Effective date: [June 1st, 2025]
1. Who We Are
Bondimo Inc. (“Bondimo,” “we,” “us,” or “our”) provides a voice‑based AI companion that supports older adults through scheduled phone calls, cognitive games, reminders, and well‑being insights. You may use Bondimo in two ways:
Through a Senior‑Living Community, Retirement Home, or Care Provider (“Community Accounts”).
Directly as an individual, family member, or legal representative (“Direct‑to‑Consumer Accounts”).
Because we serve both channels, our privacy obligations differ slightly depending on who controls the resident’s data:
| Account Type | Primary Data “Controller”* | Bondimo’s Role |
|---|---|---|
| Community Account | The retirement home, assisted‑living or long‑term‑care provider | Service provider / data processor (HIPAA Business Associate; PHIPA “agent”) |
| Direct‑to‑Consumer (D2C) | Bondimo Inc. (with consent from the resident or legal rep) | Data controller / covered entity for the information you give us |
*Terminology varies by law (e.g., “covered entity” under HIPAA, “health information custodian” under PHIPA, “controller/processor” under GDPR).
2. Scope
This Policy explains how we collect, use, and safeguard personal information across:
AI companion phone calls
Cognitive games, reminders, and surveys
Resident/family web and mobile dashboards
APIs and customer‑support channels
It does not cover third‑party sites linked from our dashboards.
3. What We Collect
| Category | Examples | Source (Community vs. D2C) |
|---|---|---|
| Profile & Contact | Name, phone number, address, room/unit, preferences, emergency contacts | Community upload or user signup |
| Health & Care Insights | Mood‑screening answers, cognition scores, medication adherence, symptom logs | Phone calls, surveys, optional EHR import (Community) |
| Conversation Data | Audio recordings & transcripts, chatbot metadata | AI companion calls |
| Usage & Device | Call durations, dashboard log‑ins, IP address, cookies | Automatic |
| Feedback | Support tickets, feature requests, satisfaction surveys | Resident, family, staff |
4. How We Use Your Information
| Purpose | Community Accounts | Direct‑to‑Consumer Accounts | Legal Basis* |
|---|---|---|---|
| Deliver scheduled calls, reminders, games | ✔ | ✔ | Contract; consent |
| Generate dashboards & alerts | ✔ | ✔ | Contract; legitimate interests |
| Early detection of risks (falls, depression) | ✔ | ✔ | Vital interests; health‑care provision |
| Customise scripts & content | ✔ | ✔ | Legitimate interests |
| Product improvement (aggregated/de‑identified) | ✔ | ✔ | Legitimate interests; consent where required |
| Billing & audit logs | ✔ | ✔ | Legal obligations |
| Security & fraud prevention | ✔ | ✔ | Legitimate interests; legal obligations |
*We rely on the lawful bases required by your jurisdiction (e.g., HIPAA, PHIPA, PIPEDA, GDPR, CCPA).
5. Sharing & Disclosure
We never sell personal information. We share data only as follows:
| Recipient | Community Accounts | Direct‑to‑Consumer Accounts | Safeguards |
|---|---|---|---|
| Your Community’s authorized staff | ✔ | N/A | Processor agreement / BAA |
| Authorized family & legal reps | Configurable by Community | Opt‑in by user | Role‑based access |
| Service providers (cloud hosting, speech‑to‑text, analytics) | ✔ | ✔ | Confidentiality & data‑processing terms |
| Healthcare partners / regulators (when required) | Direction from Community | Only with explicit consent or legal duty | Legal compliance |
| Corporate transactions / legal requests | ✔ | ✔ | Continued protections; notice where required |
6. International Transfers
Bondimo’s primary servers are in Canada and the United States. Cross‑border transfers use Standard Contractual Clauses (GDPR) and HIPAA/PHIPA‑compliant infrastructure.
7. Retention
Active Account Data: Retained while your Community contract or D2C subscription is in force.
Health‑Record Data (Community): As required by provincial/state regulations—typically resident stay + 7 years.
Call Recordings: Default 12 months (customisable).
De‑identified Data: Kept indefinitely for analytics and research.
8. Security
AES‑256 encryption at rest, TLS 1.2+ in transit
Role‑based access control & multi‑factor authentication
SOC 2, HIPAA, and PHIPA‑aligned policies
Annual third‑party penetration testing
72‑hour breach notification (or faster where law requires)
9. Your Rights
Depending on where you live, you may have the right to:
Access or download your data
Correct inaccuracies
Delete certain information
Restrict or object to processing
Transfer (port) data to another service
Withdraw consent without affecting past lawful use
Complain to a regulator (e.g., OPC Canada, HHS OCR, EU DPA)
How to Exercise
Community Accounts: Contact your facility’s privacy office first; we will assist them.
D2C Accounts: Email info@bondimo.com. We’ll respond within applicable legal timeframes (usually 30 days).
10. Cookies & Analytics
We use essential cookies for security and session management, plus optional analytics cookies to improve service. You can disable non‑essential cookies in your browser or dashboard settings.
11. Children
Bondimo is designed for adults in senior care. We do not knowingly collect data from persons under 18. Report any suspected minor data to privacy@bondimo.com.
12. Changes
We may update this Policy for legal or operational reasons. We will post updates here and—if the changes are material—notify Communities and D2C users directly.
13. Medical Disclaimer
Bondimo provides supportive engagement, reminders, and screening prompts. It does not diagnose or replace professional medical advice. Always consult qualified clinicians for medical concerns.
Last reviewed: [June 1st, 2025]