Privacy Policy

1. Scope and Roles

This Privacy Policy applies to Cares.AI websites, platform services, implementation, and support for senior living operators.

In most deployments, the facility organization acts as data controller and Cares.AI acts as a service provider/processor under client instructions.

2. Information We Process

We process only information needed to deliver contracted services and maintain security.

• Resident and operational records (meal events, alerts, activity logs, safety workflows)
• Staff account data (role, authentication metadata, permissions)
• Technical and security telemetry (IP metadata, device/browser logs, audit trails)
• Customer support and implementation communications

3. Health and Sensitive Data

Where protected health information is involved, we apply safeguards designed for regulated healthcare-adjacent operations.

We process sensitive data solely to provide services, secure systems, and meet legal or contractual obligations.

4. Legal and Regulatory Alignment (U.S. and Quebec)

For U.S. clients, controls are designed to support HIPAA-aligned privacy, security, and incident-handling requirements where applicable.

For Quebec operations, governance is designed to align with the Act respecting the protection of personal information in the private sector (as amended by Law 25), and related Canadian privacy expectations.

5. Use of Data

We use information to provide, secure, improve, and support the platform. We do not sell resident data.

• Service delivery and reliability
• Access control, monitoring, and incident response
• Compliance support and audit exports
• Contract administration and billing

6. Cookies, Similar Technologies, and Subprocessors

Our website uses required technical cookies for core functionality. Optional analytics cookies and similar technologies are disabled by default and activated only after consent.

Our optional analytics may measure and profile aggregate usage patterns on this website (pages visited, session frequency, navigation paths). This technology is disabled by default and is only activated after your explicit consent. You may activate or deactivate it at any time via the Cookie Settings button. We do not use profiling to make automated decisions about individuals.

We share data only with authorized subprocessors necessary to operate the service, under confidentiality and security obligations.

Subprocessors are contractually restricted to approved processing purposes.

7. Security, Retention, and Incidents

We implement layered controls including role-based access, encryption controls, logging, and operational monitoring.

Data is retained according to the following schedule: website analytics data (if consented) up to 13 months; platform operational records for the duration of the client contract plus 7 years for audit purposes; security and access logs for 12 months. Data is then securely deleted or anonymized using industry-standard methods.

When a confidential incident presents a risk of serious injury to individuals, Cares.AI notifies the Commission d'accès à l'information (CAI) within 72 hours of becoming aware of the incident, and notifies affected individuals without delay, in accordance with Quebec Law 25. For applicable U.S. clients, incident handling also follows relevant federal and state notification obligations. A register of confidentiality incidents is maintained as required by law.

8. Rights and Requests (Including Quebec Law 25)

Where required by law, individuals may request access, correction, deletion, portability, and withdrawal of consent for optional technologies.

As we often act as processor/service provider, requests may be routed through the relevant facility controller.

Privacy Officer: Meaghan Pellerin, Interim Privacy Officer — privacy@cares.ai | Legal requests: legal@cares.ai

• Cookie and optional analytics consent can be changed at any time via Cookie Settings.
• Privacy requests should include your full name, organization, contact email, and request type.
• We may verify identity before processing requests involving personal information.
• We respond to privacy requests within 30 days as required by Quebec Law 25. Complex requests may be extended once, with written notice.

9. Cross-Border Processing

Depending on deployment architecture, processing may occur in Canada, the United States, or other approved jurisdictions with appropriate contractual and technical safeguards.

10. Updates

We may update this policy to reflect legal, regulatory, and operational changes. Material revisions will be posted with an updated date.

This policy is informational and does not replace organization-specific legal advice.

11. Privacy Officer and Supervisory Authority

Cares.AI has designated a Privacy Officer responsible for overseeing compliance with applicable privacy laws, including Quebec Law 25.

Privacy Officer: Meaghan Pellerin, Interim Privacy Officer — privacy@cares.ai

If you are located in Quebec and believe your privacy rights have not been respected, you have the right to file a complaint with the Commission d'accès à l'information du Québec (CAI) — the supervisory authority responsible for privacy matters in Quebec.

Commission d'accès à l'information du Québec (CAI): www.cai.gouv.qc.ca | Tel: 1 888 528-7741

12. Privacy Complaints Procedure

If you believe your personal information has been handled in a manner that does not comply with applicable privacy law, you may submit a complaint using the steps below.

• Step 1 — Submit internally: Email privacy@cares.ai with your full name, contact information, and a description of your concern. Include "Privacy Complaint" in the subject line.
• Step 2 — Acknowledgment: We will acknowledge receipt within 5 business days.
• Step 3 — Response: We will investigate and respond with our findings within 30 days. Complex cases may be extended once, with written notice.
• Step 4 — External escalation: If unsatisfied, you may file a complaint with the CAI at www.cai.gouv.qc.ca.