Privacy Policy
Last updated: May 23, 2026.
1. Who we are
Homecaria is a software platform (SaaS) for home care agencies in Latin America. It is operated by Homecaria SpA (in formation), domiciled in Santiago, Chile. For the purposes of Chile's Law 19.628 on the Protection of Private Life, Homecaria acts as a data processor for the data that client agencies (data controllers) upload to the platform.
2. What data we process
We process the following categories of personal data:
- Identification of agency users (owners, coordinators, caregivers): name, email address, phone number, assigned role.
- Patient identification: name, date of birth, sex, national ID or passport, address, geographic coordinates of the address.
- Patient health data (sensitive data under art. 2 letter g of Law 19.628): vital signs recorded during shifts, clinical notes, observations, incidents, medication administered, transcriptions of handwritten notes.
- Patient photographs (biometric data): images uploaded by the caregiver during the shift, only when there is recorded express consent from the guardian (see section 5).
- Data of responsible family members: name, relationship, phone number.
- Operational data: shift schedules, start/end check-ins with optional geolocation, assignments, billing and payment amounts.
- Technical metadata: IP address of the last access, browser, log of critical actions (audit log).
3. Why we process the data
We process the data exclusively to:
- Provide the service contracted by the agency (shift management, clinical records, communication with the family).
- Generate the specific features that the agency enables: AI-assisted transcription, extraction of vital signs from dictation or photo, dashboards.
- Comply with legal obligations (audit log, the data subject's right of access, right to be forgotten).
- Improve the security and availability of the service (error monitoring, anonymous usage metrics).
We do not use the data for advertising, we do not sell it, and we do not share it with third parties for commercial purposes. Nor do we train general AI models with your patients' clinical data.
4. Legal basis for processing
Processing is carried out under the following legal bases:
- Consent of the patient's guardian for health data and biometric data (art. 4 and 10 of Law 19.628; art. 11 LGPD Brazil).
- Performance of the contract between Homecaria and the client agency for operational data and user identification data.
- Legitimate interest for technical metadata strictly necessary to operate and secure the service.
5. Consent to share patient photographs
Patient photographs are sensitive biometric data. That is why we apply an additional control: the caregiver can only upload photos when the system records that the patient's guardian has granted express consent (the photos_consent_at field in our database). Until that consent exists, the database security rules block any insertion, even if a client tried to bypass the validation.
The guardian can revoke this consent at any time by contacting the agency. The revocation takes effect in less than 24 hours and removes future access to photos (photos already uploaded are deleted if the guardian expressly requests it).
6. Who can see your data
- Isolation by agency. One agency's data is never accessible to another agency. This is enforced at the database level (Row-Level Security in PostgreSQL), not just in the application.
- Isolation by role. A caregiver only sees the shifts assigned to them; never the agency's full patient list.
- Families. Each family member accesses only the information of the patient linked to their unique link. Links expire and can be rotated or revoked by the agency.
7. Subprocessors
To operate the platform we use the following external services, all subject to their own privacy policies and to data processing agreements:
- Supabase Inc. — database, authentication, file storage (servers in the United States / European Union depending on the project's region).
- Anthropic PBC — provider of the Claude artificial intelligence model, used to transcribe voice, extract vital signs and read handwritten notes. Anthropic does not train its models with data sent through the API.
- Google LLC — geocoding (converting addresses into coordinates) and optional authentication via Google.
- Resend — sending transactional emails.
- Firebase Hosting (Google) and Vercel Inc. — hosting of the application and the website.
Some of these providers process data on servers outside Chile. We take the necessary contractual safeguards so that the processing remains compliant with Law 19.628.
8. Artificial intelligence
When a caregiver dictates a note by voice or takes a photo of a handwritten note, we send the audio or image to Anthropic's Claude model to transcribe it and extract vital signs. These transmissions:
- Are not used to train the model (contractual policy with Anthropic).
- Are recorded in our audit log with the operator, date, patient and type of operation.
- Are subject to the same monthly quota configurable per agency.
- The transcription is always returned to the caregiver for review before being saved in the clinical record — the AI never records clinical data without human verification.
9. Retention period
Data is retained as long as the agency keeps its account active and for the additional period required by applicable legislation for clinical records (in Chile, a minimum of 15 years for clinical files, under MINSAL Technical Standard No. 196). Once that period expires, the data is irreversibly deleted.
When an agency cancels its account, its data remains available for export for 30 days and is then deleted.
10. Your rights as a data subject
If your data is in Homecaria as a patient or family member, you can exercise the following rights:
- Access: request a copy of your personal data.
- Rectification: correct inaccurate data.
- Cancellation / erasure: delete your data. This request is executed in less than 7 business days and deletes the patient's data and all its references (photos, clinical notes, assignments).
- Objection: object to processing on legitimate grounds.
- Withdrawal of consent to share photographs or any other processing based on consent.
Request any of these rights at privacidad@homecaria.com. If your request concerns a specific patient, it will be forwarded to the agency that cares for them, since that agency is the primary data controller.
11. Security
- All communications are encrypted with TLS 1.2 or higher.
- Data at rest is encrypted with AES-256 at the provider level.
- Passwords are stored with bcrypt; we never have access to passwords in plain text.
- Photographs are only served through signed URLs that expire after 1 hour.
- Critical actions (deletion of patients, rotation of family tokens, access to photos) are recorded in an immutable audit log.
12. Minors
Homecaria is intended for staff of adult care agencies. We do not intentionally process data of minors under 14 years of age as users of the platform. If a patient is a minor, consent for the processing of their data must be granted by their legal representative.
13. Changes to this policy
If we materially modify this policy, we will notify client agencies by email at least 15 days in advance. The "last updated" date at the top of the document always reflects the current version.
14. Contact
Questions, requests or complaints about privacy: privacidad@homecaria.com.