AI Data Use Disclosure & User Consent
Last updated: March 13 2026
The AI Data Use Disclosure & User Consent, User Terms, Privacy Policy, Data Processing Agreement, User Consent Policy, Records and Data Erasure Policy, and User Consent Agreement Policy describe how Caire (“we,” “our,” or “us”) collects and uses information when you use the Caire mobile application and related services, and how users grant consent to use the app’s services including AI processing.
____________________________________________________________________
1. What Data the App Collects
The app collects voice data when used for voice check-ins, questions the user asks the app as basic text inputs, images that the user may choose to upload, approximate geolocation data when the user has enabled location access for the application, Apple ID login information used for account authentication and user identification, and the user’s device identifier. The app collects a user’s electronic signature when the user consents to the use of the app and agrees to the applicable terms and policies, including the AI Data Use Disclosure & User Consent, User Terms, Privacy Policy, Data Processing Agreement, User Consent Policy, Records and Data Erasure Policy, and User Consent Agreement Policy referenced herein.
The app does not intentionally collect additional medical records, sensitive health records, or additional device information beyond what is required to operate the Service
2. How We Collect the Data
Data is collected directly from the user when they interact with the application. Users authenticate through Apple ID sign-in and provide consent to the applicable policies during account setup.
Voice inputs are collected through the device microphone when the user chooses to use voice functionality. Text inputs are collected when the user submits messages within the application interface.
E-signatures are collected during onboarding through the in-app consent process.
3. What Data Will Be Sent
User inputs required to operate the Service may be transmitted to secure infrastructure used to process and operate application features. Voice inputs, text prompts, and related interaction data may be transmitted to infrastructure hosted by Amazon Web Services (AWS) including AWS S3 and AWS EC2.
Certain text inputs or processed voice interactions may also be transmitted to artificial intelligence services provided by OpenAI in order to generate application responses.
Where voice synthesis is required to provide audio responses to users, ElevenLabs may be used to generate synthetic voice output, but no data is sent.
E-signature data is sent to Amazon Web Services (AWS) for storage and can be erased per the erasure terms below.
4. Who the Data Is Sent To
Data used to operate the Service may be transmitted to the following infrastructure providers:
• Amazon Web Services (AWS) — cloud infrastructure used to host application systems and store application data
• OpenAI — artificial intelligence infrastructure used to generate conversational responses within the application
• ElevenLabs — voice rendering infrastructure used to apply accents or voice characteristics to generated responses. ElevenLabs does not receive or process user personal data.
5. All Uses of the Data
Data collected through the application is used solely for the purpose of operating, maintaining, and improving the Service.
This includes processing user inputs, generating AI responses, maintaining system functionality, supporting user authentication, monitoring system reliability, and improving application performance.
Data collected through the Service is not sold, licensed, or used for advertising marketplaces.
Electronic signatures are used to confirm the user’s consent to the use of the app and agreement to its Privacy Policy, Terms of Service, and AI data processing practices.
6. User Permission Before Sharing Data
Before any personal data is transmitted for AI processing or third-party infrastructure services, the user must provide explicit consent through the application interface by accepting the applicable policies and confirming their agreement through the in-app consent process.
Users give permission before any data is shared through an electronic signature during onboarding, where the user consents to the use of the app and agrees to the applicable terms and policies, including the AI Data Use Disclosure & User Consent, User Terms, Privacy Policy, Data Processing Agreement, User Consent Policy, Records and Data Erasure Policy, and User Consent Agreement Policy referenced herein. This permission is required immediately after download and before the user is able to access or use the app.
7. Third-Party Protection Standards
Third-party infrastructure providers used to support the operation of the Service are required to maintain security protections consistent with industry-standard cloud infrastructure and data protection practices.
These providers maintain security, encryption, and access control protections designed to safeguard data processed through their systems.
Third-party protection standards are outlined in the applicable sections below.
8. Explanation of What Data Is Sent
Data transmitted to third-party services may include:
• user text prompts
• processed voice inputs converted to text
• system interaction data required to generate AI responses
• limited operational metadata necessary to deliver application functionality
This data is transmitted only for the purpose of generating responses or operating application functionality.
9. Identification of Third-Party Recipients
Data may be transmitted to the infrastructure providers identified above, including Amazon Web Services (AWS) and OpenAI, solely for the purposes required to operate application functionality. ElevenLabs may be used to render voice accents but does not receive or process personal user data.
Where data is processed through third-party infrastructure providers:
• AWS infrastructure (S3 / EC2) may retain operational storage and system logs for 24–48 hours during erasure processing, with certain system logs taking up to 72 hours to be removed as part of infrastructure lifecycle management.
• OpenAI service logs may retain processing records for up to 30 days for abuse monitoring and system integrity purposes, after which the data is removed according to OpenAI infrastructure policies.
10. How Caire Defines Personal Data
“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”), as defined under applicable privacy laws including the General Data Protection Regulation (GDPR).
Within this policy, the terms “Personal Data” and “Data” may be used interchangeably to refer only to the categories of information described in the section “AI Data Use Disclosure & User Consent.” These terms are used for consistency with international privacy frameworks and do not imply that the Service collects additional personally identifiable information beyond what is explicitly described in that section.
Under GDPR, Personal Data may include information that can identify an individual directly or indirectly, such as names, identification numbers, location data, device identifiers, electronic signatures, or online identifiers. Caire AI Inc. collects only the specific data categories described in the section “AI Data Use Disclosure & User Consent.”
If additional categories of data are introduced in the future, the “AI Data Use Disclosure & User Consent” section will be updated accordingly.
This definition is also provided in the Terms and Definitions below.
11. User Permission for Third-Party AI Processing
The application requires the user to provide explicit consent before any personal data is transmitted to third-party AI services.
By accepting the in-app consent request and continuing to use the Service, the user authorizes the application to process their inputs using the third-party AI infrastructure described above.
Users may erase their account and request erasure of their personal data at any time through the application. Upon erasure, data is immediately removed from Caire AI Inc. systems and subsequently removed from third-party infrastructure according to the processing timelines described above.
Users give permission before any third-party AI processing through an electronic signature during onboarding, where the user consents to the use of the app and agrees to the applicable terms and policies, including the AI Data Use Disclosure & User Consent, User Terms, Privacy Policy, Data Processing Agreement, User Consent Policy, Records and Data Erasure Policy, and User Consent Agreement Policy referenced herein. This permission is required immediately after download and before the user is able to access or use the app.
User Terms, Privacy Policy, and Data Processing Agreement
Last updated: March 13 2026
This User Terms, Privacy Policy, and Data Processing Agreement policy describes how Caire (“we,” “our,” or “us”) collects and uses information when you use the Caire mobile application and related services.
____________________________________________________________________
This document constitutes the complete User Terms and Conditions, Privacy Policy, and Data Processing Agreement governing the use of the Caire AI Inc. platform, applications, services, and related infrastructure (collectively, the “Service”).
By accessing, using, registering for, or otherwise interacting with the Service, the user acknowledges and agrees that they have read, understood, and consent to the terms, conditions, policies, and data processing practices described in this document.
User consent may be provided through actions including, but not limited to:
• Creating an account
• Registering for or accessing the Service
• Accepting or signing this agreement where presented
• Continuing to use the Service after being presented with these terms
By providing such consent, the user agrees that:
• The terms and conditions contained within this document constitute the binding Terms and Conditions governing use of the Service.
• The provisions contained within this document constitute the Privacy Policy governing the collection, use, storage, and protection of personal data.
• The provisions contained within this document constitute the Data Processing Agreement governing the processing of personal data in connection with the Service.
By consenting to this agreement, the user acknowledges that they have had the opportunity to review the entirety of this document, including all policies, standards, provisions, and governance practices described herein.
The user further acknowledges and agrees that personal data may be collected, processed, stored, transmitted, or otherwise handled in accordance with the provisions described in this document and applicable law.
By consenting to this agreement, the user confirms that their consent is informed and voluntary and that they agree to the processing of personal data as described herein.
Failure by a user to read or review this document does not invalidate the user’s acceptance of these terms where consent has been provided through the use of the Service or through acceptance of this agreement.
Caire AI Inc., its affiliates, service providers, infrastructure providers, and authorized third-party partners involved in the operation, hosting, or delivery of the Service shall not be held liable for a user’s failure to read, review, or understand the terms, conditions, policies, or provisions contained within this document.
Use of the Service constitutes acceptance of this agreement in its entirety.
Included Policies and Sections
____________________________________________________________________
This document constitutes the complete User Terms and Conditions, Privacy Policy, and Data Processing Agreement governing the use of the Caire AI Inc. platform, applications, and services. By accessing, using, or accepting this agreement, the user acknowledges and agrees to the terms, conditions, and data processing practices described herein.
User Terms, Privacy Policy, and Data Processing Agreement
Contact, Requests & Escalation Paths
Terms & Definitions
Privacy Policy
Data Use & Processing
Consent & User Authorization
Data Retention, Erasure & Storage
Data Infrastructure & Hosting
Third Parties & Processing Logs
Compliance & Oversight / Security
User Consent, Records, and Data Erasure
Account Erasure and Data Removal
User Consent Agreement
Contact, Requests & Escalation Paths
____________________________________________________________________
Contact, Requests & Escalation Paths
Caire AI Inc. provides designated contact channels to address inquiries related to privacy, legal matters, user support, and requests concerning personal data. Users may contact the appropriate department using the email addresses below. Response times may vary depending on the nature and complexity of the request.
Data Protection and Privacy Inquiries
DPO@hellocaire.com – Contact the Data Protection Officer for questions or inquiries related to data privacy, user safety, risk mitigation, or other critical data protection matters.
Service Level Objective (SLA): 24–48 business hours.
Legal Inquiries
Legal@hellocaire.com – For legal matters, contractual questions, regulatory inquiries, or formal communications directed to the legal team.
Service Level Objective (SLA): 3–5 business days.
Data Access and Consent Record Requests
DataRequest@hellocaire.com – For requests related to copies of historical consent records, data access requests, or documentation associated with prior user consent.
Service Level Objective (SLA): 14 business days.
General Support and Inquiries
contact@hellocaire.com – For general support requests, platform questions, or other inquiries not covered by the above contact categories.
Service Level Objective (SLA): 3–5 business days.
Terms and Definitions
____________________________________________________________________
Service
The Caire AI Inc. platform, applications, software, infrastructure, and related systems provided or operated by Caire AI Inc., including all associated features, interfaces, APIs, and functionality made available to users.
User Consent
The explicit and informed agreement provided by a user confirming acceptance of the User Terms and Conditions, Privacy Policy, and Data Processing Agreement governing use of the Service. User Consent is obtained at the time of account creation or initial access to the Service through the consent mechanisms presented within the application, which may include electronic signature, or other affirmative acceptance methods. By providing such consent, the user acknowledges that all subsequent use of the Service, features, functions, and interactions within the application occurs pursuant to and in accordance with the terms of this agreement. Use of the Service following such acceptance constitutes continuing consent to the provisions contained herein.
Controller (Data Controller)
The natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of the processing of Data. Under applicable global privacy frameworks including GDPR and relevant United States privacy laws, the Controller is responsible for ensuring that Data is processed lawfully, transparently, and in accordance with applicable regulatory and ethical standards.
Data Breach (Personal Data, GDPR)
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted in accordance with GDPR and Data of any kind in accordance with standard best practice, stored, or otherwise processed. This includes breaches resulting from both accidental and deliberate causes and may include cybersecurity incidents, system compromise, unauthorized access, or disclosure events affecting Personal Data per GDPR.
Data Processing Agreement (DPA)
The data processing provisions contained within these Terms and Conditions constitute the Data Processing Agreement governing the processing of Data between the parties. By accepting these Terms and Conditions herein (e.g. “User Terms and Conditions, Privacy Policy, and Data Processing Agreement”, the parties agree to the responsibilities, safeguards, and obligations related to the processing of Data as described herein.
Best-in-Class Data Protection by Design and by Default
A governance and engineering approach in which privacy, security, transparency, and responsible data practices are incorporated into the design, development, and operation of systems, services, products, and business processes from the outset and throughout their lifecycle. This principle aligns with GDPR requirements and internationally recognized responsible technology standards including OECD AI Principles.
Data Protection Impact Assessment (DPIA)
A structured assessment process used to evaluate the potential risks associated with the processing of Data, particularly where new technologies or high-risk processing activities are involved. A DPIA helps organizations identify, assess, and mitigate potential risks to individuals’ rights and freedoms, including privacy, security, fairness, and potential societal impacts associated with automated systems or data processing activities.
Data Protection Officer (DPO)
A designated individual or entity responsible for advising the organization on its data protection obligations and monitoring compliance with applicable privacy laws, regulatory requirements, and internal policies governing Data processing. The DPO may also act as a point of contact for supervisory authorities and individuals regarding privacy matters where required by law.
Data Subject (Individual)
An identified or identifiable natural person whose Personal Data is processed. A Data Subject may be directly or indirectly identifiable through identifiers such as name, identification number, online identifier, location data, device identifiers, or other attributes associated with their identity.
Personal Data
“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”), as defined under applicable privacy laws including the General Data Protection Regulation (GDPR).
Within this policy, the terms “Personal Data” and “Data” may be used interchangeably to refer only to the categories of information described in the section “AI Data Use Disclosure & User Consent.” These terms are used for consistency with international privacy frameworks and do not imply that the Service collects additional personally identifiable information beyond what is explicitly described in that section.
Under GDPR, Personal Data may include information that can identify an individual directly or indirectly, such as names, identification numbers, location data, device identifiers, or online identifiers. Caire AI Inc. collects only the specific data categories described in the section “AI Data Use Disclosure & User Consent.”
If additional categories of data are introduced in the future, the “AI Data Use Disclosure & User Consent” section will be updated accordingly.
Processing (Processing Operation)
Any operation or set of operations performed on Personal Data, whether by automated or manual means. Processing may include collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, anonymization, erasure, or destruction of Personal Data.
Processor (Data Processor)
A natural or legal person, public authority, agency, or other body that processes Personal Data on behalf of a Controller. The Processor acts only on documented instructions from the Controller and must implement appropriate technical and organizational safeguards to protect Personal Data during processing.
Record of Processing Activities (RoPA)
A documented inventory of an organization’s Personal Data processing activities. A RoPA provides a structured overview of the categories of data processed, the purposes of processing, data recipients, security safeguards, and other relevant information required to demonstrate compliance with applicable privacy regulations and governance standards.
Service Provider
Any supplier, contractor, partner, or external organization that processes Personal Data or provides services on behalf of a Controller or Processor. Service Providers may include infrastructure providers, software vendors, analytics providers, or operational partners supporting the delivery of services.
Standard Contractual Clauses
Model contractual provisions designed to provide appropriate safeguards for international transfers of Personal Data across jurisdictions. SCCs are used to ensure that Personal Data transferred from regions with strict privacy protections, such as the European Union, receives an adequate level of protection in the destination country.
Sub-processor
A third-party processor engaged by a Processor to carry out specific processing activities on behalf of the Controller. Sub-processors must adhere to the same data protection obligations imposed on the original Processor and may only be engaged with appropriate authorization and contractual safeguards.
Artificial Intelligence System (AI System)
A machine-based system designed to generate outputs such as predictions, recommendations, classifications, or decisions that influence environments or outcomes. AI systems may operate with varying levels of autonomy and may process Personal Data as part of their operation. AI systems are expected to operate in accordance with applicable laws and internationally recognized responsible AI principles, including transparency, accountability, safety, and human oversight as outlined in frameworks such as the OECD AI Principles.
Automated Decision-Making
Decision-making processes carried out by automated systems, including algorithms or AI systems, without meaningful human intervention. Such systems may analyze Personal Data to produce outcomes that affect individuals, including recommendations, predictions, or classifications. Applicable privacy regulations may provide individuals with rights related to such decisions.
Anonymization
The process of irreversibly removing identifying information from Personal Data such that an individual can no longer be identified directly or indirectly. Once data is properly anonymized, it is no longer considered Personal Data under many data protection frameworks.
Pseudonymization
The processing of Personal Data in such a way that the data can no longer be attributed to a specific Data Subject without the use of additional information. The additional information required to re-identify the individual is stored separately and protected through appropriate technical and organizational safeguards.
Privacy Policy
____________________________________________________________________
Processing of User Data
Caire AI Inc. processes data outlined in “AI Data Use Disclosure & User Consent” in connection with a user’s access to and use of the Caire AI mobile application and related services (the “Service”). This data is processed in accordance with applicable global data protection laws and frameworks, including the General Data Protection Regulation (GDPR), applicable United States privacy regulations, and internationally recognized responsible AI and data governance principles such as the OECD AI Principles.
Data is processed only to the extent necessary to operate, provide, maintain, secure, and improve the functionality of the Service. Processing activities may include operating application features, maintaining system security, supporting user accounts, improving platform performance, and enabling AI-powered functionality within the application.
Caire AI Inc. does not sell user data. Data is processed solely for purposes directly related to the operation and improvement of the Service.
Definition of Data
“Data” means any information relating to an identified or identifiable natural person. This includes any data that directly or indirectly identifies an individual, including identifiers, usage data, behavioral information, or other data processed by Caire AI Inc. in connection with the provision of services through its platform, applications, APIs, or infrastructure. “Data” may be used interchangeably with “Personal Data” as defined in the Personal Data definition below and in the AI Data Use Disclosure & User Consent.
Support for Data Subject Rights
Caire AI Inc. supports and facilitates the rights of individuals with respect to their data in accordance with applicable global privacy frameworks, including GDPR and relevant United States privacy laws. These rights may include the right to access, correct, erase, restrict processing of, or obtain a copy of data, as well as the right to withdraw consent where applicable. Caire AI Inc. maintains internal procedures designed to enable timely responses to verified requests from individuals regarding the processing of their data.
Requests from Data Subjects or Authorities
If a data subject, regulatory authority, or third party submits a request relating to the processing of data governed by this policy or any applicable data processing agreement, Caire AI Inc. will respond in accordance with applicable law and regulatory obligations. Where required, such requests may be referred to the relevant data controller or handled through established internal processes designed to ensure compliance with applicable privacy and regulatory requirements.
Anonymization and Pseudonymization
Where appropriate, data may be anonymized or pseudonymized for purposes such as internal analytics, system improvement, security monitoring, or aggregated reporting. Access to data is restricted to authenticated systems and authorized personnel with legitimate operational responsibilities. Users may access only data associated with their own accounts through authenticated systems. Data may be returned to the user upon verified request and may be erased upon verified request in accordance with applicable data erasure procedures and legal retention requirements. Caire AI Inc. does not collect PII, outside of the authenticated SSO user account email used to sign in via Apple, which is erased in accordance with Caire’s erasure policies.
Electronic Data Transfer and Secure Transmission
All data transmitted through the Caire platform is transferred using industry-standard encryption protocols, including HTTPS and TLS. The platform infrastructure is designed to require encrypted connections for all communication with web portals, APIs, and service endpoints. Unencrypted connections are automatically denied by system design. Access to data requires valid authentication credentials and appropriate authorization permissions based on role and system access controls.
Secure Disposal and Data Retention
Data is retained only for as long as necessary to fulfill the purposes for which it was collected, to comply with legal obligations, or to maintain platform functionality. Personal data may be permanently erased upon verified request by the user or when a regulatory or contractual retention period expires. erasure procedures remove personal data from active databases and applicable backup systems in accordance with the platform’s data retention and erasure policies.
Secure Disposal or Subsequent Use of Data Media / Secure erasure of Documents
Documents, files, and stored data associated with user accounts may be erased upon verified request by the user or when a data retention period expires in accordance with applicable legal or operational requirements.
When personal data is erased, it is removed from active systems and applicable storage environments, including but not limited to:
• Active AWS RDS databases used to operate application services
• S3 storage used for secure data storage and system backups
Where technically feasible, users may request a copy of their personal data before erasure. Data transfers provided to users are transmitted using secure encrypted transmission mechanisms.
Electronic Data Transfer and Infrastructure Controls
Caire AI Inc. maintains controlled systems governing where and how data transfers may occur within the platform infrastructure. Access to internal systems and repositories is restricted through role-based permissions and authenticated accounts managed by Caire AI Inc.
Examples of infrastructure controls include:
• Access-controlled shared storage environments with role-based permissions
• Controlled software repositories accessible only through company-managed accounts
• Encryption for all personal data transmitted through web services and APIs
• Storage of personal data within secured AWS RDS environments
Production infrastructure environments may only be accessed by authorized Caire AI Inc. personnel with appropriate credentials. Administrative access to production data is granted only on a role-based and need-to-know basis and may be revoked at any time.
All platform requests to web portals, APIs, or other Caire-controlled endpoints must be made over encrypted HTTPS connections. Personal data may only be accessed or modified with valid authentication credentials and appropriate authorization permissions.
Where personal data is communicated to users electronically, it will only be sent to verified contact information associated with the user’s account.
Anonymization and Use of Aggregated Data
Caire AI Inc. may use anonymized or aggregated data for internal analytics, system improvement, security monitoring, and operational reporting. Users accessing the platform may only view personal data associated with their own accounts. The platform does not maintain separate storage of anonymized datasets that can be re-linked to identifiable users.
Where requested and where permitted under applicable law, users may request a copy of their personal data or request erasure of their data through established verification procedures.
Security of Processing
Caire AI Inc. implements appropriate technical and organizational measures designed to ensure the confidentiality, integrity, and availability of personal data processed through the platform. These measures are designed to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Security measures include but are not limited to:
• Encryption of data in transit using industry-standard protocols
• Role-based access controls and authenticated system access
• Monitoring and logging of administrative access
• Secure infrastructure environments and restricted production access
• Periodic security reviews of platform infrastructure and data handling procedures
Confidentiality of Personnel
Caire AI Inc. ensures that personnel with authorized access to personal data are subject to appropriate confidentiality obligations.
Personnel who are granted administrative or operational access to systems processing personal data:
• Are bound by confidentiality agreements or contractual obligations
• Receive appropriate access based on operational need and role-based permissions
• Are required to comply with internal security and data protection policies
• May have access privileges modified or revoked at any time where operational requirements change
International Data Transfers
Where personal data is transferred across jurisdictions, Caire AI Inc. implements appropriate safeguards designed to ensure that such transfers comply with applicable data protection laws and recognized international data protection standards.
Where required, data transfers may rely on mechanisms such as:
• Standard Contractual Clauses
• Adequacy decisions issued by relevant regulatory authorities
• Contractual safeguards and security controls designed to protect personal data
These safeguards are intended to ensure that personal data remains protected when transferred or accessed internationally.
Incident Response and Breach Notification
Caire AI Inc. maintains internal procedures designed to detect, investigate, and respond to potential security incidents affecting personal data.
Where a personal data breach is identified, Caire AI Inc. will assess the scope and potential impact of the incident and take appropriate steps to mitigate risk and protect affected systems and data. Where required by applicable law, relevant parties or authorities may be notified in accordance with regulatory obligations.
Responsible AI and Data Governance
Caire AI Inc. is committed to responsible development and use of data-driven systems and artificial intelligence technologies in accordance with recognized international standards, including the OECD AI Principles.
Where AI-enabled systems are used within the platform:
• Processing activities are designed to prioritize user privacy and data protection
• Personal data access is restricted through role-based controls and authentication systems
• Where possible, anonymized or pseudonymized data may be used to support system improvement and internal analytics
AI-enabled functionality is designed to support transparency, security, and responsible data handling practices.
Data Infrastructure & Hosting
Caire AI Inc. utilizes secure cloud infrastructure environments to host and operate platform services. Infrastructure environments are designed to support system availability, resilience, and secure processing of platform data.
Cloud infrastructure providers maintain internationally recognized security certifications and compliance frameworks. Access to infrastructure environments is restricted through permission-based controls, role-based authorization, and monitored administrative access.
Third Parties & Processing Logs
Where third-party services are used to support the operation of the platform, such services are required to comply with appropriate data protection and security obligations consistent with the standards described in this policy.
Processing logs and operational records may be maintained to monitor system health, security events, and operational performance. Access to such logs is restricted to authorized personnel responsible for system administration, security monitoring, and platform maintenance.
Sub-processors
Caire AI Inc. may engage carefully selected sub-processors or infrastructure providers to perform specific operational functions necessary to deliver platform services. Any sub-processor engaged must be subject to written agreements requiring compliance with data protection obligations consistent with the obligations described within these Terms and Conditions.
Sub-processors are required to implement appropriate technical and organizational safeguards to protect personal data processed on behalf of Caire AI Inc.
Cloud Hosting
Platform infrastructure is hosted using secure cloud computing environments designed to provide availability, resilience, and controlled administrative access.
Cloud infrastructure providers maintain multiple security and compliance certifications and operate global data centers designed to support regulated workloads and secure data processing.
Locations of Processing
Personal data may be processed in cloud infrastructure regions corresponding to the geographic location of the user where feasible. Data processing environments are designed to support compliance with applicable regional privacy and data governance requirements.
Depending on operational and infrastructure requirements, processing may occur within secure infrastructure regions including:
• United States
• Frankfurt
• London
• Stockholm
• Tokyo
• Seoul
• Hong Kong
Processing environments are designed to maintain appropriate safeguards to ensure the confidentiality, integrity, and availability of personal data.
Information Security
Caire AI Inc. implements technical and organizational security measures designed to protect personal data against unauthorized access, accidental loss, destruction, alteration, or disclosure.
Security safeguards may include:
• encryption of data in transit
• system authentication and authorization controls
• access logging and monitoring
• infrastructure segmentation and restricted production access
• security monitoring and incident response procedures
Security measures are periodically reviewed to maintain the integrity and resilience of platform infrastructure.
Data Breach Management
Caire AI Inc. maintains internal procedures designed to detect, assess, and respond to potential data security incidents.
In the event of a personal data breach, Caire AI Inc. will take appropriate steps to investigate the incident, mitigate risks, and comply with applicable regulatory notification requirements where required by law.
Where relevant, affected parties or authorities may be notified within applicable regulatory timeframes.
Audit Rights
Where required by applicable contractual agreements or regulatory obligations, authorized parties may request reasonable information demonstrating compliance with data protection obligations contained within these Terms and Conditions.
Any such requests must be conducted in a manner that protects the confidentiality and security of Caire AI Inc. systems and other users of the platform.
Penetration Testing
Caire AI Inc. may conduct security testing and vulnerability assessments of platform infrastructure and systems in order to evaluate the effectiveness of security controls and to identify potential vulnerabilities.
Security testing may include internal reviews, third-party assessments, or infrastructure-level security testing where appropriate.
Data Protection Management System
Caire AI Inc. maintains internal governance procedures designed to support responsible data management and protection practices.
These procedures include periodic risk reviews, monitoring of system vulnerabilities, evaluation of security practices, and updates to security controls where necessary to maintain appropriate safeguards for personal data processed through the platform.
Security and data protection practices may be reviewed periodically to ensure alignment with evolving legal, regulatory, and operational requirements.
Data Use & Processing
User Data Ownership and Usage
Users retain rights to the personal data associated with their accounts. Caire AI Inc. processes user data solely for the purpose of providing and operating the Service and its features.
User data will not be disclosed, transferred, or made available to unauthorized parties except where required to operate the Service, comply with legal obligations, or support authorized infrastructure and service providers.
Data Use & Processing
Purpose Limitation and Data Minimization
Personal data collected through the Service is processed only for specific and legitimate purposes related to the operation of the mobile application and associated features.
Data processing is limited to what is reasonably necessary to:
• Provide application functionality
• Maintain user accounts
• enable AI-assisted features
• maintain system security and reliability
• improve application performance and usability
Caire AI Inc. does not intentionally collect sensitive personal data unless it is voluntarily provided by the user within application functionality.
Security & Infrastructure
Encryption and Cryptographic Protection
Personal data and Client Data transmitted outside client-controlled environments are protected using strong encryption standards. Encryption is applied to protect data during transmission and where applicable during storage using industry-recognized cryptographic methods and trusted certificate authorities.
Security & Infrastructure
Authentication and Identity Management
Access to platform systems requires authenticated user credentials. User identities are uniquely assigned and managed through defined access control processes. Authentication mechanisms may include password-based authentication, federated identity protocols (such as SAML or OAuth), or multi-factor authentication depending on the configuration selected by the client.
Security & Infrastructure
User Access Management
Access rights are assigned according to role-based authorization and the principle of least privilege. User permissions correspond to operational responsibilities and are reviewed periodically. Access rights are revoked when no longer required or upon termination of employment or engagement.
Security & Infrastructure
Vulnerability Assessment and Security Testing
Security assessments are conducted periodically to identify potential vulnerabilities within platform systems and services. Vulnerability assessments may include automated security scans, code analysis, and penetration testing. Identified vulnerabilities are evaluated and remediated in accordance with internal security procedures.
Compliance & Oversight
Personnel Screening and Confidentiality
Employees and authorized contractors who may access Client Data are subject to appropriate background verification procedures where permitted by applicable law. All personnel are bound by confidentiality obligations and contractual agreements designed to protect Client Data and personal information.
Consent & User Authorization
Data Subject Rights Support
Caire AI Inc. maintains procedures to respond to requests from individuals regarding their personal data in accordance with applicable data protection laws.
Users may exercise rights that may include:
• access to their personal data
• correction of inaccurate data
• erasure of personal data
• restriction of certain processing activities
• data portability where applicable
• withdrawal of consent where processing is based on consent
Requests related to personal data may be submitted using the contact channels provided in this document.
Data Infrastructure & Hosting
Sub-Processor Management
Where sub-processors are engaged to support platform services, they are contractually required to maintain data protection and security standards equivalent to those required of the Supplier. Data Processing Agreements are executed with such sub-processors and compliance is periodically reviewed.
Security & Infrastructure
Security Monitoring and Logging
Security monitoring mechanisms are implemented to detect and respond to potential security events. Platform systems maintain security logs related to system activity, authentication events, and administrative actions. Log access is restricted to authorized personnel responsible for platform operations and security oversight.
Security & Infrastructure
Privileged Access Control
Privileged or administrative system access is restricted to specifically authorized personnel. Administrative access is managed through dedicated privileged accounts and is subject to enhanced authentication and monitoring controls.
Compliance & Oversight
Security Incident Notification
The Supplier maintains procedures for detecting and responding to information security incidents. In the event of a confirmed breach involving Client Data, the affected client will be notified without undue delay in accordance with applicable contractual and legal obligations.
Compliance & Oversight
Business Continuity and Disaster Recovery
Business continuity and disaster recovery procedures are maintained to support the restoration of services following operational disruptions. Backup, recovery, and failover mechanisms are periodically tested to ensure system availability and data protection.
Data Infrastructure & Hosting
Logical Data Segregation
Client data is logically segregated within platform infrastructure to prevent unauthorized access between tenant environments. Access control mechanisms ensure that each client’s data remains isolated from the data of other clients.
Compliance & Oversight
International Data Transfer Compliance
Where personal data is processed across jurisdictions, appropriate safeguards are implemented in accordance with applicable data protection laws. Transfers may rely on recognized legal mechanisms including contractual protections and regionally compliant infrastructure controls.
Compliance & Oversight
Data Protection Governance
The organization maintains internal policies and procedures governing data protection practices. These policies define responsibilities for protecting personal data, managing security risks, and ensuring compliance with applicable data protection legislation.
Compliance & Oversight
Information Security Governance
The organization maintains an internal information security framework aligned with recognized industry security standards. Security policies and procedures are regularly reviewed, monitored, and updated to address evolving operational and regulatory requirements.
International Data Transfers
Cross-Border Data Transfer Safeguards
Where personal data is transferred across jurisdictions, the organization implements appropriate legal, technical, and organizational safeguards to ensure compliance with applicable data protection legislation. Such safeguards may include contractual protections, transfer impact assessments, and adherence to internationally recognized data transfer mechanisms where applicable.
International Data Transfers
Pseudonymisation and Encrypted Processing for Data Transfers
Where technically feasible, personal data involved in international processing activities is pseudonymised or encrypted prior to transfer. Processing architectures are designed to minimize exposure of identifiable information and support secure data handling without unnecessary decryption of personal data.
International Data Transfers
Transfer Impact Assessments
The organization conducts transfer impact assessments where personal data may be transferred internationally or disclosed to sub-processors or third parties. These assessments evaluate applicable legal frameworks, technical protections, and potential risks to personal data in the destination jurisdiction.
Data Infrastructure & Processing Architecture
Segregation of Personal Data by Source and Jurisdiction
Technical controls support the logical segregation of personal data originating from different sources or jurisdictions. This enables the organization to maintain separation of datasets, enforce jurisdiction-specific requirements, and support compliance with regional data protection and localization obligations.
Compliance & Oversight
Processor Role and Processing Instructions
Where Caire AI Inc. processes personal data in connection with the operation of the Service, it acts as the organization responsible for determining how user data is processed in accordance with applicable privacy laws and this Privacy Policy.
Data is processed only for purposes described in this document and in accordance with applicable legal requirements.
Compliance & Oversight
Contractual Data Processing Agreements
Data processing activities performed on behalf of clients are governed by contractual agreements incorporating applicable data protection requirements. These agreements define responsibilities, processing instructions, confidentiality obligations, and safeguards for personal data processing.
Data Use & Processing
Restrictions on Secondary Data Use
Personal data processed in connection with the provision of services is not used for secondary purposes such as product development, analytics, or optimization unless explicitly authorized by contractual agreement or processed in an aggregated and non-identifiable form.
Data Use & Processing
Aggregated Data Analysis
Where data analysis is conducted for operational or service improvement purposes, such analysis is performed on aggregated or de-identified datasets that do not identify individual data subjects.
Data Governance & Transparency
User Privacy Notice Integration
The application may display privacy notices or contextual information within the user interface to explain how personal data is used in connection with specific features or functionality.
These notices are designed to provide users with clear information regarding how data is processed while using the Service.
Data Infrastructure & Hosting
Cloud Infrastructure and Data Hosting Controls
Where services involve hosted infrastructure, client data is stored within secure cloud environments operated by trusted infrastructure providers. Hosting environments are configured with security controls including logical isolation, encryption, access management, and infrastructure monitoring.
Security & Infrastructure
Cybersecurity Governance and Risk Management
The organization maintains cybersecurity governance processes that include documented security policies, periodic risk assessments, and risk management procedures designed to identify, evaluate, and mitigate information security risks affecting systems and data.
Security & Infrastructure
Security Monitoring and Threat Protection
Technical measures are implemented to detect and prevent cyber threats. These may include vulnerability management programs, patch management processes, intrusion detection systems, security logging, and the use of anti-malware technologies to protect systems and data.
Security & Infrastructure
Secure Software Development Practices
Software development processes incorporate secure development practices designed to identify and mitigate security risks during the design, development, testing, and deployment of applications and services.
Security & Infrastructure
Account and Access Governance
User accounts and system access are governed through identity and access management controls including role-based access permissions, separation of duties, least privilege principles, and enhanced protections for privileged administrative access.
Security & Infrastructure
Multi-Factor Authentication
Where supported by system configuration, multi-factor authentication mechanisms are implemented to strengthen authentication controls for user accounts and administrative access.
Compliance & Oversight
Incident Response and Security Event Management
The organization maintains documented procedures for responding to cybersecurity incidents. Incident response plans define processes for detection, containment, investigation, and communication of security events that may impact systems or client data.
Compliance & Oversight
Cybersecurity Testing and Independent Audits
Security controls may be periodically evaluated through internal reviews, vulnerability assessments, penetration testing, or independent security audits designed to assess the effectiveness of the organization’s cybersecurity framework.
Compliance & Oversight
Subprocessor Due Diligence
The organization maintains procedures for evaluating prospective and existing subcontractors or service providers. Security and data protection requirements are extended to such parties through contractual obligations and vendor risk management processes.
Security & Infrastructure
Cloud Infrastructure Security Controls
Platform infrastructure is hosted within secure cloud environments operated by established infrastructure providers. Access to cloud services and system administration functions is managed through identity and access management controls with permissions granted on a role-based basis. Administrative access is restricted to authorized personnel and may be revoked when no longer required.
Security & Infrastructure
Encryption of Data in Transit
All connections to platform services, application interfaces, and APIs require encrypted communication protocols. Unencrypted connections are denied, and encrypted transmission mechanisms such as HTTPS and secure API authentication are enforced to protect personal data during transmission.
Security & Infrastructure
Credential Security and Password Protection
User authentication credentials are protected using cryptographic hashing algorithms and secure password management practices. Password reset procedures incorporate time-limited reset links and identity verification mechanisms to prevent unauthorized account access.
Security & Infrastructure
API Security and Authentication Controls
Access to platform APIs and system endpoints requires authenticated credentials and authorization tokens. Authentication controls validate both user identity and permission levels before allowing access to data resources or application functions.
Security & Infrastructure
Application Firewall and Network Protection
Network traffic to the platform is protected through web application firewall controls, traffic filtering mechanisms, and distributed denial-of-service (DDoS) protection technologies designed to detect and mitigate malicious network activity.
Security & Infrastructure
Monitoring and Security Logging
Application, infrastructure, and database activities are recorded through centralized logging systems. Logs may include access events, system interactions, and authentication attempts. Access to security logs is restricted to authorized system administrators responsible for operational monitoring.
Security & Infrastructure
Cloud Monitoring and Security Event Detection
Cloud-based monitoring services are used to observe infrastructure performance, detect anomalous activity, and identify potential security events. Monitoring systems support operational oversight and incident response processes.
Security & Infrastructure
Access Control for Administrative Privileges
Administrative access to infrastructure, databases, and production systems is restricted to designated personnel with elevated roles. Administrative permissions are granted on an individual basis and may be revoked if access is no longer required for operational responsibilities.
Data Infrastructure & Processing Architecture
Multi-Tenant Data Isolation
The platform architecture supports multi-tenant environments in which client data is segregated through logical access controls and database relationships. Tenant isolation mechanisms prevent access to data belonging to other clients or organizations.
Data Infrastructure & Processing Architecture
Environment Segregation for Development and Production
Separate system environments are maintained for development, staging, and production operations. Development environments utilize test or dummy data where possible, while production environments operate independently to prevent unauthorized access to live client data.
Data Infrastructure & Processing Architecture
Database Security and Access Controls
Production databases are protected through credential-based access controls and infrastructure-level authentication mechanisms. Database access permissions are restricted to authorized personnel with operational responsibilities.
Data Governance & Transparency
Data Retention and erasure Controls
Personal data is retained only for the period necessary to operate the Service, maintain system security, comply with legal obligations, and support legitimate operational requirements.
Users may request erasure of their personal data by deleting their account or submitting a request through the contact channels provided in this document.
When erasure occurs, personal data is removed from active systems and associated storage environments in accordance with internal data erasure procedures.
Compliance & Oversight
Contractual Confidentiality Obligations
Personnel with access to personal data are subject to confidentiality obligations and contractual commitments designed to protect client data and ensure responsible handling of personal information.
Compliance & Oversight
Vendor Infrastructure Reliance and Security Alignment
Where third-party infrastructure providers support the platform, the organization relies on the provider’s established security frameworks and compliance programs while maintaining internal controls governing application-level security and access management.
Compliance & Oversight
Security Incident Communication
In the event of a confirmed or suspected data security incident affecting client data, affected clients may be notified in accordance with contractual obligations and applicable legal requirements.
Security & Infrastructure
Identity and Access Lifecycle Management
User accounts and access permissions are managed throughout their lifecycle, including account creation, modification, suspension, and revocation. Access privileges are adjusted when users change roles or no longer require system access.
Security & Infrastructure
Authentication Rate Limiting and Brute Force Protection
Systems incorporate mechanisms designed to limit authentication attempts and detect brute-force access attempts. Security protections may include request rate limiting, traffic filtering, and automated threat mitigation controls.
Security of Your Data
We implement commercially reasonable technical and organizational safeguards designed to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. These safeguards include administrative, technical, and physical security measures intended to protect the integrity and confidentiality of the information processed through the Service.
While we strive to use industry-standard security practices to protect Personal Data, no method of transmission over the Internet or method of electronic storage is completely secure. As a result, we cannot guarantee absolute security.
Data Storage and Processing
Personal Data may be processed and stored on secure cloud infrastructure operated by trusted third-party service providers. These infrastructure providers maintain security frameworks designed to support reliable and secure hosting environments.
Data processing may occur in jurisdictions where our infrastructure providers maintain systems and operations. By using the Service, You acknowledge that Your information may be transferred to and processed in these locations in accordance with this Privacy Policy.
Access Controls
Access to Personal Data is restricted to authorized personnel who require such access in order to operate, maintain, or improve the Service. Access permissions are granted according to operational roles and may be revoked when no longer required.
Data Retention
We retain Personal Data only for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. When Personal Data is no longer required for these purposes, it may be erased, anonymized, or aggregated.
International Data Transfers
Your information may be transferred to and maintained on computers located outside of Your state, province, country, or other governmental jurisdiction where data protection laws may differ from those in Your jurisdiction.
We take reasonable steps to ensure that such transfers are conducted in accordance with applicable data protection laws and that appropriate safeguards are implemented to protect Personal Data.
Service Providers
We may engage third-party service providers to support the operation of the Service, including infrastructure hosting, data storage, analytics, artificial intelligence processing, and other operational services.
These service providers are permitted to access Personal Data only to the extent necessary to perform services on our behalf and are required to handle Personal Data in accordance with applicable privacy and security obligations.
Subprocessors and Infrastructure Providers
We rely on a limited number of third-party infrastructure providers to support the operation of the Service. These providers may process or store data as part of delivering their services.
Infrastructure providers currently used in connection with the Service may include:
Amazon Web Services (AWS) – cloud infrastructure and computing services
Amazon S3 – secure object storage
Amazon EC2 – compute infrastructure for application services
OpenAI – artificial intelligence model infrastructure
ElevenLabs – voice synthesis infrastructure
These providers are engaged solely for operational purposes and are required to maintain appropriate security measures.
Data Erasure Requests
You may request erasure of Your Personal Data by deleting your account through the application or by contacting us using the contact information provided in this Privacy Policy.
When a erasure request is initiated, personal data is removed immediately from Caire AI Inc. active application systems. Infrastructure providers supporting the operation of the Service may require additional time to fully remove data from storage systems, backups, or operational logs.
Typical erasure timelines for infrastructure providers used by the Service may include:
• Amazon Web Services (AWS) infrastructure services including S3 and EC2 may require 24–48 hours for complete removal from storage environments.
• AWS operational logs may take up to 72 hours to be removed through normal log lifecycle management.
• OpenAI service logs may be retained for up to 30 days for abuse monitoring and security purposes, after which the data is removed in accordance with OpenAI data handling policies.
Subject to applicable legal or compliance obligations, Caire AI Inc. makes reasonable efforts to ensure that personal data is permanently erased or anonymized once a erasure request is completed.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes to our practices, legal requirements, or the Service. When updates are made, the revised policy will be posted with an updated effective date.
Users are encouraged to review this Privacy Policy periodically.
Employee and Contractor Confidentiality
Personnel and contractors who may have access to systems or data used in the operation of the Service are required to comply with confidentiality and security obligations. Individuals with access to internal systems are expected to handle information in accordance with applicable privacy laws, internal security policies, and contractual confidentiality requirements.
Security Monitoring and Incident Response
Caire AI Inc. maintains internal procedures designed to monitor systems and infrastructure for potential security incidents or vulnerabilities. Security events are investigated and addressed in accordance with internal security practices intended to protect system integrity and user data.
In the event of a confirmed security incident affecting personal data, Caire AI Inc. will take appropriate steps to investigate, mitigate, and address the incident in accordance with applicable legal and regulatory obligations.
Business Continuity and Service Reliability
Caire AI Inc. maintains operational procedures designed to support the continued availability and reliability of the Service. These procedures may include infrastructure redundancy, system monitoring, backup processes, and recovery measures intended to minimize disruption in the event of system failures or unexpected events.
Subprocessors & Third-Party Processing Platforms
____________________________________________________________________
Caire AI Inc. engages a limited number of trusted third-party service providers (“subprocessors”) to support the operation, hosting, and functionality of the Service. These providers may assist with infrastructure hosting, artificial intelligence processing, or application support services.
Subprocessors are selected based on security, reliability, and compliance considerations. Where personal data may be processed by these providers as part of operating the Service, appropriate safeguards and contractual protections are implemented.
The following subprocessors may support operation of the Service:
Subprocessor, Service, and Purpose
Amazon Web Services (AWS): Cloud Infrastructure, provides secure cloud infrastructure used to host application services.
Amazon S3: Secure Object Storage, provides encrypted storage infrastructure for application data and backups.
Amazon EC2: Compute Infrastructure, provides virtual server environments used to operate backend systems.
OpenAI: Artificial Intelligence Services, provides AI model infrastructure used to generate responses within the application.
ElevenLabs: Voice Synthesis, generates synthetic voice output used by the application interface. No personal data processing.
Some infrastructure providers may support specific platform features without receiving or processing identifiable personal data.
Subprocessor access to data is limited to what is necessary to operate the Service. Caire AI Inc. periodically reviews infrastructure providers and may update this list as service providers change.
User Consent, Records, Data Erasure
____________________________________________________________________
Account Erasure, Data Removal, and Limited Consent Record Retention
Users may request erasure of their personal data at any time by deleting their account through the application.
Upon account erasure, personal data associated with the user account is removed immediately from Caire AI Inc. active application systems.
After erasure is initiated, removal from infrastructure providers may take additional time depending on the underlying service lifecycle processes:
• Amazon Web Services (AWS) — Data stored within AWS infrastructure services including AWS S3 and AWS EC2 may take a minimum of 24 hours and up to 48 hours to be fully removed from operational systems and storage environments.
• AWS infrastructure logs may take up to 72 hours to be removed as part of standard cloud logging lifecycle processes.
• OpenAI — Where user input data is processed through OpenAI services, related request logs or processing records may be retained by OpenAI for up to 30 days for abuse monitoring and system integrity purposes, after which they are removed in accordance with OpenAI infrastructure policies.
Caire AI Inc. does not retain personal data once erasure is requested and completed within its own systems. Residual copies that may exist temporarily within infrastructure backups or service logs are removed through the normal lifecycle processes of the underlying infrastructure providers.
Users may request confirmation of proof of data erasure at any time by contacting DataRequest@hellocaire.com.
User Consent Agreement
____________________________________________________________________
By accessing or using the Caire AI Inc. mobile application or related services, you acknowledge and agree to the terms contained within this document titled “User Terms and Conditions, Privacy Policy, and Data Processing Agreement.”
Your use of the application, including any acceptance, signature, or other consent mechanism presented within the application, constitutes your agreement to the terms, conditions, policies, and data processing practices described herein.
By providing consent, you acknowledge that you have had the opportunity to review this document in full and that you agree to the collection, use, storage, and processing of data in accordance with the provisions set forth in this agreement.
Users may withdraw consent at any time by deleting their account through the application or associated account management tools. Deleting an account will result in the erasure of associated user data in accordance with the platform’s data retention and erasure policies. If a user later chooses to create a new account or resume use of the Service, consent to the then-current version of these terms will be required again