I AM GRACE: Evidence-based surge response for labor & delivery

Privacy Policy

Last updated: April 16, 2026

I AM GRACE INC., a California corporation with its principal place of business at 2121 Avenue of the Stars, Suite 800, Century City, CA 90067 (“I AM GRACE,” “GRACE,” “we,” “us,” or “our”), respects your privacy. This Privacy Policy describes the personal information we collect, how we use and share it, the choices you have, and your rights under applicable law, when you: (i) visit our website at https://www.iamgrace.baby and its subdomains and related pages (the “Website”); (ii) register a hospital account, sign in, or otherwise use the GRACE software-as-a-service product (the “Service”); (iii) submit a demo request, public-dashboard access request, or other form; (iv) communicate with us by email or through other channels; or (v) interact with our content on third-party platforms that link to this Policy. This Policy is intended to comply with applicable privacy and data-protection laws wherever you are located, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (together, the “CCPA”), the EU and UK General Data Protection Regulations (“GDPR”/“UK GDPR”), the Virginia, Colorado, Connecticut, Utah, and other U.S. state comprehensive privacy laws, and the Children’s Online Privacy Protection Act (“COPPA”). If there is any conflict between this Policy and a separately executed Business Associate Agreement (“BAA”) with respect to Protected Health Information, the BAA will control. If there is any conflict between this Policy and a separately executed data-processing agreement (“DPA”) with respect to Customer Personal Data, the DPA will control.

1. Scope and role under privacy laws

This Policy applies to personal information we collect about visitors to the Website; prospects, demo requesters, and public-dashboard lead submitters; hospital administrators, charge nurses, unit managers, clinicians, and other authorized users of the Service (“Authorized Users”); and individuals who correspond with us. For personal information we collect about Website visitors, prospects, and our direct relationships with Authorized Users (for example, account credentials, profile data, marketing preferences, and analytics), I AM GRACE is the “business,” “controller,” or “data controller,” as those terms are defined under applicable law. For Customer Data (defined below) that a hospital customer (the “Customer”) submits to or creates through the Service in the course of using it, I AM GRACE acts as a “service provider,” “processor,” or “data processor” on behalf of the Customer. The Customer determines what Customer Data is submitted to the Service and is the controller of that data; our processing of it is governed by the GRACE Subscription Agreement, any executed Order Schedule, any executed DPA, and, where Protected Health Information is in scope, a separately executed BAA. Authorized Users should contact the Customer directly to exercise rights relating to Customer Data.

2. Definitions

“Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, and includes “personal data” and “personally identifiable information” as those terms are used under applicable law. “Sensitive Personal Information” includes government identifiers, precise geolocation, account credentials combined with access information, contents of communications (other than those directed to us), genetic or biometric data, and, to the extent relevant, information concerning health, racial or ethnic origin, religious or philosophical beliefs, sexual orientation, or union membership. “Customer Data” means data relating to a hospital, its Authorized Users, or its patients that the Customer or its Authorized Users input to, upload to, or generate within the Service, including unit census, room state, acuity factors, staffing assignments, notification logs, shift debriefs, ingestion events, and any Protected Health Information the Customer submits under a BAA. “Protected Health Information” or “PHI” has the meaning given to it under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). “Process” and “Processing” mean any operation performed on Personal Information, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, erasure, or destruction.

3. Categories of personal information we collect

Depending on how you interact with us, we may have Processed the following categories of Personal Information in the most recent twelve (12) months: (a) Identifiers and contact data. Your name, work or personal email address, professional title, employer or hospital, role on a labor-and-delivery unit, phone number (if you provide it), account user ID, and any correspondence identifiers we use to communicate with you. (b) Account credentials. Your chosen password, stored as a salted bcrypt hash (never in plaintext); password-reset and email-verification tokens (stored only as SHA-256 digests); session tokens issued as signed JSON Web Tokens; role in the Service (sysadmin, administrator, charge nurse, or user); permission flags such as whether you must reset your password, verify your email, or complete your profile. (c) Professional profile and onboarding data. The information you submit through our profile-completion and onboarding forms, including your name, job title, company, and confirmation email (persisted in our “profile_onboarding_submissions” collection); the information you submit to request a demo (name, email, hospital, role, approximate labor-room count, and free-text message, persisted in our “demo_requests” collection); and the information you submit to access the public dashboard (name, job title, company, and email, persisted in our “public_dashboard_leads” collection). (d) Hospital registration and configuration data. Your hospital or unit name and total labor-room count; hospital-level settings, roles, and notification preferences that you or your administrator configure. (e) Clickwrap and agreement-acceptance records. A record of your acceptance of our Subscription Agreement and related attestations, including the agreement slug and version, the timestamp of acceptance, the name and email of the accepting user, the IP address and user-agent string recorded at acceptance, and boolean attestations (authority to bind, no-PHI acknowledgment). These records are retained in both your account documents and an immutable “agreement_acceptances” audit collection for the purpose of establishing informed consent and audit defensibility. (f) Communications and support data. The contents of emails, support tickets, or other communications you send to us, our replies, and metadata about those communications (timestamps, message identifiers, delivery status). (g) Customer Data processed on behalf of the Customer. When a hospital uses the Service, we process Customer Data the Customer submits or generates, which may include (i) operational data such as room occupancy, acuity factors, nurse assignments, surge-level history, and notification logs; (ii) HL7 v2, FHIR R4, or REST-ingested census, admission-discharge-transfer, and staffing events; (iii) Authorized User–generated content such as shift debriefs, rescue, missed-care, or well-being notes, and outcomes entries; and (iv) Protected Health Information only where a BAA is separately executed. We Process Customer Data solely for the purposes described in Section 1 above and in accordance with the applicable written contracts. (h) Usage, device, and analytics data. When you visit the Website we collect log and analytics data, including IP address, user-agent string, browser type and version, operating system, device class (desktop/mobile/tablet/bot), screen dimensions, preferred language, referrer URL, requested page path, timestamps, and whether the request appears to originate from a known bot or crawler. This data is stored in our “page_views” collection for site-operations, security, and analytics purposes. We also log similar metadata to our API, error, and notification logs for diagnostic and security purposes. (i) Integration, ingestion, and API-key metadata. For Customers who enable EHR and system integrations, we log metadata about ingestion events (source, event type, timestamp, counts, error messages) in our “ingest_log” collection and keep hashed representations of API keys for authentication. The ingested operational data is Customer Data, governed as described in (g). (j) Inferences and derived data. We derive limited inferences from the data above to operate the Service, such as surge-band labels, acuity scores, nurse-to-acuity ratios, 2-hour level forecasts, 8-hour staffing forecasts, AWHONN shortfall calculations, session risk flags, and suspected-abuse signals. We do not intentionally collect Sensitive Personal Information about Website visitors, and we do not intentionally process Customer Data that constitutes Protected Health Information during the evaluation tier. Customers are contractually prohibited from submitting PHI without a separately executed BAA.

4. Sources of personal information

We collect Personal Information from the following sources: (i) directly from you when you submit forms, create an account, communicate with us, accept the Subscription Agreement, complete your profile, or use the Service; (ii) automatically through your device and browser when you interact with the Website or Service (see Section 10 on cookies and similar technologies); (iii) from your hospital or employer when they invite you as an Authorized User, provision your role, or configure system settings; (iv) from third-party systems authorized by the Customer, such as EHRs, bed-management systems, and other clinical-IT systems that send HL7 v2, FHIR R4, or REST events to the Service; and (v) from our service providers and sub-processors acting on our behalf (for example, our email-delivery, hosting, and AI providers).

5. Purposes of processing

We Process Personal Information for the following business purposes: (a) to provide, operate, secure, maintain, and improve the Website and the Service; (b) to create, authenticate, administer, and recover accounts, including password reset, email verification, and agreement re-acceptance flows; (c) to record and evidence your acceptance of legal terms, including the Subscription Agreement, and to enforce those terms; (d) to respond to demo requests, public-dashboard access requests, and other inquiries, and to send transactional communications such as confirmation and notification emails; (e) to deliver, configure, and audit the operational features of the Service, including surge-level calculation, AWHONN-shortfall reporting, weighted-acuity scoring, predictive and staffing forecasts, notifications, and reporting; (f) to route alerts according to the Job-Role × Notification-Type matrix configured by the Customer and the user’s personal preferences; (g) to operate integrations authorized by the Customer and to log ingestion events for diagnostic and audit purposes; (h) to detect, investigate, prevent, and respond to fraud, abuse, security incidents, and violations of our terms; (i) to analyze and improve the Website and Service, including aggregated and de-identified analytics; (j) to comply with applicable law, legal process, and lawful requests from governmental and regulatory authorities; (k) to establish, exercise, or defend legal claims; and (l) with your consent, for any additional purpose disclosed at the time of collection.

6. Legal bases (EEA/UK)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we Process your Personal Information under the following legal bases: (i) performance of a contract — to provide you the Website and Service you have requested and to perform the Subscription Agreement or any applicable written contract; (ii) our legitimate interests — to operate, secure, and improve the Website and Service, to market our Service to prospective customers where permitted, to prevent fraud and abuse, and to enforce our legal rights, balanced against your rights and freedoms; (iii) legal obligation — to comply with applicable law and lawful requests; (iv) consent — where you have given consent for a specific purpose (you can withdraw consent at any time without affecting the lawfulness of prior processing); and (v) vital interests or public interest, in the rare circumstance that either applies. Where we rely on legitimate interests you can request further information about the balancing test we performed.

7. Disclosures to third parties

We disclose Personal Information only as described in this Policy or as permitted by law. We do not sell your Personal Information for money, and, except as described below with respect to cross-context-behavioral-advertising signals you may choose to opt out of (currently none), we do not share your Personal Information for cross-context behavioral advertising as those terms are defined under the CCPA. We may disclose Personal Information to: (a) Service providers and sub-processors acting on our behalf under written contracts that restrict their use of the data to performing services for us, including cloud hosting, database hosting (MongoDB), email delivery (SMTP providers), AI processing (see Section 9), analytics, error monitoring, customer support, and professional advisors. A current list of material sub-processors is available on request through the contact channels published on the Website. (b) The Customer (and its administrators) in the case of Authorized Users — for example, your hospital administrator can see that you accepted an agreement, configure your role, manage your notification preferences, and remove your access. (c) Other Authorized Users within the same hospital account, to the extent necessary to operate shared features such as shift dashboards, the unit notification matrix, and escalation routing. (d) Our affiliates and corporate successors. Personal Information may be transferred in connection with a merger, acquisition, corporate reorganization, financing, sale of assets, bankruptcy, or similar transaction; we will require any successor to honor this Policy or provide notice of any material change. (e) Governmental, judicial, law-enforcement, and regulatory authorities where we believe in good faith that disclosure is required by law, subpoena, court order, or other legal process; where disclosure is necessary to comply with applicable reporting obligations; or where disclosure is necessary to protect the safety, rights, or property of I AM GRACE, our users, or the public. (f) Professional advisors (such as lawyers, accountants, and auditors) under obligations of confidentiality. We do not knowingly sell or share the Personal Information of consumers under the age of 16.

8. International data transfers

I AM GRACE is based in the United States, and our service providers and sub-processors may be located in the United States or other countries. If you access the Website or Service from outside the United States, your Personal Information will be transferred to, Processed in, and stored in the United States or other jurisdictions, which may have data-protection laws that differ from those of your country. Where we transfer Personal Information from the EEA, the United Kingdom, or Switzerland to a country that has not been recognized as providing an adequate level of protection, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or another lawful mechanism. You may contact us for more information about the safeguards we apply.

9. Automated decision-making and AI processing

GRACE uses automated processing, including machine-learning-based inference, to provide certain features of the Service, such as shift-debrief summarization, room-activity summarization, qualitative “feel” interpretation, and 2-hour surge-level forecasting. These AI features are produced by sending structured prompts, operational data, and de-identified or synthetic inputs (evaluation tier: no PHI) to our third-party large-language-model provider, Anthropic, PBC (the “LLM Provider”), via its API. We have implemented the LLM Provider’s enterprise controls, including the contractual prohibition against training its foundation models on our API inputs or outputs. The LLM Provider Processes these inputs for the limited purpose of returning a response to us. We do not use the LLM Provider outputs to make any legal or similarly significant decision about you automatically; clinical decisions, staffing decisions, and activation decisions remain with licensed clinicians and hospital leadership. You may have the right to object to processing based on automated decision-making, including profiling, where required by applicable law (see Section 14).

10. Cookies and similar technologies

We use a minimal set of cookies and similar technologies that are strictly necessary to operate the Website and Service or that we consider to have a low privacy impact. Specifically: (a) Session cookie (“grace_session”). An HTTP-only, SameSite=Lax, Secure-in-production cookie that stores a signed JSON Web Token used for authentication after you sign in. This cookie is strictly necessary for authenticated use of the Service and cannot be disabled. Its default expiration is seven days. (b) Public-dashboard access cookie. A cookie we set after you successfully submit the public-dashboard access form, to remember your acknowledgment of the access form for up to 365 days. (c) Page-view analytics. We log page-view events server-side (see Section 3(h)). We do not currently use third-party advertising cookies, cross-site tracking pixels, or social-media tracking beacons on the Website. We respect and implement the Global Privacy Control (“GPC”) signal and the “Do Not Track” (“DNT”) browser signal to the extent required by applicable law; because we do not engage in cross-context behavioral advertising or sell Personal Information, honoring these signals does not change the operational behavior of the Website beyond what this Policy already describes. You can manage or delete cookies through your browser settings.

11. Retention

We retain Personal Information for as long as necessary to fulfill the purposes described in this Policy, unless a longer period is required or permitted by law. Specific retention considerations include: (i) account data is retained for the life of the account and, following account closure, for a commercially reasonable wind-down period; (ii) agreement-acceptance records are retained as long as the Service is offered and for a reasonable additional period to defend against legal claims, as they are part of our contract-formation audit trail; (iii) page-view analytics are retained in an identifiable form for up to eighteen (18) months and thereafter deleted or aggregated; (iv) demo-request and public-dashboard-lead records are retained for as long as reasonably necessary to respond to the request, follow up, and meet tax, accounting, and legal recordkeeping obligations; (v) email and support communications are retained under our records-retention schedule; and (vi) Customer Data is retained in accordance with the Subscription Agreement, any Order Schedule, any DPA, and any BAA, and is deleted or returned in accordance with those agreements upon termination. Retention periods may be longer when necessary to comply with legal obligations, to resolve disputes, to enforce our agreements, or to protect the safety of our users.

12. Security

We maintain administrative, technical, and physical safeguards designed to protect Personal Information against unauthorized access, disclosure, alteration, or destruction, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of Processing. These measures include: encryption of Personal Information in transit using industry-standard TLS; hashing of passwords using bcrypt; SHA-256 digests of sensitive tokens; JSON Web Tokens stored in HTTP-only, SameSite cookies; role-based access controls within the Service; audit logs for privileged administrative actions and agreement acceptances; network segmentation between the marketing Website and the application; principle-of-least-privilege access to production systems for our personnel; and periodic review of our third-party sub-processors. Despite these measures, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security. If we become aware of a Personal Information breach that requires notification under applicable law, we will notify affected individuals and regulators as required.

13. HIPAA, PHI, and the no-PHI evaluation tier

GRACE is designed so that the evaluation tier of the Service operates without the submission of Protected Health Information, with the Customer and the accepting user attesting to the no-PHI restriction at signup and at each agreement re-acceptance. Under the Subscription Agreement, Customers must not submit PHI to the Service until they have separately executed a Business Associate Agreement with I AM GRACE. Where a BAA has been separately executed, I AM GRACE acts as a “business associate” (as defined under HIPAA) solely with respect to the PHI the Customer submits under that BAA, and Processes such PHI in accordance with the BAA, the HIPAA Privacy, Security, and Breach Notification Rules, and applicable state law. In the event of any conflict between this Policy and a BAA with respect to PHI, the BAA will control. Individuals who believe the Service may contain PHI about them should contact the covered entity (typically the hospital Customer); individuals may also contact us through the channels in Section 19 and we will route appropriately.

14. Your privacy rights

Subject to applicable law and any applicable exemptions, you may have some or all of the following rights with respect to Personal Information we have collected about you while acting as a business/controller: (a) Right to know/access. Request confirmation of whether we Process your Personal Information, and a copy of the Personal Information we hold, the categories of Personal Information, the sources, the purposes of Processing, and the categories of recipients. (b) Right to correct/rectify. Request that we correct inaccurate or incomplete Personal Information. (c) Right to delete/erase. Request that we delete Personal Information about you, subject to exceptions (for example, to complete a transaction, detect security incidents, comply with a legal obligation, or exercise or defend legal claims). (d) Right to restrict or object. Request that we restrict Processing, or object to Processing based on legitimate interests, including direct marketing. (e) Right to portability. Receive Personal Information in a structured, commonly used, machine-readable format, or request that we transmit it to another controller where technically feasible. (f) Right to opt out of sale/sharing/targeted advertising. As noted, we do not sell or share Personal Information for cross-context behavioral advertising. A machine-readable GPC signal will be honored as an opt-out request where applicable law requires. (g) Right to limit use of Sensitive Personal Information. To the extent we Process any Sensitive Personal Information as defined by applicable law, you may request that we limit use to what is necessary to perform the Service requested or as otherwise permitted. (h) Right to non-discrimination. You will not receive discriminatory treatment for exercising any of these rights. (i) Right to withdraw consent. Where we rely on consent, you may withdraw it at any time. (j) Right to appeal. Some U.S. state laws give you the right to appeal our response to a rights request; instructions for doing so will be included in our response. (k) Right to lodge a complaint with a supervisory authority. EEA, UK, and Swiss residents may lodge a complaint with their local data-protection authority (for example, the UK Information Commissioner’s Office). To exercise any of these rights, contact us as described in Section 19. We will verify your identity using information reasonably necessary given the nature of the request. You may designate an authorized agent to make a request on your behalf, subject to verification. Rights relating to Customer Data should generally be directed to the hospital Customer; we will assist the Customer in responding to verified requests as the Subscription Agreement and any DPA require.

15. Additional disclosures for California residents (CCPA/CPRA)

This Section supplements the rest of this Policy with information required by the CCPA for California residents. In the most recent twelve (12) months, we have collected the categories of Personal Information described in Section 3, which correspond to the following CCPA categories: identifiers; customer-records information (Cal. Civ. Code § 1798.80(e)); characteristics of protected classifications (only if voluntarily provided, such as professional role); commercial information; internet or other electronic network activity information; professional or employment-related information; and inferences drawn from the above. We collect Personal Information from the sources listed in Section 4 and use it for the business or commercial purposes listed in Section 5. We disclose Personal Information to the categories of recipients described in Section 7. We have not “sold” Personal Information or “shared” Personal Information for cross-context behavioral advertising, as those terms are defined under the CCPA, in the preceding twelve (12) months. We do not have actual knowledge that we sell or share the Personal Information of consumers under sixteen (16) years of age. California residents may exercise the rights described in Section 14 by contacting us as described in Section 19. We do not use or disclose Sensitive Personal Information for purposes other than those permitted without the right to limit under the CCPA.

16. Additional disclosures for other U.S. state residents

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Oregon (OCPA), Texas (TDPSA), Montana (MCDPA), Tennessee (TIPA), Indiana, Iowa, Delaware, New Hampshire, New Jersey, and other states with comprehensive privacy laws may have rights analogous to those described in Section 14. We do not “sell” Personal Information for monetary consideration, do not engage in “targeted advertising” based on Personal Information collected across distinct businesses or websites, and do not engage in “profiling” in furtherance of decisions that produce legal or similarly significant effects concerning consumers, as those terms are defined under applicable state law. You may appeal any denial of a rights request by replying to our written response; if the appeal is denied, you may contact your state’s attorney general.

17. Children

The Website and Service are intended for healthcare organizations and their authorized workforce, not for children. We do not knowingly collect Personal Information directly from children under 13 years of age (or the higher applicable age in your jurisdiction) and do not intentionally collect any Personal Information directly from minors on the Website. If you believe we may have collected Personal Information from a child without verifiable parental consent, please contact us at the address in Section 19 and we will delete it in accordance with applicable law.

18. Marketing communications and preferences

We may send you transactional communications (such as password-reset emails, security alerts, legal-notice acknowledgments, and confirmation emails) that are necessary to provide the Website or Service; these cannot generally be opted out of while you maintain an account. We may also send commercial electronic communications where permitted by applicable law (for example, to inform prospects who have submitted a demo request of product updates). You can opt out of commercial emails at any time by using the unsubscribe link included in the email, replying with an opt-out request, or contacting us at the address in Section 19. In accordance with the CAN-SPAM Act, emails we send include our physical address and a clear method for opting out.

19. How to contact us and exercise your rights

If you have questions about this Policy, would like to exercise any of the rights described above, or wish to raise a concern, please contact us:

I AM GRACE INC.
Attn: Privacy
2121 Avenue of the Stars, Suite 800
Century City, CA 90067, USA

You may also contact us through the contact options published on the Website. For Subscription Agreement questions, intellectual-property complaints, or DMCA notices, please refer to our Terms and Conditions at https://www.iamgrace.baby/terms. To the extent required by applicable law, we may verify your identity before responding to a rights request and will respond within the period required by the applicable law.

20. EEA, UK, and Swiss representatives

If you are located in the EEA, the UK, or Switzerland and you need to contact a local representative under Article 27 of the GDPR or the UK GDPR, please contact us at the address in Section 19 and we will direct your request appropriately. At this time, I AM GRACE has not appointed a designated EEA or UK representative for Article 27 purposes because our Processing does not routinely meet the thresholds that require one; if your situation requires a local contact, we will promptly cooperate to designate one.

21. Links to third-party sites and content

The Website may contain links to third-party websites, services, or content (for example, academic journal landing pages, AWHONN publications, or EHR-vendor documentation). We are not responsible for the privacy practices or content of those third parties, and the inclusion of a link does not imply endorsement. We encourage you to read the privacy notices of any third-party site you visit.

22. Aggregated and de-identified data

We may aggregate, anonymize, or de-identify Personal Information so that the resulting data cannot reasonably be linked to any identified or identifiable individual. We may use and disclose such aggregated or de-identified data for research, analytics, benchmarking, product improvement, and other lawful purposes. We commit to maintaining and using such data in de-identified form, and not to attempting to re-identify the information, except as permitted by applicable law.

23. Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. The “Last updated” date at the top of this Policy reflects the current version. If we make material changes, we will provide additional notice, such as posting a notice on the Website, notifying administrators through the Service, or, where required, sending an email or requesting re-consent. Your continued use of the Website or Service after the effective date of any updated Policy constitutes your acceptance of the updated Policy, to the extent permitted by applicable law.

24. Severability and interpretation

If any provision of this Policy is held invalid or unenforceable, the remaining provisions will continue in full force and effect. Headings are for convenience only and do not affect interpretation. The word “including” means “including without limitation.”