A. Purpose. Public Consulting Group, Inc. (“PCG”) offers the Careify™ electronic visit verification system (“Careify”) to state governments, managed care organizations, and home healthcare providers to allow Home and Community Based Services (“HCBS”) an electronic means of documenting and verifying when and where services were provided, and to satisfy the requirements of the 21st Century Cures Act. PCG seeks to protect the privacy of those who use Careify, as set forth in this Privacy Policy.

B. Fundamental Principles. Your privacy is very important to PCG. Here are a few of our fundamental principles:

1. Collection of information is done with consideration of the importance of what we have requested from you.
2. Access to your personal information is provided on a need-to-know basis, consistent with legal requirements.
3. We take our obligation to secure your information seriously.
4. Transparency is provided on how we gather, use, and under certain circumstances, share your personal information.

C. Purpose. This Privacy Policy describes how we gather information, why we gather it, the types of data and information that we access, collect, and retain, and the steps we take to ensure that your privacy is maintained.

A. Applicability. This Privacy Policy applies to personal information received by Careify or collected when you use:

1. The Careify website (Careify.com) and all associated subdomains; or
2. Our mobile applications (including the Careify mobile app for Android and iOS).

B. Definitions. The following terms are used in this policy:

1. “I,” “Me,” “Our,” “Us,” and “We” refer to PCG, the developers and owners of Careify.
2. “Careify Client” refers to the state governments or agents of state governments that purchase and utilize Careify in order to fulfil the Electronic Visit Verification (EVV) mandates of the 21st Century Cures Act, including state agencies and managed care organizations (“MCO”).
3. “Patient” or “Member” refers to the individual enrolled in the State’s Medicare or Medicaid program receiving care from the provider.
4. “User” or “You” refers to you, the end user of the Careify application and/or the Careify website (e.g. providers, caregivers, or Careify Client employees).
5. “Services” will refer to the Careify website and mobile applications collectively.

A. When Information is Collected. PCG collects information when there is a business reason to do so, such as: (i) to provide our Services; (ii) to allow us to communicate with you; or (iii) to improve our Services.

B. What Information is Collected. PCG collects two main types of information:

1. Device and application specific information gathered during your usage of the Service. This information is used to identify and verify the originating source of visit-related data.

Data Category	Data Element	Why We Collect It
Device Make and Model
	Manufacturer	Visit Verification Technical Support
	Make
	Model
Device Identifiers	Universally Unique Identifier (UUID)	Visit Verification
	Serial Number
Device Operating System	Operating System (OS)	Techincal Support Data Integrity
	OS Version
	OS Certificate
Device Settings	Time Zone	Technical Support
	Font Scale
	Time Scale
	Language
Device Hardware Capabilities	Storage Space	Service Usage Technical Support
	Memory
	API Access
Device Usage Information	Carrier	Technical Support
	Country
	Local
Careify App Usage Data	Build Number	Service Usage Technical Support
	Install Reference
	Date of Last Update
	User Agent
	Version Number



2. Personal Information captured through Careify and the Careify website, including name, address, and social security number.

Data Element	Why We Collect
Name	Visit Verification Service Usage Personnel Integrity Employment
Address
Date of Birth
Social Security Number
Licenses - if applicable
Associations - if applicable
Preferred Language
Agency (Employer)

A Patient or Member’s information may also be captured as a consequence of the use of our Services. For example, a Patient’s location may be recorded when a User uses the Careify application. We may disclose this information to the Careify Client to which that information is tied. Once that information is disclosed to the Careify Client, we have no control over the Careify Client’s use of that information.

C. How Information is Collected. PCG collects this information in three ways: (i) you provide it to us; (ii) we receive it automatically through operation of our Services; and (iii) we receive it from outside sources such as your respective Careify Client.

D. Information Provided to PCG. The amount and type of information that we request from you depends on the context and purpose of such information:

1. Basic Account Information. In order to have a Careify account, certain basic information is required to complete the initial setup, including your name, email address, and phone number.
2. Employment Information. Once you have established a Careify account, we may collect certain required information related to your employment, including: company/organization information (name, address, etc.), social security number, immunizations, known allergies, and mobile device identifier.
3. Content Information. Depending on the Services used, you may also provide personal information within published content. For example, if you add a visit note within Careify including biographic information, we will then have that information, as will personnel with access to your employer’s Services (e.g., office administrators or agents of Careify Clients).
4. Credentials. Depending on the Services used, you may provide us credentials for other web services to provide additional functionality. For example, in order to use our 3rd Party Aggregator, credentials such as your SSH, FTP, and SFTP username and password may be required.
5. Communication with PCG. You may also provide us information when you communicate with PCG, such as, when you respond to a survey or communicate with our technical support team.

E. Information Collected Automatically. Our Services may also collect certain types of information automatically:

1. Location Information. For example, your exact location upon the start and end of a visit based on the GPS coordinates of your mobile device. This is collected only upon direct action taken in the mobile app and is not used to track you. Your approximate location, based on the IP address of your device, may also be collected and used (via whitelisting) to restrict access to our Services. This information is needed to ensure the validity of visits through electronic visit verification.
2. Log Information. When you use your Services, we also collect certain log information, including: browser type, IP address, unique device identifiers, language preference, referring site, date and time of access, operating system, and mobile network information. For example, when you complete an onsite visit or generate business reports, a record of that action is logged.
3. Usage Information. We collect information about Service usage so that we may improve it. In other words, who did what, when they did it, and to what thing within our Services (e.g., [Careify username] edited “[visit start time]” at [time/date]). We also gather information about your device (e.g., screen size, name of cellular network, and mobile device manufacturer). This information provides insight on how users are employing the Services so that we may refine them over time.
4. Interactions with Other User Information. Admin users may access other user information through their monitoring of employment and personnel information. We may collect information about these interactions while Admin users are utilizing our Services. For example, we collect and log the actions to update an employee’s phone number or email address or make changes to schedule availability.
5. Information from Cookies and Other Technologies. A cookie is a string of information stored on your computer when you visit a website and which is provided back to that website the next time you visit it. Pixel tags (also called web beacons) are small blocks of code placed on websites and in emails. We may use cookies and other technologies like pixel tags to identify and log visitors to our website, monitor and track website usage, to allow access to preferences for our Services, and track email campaign effectiveness. Third parties may serve content or applications on our website and may also use cookies and other technologies to collect information about you, including personal information or information associated with your personal information. We do not control third party tracking technologies or how they may be used.

F. Information We Collect from Other Sources. Because PCG manages a variety of user roles with different relationships (employer/employee, caretaker/patient), we may also receive your personal information from other sources, such as:

1. Admin users will be able to enter in new employee information during setup; or
2. Information from Careify Clients, including information from a state’s from a state’s Medicaid Management Information System (MMIS). Examples of information from a state’s MMIS includes personal information necessary to create your Careify account, such as your userID and profile information.

The specific information that we receive depends on which Services you are authorized to use, which features and permissions you are granted, and any additional options based upon your user role.

A. Service-Related Purposes. We may use your information for the following service-related purposes:

1. To provide our Services. For example, your information is used to set up, maintain, and manage access to your account, and to host, back up, and restore Services;
2. To further develop and improve our Services. For example, your information may be used to add new features and enhancements to develop and enhance our Services;
3. To monitor and analyze trends. For example, your information may be used to further our understanding how users interact with our Services, for purposes of improving and making them easier to use;
4. To measure, gauge, and improve user retention and attrition. For example, your information may be used to analyze how many individuals use a new feature after receiving an email announcement;
5. To monitor and protect our Services. For example, your information may be used to help prevent problems with our Services, protect their security, detect and prevent fraudulent transactions and other illegal activities, fight spam, and protect the rights and property of PCG and others;
6. To communicate. Your information may be used for communications such as email communications. We may let you know about new features, classes or training material we think would be of interest to you, ask for your feedback, or keep you up to date on our Services; and
7. Personalization. For example, your information may be used to personalize your experience using our Services, provide relevant content, and target our messaging to groups of users.

B. Other Purposes. There are certain additional purposes for which we may use your information:

1. The use is necessary to fulfill our commitments to you under our Careify Terms and Conditions or other agreements with you or which is necessary to administer your account. For example, in order to enable access to our website on your device;
2. The use is necessary for compliance with a legal obligation;
3. The use is necessary to protect your vital interests or those of another person; or
4. You have provided consent. For example, before we use location services on your device in order to query your location information.

A. How We Share Information. PCG does not sell the private personal information of Careify users. However, there are limited circumstances where PCG may share your information with third parties, with appropriate privacy safeguards.

1. Careify Client. We may disclose your information to the Careify Client to which your use of our Services is tied. Once your information is disclosed to the Careify Client, we have no control over the Careify Client’s use of that information.
2. PCG Subsidiaries and Employees. We may disclose your information to our subsidiaries or our employees when they need to know the information to provide our Services or to process information on our behalf. Our subsidiaries and employees are obligated to follow this Privacy Policy for any personal information that they receive.
3. Trading Partners. We may share your information with trading partners requiring it to provide their services to us or you. This includes trading partners that help us provide our Services (such as SmartyStreets, which processes and validates location information for onsite visits) and those that help us understand and enhance our Services (like accessibility auditors). Any trading partners who receive your data will be required to provide commercially reasonable protection.
4. Legal Requests. We may disclose your information in response to a subpoena, court order, or other governmental request.
5. To Protect Rights, Property, and Others. We may disclose your information when we believe, in good faith, that disclosure is necessary to protect the property or rights of PCG, third parties, or the public at large. For example, if we have a good faith belief that there is an imminent danger of death or serious physical injury, we may need to disclose information related to the emergency without delay.
6. Business Transfers. In connection with a merger, sale of company assets, or acquisition of all or a portion of our business by another company, or in the event that PCG goes out of business or enters bankruptcy, user information may be transferred or acquired by a third party.
7. With Your Consent. We may share and disclose information with your consent or at your direction. For example, we may share your information with third parties where you authorized us to do so, such as home care management software or scheduling services that you utilize.
8. Non-Personal Information. Non-personal information is any information that does not reveal an individual’s specific identity, does not directly related to an individual, and cannot be readily connected back to an individual. We may share non-personal information, including information that has been aggregated or reasonably deidentified, such that the information could not reasonably be used to identify you. For instance, we may publish aggregate statistics about the use of our Services.
9. Published Support Requests. If you send us a request (e.g., via a support email or one of our feedback mechanisms), we may publish that request (without naming you) to help clarify or respond to your request or to help support other users.

B. Information Shared Publicly. Our System is a closed system and not publicly shared. However, if you choose to make information public outside of our control, it may be indexed by search engines or used by third parties.

We retain your personal information for a duration of time that depends on the requirements of our contract with the Careify Client.

• A. We undertake to destroy your information when we or the Careify Client no longer needs the information for the purposes for which we collect and use it (as described above), and we are not legally required to keep it.
• B. For example, we retain visit audit logs for the duration specified in our contract with the Careify Client. These logs record information regarding onsite visits, including your name, location, device type, and operating system.
• C. Deleted content may remain on our backups and caches until purged.

PCG cares about protecting the online privacy of children. We will not intentionally collect any personal information (such as a child’s name or e-mail address) from children under the age of 13 without their parents’ consent. If you think that we have collected personal information from a child under the age of 13, please contact us at privacy@careify.com.

While no service is 100% secure, PCG exercises commercially reasonable efforts to protect your information against unauthorized access, use, alteration, or destruction, and we monitor our Services for potential vulnerabilities and attacks. To enhance the security of your account, we require the use of certain advanced security settings, including Two-Step Authentication, and encrypt data transmission and storage among other safeguards.

You have certain choices available when it comes to your information, including the following:

1. A. Limit Access to Information on Your Mobile Device. Your mobile device operating system may be configured to restrict the sending of notifications or collection of location information via our mobile apps. If you do so, you may not be able to use our apps or certain features of such apps. For example, our mobile apps require a device PIN to safeguard of personal health information (PHI). You must enable a device level PIN before gaining access to our app.
2. B. Set Your Browser to Reject Cookies. At this time, Careify does not respond to “do not track” signals across all our Services. However, you may be able to configure your browser to remove or reject browser cookies before using Careify’s websites. Certain features of Careify’s websites may not function properly without the aid of cookies.
3. C. Close Your Account. Account management is handled by PCG administrative users and the Careify Client. In the event that your account is closed, we may continue to retain your information as described in Section 6 above. For example, this information may be used if needed to comply with (or demonstrate our compliance with) legal obligations such as law enforcement requests, or reasonably needed for our legitimate business interests.
4. D. Unsubscribe. In the event that you receive e-mail or other mail from PCG and you wish to unsubscribe from PCG’s mailing list, please press the unsubscribe button on any of our e-mails or contact us at privacy@careify.com.

California Civil Code Section § 1798.83 permits Users, Patients, or Members that are California residents to request certain information if PCG discloses personal information to third parties for their direct marketing purposes. To make or inquire about such a request, please send an e-mail to privacy@careify.com.

We may provide links to other companies through our Services. These external website addresses contain information that was published by organizations that are independent from us. They are used to provide additional information in connection with our Services.

We are not responsible for the content of the linked websites, other links that are found on such websites, or changes or updates to such websites. We do not review, control, or monitor the privacy practices of these websites, and this Privacy Policy does not apply to them. Such websites might use cookies to collect data or use this data in a way that we do not. We are not responsible for privacy policies or information or materials on these other websites. Please read the privacy policies of these websites for information about their standards. The presence of these external links must not be seen as support for the content or opinions they contain.

Your personal data is accessible through the account settings that we offer. You may also submit a direct request for further information by contacting us pursuant to Section 13 below.

If you have questions regarding this Privacy Policy, please contact us at:
Public Consulting Group, Inc.
148 State Street
Boston, MA 02199
Attention: Makana Dumlao
Email: privacy@careify.com

PCG may revise this Privacy Policy from time to time. We encourage visitors to frequently check this page for any changes. If we make changes, we may provide notification by revising the change log below, and, in some cases, we may provide additional notice (such as adding a statement to our homepage or blog or sending you a notification through email or your dashboard). Your further use of the Services after a change to this Privacy Policy will be subject to the updated policy.

11/3/2020: Updated formatting and links.
5/23/2019: Initial version published.