Privacy Policy

Last reviewed:

Pending counsel review.

This document is a starting draft intended to be reviewed and revised by qualified legal counsel before public reliance. Notify us at [email protected] if you're operating in a jurisdiction that needs specific terms.

Who this policy applies to

This policy covers two distinct groups: visitors to this marketing website (https://carehubos.com) and customers using the CareHubOS healthcare platform (the product itself). The data we collect about each group is different and processed for different purposes; relevant sections below call out which audience they apply to.

Data we collect from website visitors

When you visit this website we collect a small amount of analytics data — page paths viewed, anonymised country, anonymised device category, referrer. We do not set advertising cookies, we do not fingerprint, and we do not sell or share this data with third parties. See the cookie section below for the specifics.

When you submit a form (early-access signup, demo request, contact) we collect the fields you fill in: name, work email, organisation, number of branches, role, and any free-text message. We use these to respond to your request and, with your explicit consent, to contact you about CareHubOS updates.

Data the product processes on behalf of customers

When a hospital or clinic group uses the CareHubOS platform, they remain the data controller for the patient and clinical records they enter into the system. CareHubOS acts as a data processor, handling the data strictly according to the contractual agreement (DPA) and the customer's instructions.

We do not access patient-identifiable data for product improvement, analytics, or any other secondary use. Aggregated operational telemetry (uptime, request rates, error counts) is collected for service health monitoring; no patient identifiers are included in this telemetry.

Cookies and similar technologies

The website uses a minimal set of cookies and browser storage:

  • Essential: a small localStorage entry recording your cookie consent choice so the banner does not reappear on every page. No personal data.
  • Analytics (opt-in): if you consent, we load a privacy-friendly analytics script (Plausible by default; GA4 alternative available in self-hosted deployments) that records anonymised page-view events. No cross-site tracking, no advertising cookies.
  • Marketing (opt-in): currently unused. The consent toggle is present so we don't have to add it later if we introduce remarketing pixels.

You can change your choice at any time by clicking the “Cookie settings” link in the footer.

Where data is stored

Website data: hosted on Vercel (United States and Europe edge regions) and Resend (email delivery, EU region by default). Form submissions are stored in our CRM (currently a Notion database in the EU region) until the sales follow-up is complete.

Product data: hosting region is part of the contractual agreement with each customer. Customers in regulated jurisdictions (NHIS-accredited facilities, GDPR-bound deployments) can choose regional or on-premise hosting; default is the geographically closest supported region.

Your rights

Depending on your jurisdiction you have some or all of the following rights: access, rectification, erasure, restriction, objection, portability, and (where consent was the legal basis) withdrawal of consent. To exercise any of these rights, email [email protected] from the address you used to sign up. We respond within 30 days.

Children

The marketing website is not directed at children under 16 and we do not knowingly collect personal data from anyone under that age. The product itself processes paediatric records as part of normal clinical operations — that processing is governed by the contractual DPA between CareHubOS and the controlling facility.

Security disclosure

If you believe you have found a security issue, please email [email protected]. A PGP key is available on request. We aim to acknowledge reports within one business day and to publish a fix within an agreed coordinated-disclosure window.

Changes to this policy

Material changes to this policy will be announced at least 14 days before they take effect, via email to active early-access subscribers and a prominent banner on this site. Non-material updates (typo fixes, format changes) take effect immediately and update the “Last reviewed” date at the top.

Contact

For privacy-specific questions, email [email protected]. For everything else, the contact page has the right inbox.