Privacy Policy

Last Updated: April 30, 2026

Aligned with the CARIN Alliance Code of Conduct for Consumer-Facing Applications and the Code of Fair Information Practices.

Introduction

TendTo ("we," "us," or "our") is operated by Thoughtful Labs, LLC. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use TendTo.ai (the "Service"), an elder-care coordination platform for family caregivers.

By using TendTo, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

Information We Collect

Personal Information

  • Name and email address (account registration)
  • Profile information you choose to provide

Health Information

  • Medications, dosages, and schedules
  • Medical appointments and provider information
  • Medical records and documents you upload
  • Health notes and journal entries
  • Emergency medical information
  • Clinical data imported from connected health systems via FHIR APIs (see "FHIR Connections" below)

Financial Information

  • Bill amounts and due dates
  • Account numbers (encrypted with AES-256-GCM)
  • Payment information (processed by Stripe — we do not store card numbers)

Documents

  • Files you upload (medical records, insurance documents, legal documents, etc.)

Usage Information

  • Device type, browser, and operating system
  • Pages visited and features used
  • Error logs and performance data

How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Service
  • Process your care management data (medications, appointments, bills, documents)
  • Power AI features including the care assistant, document analysis, and drug interaction checks
  • Send service-related notifications (appointment reminders, bill due dates, medication alerts)
  • Process payments and manage subscriptions
  • Respond to support requests
  • Detect and prevent fraud or abuse

Our use of your data is limited to what you have expressly consented to and is consistent with the context in which you provided the information. We do not use your data for purposes you would not reasonably expect.

AI Data Processing

TendTo uses artificial intelligence to power features like the care assistant, document analysis, drug interaction checking, and intelligent search. To provide these features, certain data you enter or upload may be sent to our AI providers:

  • Anthropic (Claude) — Powers the AI care assistant and document analysis
  • Google (Gemini) — Powers document processing and embeddings
  • OpenAI — Optionally powers blog hero image generation (no health data sent)

These providers process data solely to deliver responses to your requests. They operate under data processing agreements with us and do not use your data to train their AI models. Data sent to these providers is transmitted securely via TLS encryption.

For clinical data imported via FHIR (see below), AI processing requires separate, explicit consent per care circle. You can grant or revoke this consent at any time from your settings.

Automated Decision-Making

We use automated systems to:

  • Surface drug interaction warnings based on your medication list
  • Suggest reminders, summaries, and care recommendations
  • Detect anomalous patterns in vitals or notes that may warrant attention

These systems assist your decisions; they do not make legal or significant decisions on your behalf. We do not use automated decision-making to deny services, change pricing, or determine eligibility for any benefit. AI-generated suggestions are advisory only and should never replace professional medical judgment. You may disable AI features at any time from your settings.

We Never Sell Your Data

TendTo does not sell, rent, or trade your personal information to third parties. Ever. This includes health information, financial information, and any other data you entrust to us. We do not engage in targeted advertising and we do not share data with advertisers, data brokers, or analytics resellers.

Data Sharing

We share your information only with:

  • AI Providers (Anthropic, Google, optionally OpenAI) — To power AI features, as described above
  • Stripe — To process payments. Stripe's privacy policy governs payment data.
  • Supabase — Our database and authentication provider, hosted in the United States. Bound by a data processing agreement.
  • Resend — Transactional email delivery (account notifications, digests). Bound by a data processing agreement.
  • Cloudflare — Bot-protection challenge during sign-up (Turnstile). No health data is sent.
  • Vercel — Hosting and infrastructure. Bound by a data processing agreement.
  • Your Care Circle — Data you enter is shared with other members of your care circle, as that is the core function of TendTo
  • Recipients of Share Links — When you generate a SMART Health Card, share token, or emergency URL, anyone with that link can view the included clinical information until the link expires or is revoked
  • Legal Requirements — If required by law, subpoena, or court order

Our subprocessors are contractually bound to use your data only for the services they provide to us, and to apply security measures consistent with the commitments made in this policy. A complete list with links to each subprocessor's data processing terms is published at /legal/subprocessors.

FHIR Connections (Medicare Blue Button & Other Connectors)

TendTo can connect to your health insurer's or provider's FHIR API to import your clinical data on your behalf. This is called consumer-directed exchange — you are exercising your individual right of access under HIPAA, with TendTo acting as your authorized agent.

What we request

For Medicare Blue Button 2.0, we request only these scopes:

  • patient/Patient.read — your beneficiary record
  • patient/ExplanationOfBenefit.read — your Part D claims
  • patient/Coverage.read — your coverage details

We do not request access to other scopes. CMS — not TendTo — authenticates you on Medicare.gov; we never see your Medicare credentials.

Persistent collection

Once connected, TendTo automatically refreshes your data approximately every six hours so it stays current. Medicare requires you to re-authorize the connection every 60 days. We will surface a reminder in the app before your authorization expires.

Where the data goes

Imported data is stored in our database alongside your other care-circle records and is visible only to circle members. Access tokens are encrypted at rest using AES-256-GCM. We do not redistribute imported clinical data to any third party other than the subprocessors named above.

Disconnecting and deleting imported data

You can disconnect a FHIR connection at any time. When you disconnect:

  • We attempt to revoke your authorization at the source (e.g., CMS)
  • The OAuth tokens are deleted from our database
  • You may choose to also delete the imported clinical data, or to leave it in place for your care circle's ongoing reference. The disconnect screen offers both options.

If you do not delete the imported data at disconnect, you can request its deletion later from Settings → Privacy & Consent or by emailing [email protected]. Imported data is also removed if you delete your account.

SMART Health Cards & Share Links

You can package your care-circle data into a SMART Health Card (SHC), a SMART Health Link, or a time-limited share token. These are designed for you to send to a doctor, insurer, or family member.

  • SMART Health Cards contain only the resources you select before issuance (medications, allergies, appointments, vitals, coverage). They are signed by TendTo so the recipient can verify the data has not been tampered with.
  • Share tokens grant time-limited (default 24 hours, max 30 days) access to a snapshot of your FHIR Bundle. You can revoke any active share token at any time from the share panel.
  • Anyone with the link can view the included data while it is active. Treat share URLs like passwords. We track when a link is opened and how many times, but we do not authenticate the recipient.

Each share or export is logged in our FHIR activity log, which is visible to your care circle.

Third-Party Individuals (Care Recipients)

TendTo is built so that family caregivers can manage information about a care recipient. In many cases, the person whose health data is stored (the "care recipient") is not the same person as the account holder. The care recipient is a third-party data subject in our records.

Caregivers are responsible for confirming they have legal authority — for example, a power of attorney, a guardianship, or the care recipient's informed consent — before entering or importing the care recipient's health data. Caregivers must not use TendTo to gather data on a person without that person's knowledge or consent (where consent is legally required). We do not sell or use a care recipient's data for marketing under any circumstance.

If you are a care recipient and believe your data has been entered into TendTo without your authorization, contact [email protected] and we will investigate and, where appropriate, remove the data.

De-identified or Pseudonymized Data

We do not currently de-identify or pseudonymize your data for any secondary use, research, analytics, or sale. If we ever introduce such a use case, we will update this policy with advance notice and offer you the option to opt out before the change takes effect. Any de-identification we perform in the future will follow 45 C.F.R. § 164.514(b) and will be paired with contractual prohibitions on re-identification by recipients.

Cookies and Tracking

We use minimal cookies, strictly for functionality:

  • Authentication cookies (Supabase) — Essential for keeping you signed in
  • Security cookies (Cloudflare Turnstile) — Used during signup to prevent automated abuse
  • OAuth state cookies — Short-lived cookies that protect FHIR connection flows from CSRF attacks

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. For more details, see our Cookie Policy.

Data Security

We take the security of your data seriously:

  • Encryption at rest — Sensitive fields (passwords, account numbers, FHIR access & refresh tokens) are encrypted with AES-256-GCM
  • Encryption in transit — All data is transmitted over TLS
  • Infrastructure — Data is hosted in the United States via Supabase
  • Access controls — Row-level security ensures users only access data within their care circles
  • OAuth hardening — FHIR connection flows use PKCE (S256) and HMAC-signed state tokens with short expirations
  • Audit logging — Every FHIR import, export, and share is recorded in an audit log visible to your care circle. Administrative access is recorded in a separate, append-only log
  • Re-identification prohibition — Our internal policies and our agreements with subprocessors prohibit any attempt to re-identify de-identified or pseudonymized data

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

Breach Notification

In the event of a security incident affecting your unsecured personal health information, TendTo will notify you in accordance with the FTC Health Breach Notification Rule (16 C.F.R. Part 318) and any other applicable federal or state law. Notice will be sent to your registered email within 60 days of discovery and will describe the nature of the breach, the categories of data involved, the steps you can take, and the steps we are taking to prevent recurrence. We will also notify the FTC and, if required by the size of the incident, prominent media outlets.

Data Retention and Deletion

  • Your data is retained as long as your account is active
  • You may request account deletion at any time by contacting [email protected] or from Settings → Privacy & Consent
  • Upon deletion request, all your data will be permanently removed within 30 days
  • If you are the sole admin of a care circle, deleting your account will delete all circle data unless ownership has been transferred
  • You may also request export of your data in a portable format (FHIR Bundle) before deletion
  • Inactive accounts: if your account has been inactive for 18 months, we will email you a warning. After an additional six months of inactivity, we will suspend the account; after an additional six months, we will permanently delete the account and its data

You have the right to be forgotten with respect to any future use or disclosure of your personal data, except where retention is required by law (for example, for tax records).

What Happens After You Withdraw Consent

When you withdraw a specific consent (for example, AI processing of FHIR-imported data, or a Blue Button connection):

  • The action covered by that consent stops immediately. AI features that depend on FHIR data become unavailable for that care circle. New imports stop.
  • You may choose whether to retain or delete any data that was previously collected under that consent. Both options are presented at the moment you withdraw.
  • If you withdraw all consents, your account remains active but most features become read-only or unavailable. You can close the account at any time.

Your Rights

You have the right to:

  • Access — view all the data you have provided or that has been imported on your behalf
  • Correct — flag inaccurate or incomplete data and request correction. For data sourced from a HIPAA-covered entity (e.g., Medicare claims), you also have the right to request amendment from that entity directly. We provide a "Report inaccurate data" control on imported records and link out to the relevant covered-entity correction process.
  • Delete — request deletion of your data, subject to legal retention requirements
  • Export — receive your data in a portable format (FHIR Bundle)
  • Withdraw consent — at any time, with the consequences described above
  • Choose third-party recipients — when generating a share link, you decide who receives it. We do not pre-populate recipients
  • Lodge a complaint — with us at [email protected] or with the FTC, your state Attorney General, or another applicable regulator

Material Changes to This Policy

We may update this Privacy Policy from time to time. For material changes — that is, changes that affect how your data is used or disclosed in ways you would not reasonably expect — we will:

  • Email you at the address on file at least 30 days before the change takes effect
  • Display an in-app banner asking you to affirmatively re-consent
  • Allow you to close your account or export your data before the change takes effect, in which case we will not apply the new terms to your data

Non-material changes (such as clarifying existing language or adding a subprocessor with equivalent commitments) are reflected by updating the "Last Updated" date at the top of this page.

Business Transfer or Wind-Down

If TendTo is acquired, merged, or otherwise transfers ownership, or if we cease operations, we will:

  • Notify you in advance and explain what is happening to your data
  • Offer you at least one of the following: (i) the ability to securely download your data, (ii) the ability to securely transmit your data to another service, (iii) confirmation that the successor entity has agreed in writing to honor commitments at least as protective as this policy, or (iv) the ability to close your account before the transfer takes effect
  • Securely dispose of any data we cannot lawfully transfer or retain

Children's Privacy

TendTo is designed for family caregivers managing elder care. While we do not impose age restrictions on the account holder (caregivers can be any age the law permits to enter into a contract), the Service is not directed at children under 13 and we do not knowingly collect personal information from children under 13 as account holders. We comply with the Children's Online Privacy Protection Act (COPPA) where applicable. If you believe a child under 13 has registered an account, please contact us at [email protected] and we will delete the account promptly.

For care recipients under 13, the caregiver must have parental authority and the child's data must only be processed in service of caregiving.

California Privacy Rights (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Opt out of the sale of personal information — though we never sell your data
  • Non-discrimination for exercising your privacy rights

To exercise these rights, contact us at [email protected]. We will respond within 45 days.

HIPAA Disclaimer

TendTo is a personal health management tool for family caregivers — similar to consumer health apps like Apple Health or CareZone. TendTo is not a covered entity or business associate under HIPAA (the Health Insurance Portability and Accountability Act). We are not a healthcare provider, health plan, or healthcare clearinghouse. We are likely a "PHR-related entity" subject to the FTC's Health Breach Notification Rule.

While the HIPAA regulatory framework does not directly apply to us, we voluntarily commit to the CARIN Alliance Code of Conduct for Consumer-Facing Applications and the Code of Fair Information Practices. Read our full attestation at /legal/carin.

CARIN Trust Framework Commitment

TendTo endorses the CARIN Alliance Code of Conduct for Consumer-Facing Applications. Our public attestation, including the eight Code of Fair Information Practice principles we commit to (Transparency, Consent, Use & Disclosure, Individual Access, Security, Provenance, Accountability, Education), is published at /legal/carin.

Our designated executive officer responsible for these commitments is identified there. Any user, regulator, or member of the public may report a concern to [email protected].

Privacy Officer & Contact

If you have questions, concerns, or complaints about this Privacy Policy or our privacy practices, contact:

Privacy Officer, Thoughtful Labs, LLC

169 Madison Ave, STE 83989

New York, NY 10016

Privacy concerns: [email protected]
Legal: [email protected]
General support: [email protected]

We will acknowledge complaints within five business days and respond substantively within 30 days. If you are not satisfied with our response, you may also file a complaint with the U.S. Federal Trade Commission, your state Attorney General, or any other applicable regulator.