1. Introduction
This Privacy Policy describes how Carevoices ("Carevoices," "we," "us," or "our") collects, uses, discloses, and safeguards personal information that we receive in connection with the operation of our website at carevoices.health (the "Site") and our AI-moderated qualitative research platform (the "Service").
Carevoices operates in the United States and our customer base consists primarily of pharmaceutical, medical device, healthcare SaaS, hospital system, and healthcare advertising agency organizations. Our clinician panelist base consists of nurses, nurse practitioners, physician assistants, physicians, specialists, and other licensed healthcare professionals primarily located in the United States.
2. Definitions Specific to Carevoices
- Covered Entity — A health plan, healthcare clearinghouse, or healthcare provider that transmits health information in electronic form, as defined under HIPAA.
- Business Associate — Carevoices acts as a Business Associate under HIPAA when processing Protected Health Information (PHI) on behalf of a Covered Entity customer.
- Protected Health Information (PHI) — Individually identifiable health information held or transmitted by a Covered Entity or Business Associate, as defined under HIPAA.
- Clinician Panelist — A licensed healthcare professional who has signed up to participate in research conducted via the Carevoices platform.
- Customer — An organization (pharmaceutical company, medical device manufacturer, hospital system, agency, or similar) that has contracted with Carevoices to conduct research.
3. Information We Collect
3.1 From Customers
When a Customer engages our Service, we may collect: organizational information, billing details, study briefs, stimuli for research (subject to compliance review), and any other information the Customer provides in the course of an engagement. Some Customer-provided information may include Protected Health Information, in which case our Business Associate Agreement governs handling.
3.2 From Clinician Panelists
To verify panelists and route them to relevant research, we collect: name, email, phone, professional license information (state license number, NPI), specialty, practice setting, employer attestation, payment information for honoraria, and tax identification for IRS reporting. We do not collect patient-specific health information from clinician panelists.
3.3 From Site Visitors
When you visit the Site, we collect standard web analytics: IP address (anonymized at processing), browser type, pages visited, referring URL, and timestamps. We use cookies and similar technologies as described in Section 8.
3.4 During Research Interviews
When a Clinician Panelist participates in a research interview, our AI moderator records audio, video, and transcribed text. Recordings are stored under our Business Associate Agreement with the Customer who commissioned the research. Identifiers within transcripts are stripped using HIPAA Safe Harbor methodology before any output is delivered to the Customer.
4. How We Use Information
Carevoices uses collected information to: provide and improve the Service, operate the clinician panel (recruitment, verification, payment), conduct research engagements on a Customer's behalf, generate de-identified deliverables, and meet our legal and contractual obligations. We do not sell personal information.
Important: We do not use Customer interview data, transcripts, or panelist personal information to train artificial intelligence models. Our AI moderator uses base models from third-party providers (Anthropic, OpenAI, Google) under contractual terms that prohibit training on our customer or panelist data.
5. HIPAA and PHI Handling
For engagements involving Protected Health Information, Carevoices acts as a Business Associate of the Customer Covered Entity. Our handling is governed by our standard Business Associate Agreement (BAA), which includes:
- Limitations on use and disclosure of PHI
- Safeguards to prevent unauthorized access
- Breach notification obligations matching HHS guidance
- Customer audit rights
- Subcontractor restrictions
- Termination and PHI return / destruction provisions
De-identification is performed using HIPAA Safe Harbor methodology — all 18 categories of identifiers are detected and redacted before transcript delivery. Re-identification keys are held by Carevoices under the BAA and are not shared with Customers absent specific contractual agreement.
6. Sunshine Act / Open Payments
When a pharmaceutical or medical device Customer pays Carevoices for a study that includes payments to physician or other covered-recipient panelists, the Customer may have Open Payments reporting obligations under Section 6002 of the Affordable Care Act. We support Customer Open Payments compliance by capturing necessary panelist data (NPI, license, specialty, address) at intake and providing CMS-format export data on request. For default-blinded studies, the Customer typically does not learn participant identity and corresponding transfers of value generally do not trigger reporting; consult the BAA for engagement-specific terms.
7. Data Sharing and Disclosure
We disclose information: to Customers (de-identified deliverables under BAA terms), to service providers under written agreements (cloud infrastructure, payment processors, identity verification, analytics), and as required by law. We do not sell personal information to third parties.
8. Cookies and Tracking
The Site uses cookies and similar technologies for essential functionality, analytics, and conversion measurement. We do not deploy advertising trackers (Meta Pixel, Google Ads conversion tags, or similar) on pages that may be associated with health-related content.
9. Data Residency
All Carevoices data is stored, processed, and transmitted within United States regions of AWS and GCP. We do not route data through international processing. Backups are also US-region locked. Region commitments are confirmed in writing in customer contracts.
10. Data Retention
Customer engagement data (transcripts, recordings, study artifacts) is retained for the duration specified in the engagement contract, typically 12-36 months post-engagement, after which data is destroyed unless extended retention is contractually agreed. Panelist personal information is retained while the panelist is active and for 7 years following deactivation to meet IRS recordkeeping requirements for honoraria payments.
11. Your Rights
Depending on your jurisdiction, you may have rights to access, correct, delete, or port your personal information, or to object to or restrict its processing. Contact privacy@carevoices.health to exercise these rights. Clinician Panelists have additional rights specifically detailed in the Panelist Agreement.
12. International Considerations
Carevoices currently operates exclusively under US data residency. Engagements involving panelists or patients outside the United States are accommodated under our Data Processing Agreement (DPA) with appropriate Standard Contractual Clauses (SCCs); see /data-processing-agreement/.
13. Changes to This Policy
We may update this Privacy Policy from time to time. The "Effective" date at the top reflects the most recent revision. Material changes will be communicated to active Customers and Clinician Panelists through email and prominent Site notice.
14. Contact
Questions about this Privacy Policy or our practices: privacy@carevoices.health. For HIPAA-specific requests, including BAA copies, breach inquiries, or de-identification methodology documentation: compliance@carevoices.health.