Privacy Policy
How Cartara Health Inc. and our Vector platform collect, use, protect, and share information. Written for patients, practice staff, and partners — in plain language.
Who we are
Cartara Health Inc. is a Delaware corporation that builds software for healthcare. This policy covers our two products:
- Vector — an Advanced Primary Care Management (APCM) platform used by physician practices and Accountable Care Organizations.
- Atlas — a population health and care intelligence platform used by health plans, employers, and government health programs.
HIPAA & our role
When practices and ACOs use Vector to manage patient care, they are HIPAA Covered Entities and Cartara Health is their Business Associate. We sign a Business Associate Agreement (BAA) with every Covered Entity customer before any protected health information (PHI) is processed. The BAA governs how we may use and disclose PHI on the Covered Entity's behalf.
Patients should direct privacy requests (access, amendment, accounting of disclosures) to their physician practice in the first instance, who will work with us if needed.
Information we collect
For practices and their staff: name, work email, work phone, NPI (when applicable), role, practice/organization, and account credentials. Plus standard product telemetry — pages visited, actions taken, error logs — used to operate and improve the product.
For patients enrolled in a Vector practice's APCM program: demographic and contact information, clinical information provided by the practice, care plan content, communications history, and consent records.
For website visitors (cartarahealth.com): standard server logs (IP address, user-agent, referring URL) and basic analytics. No advertising trackers. No data brokers.
How we use information
- To operate the Vector and Atlas platforms and deliver the services our customers contract for.
- To send patient outreach messages (SMS and email) on behalf of physician practices, in accordance with TCPA consent and our SMS Policy.
- To deliver analytics and reporting to our customers in support of clinical and operational decisions.
- To detect and prevent fraud, abuse, and misuse of the platform.
- To comply with legal obligations and respond to lawful requests.
- To improve our products through aggregated, de-identified analytics.
We do not sell patient information. We do not share patient information with third parties for marketing or advertising purposes. We do not use patient information to train AI models for parties outside the patient's care team.
Security
We encrypt data in transit (TLS 1.2+) and at rest (AES-256). We log every administrative and clinical action with tamper-evident timestamps. Access to PHI is role-based and reviewed quarterly. We run continuous vulnerability scanning and respond to security incidents within 24 hours of discovery.
If a breach affecting your information occurs, we will notify the affected Covered Entity within 24 hours and assist them in patient notification per HIPAA Breach Notification Rule timelines.
Retention
We retain PHI for the duration of the practice's contract with us plus seven years (the HIPAA-mandated minimum), unless the practice instructs us to retain longer for medical-records purposes or shorter pursuant to a deletion request. We retain audit logs for the same period. Account telemetry (non-PHI) is retained for two years.
Your choices
SMS: Reply STOP to any message to opt out of all SMS. See our SMS Policy for full details.
Email: Use the unsubscribe link in any non-essential email or contact your practice.
Account access & deletion: Direct requests to your practice; if your practice has discontinued service, contact us at privacy@cartarahealth.com.
State privacy rights (CA, CO, CT, VA, others): Where state law gives you specific rights (access, deletion, correction, portability, opt-out of sale or sharing), we honor them. We do not sell personal information.
Children
The Vector platform serves Medicare beneficiaries and other adults enrolled in APCM programs. We do not knowingly collect personal information from children under 13 except via authorized pediatric practices acting under HIPAA and parental consent.
Changes to this policy
We will update this policy when our practices change or when law requires. The "Last updated" date at the top reflects the most recent change. Material changes will be communicated to current customers in advance.
Contact
Privacy questions: privacy@cartarahealth.com
Security questions or incidents: security@cartarahealth.com
General contact:
Cartara Health Inc.
1007 N Orange St, 4th Floor, Ste 1382
Wilmington, DE 19801
United States