Privacy Policy
Effective Date: May 15, 2025
This Privacy Policy applies to users of our telepresence platform, clients, and customers. Carrot Medical, LLC ("we," "our," or "us") is committed to protecting the privacy of your personal data when you use our telepresence platform and associated services (collectively, the "Services").
1. Information We Collect
When you use our Services, we may collect the following personal data:
- Account Information: When hosts and participants create accounts on the C-Suite portal, we collect your name, email address, and profile details (which may include your job title and organization).
- Meeting Metadata: We collect basic meeting information (e.g., meeting times, durations, and participant counts) to facilitate service delivery. We do not store audio/video content, chat messages, or files shared during meetings on our servers unless specifically requested by the meeting host. If server-side storage is specifically requested, we will retain this content as necessary to fulfill the purpose of the storage, or as otherwise communicated to the requesting user. Users maintain control of their content, which may also be stored locally on their devices, and are responsible for securing this locally stored data.
- Calendar Integration: If you link your calendar, we may access your calendar data, such as event titles, times, and attendees, to schedule meetings and provide meeting reminders. You can revoke calendar integration permissions through your account settings.
- Usage Data: We collect device information, browser type, IP address, and interactions with our Services. This data helps us improve our Services (for example, by identifying popular features and optimizing meeting performance), troubleshoot technical issues, analyze usage patterns, and enhance security.
2. How We Use Your Personal Data
We use collected personal data for the following purposes:
| Category of Personal Data | Purpose of Processing | Legal Basis (for EU/UK Users - See Section 9) |
|---|---|---|
| Account Information | Provide account access and authentication; deliver the Services; communicate with you about your account | Performance of contract; Legitimate interest |
| Meeting Metadata | Facilitate telepresence meetings; generate usage statistics; improve service reliability | Performance of contract; Legitimate interest |
| User-Controlled Content | Enable real-time communication during meetings (content is not stored on our servers unless specifically requested by meeting hosts) | Performance of contract; Consent (as applicable for any server-side storage) |
| Calendar Integration | Schedule meetings; provide meeting reminders | Consent; Performance of contract |
| Usage Data | Improve Services; troubleshoot technical issues; analyze usage patterns; enhance security | Legitimate interest |
Additional processing purposes:
- Operate and maintain our Services
- Improve service security and functionality
- Communicate service-related information
- Fulfill legal obligations
3. Data Sharing and Disclosure
We do not sell personal data. We do not discriminate against consumers for exercising their privacy rights. We may share your personal data with:
- Service Providers: To operate and support our Services. These categories of providers include cloud hosting and storage providers, authentication and security service providers, analytics and performance monitoring providers, customer support tools and services, and communication and email service providers. All service providers are contractually bound to use your personal data only for providing services to us and in compliance with applicable privacy laws.
- Legal Authorities: When required to comply with applicable laws, court orders (such as subpoenas), governmental regulations, or other legal processes.
- Business Transfers: In the context of a merger, acquisition, or sale of all or a portion of our assets, in which case the successor entity will be bound by the terms of this Privacy Policy and assume the obligations described herein.
4. Data Retention
We retain your personal data only as long as necessary to provide our Services or comply with applicable legal obligations. Different types of data may be retained for different periods:
- Account Information: Retained while your account is active and for a reasonable period afterward (e.g., for 90 days) to address any follow-up questions or concerns.
- Meeting Metadata: Retained only as long as necessary to provide our Services and comply with applicable legal obligations.
- Usage Data: Retained for as long as needed to analyze and improve our Services.
- Support Communications: Retained to address ongoing issues and to improve our customer service.
You may request the deletion of your personal data at any time by contacting us at privacy@carrotmedical.com, subject to legal retention requirements (e.g., for tax or legal defense purposes). We regularly review our data retention practices and delete personal data that is no longer necessary.
5. Data Security
We implement industry-standard technical, administrative, and physical safeguards to protect your personal data from unauthorized access, disclosure, or destruction. These measures include:
- Encryption of data in transit and at rest
- Access controls and authentication mechanisms
- Regular security assessments and testing
- Employee training on privacy and security practices
- Incident response procedures
While we strive to protect your personal data, no security measures are perfect. We cannot guarantee the absolute security of your data.
6. HIPAA and Protected Health Information
Carrot Medical, LLC complies with HIPAA requirements, including entering into Business Associate Agreements (BAAs) with clients as necessary to safeguard Protected Health Information (PHI). As a Business Associate, while we do not actively access or store PHI in the typical course of providing our Services, we provide a secure platform for its transmission as instructed by our healthcare clients.
Each healthcare client is responsible for ensuring that:
- PHI is used and disclosed in accordance with HIPAA
- Proper consents and authorizations are obtained from patients
- Appropriate security measures are implemented on their end
In the event of a security incident involving PHI, we will notify affected healthcare clients in accordance with BAA terms and HIPAA requirements.
7. Cookies and Tracking Technologies
Our Services use cookies and similar tracking technologies to enhance your experience and collect information about how you interact with our Services.
Types of Cookies We Use:
- Essential Cookies: Required for the operation of our Services, including authentication and security.
- Analytics Cookies: Help us understand how users interact with our Services.
- Functional Cookies: Allow us to remember your preferences and provide enhanced features.
- Third-Party Cookies: May be set by our service providers for analytics and functionality.
You can manage your cookie preferences through your browser settings. We honor Do Not Track (DNT) signals when technically feasible. Please be aware that some browsers may not support DNT signals, and you should check your browser settings for options regarding tracking. We cannot guarantee that all third-party services integrated with our platform will respect these signals.
8. U.S. State Privacy Rights
Residents of certain U.S. states, including California, Colorado, Virginia, Connecticut, and Utah, may have additional rights under state privacy laws. These rights are described below:
California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- The right to know what personal information we collect, use, disclose, and share
- The right to request access to your personal information
- The right to request deletion of your personal information
- The right to correct inaccurate personal information
- The right to opt out of the sale or sharing of personal information (we do not sell your data)
- The right to limit the use and disclosure of sensitive personal information (if applicable)
- The right not to receive discriminatory treatment for exercising any of these rights
To exercise any of these rights, or to designate an authorized agent to make a request on your behalf, please contact us at privacy@carrotmedical.com.
We will respond to verified requests within 45 days, with a possible extension of up to an additional 45 days when reasonably necessary. We may need to verify your identity before fulfilling your request by matching information you provide with information in our records.
Other U.S. State Residents
Residents of states such as Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Delaware, and Indiana may also have rights under applicable privacy laws. These rights may include access, correction, deletion, and the right to opt out of certain data processing activities. We are committed to honoring all applicable state privacy rights.
To exercise your rights under your state's privacy law, please contact privacy@carrotmedical.com. We will respond to verified requests within the timeframe specified by the applicable state law.
9. EU/EEA and UK Privacy Rights (GDPR)
If you are located in the European Union (EU), European Economic Area (EEA), or the United Kingdom (UK), the General Data Protection Regulation (GDPR) and UK GDPR provide you with the following additional rights, and the legal bases for processing your data are explained below:
- The right to access your personal data and receive information about its processing.
- The right to rectification of inaccurate or incomplete personal data.
- The right to erasure ("right to be forgotten") of your personal data under certain circumstances.
- The right to restrict processing of your personal data in specific situations.
- The right to data portability to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
- The right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
- The right to withdraw consent at any time, where processing is based on consent, without affecting the lawfulness of processing based on consent before its withdrawal.
- The right to lodge a complaint with a supervisory authority in your country of residence, place of work, or where an alleged infringement of the GDPR has occurred.
We process your personal data based on the following legal grounds:
- Performance of a contract: This applies when we need to process your data to provide you with the Services you have requested (e.g., account information to give you access).
- Consent: We rely on your consent for certain processing activities, such as calendar integration and any server-side storage you specifically request. You have the right to withdraw your consent at any time.
- Legitimate interests: We may process your data based on our legitimate interests in operating and improving our Services, ensuring security, and for other purposes that are balanced with your rights and interests (e.g., using usage data to analyze and enhance the platform).
- Legal obligations: We may need to process your data to comply with applicable laws and regulations.
To exercise your GDPR rights, please email us at privacy@carrotmedical.com. We will respond to your request within 30 days.
10. Additional Disclosures
Third-Party Services:
Our Services may integrate with third-party tools (such as calendar or authentication services). Your use of these integrations is subject to those providers' privacy policies, and we encourage you to review them. We conduct privacy and security assessments of third-party service providers before integration.
Data Transfers:
Information collected through our Services may be processed and stored in the United States or other jurisdictions where our service providers operate. By using our Services, you consent to such transfers, which are conducted in accordance with applicable law and appropriate safeguards, such as Standard Contractual Clauses for data transferred from the EU/EEA/UK.
Automated Processing:
Currently, we do not use your personal data for automated decision-making or profiling that would produce legal effects or similarly significantly affect you. However, we reserve the right to implement such technologies in the future, in which case we will provide you with appropriate notice and choices.
Changes to Your Personal Information:
You can update personal information associated with your account through your account settings or by contacting us at privacy@carrotmedical.com.
11. Data Breach Notification
In the event of a data breach that compromises the security of your personal information, we will:
- Notify affected users without undue delay, typically within 72 hours of discovering the breach (or as required by applicable law)
- Provide information about the nature of the breach, the categories of personal data affected, and the steps we are taking to address the breach
- Notify relevant regulatory authorities as required by applicable law
12. Children's Privacy
Our Services are not directed to individuals under the age of 13 (or 16 in the EU/UK). We do not knowingly collect personal data from children. If we learn we have inadvertently collected such data, we will delete it promptly.
13. Changes to This Policy
We may revise this Privacy Policy periodically. We encourage you to review this policy regularly for any updates. Updated versions will be posted on our website with a new effective date. For material changes, we will provide notification through our Services or via email before the changes take effect. Your continued use of our Services after changes to this Privacy Policy constitutes your acceptance of the updated terms.
14. Contact Us
For questions or concerns about this policy or your personal data:
Carrot Medical, LLC
22122 20th Ave SE
Bothell, WA 98021, USA
Email: privacy@carrotmedical.com