CRMO Care – Terms of Service

Effective Date: April 1, 2026

Version: 4.2

Introduction

Welcome to CRMO Care. CRMO Care is operated by Flarepath Health, Inc. ("Flarepath Health," "we," "our," or "us"). These Terms of Service ("Terms") govern your use of the CRMO Care mobile app, website, and related services (collectively, the "Service").

By accessing or using the Service, you agree to these Terms and our Privacy Policy. If you do not agree, please do not use the Service.

1. Overview & Purpose

CRMO Care is a wellness and information-management platform that helps individuals and families:

  • Track daily symptoms, medications, wellness trends, flare-up frequency, sleep quality, and activity levels
  • Complete PROMIS (Patient-Reported Outcomes Measurement Information System) assessments to standardize health tracking
  • Use voice recording to capture health information hands-free via the Voice Journal feature
  • Record clinical appointments using the Visit Companion feature to generate AI-powered visit summaries
  • Sync health metrics from Apple Health / HealthKit (iOS) including activity, mobility, vitals, and sleep data
  • Interact with an AI-powered chat assistant for personalized health insights
  • Manage caregivers, dependents, and care team members
  • Organize and visualize information gathered from multiple sources
  • Retrieve and store copies of their own medical records under the HIPAA Right of Access
  • Optionally contribute de-identified data to CRMO research efforts

CRMO Care is not a healthcare provider, insurer, or covered entity under HIPAA. It does not provide medical advice, diagnosis, or treatment. Always consult a licensed medical professional for health-related decisions or emergencies.

2. Eligibility & Accounts

To use the Service, you must:

  • Be 18 years of age or older (or have verified guardian consent)
  • Provide accurate registration information
  • Maintain the confidentiality of your login credentials
  • Accept responsibility for all activity that occurs under your account

We may suspend or terminate accounts that violate these Terms or applicable law.

2a. International Users

During the Beta testing period, CRMO Care welcomes users from outside the United States. CRMO is a global condition, and we aim to serve families worldwide.

For International Users:

  • You may use the Service regardless of your country of residence during Beta
  • Your data is stored on U.S.-based infrastructure and governed by U.S. law
  • We apply GDPR-aligned principles (data minimization, purpose limitation, right to erasure) to all users
  • You have the same data rights as U.S. users: access, edit, delete, and export
  • Research participation remains opt-in and subject to your local regulatory requirements
  • Clinical trial participation may be limited by your country's regulatory framework

Note: Post-Beta international availability will depend on regulatory requirements in your jurisdiction. We will provide advance notice if international access changes.

3. User Data & Ownership

3a. Your Data

You own all information that you upload, enter, or authorize CRMO Care to retrieve, including:

  • Personal wellness logs and symptom tracking
  • Voice recordings and transcripts
  • AI chat interactions
  • Medical records obtained via your HIPAA Right of Access

CRMO Care does not claim ownership of your data.

3a-1. Our Data Commitments

We commit to the following principles regarding your data:

We Will Never:

  • Sell your identifiable data to any third party
  • Share your data with marketers or advertising companies
  • Use your data for advertising or targeted marketing
  • Enroll you in research or clinical trials without your explicit opt-in consent
  • Share your data with data brokers or commercial aggregators

You Always Have The Right To:

  • Access — View and download all data we hold about you
  • Edit — Correct inaccurate information at any time
  • Delete — Request permanent deletion of your account and data
  • Export — Download your data in a standard electronic format
  • Withdraw Consent — Opt out of research at any time without losing app access

Our Research Data Position:

"CRMO Care shares de-identified, aggregated insights or study datasets under explicit consent and formal agreements. All research and registry participation is opt-in only."

3b. License to Operate the Service

You grant CRMO Care a limited, revocable license to host, store, and process your data solely to provide and improve the Service. This includes:

  • Transcribing voice recordings through HIPAA-compliant AI services (OpenAI with Business Associate Agreement)
  • Extracting structured data from audio using minimum-necessary PHI principles
  • Processing voice data through BAA-covered endpoints only
  • Generating AI insights (with user review required before saving)
  • Displaying charts and summaries

AI Processing Safeguards: All AI processing of Protected Health Information (PHI) occurs through vendors with Business Associate Agreements in place. User review and approval is required before any AI-extracted data is saved to your account.

We do not sell or monetize user data.

3c. Voice Recordings and Transcripts

Voice recordings and transcripts are retained per user preference. You have full control over your voice data:

  • You can delete recordings at any time from your account settings
  • You can review, edit, and correct all AI-extracted data before saving
  • Transcription quality is validated before clinical use
  • Voice data is never sent to non-BAA-covered services

You may also request deletion by emailing info@crmo-care.app.

3d. AI Chat Interactions

AI chat queries and responses may be retained for debugging and quality improvement. AI insights are informational only and not medical advice. You may request deletion of your chat history at any time.

3e. HIPAA Right of Access

When you use CRMO Care to retrieve your own medical records under your HIPAA Right of Access, CRMO Care acts as your personal health record tool at your direction. We are not acting as a Business Associate in this capacity, but rather as your agent helping you organize your own data.

3f. Accuracy of External Records

Records retrieved from third-party portals are provided "as is." CRMO Care is not responsible for the completeness or accuracy of records obtained from healthcare providers or plans. If you discover an error in a record, contact the provider directly to request a correction.

3g. Right to Delete or Export

You may request account closure and data deletion at any time by emailing info@crmo-care.app. We will delete identifiable data within 30 days unless required by law to retain it longer.

Deletion includes:

  • Account information
  • Wellness logs and symptom data
  • Voice recordings and transcripts
  • AI chat history
  • Imported medical records

You may also export a copy of your data through the Service where available.

4. Privacy & Security

We implement HIPAA-aligned security measures to protect your health information.

Security Measures

  • TLS 1.3 encryption in transit and AES-256 encryption at rest
  • Row-Level Security (RLS) ensuring complete database-level data isolation between users
  • Database queries fail closed (deny by default) if RLS is misconfigured
  • PHI-free logging — application logs contain only user IDs and metadata, never health data
  • Error tracking (Sentry) configured with PHI scrubbing
  • U.S.-based, SOC 2 Type II compliant infrastructure (Supabase)
  • Multi-factor authentication for internal systems
  • Role-based access controls and comprehensive audit logging (7-year retention)
  • Separate development, staging, and production environments (no real PHI in testing)
  • NIST-aligned incident response plan with 72-hour breach notification

Voice & AI Processing

  • Voice recordings encrypted in transit and at rest
  • Business Associate Agreement (BAA) in place with OpenAI for HIPAA compliance
  • AI processing through BAA-covered endpoints only
  • Minimum-necessary PHI principle applied to AI prompts (IDs and metadata only)
  • AI processing logs contain no PHI (only request IDs, latency, error codes)
  • User review and editing required before any AI-structured data is saved
  • Voice recordings are never sent to non-BAA-covered analytics tools

Third-Party Service Providers

All third-party services that process Protected Health Information (PHI) are covered by Business Associate Agreements (BAAs) to ensure HIPAA-aligned protection of your data.

See our Privacy Policy for complete details.

5. Research Databank (Optional)

Participation in the CRMO Care Research Databank is voluntary and opt-in.

CRMO Care supports two distinct research pathways, each with different data handling:

Clinical Trial Participation (Pathway A)

  • Uses coded participant identifiers (subject IDs) with controlled re-identification capability
  • Follows ICH GCP (International Council for Harmonisation Good Clinical Practice) standards
  • Requires separate trial-specific informed consent beyond these Terms
  • Data retention follows protocol-specific regulatory requirements (often 2–25 years)
  • Supports safety monitoring, adverse event follow-up, protocol compliance, and regulatory submissions
  • Withdrawal requests processed according to trial-specific procedures
  • CRMO Care maintains secure re-identification keys under strict access controls

General Research Data Sharing (Pathway B)

  • Fully de-identified using HIPAA Safe Harbor or Expert Determination standards
  • All 18 HIPAA PHI identifiers removed
  • No re-identification capability exists for this pathway
  • k-anonymity enforcement: Minimum cohort size required before data export
  • Data shared with academic researchers, medical centers, rare disease organizations
  • You can withdraw at any time; previously shared anonymized data cannot be retrieved from external researchers

Research Data Architecture

  • Clinical and research data stored in separate database projects
  • Automated, auditable de-identification/pseudonymization processes
  • Batch ETL processes transfer data (not real-time)
  • Research API rate limiting per institutional customer
  • Consent verification before inclusion in research datasets

What May Be Shared

(Varies by pathway)

  • Wellness logs and patient-reported outcomes (PROs)
  • De-identified voice transcripts (not audio recordings)
  • De-identified AI chat interactions
  • De-identified Right-of-Access medical records
  • Treatment logs and medication history

Your Rights

  • Opt in or out of either pathway at any time
  • Prevent future sharing
  • Request deletion of identifiable data
  • Continue using the app regardless of participation
  • Clinical trial data retention follows trial-specific regulatory requirements
  • General research data: standard deletion rights apply

See the CRMO Care Research Databank Proposal and Beta User Agreement (Version 2.7, Section 12) for complete details.

6. Acceptable Use

You agree not to:

  • Use the Service for unlawful, fraudulent, or malicious purposes
  • Upload harmful code or interfere with the Service's operation
  • Access another user's account without authorization
  • Attempt to circumvent security controls or reverse-engineer the App
  • Enter identifiable information about others without their consent
  • Use voice recordings or AI chat to violate others' privacy
  • Violate any law or regulation in connection with your use

Violation of this section may result in immediate suspension or termination of your account.

7. Third-Party Services

The Service relies on integrations and infrastructure from trusted vendors, including:

  • Supabase — database hosting, authentication, and file storage
  • Vercel — frontend and web deployment
  • Google Cloud — infrastructure hosting (Business Associate Agreement in place)
  • OpenAI — voice transcription (Whisper) and AI chat/structuring (BAA in place; prohibited from using your data for model training)
  • Sentry — error tracking (PHI scrubbed before transmission)
  • Expo — mobile app framework and push notification delivery
  • Apple HealthKit — read-only health metrics on iOS (governed by Apple's privacy framework)
  • iOS Keychain / Android Keystore — device-level secure credential storage
  • App stores — distribution (Apple App Store, Google Play)

Use of those services is subject to their own terms and privacy policies. CRMO Care is not responsible for any downtime or issues caused by third-party providers.

8. Beta Features & Updates

Some features may be released as Beta Features for limited testing. By using Beta Features, you acknowledge that they may contain bugs or change without notice.

Participants in the Beta Program must also agree to the Beta User Agreement (Version 2.7, effective January 16, 2026).

Beta Agreement Section 12 distinguishes:

  • Clinical trial participation (Section 12A): pseudonymized data with re-identification capability
  • General research sharing (Section 12B): fully anonymized data

We may update these Terms or the Service at any time. Continued use after updates constitutes your acceptance of the revised Terms.

9. Intellectual Property

All software, graphics, logos, and content in the Service are owned by CRMO Care or its licensors and protected by intellectual property laws. You may not copy, modify, or create derivative works without our written permission.

10. Feedback

We welcome your feedback and suggestions. By submitting feedback, you grant CRMO Care a royalty-free, perpetual license to use that feedback to improve our products and services, without obligation or compensation.

11. Suspension & Termination

We may suspend or terminate your access to the Service at any time if:

  • You violate these Terms or applicable law
  • You engage in fraudulent or harmful behavior
  • We discontinue the Service or any part of it

Upon termination, your data will be deleted or anonymized according to our Privacy Policy, including voice recordings, AI chat history, and any data contributed to the Research Databank.

12. Limitation of Liability

To the maximum extent permitted by law:

  • CRMO Care and its founders or affiliates are not liable for indirect, incidental, special, or consequential damages arising from use of the Service
  • We do not guarantee uninterrupted access or error-free performance
  • We are not liable for inaccuracies in voice transcription or AI-generated insights
  • We are not liable for the accuracy of medical records retrieved from third-party systems
  • Your sole remedy for dissatisfaction is to stop using the Service

13. Dispute Resolution & Governing Law

These Terms are governed by the laws of the Commonwealth of Massachusetts, without regard to conflict-of-law rules. You agree to the exclusive jurisdiction of state and federal courts located in Massachusetts. Any claims must be brought individually and not as part of a class action.

14. Non-Clinical Disclaimer

The Service is a wellness and information management tool for personal use only. It is not a substitute for professional medical advice, diagnosis, or treatment.

Important Disclaimers:

  • Voice-recorded notes are transcribed but not medically reviewed
  • AI chat responses are for informational purposes only and are not medical advice
  • Charts and insights are for self-reflection, not clinical decision-making
  • Always consult a licensed healthcare professional for medical decisions
  • If you have a medical emergency, call 9-1-1 or seek immediate medical care

15. Fair Credit Reporting Act Notice

CRMO Care is not a consumer reporting agency. Our data may not be used to determine eligibility for credit, insurance, employment, or housing.

16. Modifications & Continuity

We may revise these Terms. If changes are material, we will notify you via email or in-app notice.

Continuing to use the Service after changes take effect signifies acceptance.

17. Contact

Questions, feedback, or deletion requests:

info@crmo-care.app
security@crmo-care.app

18. Acceptance

By using the CRMO Care Service, you confirm that:

  • You have read and agree to these Terms
  • You agree to the Privacy Policy (Version 4.1)
  • If applicable, you agree to the Beta User Agreement (Version 2.7)
  • If you opt into the Research Databank or CRMO Registry, you understand the distinction between clinical trial participation and general research data sharing
  • If you opt into research, you agree to the Research Databank terms and consent
  • You understand that we will never sell your data to marketers and that all research participation is opt-in

Notice

CRMO Care follows HIPAA-aligned administrative, technical, and physical safeguards to protect privacy and data integrity. While CRMO Care is not a HIPAA-covered entity or Business Associate, we implement industry-standard security practices and treat health-related information with care and confidentiality. When processing medical records you obtain through your HIPAA Right of Access, CRMO Care acts as your personal health record tool at your direction. All data—including voice recordings and AI chat interactions—is protected under strong security controls with Business Associate Agreements in place for all PHI-processing vendors.