Privacy Policy

1. Introduction

Hambros Inc ("Company," "we," "us," or "our") operates the ResidentCheckin.co automated wellness check-in service ("Service"). This Privacy Policy explains how we collect, use, share, and protect information when facilities use our Service on behalf of their residents.

By using our Service, you consent to the practices described in this Privacy Policy.

2. Parties and Roles

Our Service involves three categories of individuals. We handle data differently for each:

Facility Customers ("Customer," "Facility"). The organization (senior living facility, assisted living community, or similar) that subscribes to the Service, manages resident enrollment, and is responsible for payment. The Facility is the data controller — they decide which residents are enrolled and how the Service is configured.

Residents ("End Users"). The individuals who receive daily check-in calls, text messages, or other communications through the Service. Resident data is provided to us by the Facility, not directly by the resident. The Company processes resident data on behalf of and at the direction of the Facility.

Facility Staff. Employees or agents of the Facility who are designated to receive alerts when a resident does not respond to a check-in. Facility Staff data (name, email, phone) is provided by the Facility.

3. Data We Collect About Facility Customers

When a Facility subscribes to the Service, we collect:

• Account Information: Facility name, address, phone number, timezone, website
• Administrator Information: Name, email address, phone number of facility administrators and staff who manage the Service
• Billing Information: Payment method details (credit card, bank account) processed securely through Stripe, our third-party payment processor. We do not store full card numbers — Stripe handles this.
• Billing Contact: Name, email, and phone of a designated billing contact (if different from the administrator)
• Terms Acceptance Records: Which version of Terms of Service was accepted, by whom, when, and from what IP address
• Communication Records: Correspondence with our support team

4. Data We Collect About Residents

Resident data is provided to us by the Facility, not directly by the resident. We collect only the minimum information necessary to deliver the Service:

• Identity: First name, last name
• Contact Information: Phone number(s) for check-in calls and text messages
• Service Preferences: Preferred check-in time, preferred contact channel (phone call, SMS, or voice assistant), call window duration, vacation schedules
• Contact Methods: Ordered list of phone numbers and channels to attempt during check-in, configured by the Facility
• Notes: Optional notes entered by Facility Staff (e.g., room number, special instructions)

5. Data Generated During Service Delivery

As the Service operates, we automatically generate and store:

• Check-In Records: Date, time, and outcome of each check-in (completed, missed, cancelled), the channel used (phone, SMS, voice assistant, web), and the time of response
• Contact Attempts: A log of each attempt to reach a resident, including the channel, timestamp, and whether the attempt succeeded or failed
• Alert Records: When Facility Staff were notified of a missed check-in, including who was notified and when
• SMS Message Logs: Content of text messages sent to and received from residents as part of the check-in process. These are retained for service delivery and compliance purposes
• Audit Events: An immutable log of significant system actions for security, compliance, and troubleshooting (e.g., resident enrolled, schedule changed, alert sent, subscription activated)
• Email Tracking: For operational and marketing emails sent to Facility administrators and staff, we track delivery status, opens, and clicks to ensure reliable communication

6. Data Collected Automatically

When you visit our website or use the Service platform, we automatically collect:

• Website Usage: IP address, browser type, pages visited, referring URL
• Session Data: Login timestamps, session duration
• Cookies: See Section 15 below

7. How We Use Data

We use the data we collect for the following purposes:

Service Delivery

• Making daily check-in calls and sending text messages to residents
• Notifying Facility Staff when a resident does not respond
• Processing resident responses and recording check-in status
• Managing resident enrollment, schedules, and contact preferences

Billing and Account Management

• Processing subscription payments and generating invoices
• Managing payment methods and billing contacts
• Sending billing-related notifications (payment receipts, failed payment alerts, subscription changes)

Communications

• Sending operational emails to Facility administrators and staff (alerts, summaries, system notifications)
• Sending marketing emails about service updates and features to Facility administrators and staff
• Responding to support requests

Compliance and Security

• Maintaining audit trails as required for regulatory compliance
• Monitoring system security and preventing unauthorized access
• Complying with legal obligations

Service Improvement

• Analyzing system performance and reliability
• Identifying and resolving service issues

8. How We Share Data

We do not sell personal information to third parties. We share data only in the following circumstances:

With Facility Staff (Configured by the Facility)

When a resident does not respond to a check-in, we notify the Facility Staff members designated by the Facility. The information shared includes: the resident's name, the fact that they did not respond, the date and time, and the number of contact attempts made. The Facility controls which staff members receive these alerts.

With Service Providers

We use trusted third-party providers to deliver our Service. These providers process data on our behalf under contractual obligations to protect the data and use it only for the specified purpose:

• Stripe — Payment processing and subscription management
• Telnyx — Voice calls and SMS delivery for check-ins and alerts
• Mailgun — Email delivery for notifications, alerts, and marketing
• DigitalOcean — Cloud infrastructure and data hosting
• Honeybadger — Error monitoring and system reliability (no personally identifiable information transmitted)

We do not share resident data with any provider that does not require it for service delivery.

With Law Enforcement or as Required by Law

We may disclose information when required by law, court order, or government request, or when we believe disclosure is necessary to protect our rights, property, or safety, or the rights, property, or safety of others.

In a Business Transfer

If the Company is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify affected Facilities before any such transfer.

9. HIPAA

ResidentCheckin is NOT designed for transmitting or storing Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA).

• The Company is NOT a HIPAA Business Associate
• No Business Associate Agreement (BAA) is offered or in place
• Facilities that are subject to HIPAA are solely responsible for their own compliance
• Facilities must NOT input PHI into the Service beyond the minimal contact information necessary for service delivery (names and phone numbers)

This is consistent with Section 7.2 of our Terms of Service.

10. Data Security

We implement reasonable administrative, technical, and physical safeguards to protect information in our systems:

Technical Safeguards

• Encryption of data in transit (TLS/SSL) and sensitive data at rest
• Secure cloud infrastructure with access controls
• Regular security updates and patch management
• Webhook signature verification for third-party integrations

Administrative Safeguards

• Role-based access controls (Facility administrators see only their own facility's data)
• Immutable audit logs of all significant system actions
• Limited employee access on a need-to-know basis

11. Data Retention

We retain data for the following periods:

• Active Accounts: All data is retained throughout the active subscription
• After Cancellation — 30-Day Read-Only Period: Facility administrators retain read-only access to view history and download invoices for 30 days after service ends
• After Cancellation — 6-Month Archive Period: Resident records are retained for 6 months after service ends to allow for reactivation. After 6 months, resident records are archived
• Check-In History and Audit Records: Retained indefinitely for compliance and regulatory purposes, even after account closure
• Invoice and Billing Records: Retained for 7 years as required by tax regulations
• SMS Message Logs: Retained for the duration of the active subscription plus 2 years
• Terms Acceptance Records: Retained permanently as legal records

After retention periods expire, we securely delete or anonymize information unless we are required by law to retain it longer.

12. Facility Customer Rights

Facility Customers may exercise the following rights regarding their data and their residents' data:

• Access: View all resident data, check-in history, and billing information through the Service dashboard
• Correction: Update resident information, contact details, and preferences through the Service at any time
• Deletion: Remove individual residents from the Service at any time. Request full account deletion by contacting us
• Data Export: Request a copy of facility and resident data in a portable format by contacting support
• Marketing Opt-Out: Unsubscribe from marketing emails at any time using the unsubscribe link in each email. This does not affect operational notifications.

13. Resident Privacy Rights

Residents do not have a direct account with ResidentCheckin. Their data is managed by their Facility.

If a resident or their family wishes to know what data we hold:

We will confirm the categories of data we hold (name, phone number, check-in records, contact preferences) and refer the resident to their Facility to obtain the actual data. The Facility can access and provide this information through their Service dashboard.

If a resident or their family wishes to have their data deleted:

We will notify the Facility of the request. Upon confirmation from the Facility, we will delete the resident's data. If the Facility objects (e.g., the resident is still actively enrolled), we will inform the resident that the request must be resolved with their Facility.

Process for resident privacy requests:

1. Contact us at [email protected] or (855) 410-1010
2. We will acknowledge the request within 48 hours
3. We will notify the Facility and coordinate the response
4. We will respond to the resident within 30 days

Opting out of the Service:

A resident may opt out of SMS messages at any time by replying STOP to any message. To stop all check-in communications (calls, SMS, voice assistant), the resident should contact their Facility to be removed from the Service.

14. SMS and Text Messaging

When a Facility enrolls a resident with a mobile phone number and the resident consents to receive text messages:

• We send automated text messages related to the daily check-in service, including check-in prompts, confirmations, and service notifications
• Message frequency varies based on the check-in schedule (typically 1-3 messages per day)
• Message and data rates may apply
• Opt out at any time by replying STOP to any message. You will receive one final confirmation and no further texts will be sent. Opting out of SMS does not cancel your check-in service — the Facility may configure an alternative contact method
• For help, reply HELP or contact [email protected]
• SMS message content (both sent and received) is logged and retained for service delivery and compliance
• Mobile phone numbers and messaging consent data will not be sold or shared with third parties for promotional or marketing purposes
• Messaging consent data is shared only with vendors that assist in delivering messages (e.g., our telephony provider) as required to operate the Service
• Supported carriers are not liable for delayed or undelivered messages

15. Cookies and Tracking Technologies

Our website uses cookies and similar technologies:

• Essential Cookies: Required for website functionality and cookie consent preferences
• Analytics Cookies: Google Analytics (only with your consent) to understand website usage
• Preference Cookies: Remember your settings and preferences
• Session Cookies: Maintain your logged-in session in the Service platform

You can control cookies through your browser settings, including blocking or deleting cookies. Disabling cookies may affect website functionality and your ability to use the Service platform. See our Cookie Policy for more details.

16. Age Requirement

The Service is designed for use by adult residents of senior living facilities. Facility administrators and staff must be at least 18 years of age to create an account or manage the Service. We do not knowingly collect personal information from individuals under 18 in the context of account management.

17. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements.

• We will post the updated Privacy Policy on our website
• We will update the "Effective Date" at the top
• For material changes, we will notify Facility Customers via email at least 30 days before the changes take effect

Continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.

18. State and Provincial Privacy Rights

Our Service is available to facilities in the United States and Canada.

California Residents (CCPA/CPRA)

We voluntarily extend the following rights to all our customers, regardless of location:

• Right to know what personal information is collected and how it is used
• Right to know whether personal information is sold or disclosed (we do not sell personal information)
• Right to request deletion of personal information (subject to the process described in Sections 12 and 13)
• Right to non-discrimination for exercising privacy rights

Canadian Users (PIPEDA)

We comply with applicable Canadian privacy laws regarding the collection, use, and disclosure of personal information of Canadian residents.

To exercise privacy rights:

• Email: [email protected] with subject "Privacy Rights Request"
• Phone: (855) 410-1010
• We will respond within 30 days (45 days if an extension is needed, with notice)

19. Contact Information

If you have questions about this Privacy Policy or our privacy practices: