Privacy Policy
CareForceOne Privacy Policy
Effective Date: May 18, 2025
1. Who We Are
Jimeta Systems LLC (“we,” “our,” “CareForceOne”) provides cloud-based web and mobile software that helps home-care agencies manage staffing, electronic visit verification (“EVV”), mobile timesheets, nurse-note transcription, applicant tracking, and related services.
2. Scope of This Policy
This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you:
- use the CareForceOne web or mobile apps;
- interact with our public websites (e.g., careforceone.net);
- connect via our APIs, integrations, and Directus-based backend; or
- communicate with our support or sales teams.
It covers workforce data (e.g., staff accounts, timecards, GPS location during EVV), patient/client data (including protected health information or “PHI”), and visitor data (cookies, device IDs, etc.).
3. Information We Collect
| Category | Examples | Source |
| --- | --- | --- |
| Account data | Name, email, role, password hash, social-login IDs | You / your employer |
| Workforce & schedule data | Time entries, visit notes, GPS check-in/out, signatures | You / mobile app |
| Patient & clinical data | Patient identifiers, care plans, vitals, nurse notes, voice recordings for transcription | You / agency EMR import |
| Device & usage data | IP address, browser type, device ID, crash reports, usage logs | Automatically |
| Payment & billing data | Agency billing contact, plan selection, Stripe transaction IDs | You / payment processor |
| Support correspondence | Emails, chat transcripts, call recordings | You |
We do not intentionally collect data about children under 13 on public sites. Patient or caregiver minors’ data entered by agencies is handled under HIPAA as described below.
4. How We Use Data
| Purpose | Legal Basis* |
| --- | --- |
| Provide and secure the platform (account creation, authentication, role-based access, backups) | Performance of contract |
| Workforce management (scheduling, EVV, timesheets) | Performance of contract |
| Health-care operations (documentation, care plans, nurse-note transcription powered by OpenAI Whisper) | HIPAA Business-Associate functions; performance of contract |
| AI-assisted features (drafting notes, analytics) using OpenAI GPT-4o and the AnythingLLM RAG engine | Legitimate interests / contract; PHI processed under HIPAA BAAs |
| Billing, account management, fraud prevention | Legitimate interests / legal obligation |
| Product analytics, UX improvement (aggregated & de-identified) | Legitimate interests |
| Marketing communications to business contacts (you may opt out) | Consent / legitimate interests |
*For residents of the EEA, UK, or other regions with similar laws.
5. HIPAA & Business-Associate Assurances
When we host or process PHI on behalf of a covered entity (your agency), we act as a Business Associate under the U.S. Health Insurance Portability and Accountability Act (“HIPAA”). We will:
- sign a Business Associate Agreement (“BAA”) on request;
- implement the administrative, physical, and technical safeguards required by 45 C.F.R. §§ 164.308, 164.310, and 164.312;
- use encryption in transit (TLS 1.2+) and at rest (AES-256 for databases, S3-bucket encryption for file storage);
- restrict PHI access via role-based controls;
- log and monitor system access;
- notify covered entities of any breach without unreasonable delay and in no case later than 60 days.
6. Disclosure & Sharing
We never sell personal data. We share it only:
- With service providers who perform services for us (AWS, DigitalOcean, Vercel, Twilio, Stripe, OpenAI, etc.) under written contracts that require equivalent protections.
- Within Jimeta Systems LLC for internal administration.
- As directed by you—e.g., when you export data to a third-party EMR or accounting system.
- For legal reasons—to comply with subpoenas, court orders, or lawful requests; to protect rights, safety, or property.
- In business transactions—if we merge, acquire, or sell assets; affected users will be notified and given choices.
7. International Transfers
We host primary infrastructure in the United States (currently AWS us-east-1). If you access CareForceOne from outside the U.S., you consent to transferring data to the U.S., which may have different data-protection laws. For EEA/UK users, we rely on Standard Contractual Clauses to legitimize transfers.
8. Data Security
- Network isolation via VPCs and least-privilege IAM roles.
- Separate production and staging environments.
- Automated vulnerability scanning and regular penetration tests.
- Continuous backup with point-in-time-recovery (PITR) for PostgreSQL.
- Multi-factor authentication for all privileged accounts.
- Annual HIPAA Security Rule risk analysis.
9. Retention
We retain data for the shortest period necessary:
- Workforce & patient records: as required by applicable state/federal regulations or agency contract (typically 6–7 years for clinical documentation).
- Logs & device data: up to 12 months.
- De-identified analytics: indefinitely.
- You may request early deletion where allowed by law and contract.
10. Your Rights
Depending on your jurisdiction, you may have rights to:
- access, correct, or delete personal data;
- receive an electronic copy (data portability);
- restrict or object to certain processing;
- withdraw consent at any time;
- lodge a complaint with a supervisory authority (e.g., HHS OCR, GDPR Data Protection Authority).
Requests should be sent to privacy@careforceone.net or through in-app settings. We will verify identity before fulfilling requests.
11. Cookies & Tracking
We use first-party cookies and localStorage to keep you logged in and remember preferences, plus limited third-party analytics (Matomo, Plausible, or similar privacy-focused tools). You can block cookies, but core features may stop working (e.g., session authentication).
12. Third-Party Links & Integrations
Our platform may link to or integrate with third-party services (Google Calendar, payroll, etc.). Their privacy practices govern the data they collect; review their policies before enabling integrations.
13. Children’s Privacy
CareForceOne is intended for professional users. We do not knowingly collect personal information directly from children under 13. Agencies entering pediatric patient data remain responsible for obtaining necessary consents and complying with COPPA, HIPAA, and state laws.
14. Changes to This Policy
We may update this Privacy Policy from time to time. If changes are material, we will notify account owners via email or in-app alert at least 30 days before the new terms take effect. Continued use after the effective date constitutes acceptance.
15. Contact Us
For questions, requests, or complaints, contact:
Jimeta Systems LLC / CareForceOne Privacy Office
87 Benjamin Ave, Hicksville, NY 11801, USA
✉ privacy@careforceone.net
☎ +1 (516) 259-1393
Last reviewed: May 18, 2025