Privacy Policy

Last updated: April 19, 2026

Legal Status — Metrics That Care is NOT a HIPAA-Covered Entity

Metrics That Care is a consumer wellness application. We are NOT a HIPAA-covered entity and NOT a business associate of one. We are not a health plan, a health-care clearinghouse, or a health-care provider that transmits standard electronic transactions. We do not sign Business Associate Agreements (BAAs). The health data you log in our app is not Protected Health Information under HIPAA.

We apply industry-standard safeguards and comply with the federal and state laws that do govern consumer health data, including the FTC Act (Section 5), the FTC Health Breach Notification Rule, Washington's My Health My Data Act, California's CMIA and CCPA/CPRA, and comparable consumer-health statutes in other states.

Information We Collect

We collect information you provide directly to us, including:

  • Name, email address, and account credentials when you create an account
  • Contact information when you reach out to us
  • Health and care-related information you choose to enter into the app (sleep, energy, mood, symptoms, behavioral observations, hygiene, nutrition, tasks, and recipient profiles)
  • IP address, user agent, and timestamps for security and audit logs (retained up to 90 days)

We do not use analytics or advertising SDKs, do not send your data to AI or LLM providers, and do not collect precise geolocation data.

How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Send you updates about Metrics That Care (you can opt out anytime)
  • Respond to your comments and questions
  • Authenticate you and secure your account (login monitoring, session management)
  • Comply with legal obligations and defend our legal rights

We do not train machine-learning models on your information, do not use your information for advertising targeting, and do not sell or share your information for cross-context behavioral advertising.

Data Security

We apply layered technical safeguards. All traffic uses TLS 1.2 or higher. Passwords are stored only as bcrypt hashes. Session tokens are short-lived (30 minutes); refresh tokens are stored server-side and can be revoked. Every sensitive operation (login, account deletion, export, share invite) is recorded in an audit log.

We do not claim end-to-end encryption, zero-knowledge, or "bank-level" encryption. No system is impervious. If we discover a security incident affecting your data, we will notify you per the "Breach Notification" section below.

Data Sharing

We do not sell your personal information. We may share your information only:

  • With family members you explicitly invite to share care information
  • With service providers who help us operate our platform (Railway for hosting, Vercel for the web app, SendGrid for email) under strict data-processing obligations
  • When required by law or to protect rights and safety

Consent for the Person Being Cared For

Metrics That Care is a caregiver tool. When you add a family member ("recipient") to your account, you are attesting that you have permission to record information about them — either because they have given you that permission directly, or because you are their legally recognized caregiver and they are unable to consent on their own behalf (for example, due to dementia, severe illness, or because they are a minor child you care for).

We ask you to take that responsibility seriously. A separate in-app flow that allows recipients capable of self-consent to directly acknowledge being tracked is planned for a future release. Until then, please only add recipients when you have appropriate authority and consent to do so.

If you believe you have been added to this service without your knowledge or consent, contact us at the email below and we will investigate and remove any data upon verification of identity.

Data Retention and Deletion

When you delete your account, we hard-delete your profile, recipients, and all associated health data from our active database within 24 hours. Backup copies taken for disaster recovery may retain your data for up to 30 additional days, after which they are rotated out and become unrecoverable.

Audit logs and security records are typically retained up to 90 days; automated time-based purging of these records is on our 2026 roadmap.

We do not currently auto-delete inactive accounts. Your data is retained until you request deletion via account settings or email.

Data retained after account deletion: Audit log records are anonymized at deletion time (your identity is removed; the operational record is preserved for security and compliance purposes per CCPA and Washington MHMD). Database backups rotate out within 30 additional days. Vercel edge logs persist up to 30 days; SendGrid delivery records persist per SendGrid's DPA.
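The token lifecycle described under "Data Security" (30-minute session tokens, server-side refresh tokens that can be revoked, an audit entry for each sensitive operation) and the anonymize-at-deletion rule in this section, shown together as an added Python example. This is illustrative code, not Metrics That Care's own implementation. It assumes in-memory tables standing in for database rows, SHA-256 digests of tokens at rest, a 30-day refresh-token lifetime, SameSite=Strict on the session cookie, and refresh-token replay detection; none of those details appear on this page. Password hashing (bcrypt, per the policy) is outside the example. The IP address and user agent strings are constructed sample values.

```python
"""Session/refresh-token lifecycle with server-side revocation and an audit log that is
anonymized on account deletion. Illustrative stand-in, not Metrics That Care's code."""
import hashlib
import secrets
import time

SESSION_TTL = 30 * 60            # 30-minute session tokens (stated in the policy)
REFRESH_TTL = 30 * 24 * 60 * 60  # 30-day refresh tokens: an assumption, not from the page
ANON_USER = "[deleted]"          # identity marker left in audit rows after deletion


def _digest(token: str) -> str:
    """Persist only a SHA-256 digest of each token; a leaked table yields nothing usable."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def session_cookie(token: str) -> str:
    """HttpOnly and Secure as the policy states; SameSite=Strict is an added assumption."""
    return f"session={token}; Path=/; Max-Age={SESSION_TTL}; HttpOnly; Secure; SameSite=Strict"


class ManualClock:
    """Injectable clock so expiry can be driven deterministically."""
    def __init__(self, start: float): self.t = start
    def advance(self, seconds: float): self.t += seconds
    def __call__(self) -> float: return self.t


class AuthStore:
    """In-memory stand-in for the server-side session, refresh-token and audit tables."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}  # digest -> {"user": id, "exp": epoch}
        self.refresh = {}   # digest -> {"user": id, "exp": epoch, "revoked": bool}
        self.audit = []     # one dict per sensitive operation

    def record(self, action, user_id, ip, user_agent):
        self.audit.append({"ts": self.clock(), "action": action,
                           "user_id": user_id, "ip": ip, "ua": user_agent})

    def issue(self, user_id):
        """Mint a session/refresh pair and persist only their digests."""
        now = self.clock()
        session, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.sessions[_digest(session)] = {"user": user_id, "exp": now + SESSION_TTL}
        self.refresh[_digest(refresh)] = {"user": user_id, "exp": now + REFRESH_TTL,
                                          "revoked": False}
        return session, refresh

    def login(self, user_id, ip, user_agent):
        self.record("login", user_id, ip, user_agent)
        return self.issue(user_id)

    def user_for_session(self, session):
        """User id for a live session token, else None (unknown or past its 30 minutes)."""
        rec = self.sessions.get(_digest(session))
        if rec is None or rec["exp"] <= self.clock():
            return None
        return rec["user"]

    def rotate(self, refresh):
        """Exchange a refresh token for a new pair; the old one is revoked. Presenting an
        already-revoked token is treated as theft and revokes everything for that user
        (replay detection is an assumption, not a claim the policy makes)."""
        rec = self.refresh.get(_digest(refresh))
        if rec is None or rec["exp"] <= self.clock():
            return None
        if rec["revoked"]:
            self.revoke_all(rec["user"])
            return None
        rec["revoked"] = True
        return self.issue(rec["user"])

    def revoke_all(self, user_id):
        """Server-side revocation: drop every session and refresh token for one user."""
        for d in [d for d, r in self.sessions.items() if r["user"] == user_id]:
            del self.sessions[d]
        for r in self.refresh.values():
            if r["user"] == user_id:
                r["revoked"] = True

    def delete_account(self, user_id, ip, user_agent):
        """Log the deletion, revoke tokens, then strip identity (user id, IP, user agent)
        from that user's audit rows while keeping the action and timestamp."""
        self.record("account_delete", user_id, ip, user_agent)
        self.revoke_all(user_id)
        for entry in self.audit:
            if entry["user_id"] == user_id:
                entry.update(user_id=ANON_USER, ip=None, ua=None)


def demo():
    """Walk one account through login, expiry, rotation, replay and deletion."""
    clock = ManualClock(1_700_000_000.0)
    store = AuthStore(clock)
    ip, ua = "203.0.113.7", "ExampleBrowser/1.0"  # constructed sample values
    s1, r1 = store.login("u1", ip, ua)
    out = {"live": store.user_for_session(s1)}
    clock.advance(SESSION_TTL + 1)
    out["expired"] = store.user_for_session(s1)
    s2, _r2 = store.rotate(r1)
    out["rotated"] = store.user_for_session(s2)
    out["replay"] = store.rotate(r1)             # r1 already used: revokes all for u1
    out["after_replay"] = store.rotate(_r2)      # r2 was revoked by the replay response
    s3, _r3 = store.login("u1", ip, ua)
    store.delete_account("u1", ip, ua)
    out["post_delete"] = store.user_for_session(s3)
    out["audit"] = [(e["action"], e["user_id"], e["ip"]) for e in store.audit]
    return out


if __name__ == "__main__":
    print(demo())
```

The deletion path is the point of the second passage: after `delete_account` the three audit rows still say what happened and when (two logins and the deletion), but carry no user id, IP address or user agent. A production version would keep these tables in the database and hash passwords with the `bcrypt` package, which this stand-in omits.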

Security Contact & Breach Notification

If we discover a breach affecting your data, we will notify affected users within 60 days of discovery, consistent with the FTC Health Breach Notification Rule and applicable state law. Some states require notification within as few as 30 days of discovery; we will honor the shortest applicable timeline. To report a security concern directly, email admin@metricsthatcare.com.

Your Rights

You have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your account and data
  • Export your data in a portable format
  • Opt out of marketing communications
  • Withdraw consent for any data collection requiring your consent (Washington / California / GDPR) by deleting your account or contacting us

To exercise any right, use in-app Settings whenever possible. For anything you cannot do in the app, email admin@metricsthatcare.com from the email address on your account. We will respond within 30 days and will never charge you to exercise these rights.

Cookies and Local Storage

We use only strictly necessary authentication cookies (HttpOnly, Secure). We do not use analytics cookies, advertising cookies, or third-party trackers. Local storage holds only non-sensitive preferences (theme, onboarding state, tooltip dismissals) and never contains authentication tokens or personal information.

Changes to This Policy

We may update this Privacy Policy from time to time. For material changes (new subprocessors handling consumer health data, new uses of your data, changes in scope), we will notify you by email or in-app at least 30 days before the change takes effect. For clarifying edits, we will update the "Last updated" date.

Contact Us

If you have questions about this Privacy Policy or your personal information, please contact us at admin@metricsthatcare.com.