Privacy Policy

Last updated: April 16, 2026

I AM GRACE INC., a California corporation with its principal place of business at 2121 Avenue of the Stars, Suite 800, Century City, CA 90067 (“I AM GRACE,” “NEDOCS,” “we,” “us,” or “our”), respects your privacy. This Privacy Policy describes the personal information we collect, how we use and share it, the choices you have, and your rights under applicable law, when you: (i) visit our website at https://www.nedocs.org and its subdomains and related pages (the “Website”); (ii) register a hospital account, sign in, or otherwise use the NEDOCS software-as-a-service product (the “Service”); (iii) submit a demo request, public-dashboard access request, or other form; (iv) communicate with us by email or through other channels; or (v) interact with our content on third-party platforms that link to this Policy. This Policy is intended to comply with applicable privacy and data-protection laws wherever you are located, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (together, the “CCPA”), the EU and UK General Data Protection Regulations (“GDPR”/“UK GDPR”), the Virginia, Colorado, Connecticut, Utah, and other U.S. state comprehensive privacy laws, and the Children’s Online Privacy Protection Act (“COPPA”). If there is any conflict between this Policy and a separately executed Business Associate Agreement (“BAA”) with respect to Protected Health Information, the BAA will control. If there is any conflict between this Policy and a separately executed data-processing agreement (“DPA”) with respect to Customer Personal Data, the DPA will control.

1. Scope and role under privacy laws

This Policy applies to personal information we collect about visitors to the Website; prospects, demo requesters, and public-dashboard lead submitters; hospital administrators, charge nurses, ED managers, clinicians, and other authorized users of the Service (“Authorized Users”); and individuals who correspond with us. For personal information we collect about Website visitors, prospects, and our direct relationships with Authorized Users (for example, account credentials, profile data, marketing preferences, and analytics), I AM GRACE is the “business,” “controller,” or “data controller.” For Customer Data that a hospital customer submits to or creates through the Service, I AM GRACE acts as a “service provider,” “processor,” or “data processor” on behalf of the Customer.

2. Definitions

“Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with a particular individual or household. “Sensitive Personal Information” includes government identifiers, precise geolocation, account credentials, and health, biometric, or similar data. “Customer Data” means data relating to a hospital, its Authorized Users, or its patients that the Customer inputs to, uploads to, or generates within the Service. “Protected Health Information” or “PHI” has the meaning given under HIPAA. “Process” means any operation performed on Personal Information.

3. Categories of personal information we collect

Depending on how you interact with us, we may Process identifiers and contact data; account credentials (passwords stored only as salted hashes, tokens stored as SHA-256 digests); professional profile and onboarding data; hospital registration and configuration data; clickwrap and agreement-acceptance records; communications and support data; Customer Data processed on behalf of the Customer; usage, device, and analytics data; integration, ingestion, and API-key metadata; and limited inferences and derived data. We do not intentionally collect Sensitive Personal Information about Website visitors, and we prohibit submission of PHI without a separately executed BAA.

4. Sources of personal information

We collect Personal Information directly from you; automatically through your device and browser; from your hospital or employer when they invite you as an Authorized User; from third-party systems authorized by the Customer (EHRs, bed-management systems sending HL7 v2, FHIR R4, or REST events); and from our service providers and sub-processors acting on our behalf.

5. Purposes of processing

We Process Personal Information to provide, operate, secure, maintain, and improve the Website and Service; to administer and recover accounts; to record acceptance of legal terms; to respond to demo and access requests; to deliver and audit operational features including NEDOCS score calculation and notifications; to route alerts per the role-based notification matrix; to operate integrations; to detect and prevent fraud and abuse; to analyze and improve; to comply with law; to establish or defend legal claims; and, with consent, for additional disclosed purposes.

6. Legal bases (EEA/UK)

If you are located in the EEA, the UK, or Switzerland, we Process your Personal Information on the following legal bases: performance of a contract; our legitimate interests; legal obligation; consent; and vital or public interest where applicable.

7. Disclosures to third parties

We disclose Personal Information only as described in this Policy or permitted by law. We do not sell your Personal Information and do not share it for cross-context behavioral advertising. We may disclose to service providers and sub-processors; the Customer and its administrators; other Authorized Users within the same hospital account; our affiliates and corporate successors; governmental and regulatory authorities; and professional advisors.

8. International data transfers

I AM GRACE is based in the United States; your Personal Information may be transferred to and Processed in the United States or other jurisdictions. For transfers from the EEA, UK, or Switzerland we rely on appropriate safeguards such as Standard Contractual Clauses or the UK International Data Transfer Addendum.

9. Automated decision-making and AI processing

NEDOCS uses automated processing, including ML-based inference, for features such as shift-debrief summarization and surge-level forecasting, by sending structured prompts and de-identified or synthetic inputs (evaluation tier: no PHI) to a third-party large-language-model provider under enterprise controls. Clinical, staffing, and activation decisions remain with licensed clinicians and hospital leadership.

10. Cookies and similar technologies

We use a minimal set of cookies: a strictly necessary session cookie; a public-dashboard access cookie; and server-side page-view analytics. We do not use third-party advertising cookies or cross-site tracking. We respect the Global Privacy Control and Do Not Track signals to the extent required by law.

11. Retention

We retain Personal Information for as long as necessary to fulfill the purposes described, unless a longer period is required or permitted by law. Page-view analytics are retained in identifiable form for up to eighteen (18) months. Customer Data is retained in accordance with the Subscription Agreement, DPA, and BAA.

12. Security

We maintain administrative, technical, and physical safeguards including TLS in transit, password hashing, SHA-256 token digests, role-based access controls, audit logs, network segmentation, and least-privilege access. No method of transmission or storage is completely secure.

13. HIPAA, PHI, and the no-PHI evaluation tier

The evaluation tier operates without the submission of PHI. Customers must not submit PHI to the Service until a BAA has been separately executed. Where a BAA exists, I AM GRACE acts as a business associate solely with respect to the PHI submitted under that BAA.

14. Your privacy rights

Subject to applicable law, you may have the following rights: to know/access, to correct, to delete, to restrict or object, to portability, to opt out of sale/sharing, to limit use of Sensitive Personal Information, to non-discrimination, to withdraw consent, to appeal, and to lodge a complaint with a supervisory authority. Contact us as described in Section 19 to exercise these rights.

15. Additional disclosures for California residents (CCPA/CPRA)

We have collected the categories of Personal Information described in Section 3, from the sources in Section 4, for the purposes in Section 5, disclosed to the recipients in Section 7. We have not sold or shared Personal Information for cross-context behavioral advertising in the preceding twelve months.

16. Additional disclosures for other U.S. state residents

Residents of Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Montana, Tennessee, and other states with comprehensive privacy laws may have analogous rights. We do not sell Personal Information, engage in targeted advertising, or profile in furtherance of legally significant decisions.

17. Children

The Website and Service are intended for healthcare organizations and their authorized workforce, not for children. We do not knowingly collect Personal Information from children under 13.

18. Marketing communications and preferences

We may send transactional communications necessary to provide the Service, and commercial communications where permitted by law. You can opt out of commercial emails at any time via the unsubscribe link or by contacting us.

19. How to contact us and exercise your rights

I AM GRACE INC., Attn: Privacy, 2121 Avenue of the Stars, Suite 800, Century City, CA 90067, USA. You may also contact us through the contact options published on the Website.

20. EEA, UK, and Swiss representatives

If you require a local representative under Article 27 of the GDPR or UK GDPR, contact us at the address in Section 19 and we will direct your request appropriately.

21. Links to third-party sites and content

The Website may contain links to third-party websites or content. We are not responsible for the privacy practices or content of those third parties.

22. Aggregated and de-identified data

We may aggregate, anonymize, or de-identify Personal Information and use such data for research, analytics, benchmarking, and product improvement, and we commit not to re-identify it except as permitted by law.

23. Changes to this Policy

We may update this Policy from time to time. The “Last updated” date reflects the current version. Material changes will be accompanied by additional notice.

24. Severability and interpretation

If any provision is held invalid, the remaining provisions continue in full force. Headings are for convenience only. “Including” means “including without limitation.”