Privacy Policy

Effective Date: March 16, 2026

1. Information We Collect

1.1 Information You Provide

  • Account Information: Name, email address, phone number, password, agency name, and licensing credentials.
  • Agency Profile Data: Business address, service areas, certifications, insurance information, and billing details.
  • Client Data: Names, addresses, phone numbers, care notes, and health-related information that you enter into the Platform for your clients.
  • Caretaker Data: Names, certifications, compliance documents, availability, and work history for caretakers you manage.
  • Shift Backup Data: Shift details, clinical briefs, caretaker nominations, and payment information related to shift marketplace activity.

1.2 Information We Collect Automatically

  • Device information (browser type, operating system, screen size).
  • Usage data (pages visited, features used, timestamps).
  • IP address and approximate geographic location.
  • Cookies and similar tracking technologies for session management and analytics.

1.3 Information From Third Parties

  • Publicly available agency licensing data from state registries (e.g., CDSS) and federal sources (CMS).
  • Payment processing data from Stripe (transaction status, not full card numbers).

2. How We Use Your Information

  • Operate and maintain the Platform, including the agency directory, scheduling tools, and Shift Backup marketplace.
  • Verify agency licensing status and display accurate directory listings.
  • Process payments and send transaction-related communications.
  • Send shift alerts, nomination notifications, and operational updates via email and SMS.
  • Match Shift Backup shift requests with eligible partner agencies based on location and certifications.
  • Improve the Platform through anonymized usage analytics.
  • Comply with legal obligations and respond to law enforcement requests.

3. How We Share Your Information

We do not sell your personal information. We share data only as follows:

  • Public Directory: Agency names, addresses, licensing status, and administrator names sourced from public records are displayed in our directory. Agencies that claim their profiles control what additional information is shown.
  • Shift Backup Partners: When you post or fill a shift, limited information is shared with the partner agency as described in the Shift Backup Service Agreement (neighborhood before acceptance; full address after acceptance).
  • Service Providers: We use third-party services for hosting (Vercel), database (Neon), payment processing (Stripe), and SMS delivery. These providers access data only as needed to perform their services.
  • Legal Compliance: We may disclose data if required by law, subpoena, or government request, or to protect the rights, safety, or property of HomeCareAtlas, our users, or the public.

4. Client Health Information

Agency owners may enter health-related information about their clients (diagnoses, mobility status, care notes) into the Platform. This information is:

  • Accessible only to the agency that entered it (and, for Shift Backup shifts, to the partner agency after acceptance).
  • Encrypted in transit using TLS and at rest using AES-256 on SOC 2 compliant infrastructure.
  • Protected by role-based access controls (only your agency's authenticated users can access your data).
  • Never used for advertising or marketing, and never shared with third parties for non-operational purposes.

HomeCareAtlas is not HIPAA compliant. While we use healthcare-grade security practices (encryption, access controls, SOC 2 hosting), we have not completed a HIPAA compliance audit and do not sign Business Associate Agreements (BAAs). If your agency is a HIPAA covered entity, you should evaluate whether entering Protected Health Information (PHI) into the Platform is appropriate for your compliance program.

You are responsible for obtaining your client's consent before entering their information and for complying with HIPAA and any applicable state privacy laws.

5. Data Retention

  • Account data: Retained as long as your account is active. Upon deletion, personal data is removed within 30 days (some data may be retained for legal or audit purposes for up to 7 years).
  • Client and caretaker data: Retained as long as your agency account is active. You may delete individual records at any time.
  • Shift Backup records: Shift history and payment records are retained for 7 years for tax and compliance purposes.
  • Public directory data: Sourced from public records and retained indefinitely as public information.

6. Your Rights

Depending on your location, you may have the right to:

  • Access, correct, or delete your personal data.
  • Opt out of non-essential communications (you may not opt out of transactional notifications).
  • Request a copy of your data in a portable format.
  • Withdraw consent for data processing (where consent is the legal basis).

California residents have additional rights under the CCPA/CPRA. To exercise any rights, contact privacy@homecareatlas.com.

7. Security

We implement industry-standard security measures, including HTTPS encryption, database encryption at rest, role-based access controls, and regular security audits. No system is 100% secure, and we cannot guarantee absolute security. You are responsible for keeping your login credentials confidential.

8. Cookies

We use essential cookies for authentication and session management. We may use analytics cookies (e.g., Google Analytics) to understand Platform usage. You can manage cookie preferences in your browser settings.

9. Children's Privacy

The Platform is not intended for use by individuals under 18. We do not knowingly collect data from minors.

10. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email or a prominent notice on the Platform. The "Effective Date" at the top indicates the latest revision.

11. Contact

Privacy questions or data requests? Contact us at privacy@homecareatlas.com.