CareTrack

CareTrack replaces spreadsheets for nonprofit case workers. Staff speak their notes, AI structures them. Every data change is SHA-256 hash-chained -- tamper-evident by design. Built solo overnight for Opportunity Hack x WiCS @ ASU.


Inspiration

I read through the problem statements and noticed something.

NMTSA, Chandler CARE Center, ICM Food Bank, Will2Walk -- eight different nonprofits, eight different domains, but every single one submitted the same core ask:

  • Help us register clients
  • Record what we do for them
  • Prove it to our funders

The tools that exist cost $150 per user per month. Most nonprofits are running on spreadsheets not because they want to, but because that's what they can afford.

I wanted to build something that:

  • Actually works
  • Costs almost nothing
  • Takes seriously the fact that these organizations handle sensitive information about vulnerable people

The security angle came from my background in CTF competitions and cryptography. I kept thinking:

Grant auditors ask nonprofits to prove their records haven't been altered. A spreadsheet can't do that. A SHA-256 hash chain can.


What It Does

CareTrack is a full case management platform built for small nonprofits.

Voice-first case notes

A case worker taps a button, speaks for 30 seconds about a client interaction, and the app produces a structured record:

  • Service type detected
  • Summary written
  • Action items extracted
  • Risk flags raised
  • Follow-up date calculated

No typing required. This directly targets the biggest time sink in case management: post-session documentation.

Text-to-speech readback

Any case note can be read aloud. Built for accessibility and for case workers in the field who are multitasking.

AI handoff summaries

One click generates a structured clinical brief from a client’s entire service history:

  • Background
  • Current status
  • Active needs
  • Risk factors
  • Recommended next steps

Staff turnover in nonprofits exceeds 30% per year. This prevents clients from falling through the cracks.

AI funder reports

Quarter-end grant reporting takes 2–5 days of staff time. CareTrack:

  • Pulls all service data
  • Writes the narrative automatically
  • Leaves final edits to staff

Appointment scheduling

  • Calendar view of upcoming appointments
  • No more sticky notes

Tamper-evident audit log

Every create, update, and delete is SHA-256 hash-chained:

SHA256(previous_hash | user_email | action | table | record_id)

  • Any modification breaks the entire chain
  • Live chain integrity badge
  • audit_log table has no UPDATE or DELETE RLS policies (append-only)
  • Enforcement is at the database layer, not just the API

This provides cryptographic proof of data integrity -- something most $150/month SaaS tools do not offer.
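A sketch of the hash chain and its verifier, added here as an illustration and not taken from CareTrack's code. It follows the formula above; the all-zero genesis hash, the literal "|" separator, the `prev_hash`/`hash` column names and the sample rows are assumptions.

```javascript
const { createHash } = require("node:crypto");

// Assumption: the first row links to a fixed all-zero "genesis" hash.
const GENESIS = "0".repeat(64);

// Hash input follows the page's formula, fields joined with a literal "|".
function entryHash(prevHash, e) {
  const input = [prevHash, e.user_email, e.action, e.table, e.record_id].join("|");
  return createHash("sha256").update(input, "utf8").digest("hex");
}

// Append-only write: each new row commits to the hash of the row before it.
function append(log, e) {
  const prev_hash = log.length ? log[log.length - 1].hash : GENESIS;
  log.push({ ...e, prev_hash, hash: entryHash(prev_hash, e) });
  return log;
}

// Walk the chain from the start. Returns -1 when intact, otherwise the
// index of the first row whose link or content no longer matches.
function verifyChain(log) {
  let expectedPrev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const row = log[i];
    if (row.prev_hash !== expectedPrev) return i;              // row removed, reordered or re-linked
    if (row.hash !== entryHash(row.prev_hash, row)) return i;  // a hashed field was changed
    expectedPrev = row.hash;
  }
  return -1;
}

// Constructed sample rows (table names and ids are hypothetical).
function sampleLog() {
  const who = "worker@example.org";
  const log = [];
  append(log, { user_email: who, action: "INSERT", table: "clients", record_id: "c-101" });
  append(log, { user_email: who, action: "UPDATE", table: "service_entries", record_id: "s-201" });
  append(log, { user_email: who, action: "DELETE", table: "appointments", record_id: "a-301" });
  return log;
}

console.log("first broken row:", verifyChain(sampleLog())); // -1 means the chain is intact
```

Editing a row and recomputing only that row's hash is still caught one row later, because the next row's `prev_hash` no longer matches.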


How We Built It

Stack

  • Next.js 16 (App Router)
  • Supabase (PostgreSQL + RLS + Auth)
  • Tailwind CSS
  • Radix UI
  • ElevenLabs (STT + TTS)
  • Anthropic Claude Sonnet 4.6
  • Vercel

Voice pipeline

  1. Browser MediaRecorder captures audio
  2. Sent to ElevenLabs scribe_v1
  3. Filler words removed server-side (regex)
  4. Clean transcript sent to Claude
  5. Claude returns structured JSON

Relative dates (e.g. “in 5 days”) are returned as offsets and computed server-side.

Security architecture

  • All API routes check supabase.auth.getUser() first
  • RLS policies act as a second layer
  • Audit log is append-only
  • No PII stored in audit trail

AI usage philosophy

LLMs are used only where necessary:

  • Structuring speech
  • Generating narratives
  • Summarization

Everything else is handled in code:

  • Date math
  • Filtering
  • Aggregation


Challenges

Audit chain verification

The hash chain broke in production but worked locally.

Root cause:

  • PostgreSQL TIMESTAMPTZ vs JS Date.toISOString() mismatch

Fix:

  • Removed timestamp from hash
  • Used user_email instead

Result: stable chain.
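The mismatch described above, reproduced as an added example that is not CareTrack's code. The field order of the pre-fix hash, the sample row and the database-rendered timestamp string are constructed assumptions; `hashCanonical` is an alternative shown for comparison, not the fix the project used.

```javascript
const { createHash } = require("node:crypto");

const sha256 = (s) => createHash("sha256").update(s, "utf8").digest("hex");
const join = (...parts) => parts.join("|");

// Pre-fix scheme (assumed field order): the timestamp string is hashed as-is.
const hashWithTimestamp = (prev, e) =>
  sha256(join(prev, e.created_at, e.action, e.table, e.record_id));

// Post-fix scheme from the page: user_email takes the timestamp's place.
const hashWithEmail = (prev, e) =>
  sha256(join(prev, e.user_email, e.action, e.table, e.record_id));

// Alternative (not the page's fix): hash the instant as epoch milliseconds,
// which is identical for every textual rendering of the same moment.
const hashCanonical = (prev, e) =>
  sha256(join(prev, Date.parse(e.created_at), e.action, e.table, e.record_id));

const PREV = "0".repeat(64); // constructed previous hash

// Write path: the string JavaScript produced when the row was hashed.
const written = {
  created_at: new Date(Date.UTC(2025, 2, 29, 10, 15, 30, 123)).toISOString(),
  user_email: "worker@example.org",
  action: "INSERT",
  table: "clients",
  record_id: "c-101",
};

// Read path: the same instant, rendered differently when read back from a
// TIMESTAMPTZ column (constructed sample string).
const readBack = { ...written, created_at: "2025-03-29T10:15:30.123+00:00" };

function compare() {
  return {
    sameInstant: Date.parse(written.created_at) === Date.parse(readBack.created_at),
    timestampHashMatches: hashWithTimestamp(PREV, written) === hashWithTimestamp(PREV, readBack),
    emailHashMatches: hashWithEmail(PREV, written) === hashWithEmail(PREV, readBack),
    canonicalHashMatches: hashCanonical(PREV, written) === hashCanonical(PREV, readBack),
  };
}

console.log(compare());
```

Only the raw-string timestamp hash disagrees between write and read, which is what makes a verifier report a broken chain on untouched data.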


Supabase build failures on Vercel

Static prerendering failed due to missing env variables.

Fix:

  • export const dynamic = 'force-dynamic' for dashboard pages
  • Lazy init with useRef
  • Avoid createClient() at module scope

ElevenLabs TTS free tier

  • eleven_turbo_v2_5: 402 error
  • Switched to eleven_multilingual_v2

CVE-2025-66478

  • Vercel blocked deployment due to Next.js vulnerability
  • Upgraded to Next.js 16

Accomplishments

Audit log system

End-to-end cryptographic integrity:

  • Data model
  • RLS policies
  • Hash chaining
  • Verification logic

Seeing “Chain Intact” after debugging was a major milestone.

Voice-to-note pipeline

  • Fully functional in one recording
  • Output is usable with minimal editing
  • Not a gimmick

What We Learned

  • LLMs are bad at date arithmetic
    • Return offsets, compute in code
  • Cryptographic integrity ≠ database enforcement
    • Both must align
  • Scope discipline matters in solo hackathons
    • Cut features like:
      • CSV import
      • Configurable fields
      • Semantic search

Everything shipped works -- that matters more.


What’s Next

  • CSV import with AI column mapping
  • Semantic search using pgvector
  • Configurable field labels per organization
  • Multi-tenant support for multiple nonprofits
