Draft — For review
All documents in this library are drafts and must be reviewed by qualified legal counsel before being published or shared with users. Engage a HIPAA-specialized attorney to review the Privacy Policy, Notice of Privacy Practices, and Terms of Service before beta launch.
Trust & Safety · Public-Facing
Privacy Policy
Effective date: May 23, 2026 · Last reviewed: May 23, 2026 · Version 1.0
KGR Solutions, Inc. (“we,” “our,” or “us”) operates the Living Care platform (“Living Care,” “the Service”) accessible at livingcare.app. We are committed to protecting the privacy and security of the personal information and health-related data you share with us.
This Privacy Policy explains what information we collect, how we use it, who we share it with, your rights, and how to contact us. Living Care is not a covered entity under HIPAA. However, we have designed our technical architecture and data practices to exceed HIPAA standards as a matter of trust and ethical responsibility. No raw medical images or scanned document files are ever stored on our systems — only structured data extracted from them.
1
Information we collect
1.1 Account information
- Name, email address, and password (hashed; we never store plaintext passwords)
- Workspace role (Admin, Contributor, Viewer, or Member)
- Authentication tokens managed by Supabase Auth
1.2 Care recipient information
- Name, preferred name, date of birth, primary language, and care setting
- Relationship of the care recipient to the account holder
1.3 Health and care data (entered by users)
- Medications: name, dosage, frequency, prescriber, refill dates
- Vitals logs: blood pressure, weight, glucose, oxygen saturation, heart rate, pain level, mood
- Appointment records: date, time, provider, location, transportation needs
- Activity log entries: care tasks completed, wellness check-in responses, medication adherence events
- Care Protocol data: routines, nutrition guidance, wellness preferences, legal/end-of-life planning notes
- AI-generated Recommendations (pending human approval before any write to clinical data)
1.4 Document processing (scan and discard)
When you upload a document (PDF, JPG, or PNG) to Living Care:
- The file is read into memory on our server for the duration of a single API request.
- The file is passed to an AI extraction engine (Claude, via the Anthropic API) using an encrypted HTTPS connection.
- Structured text data extracted from the document is saved to your account.
- The original file — the image or PDF itself — is permanently discarded and never written to disk, never stored in our database, and never retained in any form.
Hard architectural constraint
We never store raw medical images, prescription photos, or scanned document files. This is enforced at the API route layer — not merely a policy preference.
1.5 Usage and technical data
- Browser type, operating system, and device type
- Pages visited and features used (no third-party advertising trackers)
- IP address and approximate location (used for fraud detection only)
- Error logs (contain no PHI)
2
How we use your information
- To provide, operate, and improve the Living Care platform
- To coordinate care among members of your Care Circle
- To generate AI-powered Recommendations for human review and approval
- To compute longitudinal trend analysis in the Care+ Insights feature
- To send transactional emails (appointment reminders, care circle invitations, wellness alerts)
- To send SMS wellness check-ins via Twilio (when enabled, and only with BAA in place)
- To detect and prevent fraud, abuse, and security incidents
- To comply with applicable law
What we do not do
We do not sell your personal information. We do not use your health data to train AI models. We do not serve advertising.
3
Who we share your information with
3.1 Care Circle members
Members of your workspace's Care Circle can view information according to their assigned role. Admins and Contributors can read and write care data. Viewers can read but not modify. Providers (physicians) have read-only access to clinical data relevant to the care recipient.
3.2 Service providers (subprocessors)
| Vendor | Purpose | Data shared | BAA status |
|---|---|---|---|
| Supabase | Database & Auth | All structured care data | PENDING — required before PHI |
| Vercel | Application hosting | Request payloads in transit | PENDING — required before PHI |
| Anthropic | Document extraction & AI | Document contents (transient, not stored by Anthropic) | PENDING |
| Twilio | SMS wellness check-ins | Phone number + check-in content | PENDING — required before SMS |
| Resend | Transactional email | Name, email, care-related content | PENDING |
HIPAA gate
No real Protected Health Information (PHI) will be processed through any of the above vendors until all required Business Associate Agreements (BAAs) are executed. This is a hard gate, not a recommendation.
3.3 Legal disclosures
We may disclose information if required by law, court order, or to protect the rights and safety of users or third parties.
4
Data retention
- Account and care data is retained for the life of the workspace, plus 7 years after termination (HIPAA-aligned).
- Activity log entries are append-only and are never deleted (audit integrity).
- Uploaded files (documents, images) are never retained — they are discarded within the same HTTP request.
- Waitlist email addresses are retained until the user requests removal or the waitlist closes.
5
Your rights
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate data.
- Deletion: Request deletion of your data, subject to legal retention requirements.
- Portability: Receive your data in a machine-readable format.
- Objection: Object to processing based on legitimate interest.
- Withdrawal of consent: Withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@livingcare.app or use our privacy request page. We will respond within 30 days.
6
Security
- All data is encrypted in transit using TLS 1.2 or higher.
- All database data is encrypted at rest (Supabase AES-256).
- Row-Level Security (RLS) is enforced at the database layer — no user can access data outside their workspace.
- Multi-factor authentication (MFA) is enforced for all users with write access.
- Audit logging records all PHI access and modification events in an append-only log.
- Document uploads are processed and discarded without touching disk or persistent storage.
See our Notice of Privacy Practices for additional health information rights.
7
Children
Living Care is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe we have inadvertently collected such data, contact us immediately.
8
Changes to this policy
We will notify registered users of material changes to this policy by email at least 30 days before the change takes effect. Continued use of the Service after that date constitutes acceptance.
9
Contact
Privacy requests: privacy@livingcare.app
Security incidents: security@livingcare.app
General support: support@livingcare.app
Mailing address: KGR Solutions, Inc., Sunnyvale, CA
© 2026 KGR Solutions, Inc. · Living Care Privacy Policy · v1.0 · May 23, 2026