Privacy policy

Last updated 6 May 2026

In plain English

This page explains what Carelyt collects, why, how we look after it, and what you can ask us to do with it. The legal version lives in our terms. Where the two disagree, the legal version wins.

1. What we collect

Two kinds of information move through Carelyt. The first is account and team information — the names, emails, and roles of the people on your team, plus the settings you configure for the workspace. The second is client information — the names, addresses, phone numbers, services, sessions, and notes you record about the clients your team supports.

We only collect what your team enters or what’s needed to run the service: sign-ups, session logs, billing details for paying customers (handled by Stripe), and operational logs (page views, error reports) used to keep the platform up.

2. How we use it

Account and team information is used to run the workspace — sign-in, role-based access, billing, and operational support. Client information is yours; we use it only to serve it back to your team inside Carelyt. We do not train models on it, advertise from it, or share it with anyone outside the sub-processors listed below.

3. Where it lives

All client and team information is stored in Australia. Specifically, in Supabase’s ap-southeast-2 region (Sydney). Our application is served from Vercel’s global edge network, but the database it talks to is in Sydney. Each tenant is isolated in the database via Postgres row-level security.

4. Who sees it

Inside your workspace: only the people you’ve invited, constrained by their role (super-admin, admin, therapist). Inside Carelyt: a small operations team can access systems for support and incident response, on a least-privilege basis, with audit logging. We do not browse your client information unless you ask us to in the course of a support request.

5. Sub-processors

We use a small set of trusted operational services to run Carelyt. Each one is bound by its own privacy and security obligations.

  • Supabase: Database, authentication, storage — Sydney region.
  • Vercel: Application hosting and edge serving.
  • Stripe: Subscription billing and customer portal.
  • Resend: Transactional email (invites, password resets, trial reminders).
  • Mapbox: Geocoding addresses and rendering the map view.

6. Your rights

Under the Australian Privacy Principles you can ask us to access, correct, or delete the personal information we hold about you. Email hello@carelyt.com.au. If your team is the customer (you’re managing client information on their behalf), you’ll typically own these rights for your own clients — direct your clients to your internal process first.

7. Cookies

Carelyt sets the minimum cookies it needs to keep you signed in and to remember your team. We don’t use third-party advertising or behavioural tracking cookies.

8. Changes to this page

If we change something material about how we handle information, we’ll update the date at the top of this page and email super-admins on paid plans before the change takes effect.