CareLead, Inc.
Effective Date: April 21, 2026 | Last Updated: April 21, 2026
CareLead, Inc. (“CareLead,” “we,” “us,” or “our”) provides a patient-governed care operations platform that helps individuals and their authorized caregivers organize health information, prepare for appointments, manage medications, track bills, and coordinate follow-through. CareLead is offered through our mobile applications, the website at https://carelead.app, and related services (collectively, the “Services”).
This Privacy Policy explains what information we collect, how we use and protect it, when we share it, and the rights you have over it. It applies to anyone who uses the Services, including account holders, dependents whose information is managed inside a household, and authorized caregivers.
By creating an account or using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with it, please do not use the Services.
CareLead, Inc. is a Delaware corporation headquartered at:
CareLead, Inc.
406 E Tuscaloosa St., Unit 01
Florence, AL 35630
United States
For privacy questions, data requests, security reports, or any other inquiry related to this policy, contact us at:
Email: support@carelead.app
Website: https://carelead.app
CareLead is a consumer-facing health technology platform. Whether the federal Health Insurance Portability and Accountability Act (“HIPAA”) applies to a particular use of CareLead depends on the relationship under which the Services are being used. When you use CareLead directly as an individual consumer, CareLead is generally not acting as a HIPAA “covered entity” or “business associate.” In those cases, the protected health information (“PHI”) you place into CareLead is governed by this Privacy Policy and applicable consumer health privacy laws, including the Federal Trade Commission’s Health Breach Notification Rule (16 C.F.R. Part 318) and applicable state laws.
When CareLead is offered through, or in coordination with, a healthcare provider, employer, health plan, or similar entity that requires us to operate as a Business Associate under HIPAA, we sign a Business Associate Agreement (“BAA”) and the use of your information under that arrangement is governed by HIPAA, the BAA, and any applicable notice of privacy practices provided by that entity.
Independent of legal classification, CareLead is designed with HIPAA-aligned technical and administrative safeguards because we handle sensitive health information. Section 12 describes those safeguards in more detail.
This Privacy Policy covers information processed by CareLead through the Services. It does not cover:
Websites, applications, or services operated by third parties that we link to or integrate with, even if you reach them from CareLead;
Healthcare providers, pharmacies, insurers, or other entities you communicate with using CareLead, each of which has its own privacy practices;
Information you choose to share with other people directly outside the Services.
The categories of information we collect depend on how you use the Services. We try to collect only what is necessary to provide and improve CareLead.
When you create or maintain an account, we collect information such as your name, email address, mobile phone number, password (stored as a salted hash, never in clear text), authentication tokens, and account preferences.
CareLead is organized around a household that contains one or more profiles. A profile may represent you (a self profile) or a person you care for (a dependent profile). For each profile, you or an authorized caregiver may add information such as legal name, date of birth, sex, contact details, relationships, language, emergency contacts, and care team members.
CareLead is designed to hold the kinds of information patients and families need to manage care. Depending on which features you use, this may include:
Allergies, medical conditions, surgical history, family history, and immunization records;
Medications, dosages, schedules, supply, refill information, and adherence events such as taken, skipped, or snoozed;
Lab results, imaging reports, and other clinical reports you upload or enter;
Appointments, visit preparation notes, agendas, post-visit recaps, and follow-up tasks;
Bills, Explanations of Benefits, denial letters, itemized statements, payments, refunds, and appeal materials;
Insurance details, member identifiers, plan information, and pharmacy details;
Routine logs you choose to record, such as blood pressure, glucose, or weight;
Goals, care plans, preventive care items, and reminders.
Some of this information is regulated as PHI when handled by a HIPAA-covered entity, and as sensitive personal information under various state laws. We treat it as highly sensitive regardless of legal classification.
You may upload documents and photos (for example, scans of bills, lab reports, prescription labels, and insurance cards). We extract structured information from these files using optical character recognition and language models so that we can present it back to you in a usable form. Originals are stored in private, encrypted object storage and are accessible only through short-lived signed URLs.
Several CareLead features use voice. Specifically:
Voice Retrieval and Ask Profile. You may speak a question to CareLead. Audio is converted to text by a speech-to-text provider and is not stored once the transcript is produced. You confirm the transcript before it is used to retrieve information.
During Visit capture. You may take notes by typing during a visit, or, if you explicitly enable Recording Mode and attest to having any required consent, you may record audio of a visit. Audio you record is stored in private encrypted storage, transcribed, and retained according to the retention preferences in your settings. You may delete a session at any time, which removes the associated audio, transcript, recap, and exports on a best-effort basis.
Calling Agent. The MVP Calling Agent operates in Bridge Mode. CareLead does not record calls and does not store call transcripts. We store only operational call events (status changes, timestamps, end reason) and any outcome notes you choose to enter.
If you invite a caregiver, or accept an invitation to be a caregiver, we collect information needed to manage that relationship: invitation status, the profiles to which access is granted, the permission template selected, the date and time consent was granted or revoked, and audit events recording each transition.
We collect limited technical information to operate, secure, and improve the Services, such as device type, operating system version, application version, language and locale, time zone, push notification tokens, crash reports, and non-PHI event metadata describing how you interact with features. We deliberately exclude PHI from these payloads using redaction and allowlisted event schemas.
If you contact our support team, we collect the contents of your message, your contact information, and any attachments you choose to share. We use this information to respond to you and to improve the Services.
We do not knowingly collect biometric identifiers (such as fingerprints or facial geometry), precise geolocation data, or content from third-party patient portals unless you explicitly upload or paste such content. We do not collect children’s personal information for use of the Services because the Services are limited to adults (see Section 17).
We use the information described in Section 5 to:
Provide, maintain, secure, and improve the Services;
Process documents, transcribe voice, extract structured fields, and generate drafts that you review and confirm before they are committed to your profile or saved as tasks, reminders, or exports;
Coordinate caregiver access, enforce consent, and apply household and profile permissions;
Send you product, transactional, and security communications, such as appointment reminders, refill reminders, account notices, and security alerts;
Respond to support requests, troubleshoot issues, and prevent fraud or abuse;
Generate aggregated, de-identified, or non-PHI analytics that help us understand product usage and reliability without exposing your health information;
Comply with applicable law, lawful requests, and our legal obligations.
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We do not use your protected health information to train artificial intelligence models, and we contractually require our AI subprocessors not to do so either.
Where the Services are offered in the United States, we process information based on your consent (when you create an account, upload documents, grant caregiver access, or enable optional features), to perform our contract with you (the Terms of Use), to comply with our legal obligations, and to pursue our legitimate interests in operating, securing, and improving the Services in a manner consistent with your reasonable expectations.
CareLead uses artificial intelligence to draft, extract, summarize, and organize information. Our AI features are designed around three commitments:
Review before commit. AI may produce drafts and proposals, but no consequential action (such as creating a task, updating a profile, generating an export, or initiating a call) is persisted until you review and confirm an Intent Sheet. You remain in control of what becomes part of your record.
Minimization. We send the minimum information necessary to our AI providers to perform the requested function. We do not log prompts or responses outside of non-PHI run metadata used for reliability and debugging.
No model training on your data. We do not use your information to train, fine-tune, or otherwise improve generalized AI models. We require our AI subprocessors not to use your information for their own model training under our service terms.
CareLead’s AI features assist with administration and organization. They do not provide medical advice, diagnosis, or treatment recommendations and should not be relied on as a substitute for professional clinical judgment.
We rely on a limited set of service providers to operate the Services. These providers act on our behalf, only for the purposes we direct, and are bound by appropriate confidentiality and security obligations. Where required, we sign Business Associate Agreements with providers that handle PHI. Current categories and primary providers include:
Cloud database and storage: Supabase (database, authentication, and private object storage).
Artificial intelligence: Anthropic (large language model and document understanding) and other model providers as needed for OCR, speech-to-text, and text-to-speech.
Telephony: Twilio (Calling Agent voice connectivity).
Transactional email: Resend (account, security, and transactional email delivery).
Error tracking and observability: Tools configured to exclude PHI from logs and crash payloads.
We may add, change, or remove subprocessors as the Services evolve. A current list is available on request by emailing support@carelead.app.
We share information only as described below.
You can invite caregivers to access specified profiles within your household, with permissions defined by the template you choose. Caregiver access is gated by an explicit consent record and may be revoked at any time, with revocation taking effect immediately on the next request.
We share information with the service providers identified in Section 9 to the extent necessary for them to perform services on our behalf.
If you choose to share an export, packet, or summary with a clinician, pharmacy, insurer, or other entity, that information leaves CareLead under your direction and is then governed by that entity’s privacy practices.
We may disclose information when we believe in good faith that disclosure is required by law, legal process, or government request, or is necessary to protect the rights, property, or safety of CareLead, our users, or others. We will challenge requests we believe to be overbroad or unlawful where appropriate.
If CareLead is involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction. We will require any successor to honor the commitments in this Privacy Policy or to provide you notice and a meaningful opportunity to delete your information before any material change in how it is handled.
We may share aggregated or de-identified information that cannot reasonably be used to identify you or your household for product improvement, research, or partner reporting. We do not re-identify de-identified information and we contractually prohibit recipients from doing so.
The Services are currently offered in the United States only. We do not direct the Services to users outside the United States. If you access the Services from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those of your country.
CareLead implements administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of your information. Our controls are designed to map to the HIPAA Security Rule and to general consumer health privacy expectations. Key safeguards include:
Encryption of data in transit using TLS, and encryption of data at rest by our managed database and storage providers;
Private storage buckets with short-lived signed URLs for any access to PHI files;
Server-side authorization checks on every read and write of profile-scoped data, supported by Postgres row-level security where applicable;
A consent gate that controls caregiver access to dependent profile data and supports immediate revocation;
An Intent Sheet commit gate that prevents AI from silently committing actions to your account;
An append-only audit trail that records significant actions and supports investigation;
PHI-safe telemetry that excludes PHI from logs, crash reports, and analytics;
Secure development practices, vendor minimization, and bounded retries on AI provider calls.
No security program can guarantee absolute protection. If we learn of a security incident affecting your information, we will notify you and applicable regulators as required by law, including the FTC Health Breach Notification Rule and applicable state breach notification laws.
We retain information for as long as your account is active and as needed to provide the Services. You may delete individual artifacts (such as documents, sessions, or appointments) at any time. Some information has product-defined expiration windows:
Generated exports expire automatically after a default retention window and are deleted from storage;
If you enable visit Recording Mode, recorded audio and transcripts follow the retention windows you set in your privacy settings, and are deleted on session deletion;
Calling Agent operational events are retained for product reliability and audit purposes; calls are not recorded in the MVP.
When you delete your account or a household, we delete or de-identify your information from our active systems within a commercially reasonable period. We may retain limited information for legitimate business purposes such as fraud prevention, legal compliance, billing reconciliation, and audit, in which case we will continue to apply this Privacy Policy to that information.
Audit events are append-only by design. We retain audit metadata for a reasonable period to support investigation and compliance. Audit metadata is non-PHI.
Subject to applicable law, you have the following rights with respect to your information:
Access. You can view information stored about you and your household profiles inside the application.
Correction. You can edit profile facts, documents, and other information directly in the application.
Export. You can generate a private export archive of your household data; the archive is delivered through a short-lived signed link and expires automatically.
Deletion. You can delete individual items, profiles, or your entire account from the application or by emailing support@carelead.app.
Consent management. You can grant, modify, or revoke caregiver access at any time. Revocation is immediate.
Opt out of non-essential communications. You can opt out of marketing emails using the unsubscribe link in those messages. Transactional and security communications cannot be opted out of while you maintain an account.
Complaint. You may file a complaint with us at support@carelead.app, with your state attorney general, with the Federal Trade Commission, or, where applicable, with the U.S. Department of Health and Human Services Office for Civil Rights.
To exercise any of these rights, contact us at support@carelead.app. We may need to verify your identity before responding to your request and may decline requests where doing so would compromise the privacy or security of others.
CareLead is designed for shared family healthcare reality. If you act as a caregiver for another adult, you are responsible for ensuring that you have the authority to access and manage that person’s information, and for using the Services in a manner consistent with that person’s wishes and any applicable legal authority (such as a power of attorney, healthcare proxy, or similar instrument). If you create a dependent profile for a child or other person, you are responsible for any necessary consents and for compliance with applicable law.
Caregivers can only see and act on profiles they have been explicitly granted access to, with the scope defined by the permission template chosen by the household owner or admin. Profile owners and admins can revoke caregiver access at any time.
The Calling Agent (currently in Bridge Mode) is a patient-directed feature. It is initiated only when you confirm a Call Intent Sheet that specifies who is being called, why, and what CareLead is permitted to say. CareLead stores an immutable consent snapshot of what you approved. The Calling Agent does not record calls and does not store transcripts in the MVP. Operational events (such as dialing, hold, answered, bridged, ended, and end reason) and any outcome notes you enter are stored to provide reliability, audit, and follow-through. CareLead does not use the Calling Agent for emergency calling and will refuse calls where emergency language is detected.
The Services are intended for individuals 18 years of age or older. We do not knowingly allow anyone under 18 to create an account. Adults may create dependent profiles for minors they care for, in which case the adult account holder is the responsible party for those profiles and for any consents required under applicable law, including the Children’s Online Privacy Protection Act (“COPPA”) where it applies.
If we learn that we have collected personal information from a person under 18 who has created an account directly, we will delete that information promptly. If you believe a minor has created an account, please contact us at support@carelead.app.
This section provides additional disclosures for residents of certain U.S. states with comprehensive privacy laws. To the extent these disclosures conflict with the rest of this Privacy Policy for residents of the named state, the disclosures in this section control.
This section applies to California residents under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”). It does not apply to information that is exempt from the CCPA, including PHI processed by a HIPAA-covered entity or business associate, medical information governed by California’s Confidentiality of Medical Information Act (“CMIA”), or information collected as part of a clinical trial.
Categories of personal information we collect (as defined in Cal. Civ. Code § 1798.140) include: identifiers; customer records; characteristics of protected classifications (where you provide them, such as date of birth or sex); commercial information (such as in-app purchases); internet or other electronic network activity; geolocation (general, not precise); audio information (where you use voice features); professional or employment-related information (where you provide it); and inferences drawn from any of the above. We also collect categories of “sensitive personal information,” including account login credentials, contents of communications, and information concerning health.
We use sensitive personal information only for the purposes permitted under Cal. Civ. Code § 1798.121, including providing the Services you request, security, and short-term, transient use. We do not use sensitive personal information to infer characteristics about you for purposes other than providing the Services.
Sources of personal information include: you (directly), authorized caregivers and household members, documents and files you upload, and our service providers. Purposes are described in Section 6.
We do not sell or share personal information as those terms are defined under the CCPA. We have not done so in the preceding twelve months.
California residents may request to know, delete, correct, and limit the use of sensitive personal information; opt out of sale or sharing (which we do not engage in); and not be discriminated against for exercising these rights. To submit a request, email support@carelead.app. You may designate an authorized agent to act on your behalf, subject to verification.
Notice of Financial Incentive: We do not offer financial incentives in exchange for your personal information.
Residents of states with comprehensive consumer privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and Montana) may have rights to access, delete, correct, and obtain a portable copy of their personal data, to opt out of targeted advertising, sale, and certain profiling, and to appeal denials of these requests. We do not engage in targeted advertising or sales of personal data. To exercise these rights, contact us at support@carelead.app. If we deny your request, you may appeal by replying to our response email; if we deny your appeal, you may contact your state attorney general.
Residents of Washington and Nevada are afforded additional protections for consumer health data under the Washington My Health My Data Act and Nevada SB 370. We collect, use, and disclose consumer health data as described in this Privacy Policy. We will obtain your affirmative consent before sharing consumer health data outside the purposes described here, and we will not sell consumer health data without a valid authorization.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email, in-app notice, or another reasonable means before the changes take effect. The “Last Updated” date at the top of this policy reflects the most recent revision. Your continued use of the Services after a change becomes effective constitutes your acceptance of the updated Privacy Policy.
If you have questions, concerns, or requests related to this Privacy Policy or how CareLead handles your information, contact us at:
CareLead, Inc.
Attn: Privacy
406 E Tuscaloosa St., Unit 01
Florence, AL 35630
Email: support@carelead.app