Privacy policy.

Effective Date: July 1, 2024

Notice at Collection (Summary)

  • Categories collected: identifiers & contact, account/security logs, device/usage data, photos/media you upload, Resident and care information entered by Clients, billing metadata (no full card numbers), inferences (feature usage).
  • Purposes: provide Services (CRM, Maintenance, Calendars, EHR, Family Connect, optional billing), security, support, analytics, compliance, communications.
  • Sharing: service providers (hosting, security, messaging, analytics, payments/Stripe) and parties you authorize. We do not sell Personal Information or “share” it for cross-context behavioral advertising.
  • Retention: for as long as needed to provide Services and as required/permitted by law and contracts; Clients control retention of Client-entered records.

What this Privacy Policy Covers

This Policy explains how Kinnwell collects, uses, discloses, and protects personal information (“Personal Information”) when you use our websites, apps, and related services (the “Services”). Users include community personnel (“Clients” and their “Personnel”), Residents, Residents’ family members/representatives (“Resident Representatives”), and other Client-authorized users (“Authorized Users”).

Your use of the Services is also subject to our Terms (and any Order/MSA) which incorporate this Policy. This Policy does not cover practices of third parties we don’t control.

HIPAA/BAA: When Kinnwell receives Protected Health Information (“PHI”) from or on behalf of a covered entity Client, Kinnwell acts as a HIPAA Business Associate and uses/discloses PHI only as permitted by the applicable Business Associate Agreement (BAA) and HIPAA. Where there is a conflict, the BAA/HIPAA governs for PHI.

Categories of Personal Information We Collect

A. Business Contact & Account Data (all users)

  • Identifiers & contact: name, email, phone, role/title, employer/community, business address.
  • Account & security: usernames, hashed passwords, roles/permissions, MFA settings, audit and access logs.
  • Communications: support tickets, emails, in-app messages, feedback, survey responses.

B. Marketing CRM (lead management)

  • Prospect/lead info: contact details, referral source, stage/status, notes, tasks/activities.
  • Engagement data: communications history, meeting notes, attachments uploaded by Client.

C. Maintenance & Work Orders

  • Work orders & tasks: ticket details, timestamps, assignees, status, notes.
  • Facility/asset data: room/area, equipment identifiers, preventive-maintenance schedules.
  • Attachments: photos, documents uploaded by users.

D. Activity & Dining Calendars

  • Events & schedules: event details, reminders, RSVP/attendance.
  • Preferences: interests, accessibility accommodations, dietary preferences/restrictions.
  • Attendance associated with Resident profiles (if enabled by Client).

E. EHR for Senior Living (Client-entered Resident Data)

  • Resident profile & demographics (e.g., name, DOB, room/unit, contact).
  • Care info: assessments, service/care plans, ADLs, progress notes, incidents, vitals, allergies, diagnoses, provider info, risk flags, dietary restrictions.
  • Note: Kinnwell does not provide eMAR. If a Client enters medication lists or related notes, those are stored within Resident records but not as an eMAR workflow.
  • Attachments: documents/photos uploaded by Client (e.g., assessments, consents).

F. Family Connect (Resident Representatives)

  • Family/rep profiles: name, relationship, contact, access/consent settings.
  • Updates & media: posts, comments, photos/videos shared within the community’s private feed.
  • Communication logs: messages, notifications.

G. Billing & Payments (optional)

  • Billing profile: payer name, contact info, billing address, invoices, statements, receipts, transaction metadata (amount, date, method, last-4).
  • Processed by Stripe: we do not store full card numbers; Stripe returns tokens/last-4. See Stripe’s terms/privacy.

H. Device, Usage & Cookies

  • Device/usage: IP address, device/browser, OS, language, pages/screens viewed, features used, timestamps, referrers, general location (IP-derived), crash logs, performance data.
  • Cookies/SDKs: see “Cookies & Similar Technologies.”

I. Sensitive/Special Categories (only if provided by a Client or user)

  • Resident PHI (as above), government identifiers if entered by Client, signatures, and other sensitive data a Client chooses to store. Clients are responsible for notices/consents.

Categories of Sources

  • You/Your Organization: data you or admins enter; files uploaded; communications; usage.
  • Clients & Authorized Users: Client Personnel enter Resident/community data; family members submit content via Family Connect.
  • Service Providers & Integrations: e.g., payments (Stripe), email/SMS delivery, analytics, SSO/identity.
  • Automatic Collection: cookies, logs, and similar technologies.

Our Purposes for Collecting/Using Personal Information

  • Provide & operate the Services (accounts, auth, role-based access, CRM, Maintenance, Calendars, EHR, Family Connect, optional billing).
  • Support & security (troubleshooting, monitoring, preventing fraud/security incidents, auditing, enforcing policies).
  • Customize & improve (configure features, quality assurance, analytics, testing, research, product development).
  • Communications (service/transactional notices, product updates; occasional B2B marketing to business contacts per preferences).
  • Legal & compliance (comply with law, respond to lawful requests, exercise legal claims, maintain records).
  • With consent for specific purposes disclosed at collection.

We do not use Resident PHI for advertising/marketing.

Cookies & Similar Technologies

  • Essential (security, session, login).
  • Functional (preferences).
  • Analytics/Performance (feature usage, UX improvement).

You can control cookies in your browser. The Services currently do not respond to “Do Not Track” signals.

How We Share Personal Information

  • Your Client & Authorized Users: data entered for a specific Client is available to that Client’s authorized roles.
  • Service Providers: hosting, security, support, communications, analytics, and payments (Stripe)—under contracts limiting use/disclosure.
  • Integrations/Parties You Authorize: if a Client connects third-party tools or shares with insurers/providers/hospice, we facilitate those transfers as directed.
  • Legal/Compliance: to comply with law, enforce agreements, or protect rights/safety.
  • Business Transfers: in a merger, acquisition, financing, or sale, data may transfer under this Policy and applicable law.
  • De-identified/Aggregated: we may use/share data that does not identify you.

We do not sell Personal Information and do not “share” it for cross-context behavioral advertising as defined by California law.

Data Security

We implement commercially reasonable administrative, technical, and physical safeguards appropriate to the nature of the data (e.g., access controls, encryption in transit, monitoring/logging, environment hardening, personnel training). No system is 100% secure; you are responsible for protecting credentials. For PHI, we maintain safeguards consistent with HIPAA and applicable BAAs.

Data Retention

We retain Personal Information for as long as needed to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, and for legitimate business needs. Clients control retention of Client-entered content (e.g., Resident records). We may retain de-identified/aggregated data that does not identify you.

Personal Data of Children

The Services are intended for users 18+. We do not knowingly collect Personal Information from children under 13. If you believe a child under 13 provided Personal Information, contact support@kinnwell.com and we will delete it.

California & Other U.S. State Privacy Rights

Depending on your state (e.g., California (CCPA/CPRA), Colorado, Connecticut, Virginia, Utah), you may have rights to access/know, correct, delete, opt out of sale/sharing/targeted advertising (we do not sell/share), limit use/disclosure of Sensitive Personal Information (we use only for permitted purposes), and be free from discrimination for exercising rights.

How to exercise: Email support@kinnwell.com with subject “Privacy Request,” describe your request (access, correction, deletion, etc.), and provide information needed for verification and to identify your Client relationship. If we process your information as a service provider/Business Associate for a Client, we may direct you to that Client. You may authorize an agent with signed permission; we may require verification.

HIPAA Notice

When Kinnwell receives or maintains PHI from or on behalf of a covered entity Client, Kinnwell acts as a Business Associate and uses/discloses PHI only as permitted by the applicable BAA and HIPAA. This Policy applies to Personal Information outside HIPAA/BAA scope.

International Use

The Services are designed for use within the United States. If you access them from outside the U.S., you do so at your own risk and are responsible for compliance with local laws.

Changes to this Privacy Policy

We may update this Policy from time to time. We’ll post the new version here and update the Effective Date. Material changes will be communicated via reasonable notice. Your continued use after changes means you accept the updated Policy.

Contact Information

Questions or requests? Email support@kinnwell.com or write to Kinnwell (Sponty, LLC), 112 E. Live Oak Ave, Arcadia, CA 91006.

Payments are processed by Stripe, Inc. Stripe collects/processes your payment info under its own terms and privacy policy. Kinnwell receives limited billing metadata (e.g., last-4, token, amounts, dates) and does not store full card numbers.

This Policy is provided for general informational purposes and does not constitute legal advice. Consider having counsel review for your specific operations and state requirements.