Privacy Policy

Effective May 9, 2026 · mdcareflow.com · operated by Revly LLC

mdcareflow.com and the CareFlow AI platform are owned and operated by Revly LLC, a U.S. limited liability company (“Revly LLC”, “we”, “us”, or “our”). All references in this Privacy Policy to the “Service” mean the website and platform offered by Revly LLC. This Privacy Policy describes how we collect, use, disclose, and protect information when you use the Service.

Mobile information privacy commitment. No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Information sharing to subcontractors in support of the services to which the user has agreed is not considered third-party sharing for marketing or promotional purposes. All other categories of personal information are subject to the disclosures below.

1. Scope and how this Policy interacts with HIPAA

CareFlow AI is a healthcare platform used by medical practices to deliver Chronic Care Management (CCM), Remote Patient Monitoring (RPM), and related services. When we process Protected Health Information (PHI) on behalf of a healthcare practice (a “Customer”), we do so as a Business Associate under the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), pursuant to a Business Associate Agreement (“BAA”) executed with that Customer.

For PHI, the BAA and the Customer’s own Notice of Privacy Practices govern the collection, use, disclosure, and patient rights regarding that information. This Privacy Policy describes how we handle non-PHI information collected by mdcareflow.com (for example, marketing-site visitors, prospective customers, and general support inquiries) and how the Service processes information generally.

2. Information we collect

We collect the following categories of information:

  • Account information. Name, work email, role, practice affiliation, and authentication credentials managed by our identity provider (Clerk).
  • Practice and provider information. Practice name, NPI, tax ID, address, phone, fax, EMR system, and similar business contact data provided by Customer Users.
  • Patient information (PHI). When a Customer adds a patient to the Service, we receive demographic data, contact information, diagnoses, medications, allergies, vital-sign readings, lab results, encounter notes, care-management minutes, and similar clinical information necessary to deliver care. This information is PHI and is governed by the BAA between Revly LLC and the Customer.
  • Mobile / SMS information. If a Patient User opts in to receive SMS messages, we collect the mobile telephone number, opt-in timestamp, opt-in source (registration form, keyword text, etc.), message delivery status, and any keywords (such as STOP, HELP) the patient sends.
  • Device and usage data. Standard log information including IP address, browser type, operating system, pages viewed, referring URL, and timestamps. We use this for security, analytics, and service improvement.
  • Cookies and similar technologies. We use cookies and similar technologies to keep you signed in, remember preferences, and measure traffic. You can manage cookies through your browser settings.
  • Communications with us. If you contact support, sales, or legal, we keep a record of your inquiry and our response.

3. How we use information

We use information to:

  • provide, maintain, secure, and improve the Service;
  • authenticate users, prevent fraud, and detect abuse or security incidents;
  • deliver care-coordination workflows requested by the Customer practice, including scheduled SMS reminders, vital-reading prompts, education content, and provider-initiated messages;
  • generate AI-assisted clinical decision-support content (care plans, risk narratives, summaries) for review by qualified care team members;
  • respond to support requests and communicate about the Service;
  • comply with legal obligations, enforce our agreements, and protect rights, property, or safety;
  • produce de-identified analytics (de-identified in accordance with 45 CFR § 164.514) for product, research, and aggregate reporting.

4. SMS / mobile information — specific commitments

We send SMS messages to a patient only after that patient has provided prior express opt-in consent, recorded on their patient record by the healthcare practice that delivers their care. We do not send marketing or promotional SMS, and we do not enable Customer practices to use the SMS Program for marketing or promotional purposes.

  • How consent is captured. Opt-in is captured by the patient’s practice through one of the following mechanisms: (a) a written or electronic consent form signed during patient registration; (b) the patient texting a designated keyword (e.g. START) to a practice-assigned number; (c) confirmation via the patient portal; or (d) verbal consent recorded by a staff member with attestation. Each opt-in record stores the consent language presented to the patient, the timestamp, the source, and the recording staff member.
  • Right to revoke at any time. A patient may revoke consent at any time by replying STOP, END, CANCEL, UNSUBSCRIBE, or QUIT to any SMS message. The opt-out is honored immediately, the patient receives one confirmation message, and no further SMS Program messages are sent until the patient affirmatively opts back in.
  • No third-party marketing sharing. We do not sell or share mobile telephone numbers, opt-in records, or SMS message content with third parties or affiliates for marketing or promotional purposes. No exception to this commitment applies — including affiliate sharing, data-broker sharing, or analytics resale.
  • Service providers only. We share mobile information only with the SMS carrier (Twilio) and our hosting and security subprocessors, and only to the extent strictly necessary to deliver the messages the patient has consented to receive. These subprocessors are contractually bound to use the information only for that purpose.
  • Audit on request. A patient may request a copy of their SMS consent and opt-out history at any time by emailing privacy@mdcareflow.com or by contacting their healthcare practice.
  • Recordkeeping. We retain consent and opt-out records as required by TCPA, HIPAA, CTIA messaging principles, and applicable carrier rules.

5. How we share information

We share information only as described below:

  • With the Customer practice. All clinical and care-coordination data is shared back to the Customer practice that owns the patient relationship.
  • With service providers (subprocessors). We use vetted service providers to host and operate the Service, including Amazon Web Services (hosting, AI inference via Amazon Bedrock), Clerk (authentication), Twilio (SMS delivery), and similar infrastructure providers. Each is bound by written agreements that require appropriate confidentiality, security, and (where applicable) HIPAA Business Associate obligations.
  • For legal reasons. We may disclose information when required by law, subpoena, or other legal process, or when we believe in good faith that disclosure is necessary to protect rights, safety, or property.
  • Business transfers. If Revly LLC is involved in a merger, acquisition, or sale of assets, information may be transferred to the successor entity, which will continue to be bound by this Policy or by substantially similar protections.
  • With your consent. Any other sharing requires your consent or, in the case of PHI, the consent or instruction of the Customer practice as permitted by HIPAA.

We do not sell personal information. We do not sell mobile telephone numbers or any other personal information.

6. Data security

We implement administrative, physical, and technical safeguards designed to protect information against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit (TLS) and at rest, access controls, audit logging, role-based permissions, and regular security reviews. No system is impenetrable; you are responsible for protecting your account credentials and notifying us at privacy@mdcareflow.com of any suspected compromise.

7. Data retention

We retain information for as long as needed to provide the Service, comply with legal obligations (including HIPAA recordkeeping), resolve disputes, and enforce our agreements. PHI retention is governed by the applicable BAA and Customer Agreement. Marketing-site logs are retained for a shorter period consistent with security and analytics needs.

8. Your choices and rights

  • Account information. You can update your profile through the Service or by contacting your practice administrator.
  • Marketing emails. You can unsubscribe from marketing emails using the unsubscribe link in any marketing message.
  • SMS messages. Reply STOP to opt out.
  • Patient health-record rights. Patient Users have rights under HIPAA and applicable state law (including access, amendment, and accounting of disclosures). To exercise those rights, contact the Customer practice that maintains your record. We support practices in fulfilling those requests.
  • State privacy rights. Residents of California, Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws may have rights to access, delete, correct, and opt out of certain processing of personal information. PHI is excluded from most of these laws and is governed by HIPAA. To exercise non-PHI rights, email privacy@mdcareflow.com.

9. Children

mdcareflow.com is not directed to children under 13. The Service may be used to deliver care to pediatric patients only when the Customer practice has obtained appropriate parental or guardian consent and complies with applicable laws.

10. International users

The Service is operated from the United States. If you access the Service from outside the U.S., you understand that your information will be processed in the U.S., which may have different data-protection rules than your country of residence.

11. Changes to this Policy

We may update this Privacy Policy from time to time. We will post the updated Policy with a new effective date at this URL. For material changes we will provide reasonable advance notice (e.g., email or in-product notice).

12. Contact us

For privacy questions, requests, or to report a concern, contact:

© 2026 Revly LLC. All rights reserved. CareFlow AI is a product of Revly LLC.