support@calmora.com

|

1-800-CALMORA
Contact
Contact

CALMORA PRIVACY POLICY

1. PURPOSE, SCOPE, AND BINDING AGREEMENT

Calmora (“the Company,” “we,” “us,” or “our“) is committed to protecting the privacy and security of your personal and health-related information. This Privacy Policy governs our data collection, processing, and usage practices across our website, mobile applications, associated APIs, and all electronic communications (collectively, the “Platform“). By accessing or using the Platform, you provide your explicit consent to the data practices described herein. If you do not agree with these practices, you are prohibited from using the Services and must exit the Platform immediately.

2. SEPARATION OF ENTITIES & THE "SECURE PLATFORM" FIREWALL

Calmora operates as a Management Services Organization (MSO) providing administrative and technological services to independent medical practices and clinicians (the “Providers“).

  • The Secure Platform: Once a user authenticates into the password-protected portions of the Platform (“Secure Platform“), all data collected is considered Protected Health Information (PHI) and/or medical information.
  • Governing Law: This data is governed strictly by the Notice of Privacy Practices (NPP) provided by your independent Provider, maintained in accordance with the 2026 federal alignment of HIPAA and 42 CFR Part 2.
  • Commercial Restriction: PHI collected within the Secure Platform will never be sold, nor will it be used for advertising, marketing, or third-party data mining purposes without your explicit, written HIPAA Authorization.

3. COMPREHENSIVE DATA COLLECTION & "CLICKSTREAM" METRICS

We collect “Personal Information” (identifiable data) and “Usage Data” (technical data) to the minimum extent necessary:

  • Account Information: Legal name, email, phone, physical address, and government-issued identification for identity verification.
  • Health & Clinical Data: Medical history, OUD symptoms, laboratory test results, and medications provided by you or your independent Provider.
  • Payment & Subscription Data: To facilitate recurring billing, we utilize a third-party, secure payment processor. Calmora does not store, nor do we have access to, your full credit card number or CVV code. We receive only secure “tokens” that allow us to process your subscription.
  • Technical Usage Data: We automatically receive data including IP addresses, MAC addresses, device identifiers, operating system version, browser type, referring URLs, time zone settings, and “clickstream” data representing your specific path through our Platform.

4. PLATFORM FACILITATION & THE "BUSINESS ASSOCIATE" NETWORK

To maintain a high-performance clinical environment, Calmora utilizes professional third-party Infrastructure-as-a-Service (IaaS) providers and clinical network facilitators. These partners provide the technological backbone of the Platform, including but not limited to patient portals, secure messaging systems, physician networks, and data hosting services.

  • Legal Shield: All such partners are contractually bound by Business Associate Agreements (BAAs) and confidentiality obligations under HIPAA. You acknowledge that these partners may have access to your information strictly to the extent necessary to facilitate your clinical journey.

5. SPECIAL PROTECTIONS FOR OUD RECORDS (42 CFR PART 2)

Records regarding the treatment of substance use disorders are subject to heightened federal protections.

  • Strict Non-Disclosure: We shall not disclose any information identifying you as a person with a substance use disorder unless you provide written consent, a court order is issued, or in the event of a medical emergency.
  • Testimony Prohibition: Your records are strictly prohibited from being used to initiate or substantiate any criminal charges against you or to conduct any investigation. Such records cannot be introduced in any civil, criminal, administrative, or legislative proceedings against you without your explicit written consent or a specific court order issued in compliance with 42 CFR Part 2.

6. DETAILED DATA USAGE & RE-DISCLOSURE NOTICE

We use collected information to:

  • Provide Services: Administer, operate, and secure the Platform.
  • Workforce Training: Educate our workforce in data protection and customer support.
  • Internal Development: Conduct research and develop new features using de-identified, aggregated data.
  • Re-disclosure Warning: You are hereby notified of the potential for information disclosed pursuant to the Privacy Rule to be subject to re-disclosure by a recipient and no longer protected by federal privacy laws, though Calmora maintains strict BAAs to mitigate this risk

7. COOKIES, PIXELS, AND TARGETED ADVERTISING

We and our third-party advertising partners (Google, Meta/Facebook, Microsoft/Bing) use cookies, web beacons, and pixels to store information about your interactions with the public portions of our Platform.

  • Retargeting: Pixels allow us to build a profile of your interests to show you relevant advertisements on other websites.
  • Opt-Out Rights: You may restrict cookies via browser settings or opt-out of targeted advertising via the NAI or DAA opt-out pages.
  • Do Not Track (DNT): Our Platform does not currently respond to “Do Not Track” signals.

8. DISCLOSURE OF INFORMATION TO THIRD PARTIES

We do not sell your personal information. Disclosures are limited to:

  • Service Providers: Partners who process data based on our instructions.
  • Legal Obligations: To comply with a law, search warrant, or subpoena; to protect the physical safety of any person; or to defend against legal claims.
  • Business Transfers: To a buyer or successor in the event of a merger, acquisition, or sale of assets, subject to confidentiality protections.

9. RETENTION & DATA SECURITY

  • Retention: We retain account information while your account is active. You acknowledge that under HIPAA and state medical record laws, we are required to maintain PHI for a minimum mandatory period (7–10 years), which survives account deletion.
  • Security: We utilize administrative, physical, and technical safeguards. However, you acknowledge that any transmission of information over the internet is at your own risk.

10. BREACH NOTIFICATION PROTOCOL

In the event of a security breach involving your unsecured PHI, Calmora will notify you in accordance with the HIPAA Breach Notification Rule. Notice will be provided without unreasonable delay (and no later than 60 days post-discovery) via email or first-class mail.

11. YOUR RIGHTS & STATE-SPECIFIC DISCLOSURES

Depending on your residency (including California, Virginia, and Delaware), you may have the following rights:

  • Request to Know & Access: The right to request a portable copy of the information we have collected.
  • Request to Delete: The right to request data deletion (subject to HIPAA retention mandates).
  • Right to Correct: The right to request correction of inaccurate or misleading information.
  • Accounting of Disclosures: The right to request a list (an “accounting”) of certain disclosures of your PHI made in the three (3) years prior to your request.
  • Authorized Agents: You may designate an authorized agent to make requests on your behalf, provided you provide verifiable written permission.

12. CHILDREN'S PRIVACY

The Platform is strictly for individuals eighteen (18) years of age or older. We do not knowingly collect or solicit data from anyone under 18.

13. SEVERABILITY AND SURVIVAL

  • Survival: Provisions regarding Limitation of Liability, Indemnification, and Data Retention shall survive any termination of this Agreement.
  • Severability: If any portion of this Policy is found unenforceable, the remaining sections remain in full force.

14. CHANGES TO THIS POLICY

Calmora reserves the right to modify this Privacy Policy at any time. Changes will be effective immediately upon posting to the Platform. Your continued use of the Platform constitutes acceptance of the revised Policy.

×

Thank you! Your message has been sent.