Legal

Privacy Policy

Last updated: April 28, 2026  ·  Effective: April 28, 2026

Introduction

Care Pilot Minnesota, LLC (“CarePilot,” “we,” “us,” or “our”) operates the website at carepilotmn.com and the CarePilot compliance platform (collectively, the “Services”). We are headquartered in Minneapolis, Minnesota.

This Privacy Policy explains how we collect, use, disclose, and protect information about:

  • Website visitors — individuals who visit carepilotmn.com, submit contact or demo request forms, or otherwise interact with our public-facing website.
  • Platform customers — Minnesota DHS-licensed agencies and their authorized staff who use the CarePilot platform to manage compliance, documentation, EVV, and billing.

By accessing or using our Services, you agree to this Privacy Policy. If you do not agree, please discontinue use.

Information we collect

Information you provide to us

When you contact us, request a demo, or use our platform, we may collect:

  • Name, job title, and agency name
  • Work email address and phone number
  • Agency size, program type, and compliance questions submitted through forms
  • Account credentials for platform access
  • Agency operational data entered into the platform (employee records, client service records, EVV data, billing data, compliance documentation)

Information collected automatically

When you visit our website, we may automatically collect:

  • IP address and approximate geographic location
  • Browser type, operating system, and device information
  • Pages visited, time spent, and referral URLs
  • Session data and interaction logs within the platform

Information we do not collect

CarePilot does not directly collect protected health information (PHI) from individuals receiving care. PHI that appears within the platform is entered by agency staff and governed by the Business Associate Agreement described in Section 4.

How we use your information

We use collected information to:

  • Provide, operate, and maintain the CarePilot platform and website
  • Respond to contact and demo requests and schedule consultations
  • Set up and configure platform accounts for agency customers
  • Deliver compliance monitoring, EVV tracking, documentation, and billing features
  • Send transactional communications (account setup, renewal reminders, compliance alerts)
  • Send marketing communications, where you have consented or where permitted by applicable law — with an opt-out available at any time
  • Improve our Services through aggregated, de-identified usage analytics
  • Comply with legal obligations, including Minnesota DHS reporting requirements
  • Detect and prevent fraud, abuse, or security incidents

We do not use your data to train third-party artificial intelligence models or sell it to data brokers.

HIPAA & Business Associate Agreements

CarePilot serves as a Business Associate (as defined under the Health Insurance Portability and Accountability Act of 1996, “HIPAA”) for agency customers who are Covered Entities or Business Associates themselves.

Before any agency customer may enter protected health information into the CarePilot platform, we require execution of a Business Associate Agreement (BAA). The BAA governs our permitted uses and disclosures of PHI and our obligations to:

  • Use PHI only as necessary to provide contracted services
  • Implement appropriate administrative, physical, and technical safeguards
  • Report any breach of unsecured PHI within the timeframes required by HIPAA
  • Ensure that sub-processors handling PHI are bound by equivalent obligations
  • Return or destroy PHI upon termination of the customer relationship

If your agency has not yet executed a BAA with CarePilot and requires one, please contact us at info@carepilotmn.com.

Minnesota data privacy

In addition to HIPAA, CarePilot operates in compliance with Minnesota's health data privacy framework, including:

  • Minnesota Health Records Act (Minn. Stat. § 144.291 et seq.) — governs the confidentiality of health records and requires patient consent for disclosure except in limited circumstances.
  • Minnesota Government Data Practices Act (MGDPA) — applies to government agencies that share data with CarePilot as part of DHS program operations.
  • Minnesota DHS data sharing agreements — where CarePilot receives or accesses data through DHS-integrated systems (e.g., MMIS), we comply with all applicable data use restrictions.

Minnesota residents whose data is processed through our platform may exercise the rights described in Section 9 of this Policy.

Data sharing

CarePilot does not sell your personal information.

We share information only in the following limited circumstances:

  • Service providers (sub-processors) — We engage trusted vendors for cloud hosting, email delivery, and analytics. All sub-processors are contractually required to process data only on our behalf and in accordance with this Policy.
  • Agency administrators — Within the platform, authorized agency administrators can access data entered by their staff. Access is role-based and logged.
  • Legal requirements — We may disclose information if required by law, court order, or valid governmental request, or to protect the rights, property, or safety of CarePilot, our customers, or the public.
  • Business transfers — If CarePilot is acquired or merges with another organization, your information may be transferred as part of that transaction. We will notify affected customers and provide opt-out options where required by law.

We do not share personal information with third-party advertisers or data brokers.

Data security

We implement industry-standard technical and organizational measures to protect your information, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls limiting data access to authorized personnel
  • Comprehensive audit logging of all platform activity
  • Regular security assessments and vulnerability scanning
  • Staff training on data handling and HIPAA compliance
  • Incident response procedures for suspected breaches, including HIPAA breach notification

No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially reasonable means to protect your information, we cannot guarantee absolute security. In the event of a breach affecting your data, we will notify you in accordance with applicable law.

Data retention

  • Website inquiry and demo request data — retained for up to 24 months from the date of submission, or until you request deletion.
  • Platform customer data — retained for the duration of the customer relationship plus 7 years, or as required by Minnesota DHS program retention requirements, whichever is longer.
  • PHI processed under a BAA — returned or securely destroyed within 30 days of BAA termination, except where retention is required by law.
  • Usage and analytics data — retained in aggregated, de-identified form indefinitely for product improvement.

Customers may request earlier deletion of their data by contacting us at info@carepilotmn.com, subject to any legal or contractual retention obligations.

Your rights

Depending on your relationship with CarePilot and applicable law, you may have the right to:

  • Access — Request a copy of the personal information we hold about you.
  • Correction — Request correction of inaccurate or incomplete information.
  • Deletion — Request deletion of your personal information, subject to legal and contractual retention requirements.
  • Portability — Request a copy of your data in a structured, machine-readable format.
  • Opt-out of marketing — Unsubscribe from marketing communications at any time using the link in any email, or by contacting us directly.
  • Complaint — Lodge a complaint with the Minnesota Department of Human Services or a relevant data protection authority if you believe your rights have been violated.

To exercise any of these rights, contact us at info@carepilotmn.com. We will respond within 30 days. We may need to verify your identity before fulfilling a request.

Note for individuals whose data was entered by a CarePilot agency customer: CarePilot processes that data as a Business Associate on behalf of the agency. Requests related to PHI should be directed to the agency that entered your data, as they are the Covered Entity responsible for that information.

Cookies

CarePilot uses a limited number of cookies and similar technologies on our website:

  • Strictly necessary cookies — Required for the website and platform to function (session management, authentication). These cannot be disabled.
  • Analytics cookies — Used to understand how visitors interact with our website (e.g., pages visited, session duration). Data is aggregated and does not identify individual users.

We do not use advertising cookies, cross-site tracking cookies, or sell cookie data to third parties.

You can control cookie settings through your browser preferences. Disabling analytics cookies will not affect your ability to use the site.

Contact us

For questions about this Privacy Policy, to exercise your data rights, or to request a Business Associate Agreement, please contact:

Care Pilot Minnesota, LLC
Minneapolis, MN 55402
info@carepilotmn.com
(952) 843-3916

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify platform customers by email. Your continued use of our Services after any update constitutes acceptance of the revised Policy.

If you have a concern about how we handle your data that we have not resolved to your satisfaction, you may contact the Minnesota Department of Human Services.