Privacy Policy

Effective Date: April 11, 2026

TraceCare (“we,” “us,” or “our”) operates the web application at tracecare.health. This Privacy Policy describes how we collect, use, store, share, and protect your information and your child’s information when you use our platform.

TraceCare is designed for families and care teams supporting children with autism, ADHD, developmental delays, and other neurodevelopmental differences. We take the privacy of your child’s information seriously.

1. Information We Collect

Account Information

When you create an account, we collect your email address. We use passwordless authentication (magic link) — we do not collect or store passwords.

Child Profile Information

When you create a child profile, you may provide:

• Child’s name and age
• Diagnosis information
• Communication methods and modalities
• Reinforcers, antecedents, and skill targets
• Sensory notes and daily routine
• Intervention history and outcomes

All profile fields are optional. You control what information you share.

Behavioral and Wellness Data

As TraceCare evolves, you may have the option to log additional data types to improve the personalized guidance your child receives. These may include:

• Sleep patterns (bedtime, wake time, quality, night wakings, melatonin timing)
• Sensory experiences and sensory load ratings across multiple domains
• Mood and emotional regulation check-ins (caregiver-observed and, where age-appropriate, child self-report)
• Routine changes, schedule disruptions, and environmental context
• Crisis events, de-escalation strategies attempted, and outcomes
• Other health and wellness observations you choose to share

All logging is voluntary. You choose what to track and can stop at any time.

Connected Device Data

TraceCare may offer optional integrations with health platforms such as Apple HealthKit or Google Health Connect. If you enable these integrations, TraceCare will access only the specific data types you authorize (such as sleep data). You can disconnect these integrations at any time. We will never access connected device data without your explicit opt-in.

Conversation Data

When you use the chat feature, your messages and the AI’s responses are processed to provide personalized guidance. The AI uses your child’s profile information, calibration settings, and relevant intervention history to generate responses. Chat history within a session is used for conversational context but is not permanently stored as a searchable archive.

Intervention Outcomes

When the AI suggests an intervention and you provide feedback on how it worked (through follow-up cards), we store that outcome data in your child’s profile. This data is used to improve future suggestions for your specific child and is a core part of how TraceCare learns over time.

Usage and Technical Data

We collect standard technical data necessary to operate the platform, including browser type, device information, and error logs. We use localStorage in your browser to store non-sensitive preferences such as your selected role and calibration settings. We do not use tracking cookies, third-party analytics, or advertising pixels.

2. How We Use Your Information

We use the information we collect to:

• Provide personalized, evidence-based behavioral guidance specific to your child
• Generate progress reports, weekly summaries, and clinical documentation
• Improve AI responses over time based on what has worked for your child (the learning loop)
• Calculate predictive behavioral risk scores when predictive features are available
• Generate personalized crisis de-escalation protocols based on your child’s profile
• Identify patterns across behavioral, sleep, sensory, and wellness data to surface actionable insights
• Enable authorized care team members to access and contribute to your child’s profile
• Send you transactional emails (magic link login, team invitations)
• Improve the TraceCare platform and develop new features

Our Data Commitments

We do not sell, rent, or share your personally identifiable information or your child’s identifiable profile data with any third party for their own purposes. No third party will ever receive your name, your child’s name, or any information that could identify your family from TraceCare, except the service providers listed in Section 4 who process data on our behalf to operate the platform.

We do not display advertisements. Your data is never used for ad targeting or shared with advertisers. TraceCare will never introduce advertising as a revenue model.

3. De-Identified Data, Research, and Aggregate Insights

TraceCare’s long-term mission includes advancing the understanding of what works for children with neurodevelopmental differences. Over time, our platform accumulates intervention outcome patterns that can contribute meaningfully to research and improve care for all children.

By using TraceCare, you consent to our use of de-identified, aggregate data — from which all personally identifying information has been permanently removed — for the following purposes:

• Improving TraceCare’s AI recommendations, predictive models, and platform features
• Identifying population-level patterns (e.g., “Children with similar profiles respond better to intervention X than Y”)
• Contributing to peer-reviewed academic research on neurodevelopmental interventions
• Supporting value-based care reporting for the broader behavioral health field
• Developing new tools and products that serve the neurodevelopmental community

What de-identified means: De-identification permanently removes all information that could identify a specific child or family, including names, email addresses, dates of birth, geographic identifiers, and any other data points defined under HIPAA Safe Harbor standards (45 CFR § 164.514(b)). No individual child or family can be identified from de-identified aggregate data.

If we establish formal research partnerships with academic institutions, IRB (Institutional Review Board) oversight will be obtained where required. For research involving identifiable data (which we do not currently conduct), we will seek your explicit, informed consent separately. We will update this policy and notify you before any material changes to how aggregate data is used.

4. Third-Party Services

TraceCare uses the following third-party services to operate:

• Supabase — Database hosting, authentication, and data storage. Your data is stored in a PostgreSQL database hosted by Supabase with encryption at rest and in transit.
• Anthropic (Claude API) — AI processing. Your child’s profile data and your chat messages are sent to Anthropic’s API to generate responses. Anthropic processes this data according to their API data policy and does not use API inputs to train their models. Anthropic’s data retention policies for API requests are governed by their terms of service.
• OpenAI — Text embedding generation for our clinical knowledge base only. Your child’s personal data is not sent to OpenAI. Only clinical reference documents are processed.
• Resend — Email delivery for authentication links and team invitations.
• Render — Application hosting.

As TraceCare grows, we may integrate additional service providers, which may include payment processors (for subscription billing), health data platforms (HealthKit, Google Health Connect), school communication systems, or EHR integration partners. We will update this policy to reflect any new third-party services that access your data before they are activated, and will obtain your consent where required.

5. Data Sharing and Access

You control who can access your child’s profile. As the profile owner, you can invite care team members (parents, RBTs, BCBAs, extended support) to view your child’s profile. Each invited user receives a specific role with defined, server-enforced permissions. You can revoke access at any time.

We will not share your identifiable data with any party not listed in Section 4 without your explicit consent, except as required by law (such as a valid subpoena, court order, or mandatory reporting obligation).

Future Sharing Contexts

As TraceCare expands, additional sharing contexts may include:

• School personnel you authorize to access relevant portions of your child’s data
• Clinical documentation shared with insurance providers at your explicit request
• Health system integrations (EHR) that you authorize
• Asynchronous clinical review by BCBAs you select

In every case, sharing your identifiable data with any new party will require your explicit, informed consent. We will never share your identifiable information without your authorization.

6. Data Security

We implement the following security measures to protect your data:

• All data is encrypted in transit using TLS/HTTPS
• Data is encrypted at rest in our database
• Passwordless authentication eliminates password-related vulnerabilities
• Row-level security ensures users can only access their own data
• Server-side role enforcement prevents unauthorized access escalation
• API keys are stored as environment variables, never in client-side code
• Regular key rotation and security reviews

As we expand into clinical use cases, we will implement additional safeguards including session timeouts and automatic logout, comprehensive audit logging with defined retention periods, multi-factor authentication for clinical users, Business Associate Agreements (BAAs) with all vendors that handle protected health information, formal security risk assessments, and incident response procedures.

While we take reasonable measures to protect your information, no internet-based service can guarantee absolute security. In the event of a data breach affecting your personal information, we will notify you in accordance with applicable law (see Section 11).

7. Data Retention and Deletion

Your child’s profile data and intervention history are retained as long as your account is active. This data is what enables TraceCare to provide increasingly personalized guidance over time — the longer it’s retained, the more specific the guidance becomes.

You may request complete deletion of your account and all associated data (including all child profiles, intervention history, care team invitations, and conversation data) at any time by emailing support@tracecare.health. We will process deletion requests within 30 days and confirm deletion via email.

Upon deletion:

• All personally identifiable data is permanently removed from our systems
• We will instruct our third-party service providers to delete your data in accordance with their retention policies
• Any previously de-identified aggregate data that was derived from your usage cannot be traced back to you and is not subject to deletion requests, as it contains no identifying information
• Backup copies may persist in encrypted backups for up to 90 days before being automatically purged

8. Children’s Privacy and COPPA Compliance

TraceCare is a tool for parents and caregivers — it is not designed for use directly by children. All accounts must be created by individuals who are at least 18 years old.

We collect information about children only as provided by their parent or legal guardian through the child profile feature. We do not knowingly collect information directly from children under 13. If we learn that information has been collected from a child under 13 without verifiable parental consent, we will delete that information promptly.

The child profile data you provide is treated with the highest level of care. It is used exclusively to provide the TraceCare service to you and is never sold, rented, or shared for marketing purposes.

9. Your Rights

Regardless of where you live, you have the right to:

• Access all data stored in your child’s profile at any time through the app
• Update or correct any profile information at any time
• Export your data via the PDF report feature (with additional export formats planned)
• Revoke access for any invited team member at any time
• Opt out of any optional connected device integrations
• Request complete deletion of your account and all identifiable data
• Receive notification of material changes to this Privacy Policy
• Withdraw consent for optional data collection features at any time without affecting the core service

10. State and Regional Privacy Rights

California Residents (CCPA/CPRA): If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act, including the right to know what personal information we collect, the right to delete your personal information, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising your privacy rights.

Other U.S. States: Several U.S. states have enacted comprehensive privacy laws (including Colorado, Connecticut, Virginia, Utah, and others). If you are a resident of a state with applicable privacy legislation, you may have additional rights regarding your personal information. We will honor valid requests consistent with applicable law.

International Users: TraceCare is currently operated from the United States. If you access TraceCare from outside the United States, your data will be transferred to and processed in the United States. By using TraceCare, you consent to this transfer. If you are located in a jurisdiction with data protection laws (such as the EU/EEA under GDPR), we will comply with applicable legal requirements for cross-border data transfers.

To exercise any of these rights, contact us at support@tracecare.health. We will respond to verified requests within the timeframes required by applicable law.

11. Data Breach Notification

In the event of a security breach that compromises your personally identifiable information or your child’s profile data, we will:

• Investigate and contain the breach as quickly as possible
• Notify affected users via email within 72 hours of confirming the breach, or within the timeframe required by applicable law, whichever is shorter
• Provide a clear description of what information was affected and what steps we are taking
• Report the breach to relevant regulatory authorities as required by applicable law
• Offer guidance on steps you can take to protect yourself and your child

12. Healthcare Compliance

TraceCare is currently in a parent-only phase. A parent managing their own child’s data for personal use is not a covered entity under HIPAA, and HIPAA does not currently apply to TraceCare’s operations.

When TraceCare introduces clinical features that enable healthcare providers to document sessions, make clinical decisions, generate insurance documentation, or otherwise use the platform as part of clinical care delivery, we will implement full HIPAA compliance, including:

• Business Associate Agreements (BAAs) with all vendors that process protected health information (PHI)
• Comprehensive audit logging of all access to PHI
• Session timeouts and automatic logout for clinical users
• Formal security risk assessments conducted and documented annually
• Breach notification procedures compliant with the HIPAA Breach Notification Rule
• Workforce training documentation for any employees or contractors with PHI access

We will notify you of any material changes to our compliance posture before they take effect.

13. Not a Substitute for Professional Care

TraceCare is a clinical support tool. It does not replace professional medical advice, diagnosis, or treatment from qualified healthcare providers including BCBAs, physicians, or therapists. AI-generated content may contain errors and should always be verified with your child’s care team before being used as the basis for treatment decisions. Always consult with your child’s care team before making significant changes to their treatment plan.

14. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via the email address associated with your account at least 15 days before the changes take effect. Your continued use of TraceCare after changes take effect constitutes acceptance of the updated policy. If you do not agree with the changes, you may discontinue use and request account deletion.

We will maintain an archive of prior versions of this Privacy Policy, available upon request.

15. Contact Us

If you have questions about this Privacy Policy, want to exercise your privacy rights, or want to request data deletion, contact us at:

Email: support@tracecare.health
Website: tracecare.health