Last updated: May 13, 2026
PHI is encrypted, tenant-isolated, governed by a signed BAA — and never used to train external AI models.
This Privacy Policy describes how Arc Care, Inc. ("Arc Care," "we," "our") collects, uses, and discloses information through our website, marketing channels, and the Arc Care platform (the "Service"). Protected Health Information (PHI) processed on behalf of a covered entity is governed primarily by our Business Associate Agreement (BAA) and the HIPAA Privacy and Security Rules.
We collect account information (name, email, organization, role), usage data (logs, device, IP, telemetry), customer-submitted clinical data (including PHI under a BAA), and communications (demo requests, support tickets, sales inquiries).
We use this information to deliver, maintain, and secure the Service; to generate utilization and clinical decision support output; to provide customer support; to comply with legal obligations; and, for non-PHI data only, to improve the Service. We do not sell personal information.
Arc Care operates as a HIPAA Business Associate. PHI is processed solely to perform Services under a signed BAA, encrypted at rest (AES-256) and in transit (TLS 1.2+), segregated by tenant, and access-restricted by role with full audit logging. PHI is never used to train external or third-party AI models.
Arc Care does not use Customer Data — and never PHI — to train external or third-party AI models. Internal model improvements use de-identified, aggregated data only, in accordance with HIPAA's Safe Harbor or Expert Determination methods.
We share information only with: (a) sub-processors bound by written agreements (including BAAs where applicable), (b) authorities when required by law, and (c) successors in connection with a merger or acquisition. A current sub-processor list is available on request.
We maintain administrative, technical, and physical safeguards including encryption, RBAC, MFA, immutable audit logs, vulnerability management, and incident response. See our Compliance page for details.
We retain account and usage data for as long as your account is active or as needed to provide the Service. PHI retention is governed by the BAA and applicable legal requirements; on termination, PHI is returned or destroyed per the BAA.
Depending on jurisdiction, you may have rights to access, correct, delete, or port your personal information, and to object to or restrict certain processing. Patients should direct PHI-related requests to their healthcare provider; we support our customers in honoring those requests.
The Service is hosted in the United States. By using the Service, you acknowledge that your information may be processed in the U.S. and other jurisdictions with different data protection laws.
The Service is not directed to individuals under 13, and we do not knowingly collect personal information from children directly.
We may update this Policy. Material changes will be communicated by email or in-app notice. The "Last updated" date above reflects the latest revision.
Privacy questions? Email privacy@arccare.ai. For HIPAA-specific inquiries, contact our Privacy Officer at privacy@arccare.ai.
For our full HIPAA posture, see the Compliance page.