
Privacy Policy

Last updated: February 2026

At Serenity, protecting the data of residents and staff is our priority. This policy describes how we collect, use, store, and protect personal information within our platform.

1. Data We Collect: We collect data provided by the subscribing organization to deliver the service, including: resident information (full name, ID, insurance, medical history, vitals, medications), staff information (name, email, role, employment documents), and administrative information (billing, subscription plans, locations).

2. Purpose of Processing: Data is used exclusively to: (a) deliver the contracted care home management services, (b) generate operational and financial reports, (c) comply with applicable regulatory requirements for the elderly care sector, (d) send service-related notifications.

3. Storage, Security, and Data Location: Data is stored on Supabase infrastructure (provider: Amazon Web Services) located in the US-East-1 region (Virginia, United States). We use encryption at rest (AES-256) and in transit (TLS 1.3). We apply Row Level Security (RLS) policies to ensure each organization can only access its own data. We perform automatic daily backups with point-in-time recovery capability.

4. Access and Control: Only authorized users within their organization can access data, according to permissions assigned by the administrator through the role system. Serenity does not access resident data unless strictly necessary for technical support with explicit authorization.

5. User Rights: The subscribing organization may at any time: request a complete export of their data, request the permanent deletion of all their information, modify staff access permissions. Requests are processed within 10 business days.

6. Data Retention: Data is retained during the active subscription period and up to 90 days after cancellation, after which it is irreversibly deleted unless otherwise required by law.

7. Clinical Records and Integrity: Clinical records (medical notes, vital signs, medication administration) are not permanently deleted. Corrections preserve the original version through an immutable audit log system that records who made each change, what was modified, and when. This system complies with traceability requirements mandated by care facility regulations.

8. Digital Signatures and Confirmations: The platform uses an individual user authentication mechanism with a password as the digital signature method for clinical actions. Each action is linked to the authenticated user, their full name, and the server timestamp.

9. Applicable Law: This policy is governed by applicable data protection regulations in your jurisdiction.

If you have any questions about our Privacy Policy, please contact us through our technical support.