Privacy Policy
Effective June 12, 2026 · Last updated June 26, 2026
Care Roster is a shared contact directory for care agencies — hospice, home health, senior care, and assisted living teams. This policy explains, in plain language, what information passes through the service, why, and what happens to it. We have tried to keep it short enough to actually read.
The short version
- Your agency's data belongs to your agency. You can export it anytime and ask us to delete it.
- We collect only what the service needs to run: the contact directory records your agency enters, staff account details, and basic technical logs.
- We never sell data, never run ads, and never use customer data to train AI models.
- No patient data, ever — by design.
- One essential session cookie in the app; light analytics on our public marketing pages only, never inside the application.
Who we are
Care Roster is operated by MortonApps LLC and lives at careroster.hospiceapps.com. If anything in this policy is unclear, or you want to exercise any of the rights described below, email us at info@hospiceapps.com — a real, monitored inbox.
What we collect
Contact directory records your agency enters. Agencies use Care Roster to maintain their operational contact directory. Depending on what your agency chooses to enter, a contact record can include the organization name, category, and tags, and, for each individual contact, the name, role, phone number, email address, and after-hours or on-call flags.
Staff accounts. When an agency staff member is invited to the service, we store their name, email address, and a hashed password (we never store the password itself).
Usage and log data. Like virtually every web service, we keep basic technical logs (such as IP address, browser type, and request timestamps) for security and troubleshooting, and each contact record keeps an audit trail of who created or changed it.
Our role: your agency controls its data
For the contact directory information described above, your agency is the data controller and MortonApps LLC is the data processor. In plain terms: the agency decides what contact information to enter and why; we process it only on the agency's instructions, solely to provide the service. The lawful basis for our processing is the agency's instructions under our agreement with them — agencies are responsible for having an appropriate basis for the records they keep. Our processor commitments — including breach notice, subprocessor-change notice, and deletion on termination — are set out in our Data Processing Addendum.
No patient information — by design
Care Roster is an operational contact directory, not a patient record system. It is a companion to your EMR, not a replacement for it. There are no patient fields anywhere in this product, free-text fields carry a visible reminder never to enter patient information, and our Terms of Service prohibit entering PHI. Because the service holds no PHI, it is not a HIPAA business associate and no BAA is required.
How we use data
We use the data in your account for exactly one purpose: providing the service to your agency — storing your contact directory, keeping your account secure, and sending any account notifications you trigger. Specifically:
- We never sell personal information, to anyone, for any reason.
- We never show ads and never share data with advertisers.
- We never use customer data to train AI models.
- We do not mine, profile, or analyze your records for any purpose beyond running the service.
Who else touches the data (subprocessors)
We use a small number of infrastructure providers to run the service:
- Cloudflare — hosting and data storage (United States). All customer data lives on Cloudflare's infrastructure.
- Amazon Web Services (AWS) — email delivery via Amazon SES (for messages the service sends, such as invitations and notifications) and encrypted, off-site database backups via Amazon S3 for disaster recovery (United States).
That's the full list. These providers process data only as needed to provide their service to us, and we will update this policy if the list changes.
How we protect it
- Passwords are hashed with PBKDF2 — we cannot see or recover them.
- Session tokens are stored hashed.
- If your agency configures custom SMTP credentials, they are encrypted at rest.
- Role-based access controls (admin, staff, read-only viewer) limit who in your agency can see and change what.
- Each agency's data is isolated to its own workspace (tenant isolation).
- All traffic to the service is encrypted in transit over HTTPS.
No internet service can promise perfect security, but we keep the design simple and the attack surface small, and we will notify affected agencies promptly if we ever discover a breach involving their data.
How long we keep data
- Active subscriptions and trials: data is retained for as long as your account is active.
- Lapsed accounts: if a trial or subscription lapses, the account becomes read-only. The data stays intact, viewable, and exportable — it is never deleted automatically.
- Deletion on request: an agency can request full deletion of its data anytime by emailing info@hospiceapps.com.
- Backups: for disaster recovery we keep encrypted, access-controlled backups of the database in Amazon Web Services (Amazon S3) — recent daily backups for 90 days, plus periodic archival snapshots kept long-term. When you ask us to delete your data, we remove it from the live service promptly; any copies that remain in backups are used solely to recover from a failure and are not otherwise accessed.
- Abandoned signups: trial workspaces that are created but never activated are purged after about 7 days.
Your rights and choices
Agencies can access and export all of their data (CSV export is built in), correct any record, and request deletion of their account and data by emailing us.
Individual contacts and staff who want to access, correct, export, or delete information about themselves should contact their agency first — the agency controls its records and can handle most requests directly in the app. You can also email info@hospiceapps.com and we will help route the request to the right place. We respond to all requests and never penalize anyone for making one.
Cookies
Inside the signed-in application we set one essential session cookie so you stay signed in — no tracking cookies, no advertising cookies, and no analytics. On our public marketing pages we use privacy-friendly analytics (Microsoft Clarity) to see how visitors use the site so we can improve it; these may set cookies or use similar technologies. We do not run analytics of any kind inside the application, where your agency's contact directory data lives.
Children
Care Roster is a business tool for hospice agencies and is not directed at children. We do not knowingly collect information from children, and agency staff accounts are intended for adults.
Changes to this policy
If we change this policy, we will update the date at the top of this page, and for any meaningful change we will let active customers know by email. We won't reduce your rights under this policy without telling you first.
Text messaging (SMS)
Care Roster offers agencies an optional feature to send operational, non-marketing text messages — such as on-call notifications and schedule updates — to their own staff, volunteers, and contacts. When an agency uses it:
- What we process. The mobile phone numbers your agency enters, and a record of opt-in/opt-out status, so the agency can send its messages and we can honor opt-outs.
- How it’s used. Mobile numbers and SMS consent are used only to deliver the agency’s own messages on its behalf. We never use them for our own marketing.
- We never sell or share them. We do not sell, rent, or share mobile phone numbers or SMS opt-in/consent information with third parties or affiliates for their marketing or promotional purposes. Sharing is limited to the messaging provider needed to deliver a message (Amazon Web Services), and no mobile opt-in data is shared with anyone for marketing.
- Opting out. Recipients can reply STOP to any message to opt out at any time, or HELP for help. Standard message and data rates may apply.
Contact
Questions, requests, or concerns: info@hospiceapps.com. This inbox is monitored by the people who build the product.
See also our Terms of Service.