Legal Information
Privacy Policy
Learn how Grelin Health collects, uses, and protects your information. This policy explains our commitment to your privacy and data security.
Last Updated: June 2026
1. Introduction and Scope
Grelin Health, Inc. ("Grelin Health," "we," "us," or "our") is committed to protecting the privacy and security of all individuals who interact with our organization. This Website Privacy Policy ("Privacy Policy") sets forth our comprehensive approach to data governance and outlines how we collect, process, use, disclose, and safeguard information obtained through our digital properties.
This Privacy Policy applies to information collected through Grelin Health's public-facing digital properties, including www.grelinhealth.com, affiliated subdomains, web-based contact forms, marketing landing pages, and other online platforms that link to this Privacy Policy (collectively, the "Sites"). These Sites serve healthcare organizations, business partners, prospective clients, employment applicants, and other professional stakeholders throughout the United States.
Grelin Health is an AI-powered Autonomous Revenue Cycle Management (RCM) technology provider delivering specialized services to healthcare organizations across the United States. By accessing or utilizing our Sites, you acknowledge your understanding of this Privacy Policy in its entirety.
This Privacy Policy governs information collected exclusively through our marketing and informational Sites and does not extend to: • Data processed through our enterprise service platform, which is governed by executed Master Services Agreements, Business Associate Agreements (BAAs), and Data Processing Agreements (DPAs) with healthcare provider customers. • Information disclosed directly to healthcare provider customers; such information is subject to the privacy policies and practices of the respective healthcare organization. • Data collected through third-party websites, applications, or services accessible via hyperlinks from our Sites; such third parties maintain independent privacy governance. • Personnel information of Grelin Health employees and contractors, which is subject to separate internal privacy and data handling protocols.
This Privacy Policy does not create any contractual rights, legal obligations, or third-party beneficiary interests.
2. Protected Health Information (PHI) Handling
Grelin Health processes Protected Health Information (PHI) pertaining to patients of our healthcare provider customers in connection with revenue cycle management services provided under contractual arrangements. In this capacity, Grelin Health functions as a "Business Associate" as defined under the Health Insurance Portability and Accountability Act of 1996 and its regulatory framework (HIPAA).
Our management of PHI is governed by: • The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules (45 CFR Parts 160 and 164) • The executed Business Associate Agreement (BAA) between Grelin Health and the applicable healthcare provider entity • Applicable Data Processing Agreements (DPAs) and supplementary contractual arrangements
Important Notice: Protected Health Information is NOT collected through our Sites.
Our Sites function exclusively as marketing and informational platforms. We do not solicit or accept Protected Health Information through any contact form, communication channel, or submission mechanism on our Sites. Any PHI maintained by Grelin Health is received directly from healthcare provider customers under HIPAA-compliant Business Associate Agreements—not through digital marketing channels.
For individuals seeking information regarding the use, access, or correction of their health information, please contact your healthcare provider directly. Healthcare providers, as Covered Entities under HIPAA, are responsible for providing patients with comprehensive Notice of Privacy Practices documentation.
3. Information Collection Practices
Grelin Health collects information through three primary channels: direct provision by users, automatic collection during Site interactions, and limited third-party sources. Below we provide a comprehensive taxonomy of information categories.
3.1 Directly Provided Information Users may elect to provide information through various Site interaction points: • Professional Inquiry Submissions: When submitting contact forms, demo requests, or general inquiries, we collect professional contact information including name, business email address, telephone number, organizational affiliation, job title, geographic location, and communication content. • Marketing Program Enrollment: Participation in newsletter subscriptions, webinar registrations, or content resource downloads requires collection of name, business email, organizational details, and preference selections. • Employment Applications: Job application submissions require name, contact information, resume/curriculum vitae, cover letters, employment and educational background, professional references, work authorization documentation, and supplementary materials. • Professional Correspondence: Electronic communications via email, contact forms, chat interfaces, or other messaging channels, including associated attachments and documents. • Event Participation: Business contact information and communication records from interactions at Grelin Health-sponsored or co-sponsored events, conferences, and industry gatherings.
Voluntary provision of certain information may be restricted; declining to provide requested information may limit access to specific Site features or communications.
3.2 Automatically Collected Information The Sites generate automatic data collection through our infrastructure and authorized technology partners: • Technical Environment Data: Internet Protocol (IP) address, device classification and characteristics, operating system specification, browser type and version, language preferences, timezone information, and screen resolution metrics. • Usage Pattern Data: Visited pages and interface elements, interaction events, time allocation per page, navigation sequences, referral sources, and exit pathways. • Server Event Records: Technical transaction logs and request records including temporal data and access metadata. • Geographic Information: General geographic location derived from IP address analysis; precise GPS-based location is not collected via our Sites. • Cookie and Tracking Technology: See Section 5 for comprehensive cookie utilization documentation.
3.3 Third-Party Information Sources We may receive supplementary information from carefully selected third parties: • Marketing Development Partners: Lead generation and marketing partners operating under applicable legal compliance frameworks. • Professional Data Sources: Business directories, professional networking platforms, and publicly available professional databases utilized for B2B prospecting consistent with applicable regulations. • Co-Marketing Partnerships: Joint marketing partners with whom we distribute collaborative content, where you have consented to information sharing. • Recruitment Resources: Recruiting platforms, professional recruiters, and professional references in connection with employment considerations. • Service Provider Functions: Vendors providing fraud detection, security assessments, and advanced analytics services.
3.4 Sensitive Information Protection Grelin Health does not request sensitive personal information through our Sites. We strongly advise against submitting Social Security numbers, financial account credentials, payment card numbers, government-issued identification numbers, biometric data, precise geographic location data, or Protected Health Information through any Site communication channel. Should sensitive information be voluntarily submitted, we will treat it in accordance with applicable legal frameworks and this Privacy Policy, and will securely delete such information when retention is not operationally necessary.
4. Information Utilization Framework
Grelin Health utilizes collected information exclusively for legitimate business and commercial purposes, including:
• Inquiry Response and Support: Responding to contact inquiries, demo requests, technical support questions, and professional communications. • Service Delivery: Fulfilling content delivery requests, managing event registrations, and providing comprehensive product and service information. • Recruitment Operations: Evaluating employment applications, conducting candidate communications, and fulfilling recruitment and verification obligations. • Marketing and Business Development: Delivering marketing communications regarding Grelin Health's offerings, events, and thought leadership content, in compliance with applicable legal requirements and subject to recipient opt-out rights. • Experience Personalization: Customizing Site experience through content recommendations and targeted advertising in accordance with applicable legal frameworks. • Analytics and Continuous Improvement: Analyzing visitor engagement patterns, measuring marketing campaign performance, and optimizing content, design, performance, and overall user experience. • Security and Fraud Prevention: Detecting, investigating, and preventing fraudulent activity, unauthorized access, and unlawful conduct; protecting the security and integrity of our Sites, network infrastructure, and information assets. • Legal and Regulatory Compliance: Fulfilling legal obligations, regulatory requirements, court orders, and valid legal process requests; enforcing terms of service and contractual agreements. • Corporate Transaction Evaluation: Assessing and executing potential or actual corporate transactions including mergers, acquisitions, financing arrangements, and organizational restructuring.
Grelin Health does not utilize Site-collected information to train, fine-tune, or evaluate production artificial intelligence or machine learning models. Site-collected information is reserved exclusively for marketing, sales, recruitment, and operational functions described in this Section. Information collected through the Sites is specifically excluded from use in developing or improving AI/ML models that power our customer-facing revenue cycle management platform. Customer data, including Protected Health Information processed under executed BAAs, is governed separately through BAAs, DPAs, and customer-specific contractual arrangements.
Information may be aggregated or de-identified such that it no longer reasonably identifies individuals, and such aggregated or de-identified information may be utilized and disclosed for any lawful purpose, including service improvement and product development initiatives.
8. Data Retention Framework
Grelin Health maintains personal information for the duration necessary to fulfill collection purposes, including:
• Inquiry and Request Management: Responding to and following up on user inquiries, requests, and communications. • Business Relationship Continuity: Maintaining ongoing customer and partner relationships. • Legal and Regulatory Obligation: Complying with legal requirements, accounting standards, tax obligations, regulatory mandates, and contractual obligations. • Legal Claim Management: Establishing, exercising, or defending legal claims, including applicable statute of limitations periods. • Agreement Enforcement: Enforcing contractual arrangements and preventing fraud, abuse, and unauthorized access.
Upon determination that information is no longer operationally necessary, Grelin Health will securely delete or de-identify such information. Retention periods vary depending on information category and processing purpose. Specific retention timelines are documented in Grelin Health's internal Records Retention Policy and are applied consistently across all information categories.
9. Information Security Safeguards
Grelin Health implements comprehensive administrative, technical, and physical security controls designed to protect personal information from unauthorized access, use, disclosure, alteration, and destruction. These controls are applied commensurate with information sensitivity and regulatory requirements:
• Data Encryption: Encryption of data in transit utilizing industry-standard Transport Layer Security (TLS) protocols and encryption of data at rest within production environments using FIPS-validated cryptographic algorithms.
• Access Controls: Role-based access control (RBAC) implementation, multi-factor authentication (MFA) requirements, and least-privilege access principles governing personnel information access.
• Network Security Infrastructure: Advanced network segmentation, firewall protection, intrusion detection and prevention systems (IDPS), and continuous security monitoring.
• Personnel Security: Background verification for personnel with information access, mandatory security awareness training, and periodic security certification renewal.
• Vendor Governance: Comprehensive due diligence procedures for service providers and sub-processors, contractual security requirements, and continuous compliance oversight.
• Incident Response: Documented incident response procedures including detection, investigation, containment, remediation, and notification protocols consistent with applicable legal requirements.
• Vulnerability Management: Regular security assessments, penetration testing, vulnerability scanning, and timely remediation of identified deficiencies.
• Business Continuity: Disaster recovery and business continuity planning to ensure information availability and integrity.
Grelin Health acknowledges that no internet transmission method or electronic storage system provides absolute security. While we implement commercially reasonable security measures consistent with industry best practices, we cannot guarantee absolute information security. Users retain responsibility for maintaining credential confidentiality and exercising appropriate care when transmitting information to Grelin Health.
10. Privacy Inquiries and Data Subject Requests
Grelin Health is committed to addressing privacy inquiries, data subject requests, and concerns regarding our information handling practices. Should you have questions regarding this Privacy Policy, our data governance practices, or wish to exercise your privacy rights, please direct your inquiry to our Privacy Office using the contact information provided below.
Primary Contact Information
Organization: Grelin Health, Inc.
Privacy Office Email: Compliance@grelinhealth.com
Response Timeline: Grelin Health commits to acknowledging all privacy inquiries and data subject requests within five (5) business days of receipt. Comprehensive responses to documented requests will be provided within thirty (30) calendar days, consistent with applicable legal requirements.
When submitting privacy inquiries or data subject requests, please provide sufficient information to enable Grelin Health to accurately identify you and process your request. This may include your name, email address, organization affiliation, and a clear description of your inquiry or request.