Effective date: January 1, 2025 · Last updated: March 2025
Kinloop is not a medical provider, medical device, or emergency service. It does not provide diagnosis, treatment, or clinical decision-making of any kind. If your loved one is in a life-threatening situation, call 911 immediately.
Kinloop is designed to support HIPAA-compliant workflows and handles all health information with administrative, physical, and technical safeguards consistent with the HIPAA Security Rule (45 CFR Part 164, Subpart C). Where Kinloop is engaged by a HIPAA Covered Entity and a Business Associate Agreement (BAA) is in place, sistemafusion, LLC may act as a Business Associate as defined under 45 CFR §160.103.
Most Kinloop users are individual family caregivers, not HIPAA Covered Entities. In those cases, HIPAA may not technically govern our relationship — but we apply the same privacy and security standards as a matter of policy. For more detail, see our Notice of Privacy Practices.
To request a Business Associate Agreement or ask questions about our privacy practices, contact us at hello@kinloop.co.
Kinloop is a care management platform operated by sistemafusion, LLC. "Kinloop" is a trade name of sistemafusion, LLC ("Company," "we," "our," or "us"). Our service provides automated daily SMS medication check-ins, AI-assisted weekly care reports, and a caregiver portal for families managing a loved one’s chronic conditions.
Questions about this policy: hello@kinloop.co
When you create a Kinloop account, we collect your name, email address, and password (stored as a bcrypt hash by Supabase Auth). If you are a care coordinator or medical professional, we also collect your professional title and role.
With your consent, you provide us with your care recipient’s name, phone number, state of residence, medical conditions (for care planning purposes), and medication schedule. This information may constitute Protected Health Information (PHI) under HIPAA in applicable contexts and is handled with the same safeguards in all cases.
Care recipients respond to daily SMS check-ins with YES, NO, or HELP. These responses, along with timestamps and any follow-up communications, are stored as part of the care record and included in weekly reports. SMS messages never contain PHI — no diagnoses, medication names, or clinical details. For full details on what messages are sent and delivery limitations, see our Patient Communication Policy.
Payment card details are collected and stored exclusively by Stripe. We receive only a tokenized reference (Stripe customer ID) and subscription metadata. We never store raw card numbers or CVVs.
We collect standard server logs including IP addresses, browser type, and pages visited. We use this data solely for security monitoring, abuse prevention, and improving our service. We do not use third-party advertising trackers or sell usage data.
We do not use care recipient health information for marketing purposes, and we do not sell or rent your personal information to any third party.
Weekly reports include an AI-generated care summary. Before sending any data to our AI provider (Anthropic), we remove or replace all personally identifiable information, including names and phone numbers. The AI provider receives only de-identified health trend data (e.g., "patient responded YES 6 of 7 days") and is contractually prohibited from training on this data. We maintain appropriate data processing agreements with Anthropic governing the handling of this de-identified data.
We share data only with subprocessors essential to delivering our service. We seek to establish appropriate data protection agreements with each subprocessor, including Business Associate Agreements where applicable:
| Provider | Purpose | Data shared |
|---|---|---|
| Supabase | Database, auth, file storage | All account and care data |
| Twilio | SMS delivery | Phone number, message content |
| Stripe | Payments & billing | Name, email, payment method |
| SendGrid | Transactional email | Email address, report content |
| Anthropic | AI care summaries | De-identified health trends only |
| Vercel | Web hosting | Server logs, IP addresses |
We may also disclose information: (a) as required by law or court order; (b) to protect the rights, property, or safety of sistemafusion, LLC, our users, or the public; or (c) in connection with a merger, acquisition, or sale of assets, provided the acquirer agrees to honor this Privacy Policy.
We retain account data for as long as your account is active. Care records and check-in history are retained for a minimum of 6 years from the date of creation, in alignment with HIPAA records retention principles (45 CFR §164.530(j)) and as a matter of best practice for health-related data. Upon account deletion, your personal profile and payment data are deleted promptly; care records are purged after the applicable retention period.
Audit logs are retained for 6 years and may not be deleted upon account deletion, consistent with the HIPAA Security Rule.
Depending on your location and applicable law (including CCPA and applicable state privacy statutes), you may have the right to:
To exercise any of these rights, email hello@kinloop.co or use the "Download my data" and "Delete my account" options in your dashboard. We will respond within 30 days.
We implement industry-standard security controls including: AES-256 encryption at rest, TLS 1.2+ in transit, role-based access control, multi-factor authentication for staff accounts, per-request Content Security Policy nonces, and a comprehensive audit log of all data access and modifications. Our infrastructure providers (Supabase and Vercel) maintain SOC 2 Type II certifications.
Despite these measures, no system is perfectly secure. If you discover a security vulnerability, please report it responsibly to hello@kinloop.co.
Kinloop is designed for adults managing the care of elderly individuals. We do not knowingly collect personal information from anyone under the age of 18. If you believe we have inadvertently collected such data, please contact us immediately.
Kinloop is intended for use within the United States only. Our servers are located in the United States. If you access our service from outside the US, you do so at your own risk and are responsible for compliance with local laws.
We may update this Privacy Policy from time to time. Material changes will be communicated via email and/or a prominent notice on our website at least 30 days before they take effect. Your continued use of Kinloop after the effective date constitutes acceptance of the updated policy.
Privacy Officer — sistemafusion, LLC, operating as Kinloop
hello@kinloop.co
If you believe we have handled your information in violation of applicable law, you may contact us directly or file a complaint with the relevant regulatory authority. If your PHI is processed in connection with a HIPAA Covered Entity through Kinloop, you may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, at hhs.gov/ocr/complaints.