Privacy Policy
Last updated: 6/4/2026
1. Introduction & scope
This Privacy Policy describes how 31M Health, Inc. (“31M,” “we,” “our,” or “us”) collects, uses, discloses, and protects information in connection with our website (the “Site”) and our care-management platform (the “Platform”). It applies to visitors to the Site, to prospective customers who submit information through our forms, and to individual users of the Platform.
PHI processed under a Business Associate Agreement. When 31M processes Protected Health Information (“PHI”) on behalf of a covered entity or another business associate under the Health Insurance Portability and Accountability Act (“HIPAA”), our use and disclosure of that PHI is governed by the executed Business Associate Agreement (“BAA”) between the parties. In the event of a conflict between this Policy and the BAA with respect to PHI, the BAA controls.
2. Information we collect
We collect information in three ways: information you provide directly, information collected automatically when you use the Site or Platform, and (rarely) information we receive from third parties.
Information you provide. Contact details (name, work email, phone number), the name of your organization, information you include in support inquiries, demo requests, or Request Access submissions, and any other information you choose to share with us. Please do not submit PHI through the marketing Site.
Automatically collected information. Device and browser information, IP address, approximate location derived from IP, referring page, pages viewed, dates and times of visits, and interaction events. We use first-party cookies and similar technologies described in Section 5.
Information from third parties. We do not currently purchase, license, or receive personal information about you from data brokers or advertising networks. If we receive information from a third party in connection with a sales referral or partner introduction, we treat it under this Policy.
3. How we use information
We use the information described above to (i) operate, secure, and improve the Site and Platform; (ii) respond to inquiries and requests; (iii) evaluate, scope, and onboard prospective customers; (iv) communicate with you about products, security advisories, and updates relevant to your account; (v) detect and prevent fraud, abuse, and security incidents; and (vi) comply with applicable legal obligations.
No sale of personal information. We do not sell personal information as that term is defined under the California Consumer Privacy Act (as amended by the California Privacy Rights Act, “CCPA/CPRA”) or comparable US state laws. We do not share personal information for cross-context behavioural advertising.
4. HIPAA, BAAs, and PHI
When customers process PHI on the Platform, 31M acts as a Business Associate within the meaning of HIPAA. We sign a BAA with every customer that processes PHI through the Platform. The BAA governs permitted uses and disclosures of PHI, our safeguards, breach notification timelines, audit rights, and obligations on termination.
The marketing Site is not designed to receive PHI and should not be used to transmit PHI. If PHI is inadvertently sent to us outside of a paid customer relationship (for example, in a support email or contact form), we delete it and notify the sender.
5. Cookies and tracking technologies
We use first-party cookies and similar technologies for (a) strictly necessary purposes (authentication, security, load balancing), (b) preferences (remembering your theme choice), and (c) limited first-party analytics that help us understand which pages are useful. We do not use third-party advertising cookies, retargeting pixels, or social-media trackers on the marketing Site.
You can disable cookies through your browser settings. Strictly necessary cookies cannot be disabled without affecting Platform functionality. We honour the “Global Privacy Control” browser signal where applicable as an opt-out request for cross-context disclosures (which we do not currently make in any case).
6. Sharing and disclosures
We share information only as needed and only with the categories of recipients described below.
- Sub-processors. Vetted vendors who provide infrastructure, hosting, email, security, and analytics services on our behalf, under written contractual confidentiality and data-protection terms. A current list of sub-processors is available on request and, for Platform customers, is referenced in the BAA.
- Affiliates and successors. Our affiliates, and any successor entity in connection with a merger, acquisition, or sale of assets, subject to commitments at least as protective as this Policy.
- Legal and safety. Government authorities, regulators, or other third parties as required by law, valid legal process, or to protect the rights, safety, or property of 31M, our customers, or the public.
7. Data retention
We retain Site information for as long as needed for the purposes described in this Policy, plus reasonable archival, audit, and legal-hold periods. Platform customer data, including PHI, is retained and deleted in accordance with the customer’s subscription agreement and BAA.
You may request deletion of personal information we hold about you by contacting us at privacy@31m.site. We will honour deletion requests except where retention is required by law, needed to complete a transaction, or necessary to establish or defend legal claims.
8. Security
We implement administrative, physical, and technical safeguards designed to protect personal information against unauthorised access, alteration, disclosure, and destruction. The Platform is encrypted in transit (TLS 1.2+) and at rest (AES-256), uses role-based access controls, and produces immutable audit trails. See our Security page for a current overview of our program, including SOC 2 Type II coverage.
9. International transfers
31M is headquartered in the United States and our infrastructure is hosted in US regions. If you access the Site or Platform from outside the US, your information will be transferred to and processed in the US. Where required by applicable law, we rely on Standard Contractual Clauses or other lawful transfer mechanisms.
10. Your rights
Depending on where you live, you may have rights with respect to personal information we hold about you. To exercise any right, email privacy@31m.site with enough detail to verify your identity and respond meaningfully. We do not discriminate against you for exercising any of these rights.
California (CCPA/CPRA). California residents have the right to (i) know what categories and specific pieces of personal information we have collected, (ii) request deletion, (iii) request correction of inaccurate personal information, (iv) opt out of sale or sharing of personal information (we do not sell or share), (v) limit the use and disclosure of sensitive personal information, and (vi) not be retaliated against for exercising these rights. You may use an authorised agent to make a request on your behalf.
Other US states. Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive consumer privacy laws have comparable rights. We honour verified consumer requests under those laws.
11. Children’s privacy
The Site and the Platform are intended for use by healthcare professionals and administrators, not by children. We do not knowingly collect personal information from children under 13 (or the equivalent minimum age in the relevant jurisdiction). If you believe a child has provided us with personal information, contact privacy@31m.site and we will delete it.
12. Changes to this Policy
We may update this Policy from time to time. Material changes will be announced on the Site and, where appropriate, by direct notice to Platform customers. The “Last updated” date at the top of this Policy reflects the most recent revision. Continued use of the Site or Platform after a change indicates acceptance of the updated Policy.
13. Contact
Questions or requests under this Policy can be sent to privacy@31m.site.
Mailing address: 31M Health, Inc. — [street address placeholder] — [city, state, ZIP, country].