Privacy Policy
Effective Date: June 25, 2026
CASELOGS PRIVACY POLICY
Last Updated: June 25, 2026
This Privacy Policy explains how ArqaOne LLC. ("CaseLogs," "we," "us," or "our") collects, uses, discloses, and protects information in connection with our case management platform (the "Service"). It applies to organization administrators, authorized staff users, and any other individuals who interact with the Service.
IMPORTANT: The Service is used by HCBS case management organizations to manage records relating to their clients. Those clients are patients or individuals whose health information is Protected Health Information (PHI) under HIPAA. If you are such an individual and have questions about how your information is handled, please contact the case management organization that serves you directly.
─────────────────────────────────────────
1. INFORMATION WE COLLECT
1.1 Organization and Account Information
When an organization registers for the Service, we collect the organization's name, address, phone number, fax number, website, National Provider Identifier (NPI), Tax ID (EIN), agency type, MN DHS license number, and the name and email address of the registering user. This information is used to configure your account, process billing, and communicate with you.
1.2 User Information
For each authorized staff member, we collect their name, email address (via Google Workspace OAuth), assigned role, phone number, and individual NPI/UMPI if provided. We do not collect or store Google account passwords.
1.3 Client Data and Protected Health Information (PHI)
Case management organizations use the Service to store and manage information about their clients, which may include names, dates of birth, PMI numbers, addresses, phone numbers, email addresses, counties, waiver program enrollments, case notes, service agreements, service codes, uploaded documents, tasks, and milestone records.
This information constitutes Protected Health Information under HIPAA. CaseLogs processes this information as a Business Associate under its executed Business Associate Agreement (BAA) with each Covered Entity customer. All PHI handling is governed by the BAA and applicable HIPAA regulations.
1.4 Usage and Technical Data
We automatically collect certain technical information when you use the Service, including IP addresses, browser type and version, operating system, pages visited, session duration, and feature usage patterns. This information is used to operate, maintain, and improve the Service and does not include PHI.
1.5 Audit Log Data
The Service automatically records an audit trail of actions taken by users, including records accessed, created, updated, or deleted, along with timestamps, user identifiers, and IP addresses. Audit logs are maintained for HIPAA compliance and security purposes.
1.6 Billing Information
Payment processing is handled entirely by Stripe, Inc. CaseLogs does not store full credit card numbers or payment card data. We receive and retain subscription metadata from Stripe, including plan type, billing status, and transaction identifiers.
─────────────────────────────────────────
2. HOW WE USE INFORMATION
2.1 To Provide the Service. We use the information we collect to create and manage organization accounts, authenticate users, store and retrieve client records, process documents, generate audit logs, and deliver all platform features.
2.2 To Process Payments. We use billing information to manage subscriptions, process charges, handle plan changes, and communicate billing-related notifications through Stripe.
2.3 To Communicate With You. We use your email address to send account-related notifications, product updates, security alerts, and customer support communications. You may opt out of non-essential communications at any time.
2.4 To Improve the Service. We use aggregated, de-identified usage data to analyze how the Service is used, identify performance issues, prioritize product improvements, and develop new features. We never use PHI for these purposes.
2.5 For Safety and Security. We use technical and audit data to detect fraud, investigate security incidents, enforce our Terms of Use, and protect the rights and safety of our customers and third parties.
2.6 For Legal Compliance. We may process your information to comply with applicable laws, respond to lawful legal process, fulfill our HIPAA obligations as a Business Associate, and resolve disputes.
─────────────────────────────────────────
3. HOW WE SHARE INFORMATION
We do not sell, rent, or trade your information or PHI to third parties for marketing purposes. We share information only as described below.
3.1 Subprocessors and Service Providers
We engage third-party vendors who process data on our behalf under appropriate contractual obligations, including data processing agreements and, where applicable, Business Associate Agreements:
• Amazon Web Services (AWS S3) — encrypted cloud storage for uploaded documents and files. PHI stored in S3 is encrypted using AES-256 server-side encryption.
• Stripe, Inc. — payment processing and subscription management. Stripe is PCI DSS Level 1 certified.
• Resend — transactional email delivery for account notifications and invitation emails. Email content does not include PHI.
• Google LLC — identity provider via Google Workspace OAuth for user authentication.
• Slack Technologies (optional) — webhook-based notification delivery when configured by the organization owner. Organizations choose what notifications are sent to Slack. We recommend that Slack notifications not include PHI.
3.2 Within Your Organization
Information you input is accessible to authorized users within your organization based on their assigned role and permissions. Owners and Supervisors have broader access than Case Managers and Auditors. CaseLogs enforces role-based access controls at the application level.
3.3 Legal Requirements
We may disclose information if required by law, court order, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our legal rights, prevent fraud, or protect the safety of any person.
3.4 Business Transfers
If CaseLogs undergoes a merger, acquisition, or sale of all or substantially all of its assets, your information may be transferred to the successor entity, subject to the same privacy commitments in this Policy and applicable law. We will notify you prior to any such transfer.
3.5 With Your Consent
We may share information for other purposes with your explicit consent.
─────────────────────────────────────────
4. PROTECTED HEALTH INFORMATION
4.1 CaseLogs operates as a Business Associate under HIPAA for each customer that is a Covered Entity. Our handling of PHI is governed by the executed BAA between CaseLogs and your organization.
4.2 We access, process, and store PHI only as directed by your organization and as necessary to provide the Service. We do not use PHI for marketing, advertising, or any purpose beyond service delivery and as permitted by the BAA.
4.3 Each organization's data is logically isolated in a multi-tenant architecture. Technical controls prevent one organization's data from being accessible to another.
4.4 In the event of a data breach affecting PHI, we will notify affected Covered Entity customers in accordance with the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D) and the terms of the BAA.
─────────────────────────────────────────
5. DATA SECURITY
5.1 CaseLogs employs industry-standard security measures designed to protect the confidentiality, integrity, and availability of your data, including:
• Encryption in transit using TLS 1.2 or higher for all data transmitted between your browser and our servers.
• Encryption at rest using AES-256 for all documents and files stored in AWS S3.
• Role-based access controls limiting data access to authorized users based on their assigned role.
• Comprehensive audit logging of all PHI access, creation, modification, and deletion events, with immutable records retained for compliance purposes.
• Secure authentication through Google Workspace OAuth, eliminating the storage of plaintext passwords.
• Routine monitoring for unauthorized access attempts and security anomalies.
5.2 While we implement robust security measures, no system is completely secure. You are responsible for maintaining the security of your Google Workspace accounts and notifying us promptly of any suspected security incident.
─────────────────────────────────────────
6. DATA RETENTION
6.1 We retain your organization's data for the duration of your active subscription and for sixty (60) days following termination or cancellation, during which you may request a data export.
6.2 After the sixty (60)-day post-termination retention window, your data is deleted from our production systems. Audit logs may be retained for up to seven (7) years to satisfy HIPAA documentation requirements, unless a shorter period applies to specific records.
6.3 We may retain certain non-PHI data (billing records, account information) for longer periods as required by law, for tax and accounting purposes, or to enforce our agreements.
─────────────────────────────────────────
7. YOUR RIGHTS AND CHOICES
7.1 Access and Correction. Authorized administrators may access, update, or correct organization and user profile information directly within the Service. Contact support@caselogs.io for assistance.
7.2 Data Export. You may request an export of your organization's data at any time by contacting us. We will provide a machine-readable export within thirty (30) days.
7.3 Account Deletion. You may request deletion of your organization's account and all associated data by contacting us. Deletion requests are processed within sixty (60) days, subject to any applicable legal retention requirements.
7.4 Client PHI Rights. Rights of individual clients to access, amend, or receive an accounting of disclosures of their PHI are the responsibility of your organization as the Covered Entity. CaseLogs will assist in fulfilling these requests as required by the BAA.
7.5 Communication Preferences. You may opt out of non-essential marketing and product emails by clicking "unsubscribe" in any such email or contacting privacy@caselogs.io.
─────────────────────────────────────────
8. COOKIES AND TRACKING
8.1 The Service uses session cookies to maintain your authenticated login state. These cookies are essential to the operation of the Service and are deleted when you sign out or when your session expires.
8.2 We do not use third-party advertising cookies, tracking pixels, or behavioral analytics tools that share data with advertisers.
8.3 We may use first-party analytics to understand aggregate usage patterns and improve performance. Such analytics are de-identified and do not include PHI.
─────────────────────────────────────────
9. CHILDREN'S PRIVACY
The Service is not directed to individuals under the age of 18 acting in their own capacity. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected such information, we will delete it promptly.
Note: The Service may store records of minor clients (individuals under 18 enrolled in waiver programs). Such records are managed by case management organizations as Covered Entities and are subject to HIPAA and the BAA.
─────────────────────────────────────────
10. MINNESOTA-SPECIFIC RIGHTS
10.1 Minnesota residents may have additional rights under the Minnesota Government Data Practices Act (Minn. Stat. Chapter 13) to the extent applicable. Contact privacy@caselogs.io to submit a request.
10.2 CaseLogs complies with all applicable Minnesota Health Records Act (Minn. Stat. §144.291 et seq.) requirements to the extent we qualify as a health care provider or entity holding health records.
─────────────────────────────────────────
11. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a prominent in-app notice at least fourteen (14) days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
─────────────────────────────────────────
12. CONTACT US
For questions, requests, or concerns about this Privacy Policy or our data practices:
ArqaOne LLC.
Privacy: privacy@caselogs.io
General: support@caselogs.io