHI.
Right to Request Restrictions — You may request restrictions on how we use or disclose your PHI, though we are not always required to agree.
Right to Confidential Communications — You may request that we communicate with you about your health information through alternative means or at alternative locations.
Right to a Copy of This Notice — You may request a paper or electronic copy of this Privacy Policy at any time.
To exercise any of these rights, email us at services@carevillage.io.
Regardless of whether HIPAA applies to your information, you may:
Access or update your account information at any time through your profile settings
Request deletion of your data and account
Withdraw consent to optional data processing
Opt out of non-essential communications
In the event of a breach of unsecured PHI, we will notify affected individuals, the U.S. Department of Health and Human Services (HHS), and, where required, the media, in accordance with the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414). Notification to affected individuals will be provided without unreasonable delay and no later than 60 calendar days following discovery of the breach; notification to HHS and the media follows the timing and size thresholds set out in the Rule.
CareVillage is not intended for users under the age of 18 without parental or guardian consent. We do not knowingly collect information from children under 13.
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on our website. Changes will be posted on this page with the updated effective date. Continued use of our services after changes constitutes acceptance of the updated policy.
For any privacy-related questions, HIPAA inquiries, or to exercise your rights, please contact:
CareVillage HIPAA Privacy Officer
CareVillage Support Networks LLC
services@carevillage.io
If you believe your privacy rights have been violated, you may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at www.hhs.gov/hipaa/filing-a-complaint. We will not retaliate against you for filing a complaint.