Privacy Policy
1. Introduction and Scope
This Privacy Policy describes how Mykare Technologies Inc., operating as Mykare AI (“Mykare”, “Mykare AI”, “we”, “us”, or “our”), collects, uses, discloses, and protects information in connection with: (a) the public website located at mykare.ai (the “Website”); and (b) our AI-powered healthcare automation platform, KareOS, including AI voice and text agents, integrations, dashboards, telephony services, and related support services for hospitals, clinics, and healthcare providers (together, the “Services”).
This Privacy Policy is governed by the laws of the State of Delaware, United States, and applicable U.S. federal law (including the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”)). Additional U.S. state, European, and Indian privacy laws may apply to specific categories of personal information, as described in Sections 19 through 22.
By using the Website or Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Website or Services.
If you have any questions, please contact our Privacy Office at support@mykare.ai.
2. Definitions
For purposes of this Privacy Policy:
- “Personal Information” or “Personal Data” means information that identifies, relates to, or could reasonably be linked with an identified or identifiable natural person, as defined under applicable law (including the California Consumer Privacy Act, as amended (“CCPA”), the EU and UK General Data Protection Regulations (“GDPR” and “UK GDPR”), and India’s Digital Personal Data Protection Act, 2023 (the “DPDP Act”)).
- “Sensitive Personal Information” means special categories of data, including health information, biometric identifiers, government identifiers, precise geolocation, racial or ethnic origin, and similar categories as defined under applicable law.
- “Protected Health Information” or “PHI” has the meaning given in 45 C.F.R. § 160.103 under HIPAA.
- “Customer” means a hospital, clinic, healthcare provider, or other organization that has been onboarded to use the Services.
- “Data Subject” means the individual whose Personal Information is processed, including patients, prospective patients, accompanying attendants, Website visitors, and Customer personnel.
3. Our Role Under Applicable Privacy Laws
3.1 HIPAA — Business Associate
For U.S. Customers that are Covered Entities or Business Associates under HIPAA, Mykare AI generally acts as a Business Associate and enters into a Business Associate Agreement (“BAA”) with each such Customer. Under the BAA, we process PHI solely to provide the Services and as permitted by the BAA, applicable law, and the Customer’s written instructions. We do not use PHI for our own marketing purposes, and we do not sell PHI.
3.2 U.S. State Privacy Laws — Service Provider / Processor
Where applicable, with respect to Personal Information that is not PHI, Mykare AI generally acts as a “Service Provider” under the CCPA and as a “Processor” under the comparable laws of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Florida, Montana, Iowa, Tennessee, Indiana, Delaware, New Hampshire, New Jersey, and other U.S. states with similar laws (collectively, “U.S. State Privacy Laws”), and processes such information only on behalf of and in accordance with the Customer’s instructions.
3.3 GDPR / UK GDPR — Processor
To the extent we process Personal Data of individuals located in the European Economic Area, the United Kingdom, or Switzerland on behalf of a Customer, Mykare AI generally acts as a “Processor” under the GDPR / UK GDPR, and the Customer acts as the “Controller.” We enter into a Data Processing Addendum (“DPA”) with such Customers.
3.4 DPDP Act — Data Processor
To the extent we process Personal Data of individuals located in India on behalf of a Customer, Mykare AI generally acts as a “Data Processor” under the DPDP Act and the Customer acts as the “Data Fiduciary.”
3.5 Independent Controller / Data Fiduciary Role
For information collected through the Website (for example, from visitors or prospective customers) and for business contact information of Customer personnel, we act as an independent controller (or, in the GDPR context, “Controller,” and in the DPDP context, “Data Fiduciary”) determining the purposes and means of processing in line with this Privacy Policy.
4. Information We Collect
4.1 Website Visitors and Prospects
When you visit the Website or interact with us as a prospective customer, we may collect:
- Contact information you provide: name, business email address, phone number, hospital or clinic name, role/title, country of operation, and the content of inquiries submitted through forms, scheduling tools, email, or similar channels.
- Technical and usage information: IP address, browser type, operating system, device identifiers, referring URLs, pages viewed, and timestamps.
- Cookies and similar technologies: as described in Section 8.
4.2 Customer Personnel
For employees and other authorized personnel of our Customers, we may collect business contact details (name, business email, phone, role/title, department, hospital affiliation), account and credential information, and activity logs, audit trails, configuration settings, and communications with our support and operations teams.
4.3 Patient Information (PHI, Personal Data, and Related Data)
As part of providing our AI-powered patient intake, sales, guest relations, international patient, and feedback services to our Customers, we process data about patients and prospective patients, which may include PHI under HIPAA, sensitive personal information under U.S. state laws, special category data under the GDPR, and sensitive personal data under the DPDP Act. This information is provided by our Customers, captured during conversations with our AI agents, or collected from patients on behalf of our Customers, and can include:
- Identifiers and contact data: name, phone number, email, address, country, language preference, age, gender, and similar identifiers necessary to respond to inquiries and coordinate care.
- Clinical and treatment-related information: symptoms or conditions described, specialty of interest, medical reports or images shared by patients for verification, second-opinion requests, doctor or hospital preferences, and appointment details.
- Insurance and payment-related information: payer or sponsor details, coverage information, and estimates or quotations shared with patients, to the extent provided by the patient or Customer.
- International patient and travel data: for medical travel workflows, passport or government identification details, visa information, flight and hotel preferences, currency exchange requests, accompanying attendant details, and other logistics information shared by the patient.
We do not collect patient identifiers directly from the public Website for our own purposes. All patient data is received or accessed in the context of the Services and processed on behalf of our Customers under applicable contracts, BAAs, and DPAs.
4.4 Audio, Voice, Call Data, Transcripts, and Documents
In connection with our AI-powered voice and text workflows and our human quality-assurance processes, we may process:
- Audio recordings and transcripts: of inbound and outbound calls handled by our AI voice agents and, where applicable, calls escalated to human team members, as necessary to deliver the Services, perform emotion and intent detection, and support quality assurance and governance.
- Chat and message logs: from text-based agents across supported channels, including web chat, WhatsApp, SMS, and other messaging integrations enabled by the Customer.
- Documents and other content: uploaded by patients or Customers, such as medical reports, lab results, imaging, identification documents, and itineraries, used to fulfill the requested workflow.
See Section 14 for important information about call recording, AI agent disclosure, and consent.
4.5 Biometric Information
Our voice agents process audio recordings of human voices in order to perform speech recognition, transcription, and natural-language understanding. To the extent that voice processing creates or stores voice prints, voice templates, or other identifiers that qualify as “biometric information” or “biometric identifiers” under applicable law (including the Illinois Biometric Information Privacy Act (“BIPA”), the Texas Capture or Use of Biometric Identifier Act, and Washington’s biometric privacy statute), such processing is performed solely on behalf of and pursuant to the instructions of the Customer, and only with consents obtained by the Customer from the relevant individuals as required under applicable law. See Section 15 for additional information.
4.6 Categories We Do Not Intentionally Collect Directly
We do not directly collect or store payment card information through the Website or Services; payments are handled through other channels or third-party providers determined by our Customers. We do not intentionally collect Social Security numbers, Aadhaar numbers, or similar sensitive government identifiers outside the specific contexts described above, and only to the limited extent provided by or on behalf of our Customers under applicable agreements and laws.
5. How We Collect Information
We collect information directly from you (forms, email, scheduling tools); automatically through cookies and similar technologies; from our Customers and their systems (via integrations, APIs, secure file uploads); from patients interacting with our AI agents through voice, chat, SMS, WhatsApp, and other channels enabled by the Customer; and from service providers and partners (telephony, messaging, translation, travel-coordination) we engage to operate the Services.
6. How We Use Information
We use the information we collect for the following purposes:
- To provide and operate the Services: answering patient enquiries, qualifying leads, booking and confirming appointments, assisting domestic and international patients, capturing feedback, and writing back into Customers’ CRM and operational systems.
- To configure, maintain, and improve the Services: including operating AI agents, models, and governance guardrails; performing emotion detection, intent classification, error detection, performance monitoring, and call analytics; and, where permitted, using de-identified data (de-identified under the HIPAA Safe Harbor method, 45 C.F.R. § 164.514(b)(2), or by Expert Determination under § 164.514(b)(1)), aggregated data, or non-PHI data to refine and improve our models and internal tools. Customers may opt out of the use of their data for model improvement as described in Section 13.5.
- To provide customer support and communicate: respond to inquiries; communicate with Customers and prospects about onboarding, service updates, and account information.
- To send marketing communications: product updates, event information, and similar materials; you may opt out at any time using the unsubscribe link or by contacting us.
- To maintain security and integrity: authentication, access control, logging, monitoring, abuse and fraud prevention, incident response, and protection of our rights and the rights of our Customers and Data Subjects.
- To comply with legal, regulatory, and contractual obligations: including those under HIPAA, the GDPR, U.S. State Privacy Laws, the DPDP Act, BAAs, DPAs, and other applicable laws and agreements.
We do not use PHI or Sensitive Personal Information for cross-selling or third-party advertising, and we do not sell PHI or Sensitive Personal Information.
7. Legal Bases for Processing (GDPR / UK GDPR / DPDP)
Where the GDPR, UK GDPR, or DPDP Act applies and we act as Controller / Data Fiduciary, we rely on the following legal bases:
- Performance of a contract: to deliver the Services to Customers and respond to inquiries.
- Legitimate interests: to operate, secure, and improve the Website and Services; to communicate with prospective Customers; and to defend legal claims, balanced against the rights and freedoms of Data Subjects.
- Consent: for marketing communications, optional cookies, and where otherwise required by law (including for the processing of sensitive personal data and the recording of calls in jurisdictions that require consent).
- Legal obligation: to comply with applicable laws, regulations, and lawful requests.
For PHI and patient data processed on behalf of Customers, the Customer (as Controller / Data Fiduciary / Covered Entity) is responsible for determining the lawful basis and obtaining required notices and consents from Data Subjects.
8. Cookies, Analytics, and Similar Technologies
We use cookies and similar technologies on the Website and, where applicable, within the Services. The general categories are:
| Category | Purpose | Typical retention |
|---|---|---|
| Strictly necessary | Security, load balancing, session management. Cannot be disabled. | Session / up to 12 months |
| Analytics | Understand how visitors interact with the Website and Services to improve performance and content. | Up to 24 months |
| Marketing | Measure campaign effectiveness and, where permitted, tailor outreach. | Up to 13 months |
| Functional | Remember preferences such as language and region. | Up to 12 months |
You can manage cookie preferences through the cookie banner and preference center provided on the Website and via your browser settings. We honor Global Privacy Control (“GPC”) signals where required by applicable law. If you disable certain cookies, some features may not function properly.
9. How We Share Information
We share information in the limited ways described below:
- Customers and their authorized users: to deliver outputs of the Services, including call recordings, transcripts, lead and booking data, feedback summaries, and analytics.
- Service providers and subprocessors: supporting our infrastructure and operations, including cloud hosting, content delivery and security, telephony and messaging, large language model (LLM) and speech providers, translation services, email delivery, analytics, and CRM and marketing tools. We maintain a current list of subprocessors and will notify Customers of material changes in accordance with the applicable DPA. The current subprocessor list is available at mykare.ai/trust-center.
- Travel, logistics, and payment partners: for international and domestic patient coordination, where the Customer or patient has requested such services.
- Professional advisors: such as auditors, lawyers, accountants, and consultants, under duties of confidentiality.
- Corporate transactions: in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate safeguards and continued protection of information.
- Legal compliance and protection of rights: when required by law, regulation, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Mykare AI, our Customers, or others.
We do not sell Personal Information, and we do not “sell” or “share” Personal Information for cross-context behavioral advertising as those terms are defined under U.S. State Privacy Laws.
10. International Transfers
Mykare AI operates from the United States. Information may be transferred to, stored in, or accessed from countries other than the country in which it was originally collected. We rely on the following mechanisms, as applicable:
- EU → U.S. transfers: the EU–U.S. Data Privacy Framework (“DPF”) where Mykare AI is certified, and/or the European Commission’s Standard Contractual Clauses (“SCCs”) supplemented by appropriate technical and organizational measures.
- UK → U.S. transfers: the UK Extension to the DPF where applicable, and/or the UK International Data Transfer Agreement (“IDTA”) or UK Addendum to the SCCs.
- Swiss → U.S. transfers: the Swiss–U.S. DPF where applicable, and/or the SCCs.
- Other transfers: contractual safeguards consistent with applicable law, including DPDP cross-border transfer requirements as notified by the Indian government from time to time.
Copies of the relevant transfer mechanisms are available on request from support@mykare.ai.
11. Data Retention
We retain Personal Information only for as long as necessary to fulfill the purposes described in this Privacy Policy, to comply with legal, regulatory, and contractual requirements, to resolve disputes, and to enforce our agreements. For Customer Data processed as part of the Services, retention is further governed by the BAA, DPA, and master services agreement with the Customer. Indicative default retention periods are set out below; specific terms may differ under a Customer agreement:
| Category | Default retention |
|---|---|
| Website inquiry / lead data (independent) | 24 months from last interaction |
| Marketing list data | Until opt-out, plus suppression-list retention |
| Customer Personnel account data | Term of agreement, plus 90 days |
| Patient data / PHI (as Business Associate) | Per Customer instruction and BAA; default 6 years after end of agreement, consistent with 45 C.F.R. § 164.530(j) |
| Call recordings and transcripts | Per Customer instruction; default 12 months |
| Security and audit logs | 12 to 24 months |
| De-identified / aggregated data | Retained indefinitely as permitted by law and agreement |
Customers may request earlier deletion or export of data in accordance with the applicable Customer agreement and applicable law.
12. Security
We maintain administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of information, consistent with industry standards and our internal compliance program. Our program is aligned with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C), SOC 2 Type II (audit in progress), the NIST 800-66 / NIST CSF frameworks, and the DPDP Act’s reasonable security safeguard requirements. Controls include:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent)
- Role-based access controls and least-privilege provisioning
- Multi-factor authentication for administrative access
- Logging, monitoring, and anomaly detection
- Regular vulnerability assessment and penetration testing (VAPT)
- Secure software development life cycle (SSDLC)
- Personnel background checks, training, and confidentiality obligations
- Subprocessor due diligence and contractual safeguards
- Incident response and business continuity planning
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. In the event of a security incident affecting your Personal Information, we will notify affected parties without undue delay and consistent with applicable law, including HIPAA Breach Notification Rule timelines (notification to Covered Entities without unreasonable delay and no later than 60 days from discovery), GDPR (72 hours to supervisory authority where applicable), DPDP Act (as prescribed by the Data Protection Board), and applicable U.S. state breach-notification laws.
13. AI, Automated Processing, and Voice Agents
13.1 How Our AI Agents Work
Our Services use multiple specialized AI agents — including voice and text agents, intent and emotion detection, language translation, and quality-assurance agents — combined with human oversight, governance guardrails, and call analytics, to perform patient intake, sales, guest relations, international patient coordination, feedback collection, and related workflows. AI components process Personal Information, including PHI, Sensitive Personal Information, and insurance data, only to the extent necessary to provide the Services on behalf of our Customers and as permitted by the applicable BAA, DPA, and Customer agreement.
13.2 AI Agent Disclosure
Where required by applicable law (including California Business and Professions Code § 17941 (“BOT” law), the Colorado AI Act, and similar regulations), our AI agents disclose at the beginning of an interaction that the individual is communicating with an automated AI assistant deployed on behalf of the Customer. Customers are responsible for ensuring that any custom scripts or configurations preserve this disclosure.
13.3 Synthetic and Cloned Voices
Our voice agents may use synthetic (computer-generated) voices to communicate with patients. We do not knowingly use voices that imitate identifiable real persons (including clinicians, celebrities, or public figures), and our Customer agreements prohibit Customers from instructing or causing the Services to do so.
13.4 Automated Decision-Making and Human Review
AI outputs and conversations are subject to human review and quality checks as part of our governance program. The Services do not make decisions that produce legal or similarly significant effects on Data Subjects without human involvement, and clinical, billing, immigration, and care decisions are made by the Customer’s qualified personnel, not by the AI. Where applicable law (including GDPR Article 22) provides a right to human review of automated decisions, that right may be exercised by contacting the Customer and, where appropriate, Mykare AI.
13.5 Model Training and Opt-Out
Mykare AI may use Personal Information processed in the Services to train, fine-tune, or otherwise improve our models only where permitted under the applicable Customer agreement. Customers may opt out of the use of their data for model improvement by contacting support@mykare.ai. PHI is only used for model improvement after de-identification consistent with HIPAA, or in accordance with a separately executed limited data set or authorization.
13.6 No Medical Advice; No FDA Clearance
The Services are administrative and operational in nature. They are not intended to provide, and do not constitute, medical diagnosis, treatment, or independent clinical advice, and they have not been evaluated or cleared by the U.S. Food and Drug Administration as a medical device. Patients should always consult a licensed clinician for medical advice.
14. Call Recording, AI Disclosure, and TCPA Notice
Calls handled by our voice agents may be recorded for quality assurance, training, regulatory compliance, dispute resolution, and the operation of the Services.
- Call recording consent: Recording of calls is performed on behalf of, and at the instruction of, our Customers. Where the patient or other call participant is located in a jurisdiction that requires all-party consent to recording (including California, Florida, Illinois, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Pennsylvania, and Washington), the Customer is responsible for ensuring that the call-opening script includes a clear notice that the call is being recorded, and that consent is obtained before the recording continues.
- AI agent disclosure: The call-opening script also discloses that the participant is interacting with an automated AI assistant, as described in Section 13.2.
- TCPA and similar laws: Outbound calls and text messages are placed by Mykare AI as a service provider to the Customer, which is solely responsible for compliance with the U.S. Telephone Consumer Protection Act (“TCPA”), the Federal Communications Commission’s rules (including the February 2024 declaratory ruling on artificial or prerecorded voice technology), the federal and state Do Not Call lists, state telemarketing and autodialer laws, and (for international communications) applicable foreign laws, including obtaining any required prior express written consent. Mykare AI maintains commercially reasonable technical controls to support Customer compliance (including suppression lists, calling-window controls, and STOP / unsubscribe handling for SMS), but does not represent or warrant compliance on the Customer’s behalf.
If you wish to opt out of recordings or AI-handled calls in connection with a specific Customer, please contact the Customer (your hospital or provider) directly. You may also reply STOP to any SMS message to opt out of future text messages from that sender.
15. Biometric Information
To the extent voice processing by our Services involves the creation or storage of voice prints, voice templates, or other biometric identifiers, the following applies:
- Purpose: Such processing is performed solely to provide speech recognition, transcription, voice authentication (where configured), and quality assurance functions of the Services.
- Consent: Customers are responsible for obtaining all consents required under applicable law (including Illinois BIPA, Texas CUBI, Washington H.B. 1493, and other applicable state biometric laws) from individuals whose voices are processed.
- Retention: Biometric identifiers are retained only for as long as necessary to provide the Services and in any event for no longer than three (3) years after the individual’s last interaction with the Customer, unless a shorter period is required by law or contract.
- No sale: We do not sell biometric identifiers and do not disclose them except as necessary to operate the Services and as permitted by applicable law.
16. Children’s Privacy and COPPA
The Website is intended for professional users (such as hospital and clinic personnel) and is not directed to children under the age of consent under applicable law (under 13 years of age in the United States under the Children’s Online Privacy Protection Act (“COPPA”), under 16 under the GDPR (or lower as Member States permit), and under 18 years of age in India under the DPDP Act). We do not knowingly collect Personal Information directly from children via the Website. If we learn that we have inadvertently collected such information, we will promptly delete it.
Any PHI or Personal Information relating to minors that we process is handled only as part of the Services to professional Customers and is governed by HIPAA, COPPA, the GDPR, the DPDP Act, BAAs, DPAs, and other applicable agreements and laws, including parental or guardian consent requirements.
17. Language Access (Section 1557 of the Affordable Care Act)
To the extent the Services are deployed by a Customer that is subject to Section 1557 of the Patient Protection and Affordable Care Act, the Services support over twenty (20) languages in voice and text (including Spanish, French, German, Italian, Portuguese, Russian, Japanese, and major Indian languages). Customers are responsible for posting required language taglines and meaningful access notices to their patient populations. We will reasonably support Customers in meeting these obligations.
18. Your Privacy Rights — General
Depending on applicable law, you may have rights with respect to your Personal Information, including the rights to:
- Access the Personal Information we hold about you
- Correct inaccurate or incomplete Personal Information
- Delete Personal Information
- Restrict or object to certain processing
- Receive a copy of your Personal Information in a portable format
- Withdraw consent where processing is based on consent
- Opt out of the sale or sharing of Personal Information and of targeted advertising
- Limit the use or disclosure of Sensitive Personal Information
- Appeal a denial of a rights request, where required by applicable law
- Lodge a complaint with a competent supervisory authority
To exercise these rights, submit a request to support@mykare.ai. We respond within the timeframes required by applicable law (generally 45 days under the CCPA, with one 45-day extension where reasonably necessary; 30 days under the GDPR, with up to two additional months for complex requests; and within the period prescribed under the DPDP Act). We will verify your identity using reasonable methods before fulfilling a rights request. Authorized agents may submit requests on your behalf with documented authority. For Personal Information processed on behalf of a Customer (including PHI), we may need to direct your request to the Customer and will support the Customer in responding consistent with our contractual and legal obligations.
We will not discriminate or retaliate against you for exercising any of these rights.
19. California Privacy Rights (CCPA / CPRA)
19.1 Categories Collected, Sources, Purposes, Disclosures
In the preceding 12 months, we have collected the following categories of Personal Information as described in this Privacy Policy: identifiers; commercial information; internet or other electronic network activity information; geolocation data (general, not precise); audio, electronic, visual, or similar information (call recordings and transcripts); professional or employment-related information (for Customer personnel); and Sensitive Personal Information (PHI processed on behalf of Customers; biometric identifiers from voice processing; government identifiers for international travel).
We collect this information from the sources described in Section 5, use it for the business purposes described in Section 6, and disclose it for the business purposes described in Section 9 (including to our subprocessors operating as service providers under the CCPA). We do not knowingly collect Personal Information of consumers under the age of 16 for sale or sharing.
19.2 No Sale; No Sharing for Cross-Context Behavioral Advertising
We do not sell Personal Information for monetary or other valuable consideration, and we do not share Personal Information for cross-context behavioral advertising, as those terms are defined under the CCPA. We honor opt-out preference signals (including Global Privacy Control) where required.
19.3 Limit the Use of Sensitive Personal Information
You have the right to direct us to limit the use of Sensitive Personal Information to purposes permitted under California Civil Code § 1798.121. Because we use Sensitive Personal Information only for the purposes permitted by that section (including to provide the Services and to maintain security), no further limitation is generally required, but you may submit a request as described in Section 18.
19.4 California “Shine the Light”
We do not share Personal Information with third parties for those third parties’ direct marketing purposes within the meaning of California Civil Code § 1798.83.
19.5 Notice of Financial Incentive
We do not offer financial incentives or price or service differences in exchange for Personal Information.
19.6 “Do Not Sell or Share My Personal Information”
Because we do not sell or share Personal Information, no “Do Not Sell or Share My Personal Information” link is required. If our practices change, we will update this Privacy Policy and provide a clear opt-out mechanism.
20. Other U.S. State Privacy Rights
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Florida (where applicable thresholds are met), Montana, Iowa, Tennessee, Indiana, Delaware, New Hampshire, New Jersey, and other states with comprehensive privacy laws have the rights described in Section 18, subject to the specifics of each state’s law (including exemptions for HIPAA-regulated PHI, which is governed by HIPAA rather than state privacy law). Residents of Colorado, Connecticut, Virginia, and certain other states may appeal a denial of a rights request by replying to our response or contacting support@mykare.ai with the subject line “Appeal.” If your appeal is denied, you may contact your state attorney general.
21. European Privacy Rights (GDPR / UK GDPR)
If you are located in the EEA, UK, or Switzerland and are a Data Subject of Personal Data for which we act as Controller, you have the rights described in Section 18 as well as the right to lodge a complaint with the supervisory authority in the country of your habitual residence, place of work, or place of the alleged infringement. You may also contact our designated representative in the EU and UK, where appointed (details available on request from support@mykare.ai). Where we process Personal Data as Processor on behalf of a Customer, please contact the Customer (Controller) directly.
22. India Privacy Rights (DPDP Act)
If you are a Data Principal under the DPDP Act, you have the rights described in Section 18, including the right to access information about your Personal Data, correction and erasure, grievance redressal, and nomination. Our Grievance Officer for DPDP-related queries may be contacted at support@mykare.ai with the subject line “DPDP Grievance.” Where Mykare AI processes Personal Data as a Data Processor on behalf of a Customer (Data Fiduciary), we will direct your request to the Customer and support their response consistent with the DPDP Act.
23. Third-Party Sites and Services
The Website may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices of those third parties, and this Privacy Policy does not apply to information collected by them. You should review the privacy policies of any third-party sites or services you use.
24. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will update the “Effective as of” date at the top of this page. In the case of material changes, we will provide additional notice (such as posting a prominent notice on the Website or, for Customers, communicating directly), consistent with our contractual obligations and applicable law. A history of prior versions is available on request from support@mykare.ai.
25. Contact Us
Privacy Office:
Mykare Technologies Inc. (operating as Mykare AI)
Attn: Privacy Officer / HIPAA Privacy Officer
251 Little Falls Drive, Wilmington, New Castle County, Delaware 19808, USA
Email (all privacy, DSAR, HIPAA, and security inquiries): support@mykare.ai