How we collect, use, protect, and share your information
Plain-language summary: GuardianStep is a guardianship management tool. We collect only what we need to run the service. We do not sell your data. We do not share it with advertisers. Health and financial data is encrypted at rest. We comply with HIPAA when handling Protected Health Information. You can request deletion of your data at any time.
GuardianStep ("we," "our," or "us") is a software platform designed to help legal guardians, conservators, and holders of power of attorney manage elder care responsibilities. Our services include care coordination, financial tracking, document management, health record connectivity, and court report generation for individuals serving in a guardianship or similar fiduciary role.
For purposes of this Privacy Policy, "you" refers to the guardian, account holder, or authorized user of the GuardianStep platform. Information about the person in your care (the "ward" or "elder") is handled with the same protections described in this policy.
Privacy Contact: For privacy questions, data requests, or HIPAA-related inquiries, contact our Privacy Officer at privacy@guardianstep.com.
| Purpose | Legal Basis |
|---|---|
| Providing and operating the GuardianStep platform | Performance of contract |
| Authenticating your identity and securing your account | Legitimate interest / legal obligation |
| Generating court reports, annual accountings, and legal documents | Performance of contract |
| Importing and displaying health records from connected EHR systems | Performance of contract / your explicit authorization |
| Sending important account or security notifications | Legitimate interest / legal obligation |
| Improving the platform (aggregated, anonymized analytics only) | Legitimate interest |
| Complying with applicable laws including HIPAA | Legal obligation |
We do not use your information for advertising, behavioral tracking, sale to third parties, or training AI/ML models without your explicit consent.
We share your information only in the following limited circumstances:
We never sell, rent, or trade personal information or Protected Health Information to third parties for their own marketing or commercial purposes.
GuardianStep uses Plaid Technologies, Inc. to enable optional bank account connectivity. By connecting your bank account, you authorize Plaid to access your financial institution on your behalf and transmit account and transaction data to GuardianStep.
Plaid's collection and use of your information is governed by Plaid's Privacy Policy, available at plaid.com/legal.
You may disconnect your bank account at any time from the Finances section of GuardianStep. Doing so will revoke Plaid's ongoing access to your financial institution. Historical transaction data already imported remains in your account until you delete it.
HIPAA Commitment: GuardianStep maintains administrative, physical, and technical safeguards required by the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) for any Protected Health Information (PHI) processed through the platform.
GuardianStep operates as a Business Associate under HIPAA when processing PHI on behalf of Covered Entities (such as health plans or healthcare providers), and as a platform used by individuals acting as personal representatives of patients under 45 C.F.R. § 164.502(g). Legal guardians and court-appointed conservators generally qualify as personal representatives under HIPAA and are authorized to access and manage the PHI of their wards.
The following data elements may constitute PHI when associated with an identifiable individual:
In the event of a breach of unsecured PHI, GuardianStep will notify affected individuals without unreasonable delay and no later than 60 days after discovery of the breach, as required by the HIPAA Breach Notification Rule (45 C.F.R. Part 164, Subpart D).
Organizations that require a formal Business Associate Agreement with GuardianStep for enterprise or institutional deployments should contact us at privacy@guardianstep.com.
EHR connectivity is an optional feature available on qualifying subscription plans. Using it is voluntary. You control which health systems to connect, what data to import, and when to disconnect.
GuardianStep uses FHIR R4 APIs (mandated by the 21st Century Cures Act) and authorized health data aggregators to retrieve a ward's health records from connected health systems. The guardian or authorized personal representative initiates the connection and grants explicit authorization through the health system's OAuth consent flow.
You may disconnect any EHR connection at any time from your account settings. Disconnection revokes ongoing access to that health system. Health data already imported remains in your account and can be manually deleted from within the application.
GuardianStep does not guarantee the accuracy, completeness, or currency of data received from third-party health systems. All imported health data should be reviewed by you and, where appropriate, verified with the ward's care team before relying on it for care decisions or court submissions.
GuardianStep implements multiple layers of security controls:
No method of transmission or storage is 100% secure. While we use industry-standard controls, we cannot guarantee absolute security. If you suspect unauthorized access to your account, contact us immediately at customerservice@guardianstep.com.
We retain your data for as long as your account is active or as needed to provide the service. Specific retention rules:
Depending on your location, you may have the following rights regarding your personal data:
To exercise any of these rights, email privacy@guardianstep.com. We will respond within 30 days. We may need to verify your identity before fulfilling a request.
HIPAA Individual Rights: To the extent GuardianStep processes PHI on your behalf as a personal representative of a ward, individuals have rights under HIPAA including the right to access, amend, and receive an accounting of disclosures of their PHI. Requests should be directed to privacy@guardianstep.com.
California residents: You have additional rights under the California Consumer Privacy Act (CCPA), including the right to know, delete, and opt out of sale of personal information. GuardianStep does not sell personal information.
GuardianStep uses minimal cookies and local storage:
We do not use advertising cookies, cross-site tracking pixels, or third-party analytics that track you across websites.
GuardianStep is designed for use by adults in a fiduciary or caregiving role. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately and we will delete it.
We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page and, for material changes, notify you by email or in-app notification at least 14 days before the changes take effect.
Your continued use of GuardianStep after the effective date constitutes acceptance of the updated policy.
Version 2.0 (April 18, 2026): Added HIPAA compliance section, EHR connectivity section, CLEAR identity verification disclosures, updated infrastructure disclosures to reflect Replit Enterprise BAA, and updated AI/OpenAI disclosure for Inventory Valuation feature.
GuardianStep operates an SMS messaging program to deliver time-sensitive alerts and notifications related to your account and the people you care for.
Program description. The GuardianStep SMS program sends transactional and account-related text messages, including: care alerts (medication reminders, missed check-ins, vitals out of range), document expiration notices, two-factor authentication codes, temporary access link confirmations, court-deadline reminders, and team-invitation notifications. We do not use SMS for marketing or promotional content.
How you opt in. By providing your mobile phone number during account signup, profile update, team invitation acceptance, or temporary-access enrollment, and by checking the consent box that accompanies the phone-number field, you expressly consent to receive text messages from GuardianStep at that number. You may also reply START or YES to a GuardianStep number to re-enroll after opting out.
Message frequency. Message frequency varies based on account activity and the events you have configured for the people you care for. A typical user receives between 2 and 20 messages per month. Two-factor authentication users may receive additional messages on each sign-in.
Carrier disclosure. Message and data rates may apply. GuardianStep is not responsible for any charges your wireless carrier may impose. Carriers are not liable for delayed or undelivered messages.
How to opt out. You may opt out of GuardianStep SMS messages at any time by replying STOP to any message you receive from us. After you reply STOP, we will send a single confirmation message and you will receive no further texts from that program. To rejoin, reply START. For help, reply HELP or contact customerservice@guardianstep.com.
Mobile information sharing. No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. All categories of personal information described in this Privacy Policy exclude mobile opt-in data and consent; this information will not be shared with any third parties. Mobile phone numbers are shared only with our SMS service provider (Twilio Inc.) for the sole purpose of transmitting the messages described above.
Supported carriers. The GuardianStep SMS program is available on most major U.S. wireless carriers, including AT&T, Verizon Wireless, T-Mobile, Sprint, U.S. Cellular, Boost Mobile, MetroPCS, Cricket, and Google Fi. Carriers are not liable for delayed or undelivered messages.
If you have questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us:
We aim to respond to all privacy inquiries within 5 business days.