Privacy Policy

Carewise Health Statement of Privacy

Last Modified: February 20, 2026

Introduction

Carewise Health, Inc. (“Company” or “We”) respects your privacy and is committed to protecting it in accordance with this Statement. This Statement explains the types of personal information we collect in two ways:

  • Information collected directly from you when you visit or interact with our website at www.CarewiseHealth.com; and
  • Information about you provided to us by our clients—such as your health plan, provider, or employer group—when we process data on their behalf through our products and services.

This Statement also describes our practices for collecting, using, maintaining, protecting, and disclosing both categories of information.

This policy applies to information we collect:

  • Through our Products, or in email, text, and other electronic messages between you and our Products;
  • About you from our customers and affiliates when we process data on their behalf; and
  • When you interact with our advertising or applications on third-party websites and services that include links to this Statement.

This policy does not apply to information collected by:

  • Us offline or through any other means, including on any other website operated by the Company or any third party (including our affiliates and subsidiaries); or
  • Any third party (including our affiliates and subsidiaries), including through any application or content (including advertising) that may link to or be accessible from or on this Website.

Please read this policy carefully to understand our practices regarding your information and how we handle it. If you do not agree with our policies and practices, please do not use our Website or Products. We may update this policy from time to time to reflect changes in our practices or applicable laws. When we make updates, we will post the revised version on this page with an updated “Last Modified” date.

Changes to Our Statement of Privacy

We may update this Statement from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will post the updated version on this page and revise the “Last Modified” date at the top of the Statement. If we make material changes that affect how we handle personal information, we will provide additional notice—such as by posting a notice on the Company Website or Product home page. We encourage you to review this Statement periodically to stay informed about how we protect your information.

Personal Data Collected Through This Carewise Health Website

Children under the Age of Eighteen

This website is not intended for children under 18 years of age. No one under age 18 may provide any personal information through this website. We do not knowingly collect personal information from children under 18. If you are under 18, do not use or provide any information on this website or through any of its features, including your name, address, telephone number, email address, or any username you may use. If we learn that we have collected or received personal information from a child under 18 without appropriate consent, we will delete that information. If you believe we may have information from or about a child under 18, please contact us using the information provided in the Contact Information section of this Statement.

California residents under 18 years of age may have additional rights regarding the collection of their personal information. Please see Your Privacy Rights for more information.

Information We Collect Automatically and Your Choices About Tracking

As you navigate and interact with this website, we may automatically collect certain technical and usage information about your visit. This may include your IP address, browser type, device and operating system details, referring URLs, pages viewed, and general browsing patterns. We may collect this information through cookies, web beacons, and similar tracking technologies.  [CR-1608]

We also collect information in the following ways:

  • Directly from you, when you submit a form or otherwise interact with features on this website.
  • From third parties, such as business partners that support website functionality, analytics, or advertising services.

Automatically collected information may include personal information, and we may associate it with information you provide to us or with data received from third parties. This information helps us operate, maintain, and improve this website and provide a more personalized user experience. Examples include:

  • Estimating audience size and usage patterns;
  • Storing information about your preferences;
  • Improving search speed and responsiveness;
  • Recognizing you when you return to the website.

We use the following technologies for automatic data collection:

  • Cookies. A cookie is a small file placed on your device. You may refuse cookies by adjusting your browser settings; however, disabling cookies may limit your ability to access certain features of this website. Unless disabled, cookies will be issued when you visit the website.
  • Web Beacons. Pages of the website and certain emails may contain small electronic files (such as clear gifs, pixel tags, or single‑pixel gifs) that allow us to count users who visit specific pages or open emails and generate related statistics.

Our website provides cookie‑management tools that allow you to disable marketing, advertising, and other optional tracking technologies. These controls allow you to object to the use of your personal information for online tracking or automated means associated with direct marketing. You may change your preferences at any time through the Cookie Settings link on this website or by adjusting your browser’s privacy controls. [CR-1609]

Do Not Track Signals

Your browser may offer a “Do Not Track” setting to indicate your preference regarding behavioral tracking. At this time, our website does not respond to Do Not Track signals; however, you may manage tracking technologies and preferences through the Cookie Settings link or your browser’s privacy controls.

How We Use Information Collected Through This Website

We use the information collected through this website, including any personal information, for the following purposes:

  • To provide you with information or services that you request from us;
  • To respond to inquiries or communications you submit through this website;
  • To fulfill the purpose for which you provide the information;
  • To improve and personalize your experience on this website, including through analytics and cookie‑based preferences;
  • To communicate with you about topics, resources, or services that may be of interest to you, where permitted by law and your preferences;
  • For any other purpose disclosed to you when you provide the information;
  • For any additional purpose with your consent.

If you do not want us to use your information for optional communications, you may opt out by using any mechanism provided on the form where your information is collected or by contacting us using the details provided in the Contact Information section of this Statement. [CR-1608]

Choices About How We Use and Disclose Your Information

We provide several choices regarding the personal information collected through this website. These controls allow you to manage how certain data is used for analytics, marketing, and communications.

Tracking Technologies and Cookies

You may configure your browser to refuse all or some browser cookies, or to alert you when cookies are being set. Please note that disabling cookies may limit the functionality of certain features on this website.

Optional analytics, marketing, and advertising cookies may also be managed through the Cookie Settings link on this website.

Promotional Communications

If you do not wish to receive promotional emails or other optional communications from us, you may opt out by using the mechanism provided on the form where your information is collected or by contacting us using the information provided in the Contact Information section of this Statement. If you receive a promotional email from us, you may reply requesting removal from future communications.

Targeted Advertising

If you do not want us to use information collected through this website for advertising tailored to your interests, you may adjust your cookie preferences through the Cookie Settings link or set your browser to block cookies.

We do not control the collection or use of your information by third parties for their own advertising purposes. Many advertising providers offer opt‑out mechanisms, including the Network Advertising Initiative (NAI) at https://thenai.org/opt‑out/.

Your Privacy Rights

California Residents

If you are a California resident, you may have additional rights regarding the personal information collected through this website. These rights may include access, deletion, correction, and the right to opt out of certain data uses, depending on the nature of your interaction with this website.

More information about these rights is available at: https://oag.ca.gov/privacy/ccpa.

California’s “Shine the Light” law (Civil Code § 1798.83) permits California residents to request information regarding our disclosure of certain personal information to third parties for their direct marketing purposes. To make such a request, please contact us using the information provided in the Contact Information section of this Statement.

Nevada Residents

Nevada residents may submit a request to opt out of the sale of certain personal information under Nevada Revised Statutes Chapter 603A by contacting us using the information in the Contact Information section of this Statement.

However, we do not currently sell personal information in a manner that triggers Nevada’s opt‑out requirements.

Your Right to Object to Direct Marketing

You may object at any time to the use of your personal information collected through this website for direct marketing purposes, including any profiling related to such marketing. If you submit an objection, we will stop using your personal information for direct marketing unless required by law to continue.

To make such a request, please contact us using the details provided in the Contact Information section of this Statement.

Company Website Data Security

The transmission of information over the internet is not completely secure. Although we implement measures designed to protect the personal information collected through this website, we cannot guarantee the security of information transmitted to or from the website. Any transmission of personal information is at your own risk. We are not responsible for the circumvention of any privacy settings or security measures implemented on this website.

Carewise Health Processing of Client-Provided Personal Data

Information We Collect to Provide Our Products and Services

Carewise Health does not collect personal information directly from individuals for use in our products. All identifiable information used in connection with our analytics or operational services is provided to us exclusively by our clients—such as health plans, providers, employer groups, or their authorized business associates—and is processed solely under their documented instructions. [CR-1593] [CR-1849]

We may collect limited personal information from client‑authorized users in order to administer access to secure portals, platforms, or tools. This information may include: [CR-1849]

  • Contact information, such as name, email address, phone number, job title, or organizational affiliation, provided by the client or by the user as part of account setup;
  • Authentication and access‑related information, such as usernames, user‑role assignments, and password credentials (stored in accordance with security requirements); and
  • Operational or support‑related information, such as records of communications or support requests submitted by client personnel.

In addition, our clients may transmit personal data—including PHI/PII—to Carewise Health for processing as part of contracted services. This data may include: [CR-1849]

  • Identifiable health information, eligibility details, claims data, encounter data, or other information required for analytics;
  • Identifiers or demographic attributes required to match or link records for processing purposes;
  • Files, datasets, or feeds transmitted through secure channels as part of normal data‑exchange operations.

Carewise Health does not automatically collect information about client users’ devices, browsers, or online activity for product‑delivery purposes and does not use cookies or web‑tracking technologies in the operation of its analytics products.

All personal data used for product delivery is processed, stored, and secured in accordance with contractual requirements and applicable privacy and security laws.

Notice at Collection and Real‑Time or Layered Notice

Carewise Health does not collect personal information directly from individuals in its role as a data processor. All identifiable information we process is provided exclusively by our clients—such as health plans, providers, employer groups, or their authorized partners—who act as the data controllers for that information. [CR-1596] [CR-1597]

Because we do not directly collect personal information from individuals, real‑time or layered notices at the point of collection are not applicable to our operations. Our clients and participating providers are responsible for supplying any required notices under applicable privacy laws at the time they collect information from their members, patients, or employees.  [CR-1849]

Carewise Health supports this requirement through contractual obligations that require each client to attest that they:

  • provide appropriate and legally compliant notices at the time of collection;
  • inform individuals of the purposes for which their personal information is collected; and
  • ensure compliance with all applicable privacy regulations governing notice obligations.

In our role as a processor, Carewise Health handles personal information solely in accordance with the documented instructions of our clients and only for the purposes defined in the governing agreements. [CR-1796] [CR-1849]

How We Use Client‑Provided Personal Data (Processor Role)

We use personal data provided to us by our clients—or their authorized partners—solely to deliver our products and services in accordance with the contracts and written instructions issued by those clients. Our uses include:

  • Operating, maintaining, and presenting our products and their contents as required to support analytics, reporting, modeling, or other services specified in the client agreement;
  • Carrying out our obligations and enforcing our rights under the agreements we enter into with clients, including service delivery, support, auditing, and security;
  • Notifying client‑authorized users about changes to our products or services, such as updates, enhancements, or required actions;
  • Fulfilling the purposes for which the client provided the information, including data ingestion, validation, transformation, analysis, and output generation;
  • Any other purpose described in the governing agreement or documented client instructions; and
  • Any additional purpose for which the client, acting as the data controller, instructs us or provides consent.

We do not use client‑provided personal data for any independent purpose, and we do not use it for advertising, marketing, or profiling unrelated to the services we provide.

Disclosure of Client‑Provided Personal Data (Processor Role)

We may disclose aggregated or de‑identified information about individuals without restriction, including analytics outputs that no longer identify any person. [CR-1849]

We may disclose client‑provided personal data, including PHI/PII, only as permitted by our agreements with clients and applicable law. These disclosures may include:

  • To subsidiaries and affiliates that support delivery of our products and services;
  • To contractors, service providers, subprocessors, and other third parties we engage to support our operations, provided they are bound by contractual obligations to safeguard personal information and to use it solely as instructed;
  • To a buyer or successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other transaction involving transfer of Company assets;
  • To fulfill the purposes for which the client provided the information, including data processing, analytics, or other services performed under client instructions;
  • For any additional purpose described in the governing agreement or documented client instructions; or
  • For any other purpose with the client’s authorization or consent.

We may also disclose client‑provided personal data:

  • To comply with a court order, law, subpoena, or regulatory requirement, including obligations under HIPAA or other privacy regulations;
  • To enforce or apply our contracts with clients, including Business Associate Agreements and service agreements; or
  • To protect the rights, property, or safety of Carewise Health, our clients, or others, consistent with legal and contractual requirements.

We do not disclose client‑provided personal data for marketing, advertising, or any independent purpose.

Subprocessors and Countries of Processing

Carewise Health uses a limited number of subcontractors (“subprocessors”) to support delivery of its products and services. These subprocessors provide infrastructure, security, analytics, or operational support services. Subprocessors engaged by Carewise Health are contractually required to meet or exceed Carewise Health’s privacy and security obligations, including restrictions on the use, disclosure, and protection of personal data, and they may process personal data only as instructed by Carewise Health in accordance with client agreements.

All subprocessors engaged by Carewise Health process personal data exclusively within the United States, consistent with Carewise Health’s data residency commitments and technical architecture.

Carewise Health will disclose the names or categories of subprocessors to clients upon request and maintains processes that allow controllers to assess and approve Subprocessor use in accordance with contractual requirements. [CR-1596]

Availability of Subprocessor Information Under Confidentiality

Carewise Health evaluates whether public disclosure of subcontractor or subprocessor information could create unacceptable security risk. When such disclosure is not appropriate for public posting, Carewise Health will provide the names or categories of subprocessors to clients upon request and under an appropriate nondisclosure agreement. Carewise Health informs clients that subprocessor information is available and maintains processes that allow controllers to assess and approve subprocessor use in accordance with contractual obligations. [CR-1597]

Your Rights Regarding Client‑Provided Personal Data

Carewise Health processes personal data—including identifiable health information—solely on behalf of its clients such as health plans, providers, employer groups, or their business associates. Because we act as a data processor (and, under HIPAA, a Business Associate), individuals must exercise their privacy rights through the applicable client, who acts as the data controller or covered entity. [CR-1593] [CR-1596] [CR-1597] [CR-1849]

Depending on the laws and regulations that apply to your data, the client responsible for your information may allow you to exercise rights such as: [CR-1849]

  • Requesting access to personal information maintained about you;
  • Requesting corrections to inaccurate or incomplete information;
  • Requesting deletion of personal information, subject to legal or contractual requirements;
  • Requesting limits on certain uses or disclosures of your information;
  • Requesting confidential communications, or communications by alternative means or locations;
  • Requesting an accounting of certain disclosures, as allowed under HIPAA; and
  • Requesting a copy of the Notice of Privacy Practices issued by your health plan or provider.

Under HIPAA, these rights are detailed in the Notice of Privacy Practices provided by your health plan or provider. Carewise Health does not maintain the authoritative designated record set and does not respond directly to HIPAA rights requests.

If you contact us with a request relating to personal data we process on behalf of a client, we will identify the appropriate client and direct your request to them for response. [CR-1592]

Carewise Health will never require you to waive any rights related to receiving breach notifications for unsecured PHI. Your eligibility for benefits, enrollment in a health plan, access to care, or payment for services will never depend on agreeing to waive any HIPAA rights. If a breach involving your PHI occurs, you will receive all notices required by law. [CR-1508]

Your Right to Object to Direct Marketing

In our role as a data processor and Business Associate, Carewise Health does not use client‑provided personal data for direct marketing or for profiling related to such marketing. If we receive an objection relating to direct marketing based on client‑provided data, we will identify the appropriate data controller and route the request to them for handling. [CR-1608]

Automated Processing

Carewise Health does not use automated decision‑making processes that produce legal or similarly significant effects about individuals. Any automated analytics or modeling we perform is conducted solely on behalf of, and under the documented instructions of, our clients.

If you believe an automated process has affected you, you must submit your request or objection directly to the applicable client (the data controller or covered entity), who is responsible for evaluating and responding to such requests. If you contact us directly, we will identify the appropriate client and direct your inquiry to them. [CR-1609] [CR-1849]

International Data Transfers and Safeguards

Carewise Health processes personal data only on behalf of its clients and only when such data is provided to us by them or their authorized partners. All personal data is processed and stored exclusively within the United States. We do not transfer personal data outside the U.S., including to the European Economic Area (EEA) or any other international jurisdiction. [CR-1849]

If data about an EEA‑based individual is provided to us incidentally by a client, it is still processed only within the United States. Because we do not engage in international transfers, mechanisms such as Standard Contractual Clauses, adequacy decisions, or derogations are not required. [CR-1609]

EU Representative for GDPR Inquiries

If you are located in the European Economic Area (EEA), you may contact our designated EU Representative with questions or regulatory inquiries regarding our processing of personal data under the GDPR. [CR-1849]

EU Representative:
BH Consulting
30–31 Francis Street
Dublin 8, D08 N2C5, Ireland
Website: https://bhconsulting.ie/
Email: tbd@bhconsulting.ie

Because Carewise Health acts solely as a data processor, any GDPR rights requests will be forwarded to the appropriate client (controller) for response in accordance with our Privacy Process. [CR-1849]

Data Security

We maintain administrative, technical, and physical safeguards designed to protect client‑provided personal information against unauthorized access, use, disclosure, alteration, or destruction. These safeguards include:

  • Secure hosting within protected U.S. data centers;
  • Role‑based access controls;
  • Encryption of data in transit and at rest;
  • Network and perimeter security protections;
  • Continuous monitoring and logging;
  • Strong authentication requirements.

Access to client personal data is limited to authorized personnel performing work on behalf of clients.

Users with credentials for secure client portals are responsible for maintaining the confidentiality of their passwords and must not share them with others. [CR-1609]

How We May Use or Disclose Client‑Provided HIPAA‑Covered Information

Carewise Health receives identifiable protected health information (“PHI”) only when it is provided to us by our clients—such as health plans, providers, or their business associates—and we use or disclose that PHI solely as permitted by our contracts and as required by law. We do not use or disclose PHI for any independent purposes.

We may use or disclose PHI:

  • To perform data processing, analytics, reporting, or other services for the client, as described in the applicable agreement or written instructions;
  • To support the client’s health care operations, but only to the extent such activities are permitted for business associates under HIPAA and authorized by the client;
  • To our subcontractors or service providers who assist in delivering services, provided they are bound by written HIPAA‑compliant obligations;
  • As required by law, such as responding to a valid court order or regulatory request; and
  • For any other use or disclosure authorized in writing by the client.

We do not make independent disclosures of PHI for:

  • public health reporting,
  • law enforcement,
  • abuse/neglect reporting,
  • coroners/medical examiners,
  • health oversight,
  • national security,
  • workers’ compensation, or
  • other covered‑entity functions.

If a law requires such a disclosure, we will notify the client unless prohibited by law and will follow any lawful instructions provided.

State‑specific limitations (such as heightened protections for mental health, HIV status, reproductive health, or substance‑use information) will be applied in accordance with the applicable contract and law.

Your Rights to Access Your Health Information

Because Carewise Health receives and processes identifiable HIPAA Covered Information only when it is provided by our clients, there are cases where we do not hold individually identifiable information about you. When the data we receive has been anonymized, de‑identified, or otherwise cannot be associated with your identity, we are unable to link you to any health information we process.

To exercise your rights under the HIPAA Privacy Rule—such as accessing, amending, or receiving an accounting of disclosures for your identifiable health information—you must contact the covered entity that maintains your designated record set, typically your health plan or provider. If you contact us directly, we will identify the appropriate covered entity and direct your request accordingly.

How to Request Access to Personal Data We Process on Behalf of Our Clients

Carewise Health processes personal data only on behalf of its clients and does not maintain the authoritative identifying records for individuals. As a result, individuals seeking access to their personal data must submit their requests directly to the applicable client—typically a health plan, provider, employer group, or other organization that serves as the data controller.

If you contact us with an access request, we will identify the client associated with your information and provide you with the appropriate contact details so that the request may be handled by the organization responsible for your records. Once the client validates the request and issues instructions to us, Carewise Health will act in accordance with those instructions.

Denials of Access Requests

In some circumstances, a client acting as the data controller or covered entity may determine that access cannot be granted. When this occurs, the client is responsible for notifying the individual, providing the reasons for the denial, and informing the individual of any available appeal rights under applicable law.

Because Carewise Health does not interact directly with individuals and processes personal data solely under client instruction, any communication regarding the approval, limitation, or denial of an access request is handled directly by the client. Carewise Health supports its clients by supplying any information necessary for them to fulfill their legal obligations. [CR-1617]

Individuals will also be informed of the appeal or complaint route provided by the applicable controller or covered entity, who is responsible for reviewing and responding to any challenges to the denial.

Access Right Exceptions

The right of access to personal data processed by Carewise Health on behalf of its clients may be limited in certain circumstances. As the data controllers or covered entities, Carewise Health’ clients determine whether access can be granted. Access may be restricted where: (a) the burden or expense of providing access would be unreasonable or disproportionate to the privacy risk; (b) disclosure of the information is prohibited by law or would create legal or security risks; or (c) disclosure would violate the privacy rights of persons other than the requester. When such limitations apply, the controller is responsible for communicating the reasons for the restriction and any available remedies. Carewise Health supports its clients by supplying information necessary for them to fulfill these obligations. [CR-1613]

Requests Under GDPR or Other Privacy Laws

For personal data protected by the GDPR or other privacy laws, Carewise Health continues to act only as a processor. If a data subject contacts us directly to request access or exercise other rights, we will identify the appropriate client and provide the individual with the correct point of contact. All data subject rights requests must be submitted to the client, who is responsible for validating the request and issuing instructions to us. [CR-1611]

Once the client provides direction, Carewise Health will act solely in accordance with the client’s instructions.

Your Right of Access and Correction Under Applicable Privacy Laws

Individuals may have rights under certain privacy laws to access their personal information, request corrections, or review its accuracy. Because Carewise Health processes personal data only on behalf of its clients and does not maintain the authoritative source of member records, we cannot fulfill these requests directly.

If you contact us with an access or correction request, we will identify the client associated with your information and provide you with the appropriate contact information so your request may be handled by the organization responsible for your records. Once the client validates the request and issues instructions, Carewise Health will act in accordance with the client’s direction.

When directed by a client, Carewise Health supports access or correction requests by processing updated data received through standard data‑submission channels and ensuring the integrity of that data within our systems. [CR-1612]

Obligations of the Company

Carewise Health is committed to protecting the confidentiality, integrity, and availability of the personal information—including identifiable health information—that we process on behalf of our clients. In our role as a Business Associate and data processor, we are responsible for:

  • Safeguarding personal information through administrative, technical, and physical controls appropriate to the sensitivity of the data;
  • Using and disclosing personal information only as permitted by our agreements with clients and as required by law;
  • Supporting our clients’ privacy and security obligations, including providing information necessary for them to meet their legal responsibilities;
  • Acting on documented instructions from clients, including instructions relating to access, correction, or deletion requests; and
  • Complying with all applicable privacy and security requirements under HIPAA, applicable state laws, and contractual commitments.

Carewise Health does not issue a Notice of Privacy Practices, negotiate restrictions directly with individuals, or communicate PHI to individuals by alternative means or at alternative locations. These responsibilities remain with the applicable health plan, provider, or other covered entity.

Carewise Health General Privacy Information

How to Contact Us About Privacy Matters

Our organization makes its privacy contact details publicly available so individuals and regulators can reach us regarding questions or concerns about the handling of personal information. Please refer to the Contact Information section below for ways to contact us. [CR-1806] [CR-1849]

Changes to Our Statement of Privacy

We may update this Statement from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will post the updated version on this page and revise the “Last Modified” date at the top of the Statement. If we make material changes that affect how we handle personal information, we will provide additional notice—such as by posting a notice on the Company Website or Product home page. We encourage you to review this Statement periodically to stay informed about how we protect your information.

Contact Information

Use of this contact information will result in sending your message to our compliance team, which includes a representative for privacy‑related inquiries and communications who is without prejudice to any legal actions that may be initiated against the organization. [CR-1805]

To ask questions or comment about this Statement or our privacy practices, or to register a complaint or concern, you may contact us at: [CR-1592]  [CR-1849]

Compliance Department
Carewise Health, Inc.
9200 Shelbyville Road, Suite 300
Louisville, KY 40222
Email: contact@CarewiseHealth.com
Toll-free: +1 888‑356‑6934

International Calls:
Our toll‑free number may not be reachable from outside the United States, and international calling charges may apply. Individuals located in the European Economic Area (EEA) may contact our EU Representative or reach us via email, which is accepted for all privacy inquiries.

Contact Us

Connect

sales@carewisehealth.com

9200 Shelbyville Road, Louisville, KY 40222

1-800-762-7360

502.420.5590

© 2026 Carewise Health