Privacy Policy
- Application: ctEVV™ (mobile and web)
- Provider: CozziTech LLC
- Effective Date: May 23, 2026
- Last Updated: May 23, 2026
CozziTech LLC ("CozziTech," "we," "us," or "our") provides the ctEVV™ Electronic Visit Verification (EVV) platform, consisting of a mobile application for caregivers and a web portal for administrators (together, the "Service"). This Privacy Policy explains what information the Service collects, how we use and disclose that information, the choices you have, and the safeguards we apply.
1. Who This Policy Applies To
This Policy applies to three categories of individuals whose information the Service may process:
- Caregivers / Workers who log in to the ctEVV™ mobile or web application to record visits.
- Consumers / Clients (the individuals receiving services) whose records are managed in the Service by a provider agency.
- Administrators at provider agencies who use the web portal to manage consumers, visits, and reports.
In most cases, the provider agency (not CozziTech) is the "Covered Entity" under HIPAA and is the controller of the consumer information processed in the Service. CozziTech processes that information on the agency's behalf under the Business Associate Agreement (BAA) in force with that agency.
2. Information We Collect
2.1 Consumer Information
When an agency creates or imports a consumer record, the Service stores information such as:
- Full legal name, middle name, suffix, and any "also known as" names
- Date of birth and gender
- Home address (street, city, state, ZIP, county)
- Email address(es)
- Medicaid identifier
- Program enrollment information, current plan, and assigned support coordinator
- Diagnosis codes and diagnosis description (ICD-style codes; protected health information, or PHI)
- A photograph reference for visual identification
2.2 Caregiver / Worker Information
- Username and a securely hashed password (passwords are never stored in plaintext)
- Worker identifier and tenant (agency) assignment
- Role and access-level indicators
- Account creation timestamp
2.3 Visit and Location Data
To verify the time, place, and delivery of services, the Service collects:
- Check-in and check-out timestamps
- Precise GPS coordinates (latitude and longitude) at check-in, at check-out, and at periodic intervals (by default approximately every five minutes) while a visit is open
- Distance from the consumer's known service address (used to alert workers if they move outside the expected service area)
- Coordinates captured at the moment of signature
- Visit notes and visit type (free-form text entered by the caregiver; may contain PHI)
- Administrative notes flagged for review
- Electronic signature image (a signature captured on the device)
2.4 Device and Authentication Information
- Session tokens used to maintain an authenticated session
- Credentials stored in the device's hardware-backed secure storage, only if the caregiver enables biometric sign-in
- A biometric-enabled flag indicating that the caregiver has chosen to use device-level biometric unlock (such as Face ID, Touch ID, or Android biometric unlock) to re-authenticate
- Push notification tokens issued by the device platform's push notification service (Apple and Google), used to deliver operational alerts to the mobile app
2.5 Information We Do Not Collect
The Service does not currently integrate any third-party analytics, advertising, crash-reporting, or behavioral-tracking SDKs. We do not sell personal information, and we do not use PHI for advertising.
3. How We Use Information
We use the information described above only for the following purposes:
- To authenticate caregivers and administrators and to keep accounts secure
- To record, verify, and report electronic visit verification events as required by the agency's payer (for example, a state Medicaid program)
- To confirm that services were delivered at the correct location and time
- To enable agency administrators to manage consumer records, schedules, and visit history
- To deliver operational notifications (for example, reminders to check out, or alerts when a worker has moved beyond the expected service area)
- To protect the Service against fraud, abuse, and unauthorized access
- To meet legal, regulatory, and contractual obligations, including those imposed by HIPAA and applicable state EVV regulations
4. Location Services
ctEVV™ requires precise location access on mobile devices in order to function as an EVV system. Location is collected only while a caregiver is signed in and a visit is open, and the device prompts for foreground and (where applicable) background location permission before any coordinates are captured. Caregivers may revoke location permission at any time in their device settings; however, the Service cannot record a compliant EVV visit without location access.
5. How We Share Information
We share information only as described below:
- With the provider agency that employs or contracts you. All consumer, worker, and visit information is made available to the agency that owns the data, in accordance with the BAA in force with that agency.
- With service providers acting on our behalf. We use a limited number of vendors to operate the Service, including:
  - Cloud hosting and database providers that store Service data;
  - Platform push notification services (Apple and Google) that deliver operational notifications to the mobile app. Push payloads are designed to avoid carrying PHI.
- To comply with law. We may disclose information if required to do so by law, subpoena, court order, or other valid legal process, and as permitted under 45 C.F.R. § 164.512.
- To protect rights and safety. We may disclose information when we believe in good faith that disclosure is necessary to investigate, prevent, or take action regarding suspected illegal activity or threats to the safety of any person.
- In connection with a corporate transaction. If CozziTech is involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction, subject to the confidentiality and HIPAA obligations described in this Policy.
We do not sell, rent, or trade personal information or PHI to third parties for their own marketing purposes.
6. Data Security
CozziTech maintains administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of information processed by the Service, consistent with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C). These safeguards include, among others:
- Encryption of data in transit
- Storage of caregiver passwords as salted cryptographic hashes — plaintext passwords are never persisted on our servers
- Authenticated session tokens with limited lifetimes
- Use of the device operating system's hardware-backed secure storage for any credentials cached on the device
- Role- and tenant-based access controls within the platform
- Logging and monitoring of authentication and administrative events
No method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.
7. Breach Notification
In the event of a breach of unsecured PHI, CozziTech will notify the affected Covered Entity without unreasonable delay and in any event within the timeframes required by the HIPAA Breach Notification Rule (45 C.F.R. §§ 164.400–414) and the applicable BAA. The Covered Entity is responsible for notifying affected individuals, the Secretary of Health and Human Services, and, where required, the media, unless the BAA expressly delegates that responsibility to CozziTech.
8. Data Retention
Visit records, location data, signatures, and notes are retained for as long as the provider agency's account remains active and for any additional period required by the agency's payer, by applicable state EVV regulations, or by HIPAA record-retention requirements (generally at least six years). When retention periods expire and an agency requests deletion, CozziTech will delete or de-identify the information in accordance with the BAA, except where retention is required by law.
9. Your Rights
If you are a consumer whose information is processed in ctEVV™, your HIPAA-protected rights (including the right to access, amend, and receive an accounting of disclosures of your PHI) are exercised through the provider agency that maintains your record, which is the Covered Entity for HIPAA purposes. Please direct requests to that agency. CozziTech will support the agency in responding to such requests as required by HIPAA and the applicable BAA.
If you are a caregiver, you may request access to or correction of the account information we hold about you by contacting us at the address below or by asking your agency administrator.
Depending on where you live, you may have additional rights under state privacy laws. We will honor such rights to the extent they apply and do not conflict with HIPAA or with our obligations to a Covered Entity.
10. Children's Privacy
ctEVV™ is not directed to children and is not intended to be used by individuals under 13 to create an account. The Service may, however, contain consumer records of minors who receive services through a provider agency; such records are processed at the direction of, and under the legal authority of, the agency that maintains them.
11. International Users
The Service is hosted in and operated from the United States. By using the Service, you understand that your information will be processed in the United States, which may have data protection laws different from those in your country of residence.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will revise the "Last Updated" date at the top of this page and, where appropriate, provide additional notice (such as an in-app message or an email to agency administrators). The current version is always available at cozzitech.com/evv-privacy/.
13. Contact Us
Questions, requests, or concerns about this Policy or about how the Service handles information should be directed to:
CozziTech LLC
Attn: Privacy
Email: support@cozzitech.com
© 2026 CozziTech LLC. All rights reserved.