Privacy Policy

SplenDoor Care

Effective Date: July 1, 2026  |  Last Updated: July 1, 2026

This Privacy Policy (the “Policy”) explains how SplenDoor In Home Care LLC (“SplenDoor,” “we,” “us,” or “our”) collects, uses, discloses, and safeguards your information when you use the SplenDoor Care mobile application (the “App”), visit our website at https://splendoorcare.com (the “Site”), access our administrative portal, or otherwise interact with our in-home care coordination services (together, the “Services”).

We take your privacy and the security of your information seriously — especially because our Services involve health-related information, and we provide those Services only in California. Please read this Policy carefully. By accessing or using the Services, you acknowledge that you have read and understood this Policy. If you do not agree with it, please do not use the Services.

Summary. We coordinate in-home care in California between clients, their family and emergency contacts, caregivers, and staff. We collect account, contact, health and care-plan, document, optional-location, and payment information, and we use it to deliver and coordinate care, process payments, secure the Services, and comply with law. We do not sell your personal information and we do not share it for cross-context behavioral advertising. We handle health information (including Protected Health Information, or “PHI”) under HIPAA and the California Confidentiality of Medical Information Act (CMIA); our PHI practices are also described in our separate Notice of Privacy Practices (NPP). We encrypt data in transit (TLS) and are implementing encryption at rest and other HIPAA-grade safeguards as we harden our infrastructure; any vendor that will handle PHI must sign a Business Associate Agreement (BAA) before it processes PHI. You can access, correct, and delete your information, including at https://api.splendoorcare.com/delete-account. The Services are offered only in the State of California.

1. About SplenDoor and This Policy

SplenDoor In Home Care LLC (“SplenDoor,” “we,” “us,” “our”) provides technology and services supporting the delivery and coordination of non-medical and health-related in-home care in the State of California. Our users include clients (care recipients), their family, emergency, and “concerning-care” contacts, caregivers, and SplenDoor administrative staff.

SplenDoor is the business responsible for the personal information described in this Policy, except where we act as a service provider or as a business associate under HIPAA. This Policy applies to the SplenDoor Care mobile application (the “App”), our website at https://splendoorcare.com (the “Site”), our administrative portal, and our related in-home care coordination services (together, the “Services”). It does not apply to third parties we do not control.

2. Health Information and HIPAA

When SplenDoor provides or coordinates in-home care and handles your health information, it does so as a HIPAA covered entity (a health care provider) under the federal Health Insurance Portability and Accountability Act (“HIPAA”) and its implementing regulations. Some of the information we handle is Protected Health Information (“PHI”) — for example your name, address, date of birth, gender, blood type, care needs and care plans, and the medical, vaccination, first-aid, and license or credential documents you or your care network provide.

We handle medical information in accordance with HIPAA and the California Confidentiality of Medical Information Act (“CMIA”), Cal. Civ. Code § 56 et seq., as well as other applicable federal and California health-privacy laws.

Our uses and disclosures of PHI are also described in our separate Notice of Privacy Practices (“NPP”), which sets out your rights regarding your PHI and how we may use and disclose it. If anything in this Privacy Policy conflicts with our NPP or with applicable health-privacy law with respect to PHI, the NPP and applicable law control.

When we engage a vendor to store or process PHI on our behalf, that vendor acts as our business associate, and we require a signed Business Associate Agreement (“BAA”) with that vendor before it processes PHI. Where HIPAA-required safeguards (for example, encrypted cloud storage and email delivery under a BAA) are still being implemented, we describe our current practices and our commitments in the How We Protect Your Information section below, and we do not represent that a safeguard is in place before it is operational.

3. Information We Collect

We collect information that you provide to us, information about a client that is provided by an authorized caregiver, family member, or staff member, information collected automatically when you use the Services, and information we receive from service providers such as our payment processor.

3.1 Information You Provide to Us

  • Account and identity information — the username you choose (login to the App is by username), your name, email address, phone number, and a password (which we store only in hashed form).
  • Profile and care-recipient details — date of birth, gender, blood type, care goals, and remarks or notes relevant to care.
  • Address information — your home address and the address and details of your emergency contact(s).
  • Emergency and “concerning-care” contacts — the name, relationship, and contact details of family members or others you designate. If you provide information about another person, you confirm that you are authorized to do so.
  • Health and care information — care needs, concerns, requested care, and care plans, together with related notes.
  • Documents and files — files you or your care team upload, which may include medical records, vaccination records, first-aid certificates, caregiver licenses or credentials, and similar sensitive documents.
  • Payment information — billing details and invoice records. Card payments are processed by our payment processor (Stripe); we do not collect or store your full payment card number (see Section 6).
  • Reviews, feedback, and communications — reviews or ratings you submit, and the content of messages you send us for support or other inquiries.

3.2 Information Collected Automatically

  • Device and usage data — device type and model, operating system and version, unique device or installation identifiers, app version, language and region settings, and how you interact with the Services.
  • Log and diagnostic data — IP address, access times, screens viewed, actions taken, and crash and performance diagnostics used to detect, prevent, and fix problems and to secure the Services.
  • Location information (optional) — if you grant permission, we may use your device location to support features such as entering or confirming a service address or coordinating care. You can enable or disable location access at any time through your device settings. Disabling it may limit certain features.
  • Cookies and similar technologies — primarily on the Site (see Section 7).

3.3 Information From Third Parties

  • Payment processor — our payment processor provides us with transaction confirmations, payment status, and limited billing details (such as the card brand and last four digits) to reconcile invoices. We do not receive your full card number.
  • Your care network — caregivers, staff, family members, or emergency contacts you are connected with may provide information about you in order to coordinate and deliver care.

3.4 Categories of Information at a Glance

The table below summarizes the categories of information we may process, to help you understand our practices and to correspond with app-store data-safety disclosures.

Category Examples Primary purposes Shared with
Identity & accountUsername, name, hashed passwordCreate and secure your accountCloud hosting provider
ContactEmail, phone, home & emergency addressCommunications, care coordinationCloud hosting; care team; email provider
Health & careDOB, gender, blood type, care needs, plans, remarksDeliver and coordinate careCloud hosting; care team
DocumentsMedical, vaccination, first-aid, license filesVerify eligibility and deliver careCloud file storage
FinancialInvoices, billing records, card metadataProcess payments; recordkeepingPayment processor (Stripe); cloud hosting
Location (optional)Device location, service addressService address entry; coordinationCloud hosting
Usage & deviceIP, device IDs, app activity, diagnosticsSecurity, reliability, supportCloud hosting; diagnostics providers

4. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide the Services — create and manage your account, coordinate and deliver in-home care, match clients with caregivers, build and maintain care plans, and manage scheduling.
  • Process payments — generate invoices, process transactions through our payment processor, and maintain financial records.
  • Communicate with you — send service-related messages, verify your email address, respond to your requests, and send administrative notices. Where required, we obtain your consent before sending marketing communications.
  • Health and safety — support care delivery and respond to emergencies, including contacting your designated emergency contacts where appropriate.
  • Secure and improve the Services — authenticate users, prevent fraud and abuse, maintain audit logs, monitor performance, debug, and develop new features.
  • Comply with law — meet our legal, regulatory, tax, accounting, and recordkeeping obligations, and enforce our terms and agreements.

We do not use your information to make solely automated decisions that produce legal or similarly significant effects about you without human involvement.

5. How We Share Your Information

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We share your information only as follows:

  • Your care team. With the caregivers, staff, and the family, emergency, and “concerning-care” contacts involved in your care, to coordinate and deliver the Services.
  • Service providers. With vendors that operate the Services on our behalf — such as cloud hosting and file storage, payment processing, and email delivery — under written contracts that limit them to using your information only to perform services for us and on our instructions. Any vendor that will handle PHI must sign a Business Associate Agreement (BAA) with us before it receives PHI.
  • Legal and safety. To comply with law, legal process, or a governmental request; to enforce our terms; to detect, prevent, or address fraud, security, or technical issues; and to protect the rights, property, or safety of our users, the public, or SplenDoor.
  • Business transfers. In connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality; we will notify you of any material change to how your information is handled.
  • With your direction or consent. When you ask us to share your information or otherwise consent.

5.1 Key Service Providers

We rely on a limited set of providers to operate the Services, including cloud hosting and storage, payment processing, and email delivery. Any provider that will store or process PHI is engaged under a Business Associate Agreement (BAA), executed before that provider receives PHI.

  • Payment processing — Stripe, Inc. processes card payments; we do not receive or store your full card number. See https://stripe.com/privacy.
  • Cloud hosting and file storage. We use a cloud infrastructure provider to host the Services and store records and uploaded documents. As part of our HIPAA-hardening program, we are migrating to BAA-backed cloud hosting and access-controlled file storage.
  • Email delivery. We use an email service to send transactional messages, such as account and service notices, and we are migrating to a BAA-backed email provider for any messages that involve PHI.

We may add or change providers over time and will maintain comparable contractual and security protections, including a BAA where the provider will handle PHI.

6. Payment Processing

Payments are processed by Stripe, Inc. When you make a payment, your card details are collected and processed directly by Stripe in accordance with the Payment Card Industry Data Security Standard (PCI-DSS). SplenDoor does not receive or store your full card number. We retain invoice and transaction records for accounting, tax, and legal purposes. Stripe processes your information in accordance with its own privacy policy, available at https://stripe.com/privacy.

7. Cookies and Similar Technologies

Our Site may use cookies and similar technologies to operate the Site, remember your preferences, maintain sessions, and understand how the Site is used. Our mobile App uses local storage and device identifiers to keep you signed in and to operate core features rather than third-party advertising cookies.

You can control cookies through your browser settings. Because there is no common industry standard for “Do Not Track” signals, our Site does not currently respond to them. Blocking some cookies may affect how the Site functions.

8. Mobile App Permissions

The App may ask your permission to access certain device features. You can grant or revoke these permissions at any time in your device settings.

  • Camera and photos / media — to upload documents, credentials, or profile images.
  • Location — optional; to support address entry and care coordination (see Section 3.2).
  • Notifications — to send you service-related alerts and reminders.

Denying a permission will not prevent you from using the App generally, but some features that rely on that permission may be unavailable.

9. Data Retention

We retain your information while your account is active and afterward only as long as necessary for the purposes described in this Policy, including legal, tax, accounting, and recordkeeping obligations, resolving disputes, and enforcing our agreements.

Medical and care records. We retain medical and care records, and the documents you provide (for example, medical, vaccination, first-aid, and license or credential records), for at least the minimum period required by applicable California and federal law, after which we securely destroy or de-identify them. We retain HIPAA-required compliance documentation for at least six (6) years as required by 45 CFR § 164.316(b)(2).

Other categories. We generally retain account identifiers for the life of the account plus up to 24 months unless a longer period is legally required; financial and invoice records for the periods required for accounting, tax, and legal purposes (generally up to 7 years); and limited security and diagnostic logs typically for up to 12 months.

When you delete your account, we deactivate it and remove or de-identify your information, except records we are required or permitted to retain (such as financial and invoice records, limited audit and security logs, and medical records we must retain under applicable law).

10. How We Protect Your Information

We use administrative, technical, and physical safeguards designed to protect your information, and we are actively hardening these safeguards as we scale our health-data infrastructure.

In place today:

  • Encryption in transit using TLS for data sent between the App or Site and our servers.
  • Access controls on a least-privilege, role-based basis, with authentication required for access to accounts and records.
  • Passwords hashed using Argon2 and never stored in plaintext.

Commitments we are implementing as part of our HIPAA-hardening program:

  • Encryption at rest for stored records and uploaded documents.
  • Private, access-controlled storage for uploaded files and documents.
  • Audit logging of access to sensitive records.
  • Business Associate Agreements (BAAs) and security requirements with any vendor that will handle PHI, executed before that vendor processes PHI.

No method of transmission or storage is 100% secure. In the event of a breach of unsecured PHI or of personal information, we will notify affected individuals — and applicable regulators — as required by law, including the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414), the California Confidentiality of Medical Information Act (CMIA, Cal. Civ. Code § 56 et seq.), and California Civil Code § 1798.82.

11. Your California Privacy Rights and Choices

SplenDoor In Home Care LLC operates only in the State of California, and the Services are available only to California residents. This section describes your rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the “CCPA”).

Notice at Collection

The table below lists the categories of personal information we collect, why we collect them, their sources, whom we disclose them to, and how long we keep them. We do not sell your personal information and we do not share it for cross-context behavioral advertising — so there is nothing to opt out of for sale or sharing. Some of the information below is Protected Health Information (PHI) or medical information governed by HIPAA and the CMIA; that information is handled under those laws (see “How health information fits in” below).

Category (CCPA) Examples Sources Business purpose Disclosed to Sold / Shared? Retention
Identifiers & account Username, name, email, phone, hashed password, device/installation IDs You; your care network; automatically Create and secure your account; authenticate you; communicate about the Services Cloud hosting/infrastructure provider; email-delivery provider No Life of account + up to 24 months, unless a longer period is legally required
Contact & emergency-contact information Home address, emergency and “concerning-care” contact names, relationships, and contact details You; your care network Coordinate and deliver in-home care; reach emergency contacts Your care team; hosting provider No Life of account, then deleted or de-identified except records we must retain
Health & care information (PHI / CMIA) DOB, gender, blood type, care needs/goals/concerns, care plans, care notes You; your care network Deliver and coordinate care; health and safety Your care team; PHI-handling providers under written data-protection terms No Per HIPAA/CMIA and our record-keeping obligations
Documents & files (PHI / CMIA) Medical, vaccination, first-aid, and caregiver license/credential documents You; caregivers Verify eligibility/credentials; deliver care File-storage provider; your care team No Per HIPAA/CMIA and legal record-keeping requirements
Financial / commercial Billing and invoice records; card brand + last four (full card number processed by Stripe, not stored by us) You; Stripe Process payments; maintain accounting/tax records Stripe (payment processor) No Retained for accounting/tax/legal periods (generally up to 7 years)
Precise geolocation (optional, sensitive) Device location, only if you enable the permission You (device) Address entry/confirmation and care coordination Hosting provider No Not retained beyond the purpose; controllable in device settings
Internet/device & usage activity Device type/OS, app version, IP, access times, screens/actions, crash/diagnostic data Automatically Secure, operate, debug, and improve the Services Hosting/diagnostics providers No Log-dependent; typically up to 12 months
Audio/visual Photos/documents you upload; profile images You Store your documents and profile image File-storage provider No Life of account, then deleted or de-identified

Sensitive personal information. We collect the following sensitive personal information: health/medical information, and precise geolocation (only if you enable it). We use sensitive personal information only to perform the Services you request and for related purposes that are exempt from the “right to limit” under Cal. Civ. Code § 1798.121(d) and 11 CCR § 7027(m) (for example, providing the service you asked for, ensuring security and integrity, and complying with law). We do not use or disclose sensitive personal information to infer characteristics about you or for any purpose that would give rise to the right to limit, so we do not offer a separate “Limit the Use of My Sensitive Personal Information” control.

How health information fits in

Much of what we handle is Protected Health Information (PHI) or medical information governed by HIPAA and the CMIA (Cal. Civ. Code § 56 et seq.). Under Cal. Civ. Code § 1798.145(c), PHI handled under HIPAA and medical information handled under CMIA are exempt from the CCPA — but you are not left without rights. That information is protected under HIPAA and CMIA, which give you separate rights (including to access your medical information, request corrections or amendments, receive an accounting of certain disclosures, and have it kept confidential), described in our Notice of Privacy Practices. The CCPA rights below apply to the personal information we hold that is not exempt — such as your account identifiers, device and usage data, and billing records.

Your CCPA rights

Subject to the exemptions above, you have the right to:

  • Know / Access — request the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties to whom we disclose it, and to receive a copy in a portable format.
  • Delete — request deletion of personal information we collected from you, subject to legal exceptions (for example, information we must keep for tax, accounting, security, or legal-compliance reasons).
  • Correct — request correction of inaccurate personal information.
  • Opt out of sale or sharing — we do not sell your personal information and we do not share it for cross-context behavioral advertising, so there is nothing to opt out of. If this ever changes, we will update this policy and provide a “Do Not Sell or Share My Personal Information” link first. Because we do not sell or share personal information, we do not act on opt-out preference signals such as the Global Privacy Control (GPC).
  • Limit the use of sensitive personal information — we use sensitive personal information only for purposes that are exempt from the right to limit (see the Notice at Collection above), so no separate limit control is needed.
  • Non-discrimination — we will not deny you services, charge you a different price, or provide a different level of service because you exercised any of these rights.

California minors

We do not sell or share personal information, and we do not knowingly sell or share the personal information of consumers under 16 years of age. Where a care recipient is a minor, their information is provided and managed by a parent, guardian, or authorized adult.

How to submit a request (at least two methods)

You may exercise your rights by:

Verification. To protect your information, we will take reasonable steps to verify your identity before responding — usually by confirming that you control the account or the email/username associated with it. For deletion or access of sensitive information we may ask for additional confirmation.

Authorized agents. You may use an authorized agent to submit a request. We will ask the agent for written permission that you signed authorizing them to act for you (for example, a signed authorization or power of attorney), and we may still contact you directly to confirm the request.

Our response. We will confirm receipt of your request within 10 business days and respond within 45 days. If we need more time, we may extend by up to another 45 days (90 days total) and will tell you why. There is no charge unless a request is excessive or repetitive.

For any question about your rights, contact us using the details in Section 17.

12. Deleting Your Account

You can delete your account and request deletion of your associated personal data at any time:

When you delete your account, we deactivate it and remove or de-identify your personal data, except limited records we are required or permitted to retain (for example, financial and invoice records for tax and accounting, limited security or audit logs, and medical records we must retain under applicable law), as described in Section 9. Health information is retained only as long as required by applicable law and our agreements.

13. Geographic Scope of Our Services

We provide the Services only in California. SplenDoor In Home Care LLC is based in the United States, and the Services are offered solely to individuals located in the State of California, USA. Our in-home care model requires caregivers to physically visit clients’ homes in California, and the Services are not available to, or directed at, anyone located outside California.

  • Where your data is processed. We and our service providers store and process your information in the United States. By using the Services, you understand that your information will be handled in the U.S. under U.S. and California law.
  • No EEA/UK/EU offering. We do not offer the Services to, and do not monitor the behavior of, individuals in the European Economic Area, the United Kingdom, or the European Union. If you are located outside California, please do not use the Services or submit personal information to us.

Questions about where your data is handled? Contact us using the details in Section 17.

14. Children’s Privacy

The Services are not directed to children under the age of 13, and we do not knowingly collect personal information from children for their own use without appropriate consent. Where a care recipient is a minor, their information is provided and managed by a parent, guardian, or other authorized adult in connection with the care being coordinated. If you believe a child has provided us with personal information without proper authorization, please contact us and we will take appropriate steps to delete it.

15. Third-Party Links and Services

The Services may contain links to, or integrate with, third-party websites and services (such as our payment processor). This Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third party before providing your information.

16. Changes to This Privacy Policy

We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes, we will update the “Last Updated” date above and, where appropriate, provide additional notice through the App, the Site, or by email. Your continued use of the Services after an update becomes effective constitutes your acknowledgment of the revised Policy.

17. Contact Us

If you have questions about this Privacy Policy or how we handle your information, or if you wish to exercise your privacy rights, contact us:

info@splendoorcare.com is our single point of contact for privacy requests; we do not maintain a separate privacy inbox. We will respond within a reasonable time and within any timeframe required by applicable law (see Section 11).