Privacy Policy

Last updated: March 18, 2026

Overview

CareSphere is a residential care operations platform operated by Boston Managed IT, LLC ("Boston Managed IT," "we," "us," or "our"). This Privacy Policy describes how we collect, use, store, and protect information when you use the CareSphere platform and website.

CareSphere handles protected health information (PHI) on behalf of our customers under the Health Insurance Portability and Accountability Act (HIPAA). We take that responsibility seriously. This policy explains what we do and what we don't do with your data.

Information We Collect

Account and organization information. When you create a CareSphere account, we collect your name, email address, organization name, and contact information. We use this to provide and support the service.

Protected health information (PHI). CareSphere customers enter resident and client data as part of using the platform. This includes demographic information, medication records, incident reports, care plans, and other health-related data. This information belongs to you — we process it only to deliver the service as described in your Business Associate Agreement.

Usage data. We collect logs of system activity including login events, actions taken within the application, and error reports. This data is used for security, support, and system reliability. Logs do not contain PHI.

Website analytics. We may collect anonymous analytics about visits to our marketing website (carespherehq.com) such as page views and browser types. This data is not linked to individual users and is used only to improve the website.

How We Use Your Information

  • To provide, operate, and maintain the CareSphere platform
  • To authenticate users and enforce access controls
  • To send service-related communications (account setup, support responses, system notifications)
  • To respond to support requests and resolve technical issues
  • To maintain the audit trail required by HIPAA and your organization's compliance obligations
  • To improve the platform based on usage patterns (using anonymized data only)
  • To comply with legal obligations

We do not use your data for advertising. We do not sell your data. We do not share your data with third parties except as described in this policy or required by law.

Data Storage and Security

All data is stored on secure cloud infrastructure in the United States. We use PostgreSQL with encryption at rest. All data in transit is protected by TLS 1.2 or higher. Access to production systems is restricted to authorized personnel only.

PHI is encrypted at rest and in transit. PHI is not stored in application logs or included in URL parameters. We maintain a complete audit trail of all access to and modifications of health records.

For full details of our security controls, see our Security and Compliance page.

Third-Party Services

CareSphere uses a limited number of third-party services to operate the platform:

  • Cloud hosting infrastructure — For compute, storage, and database services. These providers operate under data processing agreements and do not have access to PHI beyond what is necessary to store and process encrypted data.
  • Email delivery — For transactional emails such as password resets and system notifications. These emails do not contain PHI.

We do not use third-party analytics tools, advertising networks, or social media integrations within the CareSphere application.

HIPAA Compliance

CareSphere is designed to comply with the HIPAA Security Rule and Privacy Rule as they apply to business associates. We enter into a Business Associate Agreement (BAA) with every customer before they go live on the platform. The BAA governs how we handle PHI and defines the obligations of both parties.

If you are a covered entity or business associate under HIPAA and need a BAA, contact us at support@bostonmit.com before using the platform with real patient data.

Data Retention

We retain your data for as long as your account is active plus a reasonable period thereafter to allow for data export and resolution of any disputes. When you close your account, we will provide a full data export and then securely delete your data in accordance with our data retention policy and your BAA.

Audit logs are retained for a minimum of six years to support HIPAA compliance requirements.

Your Rights and Data Requests

Customers have the right to access, export, and delete the data they have entered into CareSphere. Data export is available at any time through the platform or by contacting support.

For requests related to PHI on behalf of a resident or client, please contact the organization that manages their care. As a business associate, we process PHI under the direction of the covered entity (our customer).

For any other privacy-related requests, contact us at support@bostonmit.com.

Children's Privacy

CareSphere is a business-to-business platform intended for use by healthcare organizations and their staff. It is not directed at or intended for use by children. We do not knowingly collect personal information from children under the age of 13.

Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify customers by email or by posting a notice in the application. The date at the top of this policy reflects when it was last updated.

Contact

For questions about this Privacy Policy or our data practices, contact:

Boston Managed IT, LLC
Boston, Massachusetts
support@bostonmit.com
bostonmit.com