Privacy Policy
Last updated: July 2026
Plain English Summary
- We only collect data necessary to run the platform. We do not sell your information to anyone, ever.
- Resident health data is protected under HIPAA. All protected health information (PHI) is handled by Marpass as a HIPAA Business Associate under our Business Associate Agreement (BAA) with your facility. This Privacy Policy governs account-holder and website-visitor data; the BAA governs PHI.
- You own your data. You can export your data at any time. When you leave Marpass, your data leaves with you, subject to the legal record-retention rules that apply to your facility.
- We use industry-standard security. AES-256 encryption at rest, TLS 1.2+ in transit, built on SOC 2 Type II-audited infrastructure (AWS, Vercel).
1. Business Associate Framing
For resident protected health information (PHI), Marpass, Inc., a Delaware corporation, acts as a HIPAA Business Associate that processes data on behalf of and under the instructions of its covered-entity customers (residential care facility operators). The handling of PHI is governed by the Business Associate Agreement (BAA) between Marpass and the covered entity, not by this Privacy Policy. This Privacy Policy governs the relationship between Marpass and the account-holders (operators, administrators, and staff) and website visitors. Where the BAA and this Privacy Policy differ as to PHI, the BAA controls.
2. Information We Collect
We collect information you provide directly when you create an account, set up your facility profile, and use our services. This includes:
- Account Information: Your name, email address, phone number, and facility details including license number and address.
- Resident Health Information: Protected health information (PHI) including resident names, dates of birth, diagnoses, medications, care plans, and related health records that you enter into the platform. PHI is handled under the BAA, not this Privacy Policy.
- Staff Information: Employee names, certifications, training records, and scheduling data.
- Usage Data: Information about how you interact with the platform, including features used, pages viewed, and actions taken. This data is collected to improve the service and is not linked to resident health records.
- Device Information: Browser type, operating system, device identifiers, and IP address for security and troubleshooting purposes.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Marpass platform and all its features.
- Process and manage medication administration records, care plans, scheduling, and compliance tracking as directed by you and consistent with the BAA.
- Send you service-related communications including account notifications, medication alerts, credential expiration reminders, and compliance updates.
- Improve and develop new features based on aggregated, de-identified usage patterns.
- Ensure the security of your account and protect against unauthorized access.
- Comply with HIPAA and applicable federal and state laws and regulations, including Florida and Washington residential-care requirements as applicable, and respond to lawful requests.
4. Data Sharing
We do not sell, rent, or trade your personal information or protected health information. We may share information in the following limited circumstances:
- Service Providers and Subprocessors: We work with carefully selected third-party service providers who assist us in operating the platform (cloud hosting, email delivery, payment processing). These providers are bound by contractual obligations equivalent to ours, including BAAs where PHI is involved. A current list of subprocessors is published at /subprocessors and customers are notified of changes.
- Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request, including state inspection or licensing requirements.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.
5. Data Security
We implement comprehensive security measures to protect your information:
- All data is encrypted at rest using AES-256 encryption.
- All data in transit is protected by TLS 1.2+ encryption.
- Our infrastructure is built on SOC 2 Type II-audited cloud providers (AWS, Vercel) within the United States.
- Access to protected health information is controlled through role-based permissions with multi-factor authentication.
- We maintain comprehensive audit logs of all access to health information.
- We conduct regular security assessments and automated security scanning.
6. Your Rights
You have the right to:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your personal information, subject to legal record-retention rules and the BAA.
- Export: Export your data in a standard, machine-readable format at any time.
- Restriction: Request that we limit how we use your information.
To exercise any of these rights, contact us at privacy[at]marpass.com. We will respond to your request within 30 days.
7. Data Retention
We retain information for as long as your account is active and thereafter as needed to provide the service and to meet your facility's legal record-retention obligations and applicable law. Residential care record-retention periods vary by state and facility type (for example, Washington adult family homes, assisted living, and nursing facilities, and Florida assisted living facilities each set their own minimum retention periods). When your account closes, you may export your data, and we will return or delete it within 60 days EXCEPT where longer retention is required by law or by the Business Associate Agreement. Separately, HIPAA requires certain compliance documentation (such as policies and disclosure records) to be retained for six years (45 CFR 164.316, 164.530(j)).
8. Washington Consumers (MHMDA)
Most health information Marpass processes is PHI handled by Marpass as a HIPAA Business Associate under the BAA, which is exempt from the Washington My Health My Data Act (RCW 19.373). For any consumer health data that is not exempt, see our Consumer Health Data Privacy Policy at /mhmda. That policy describes the categories of consumer health data collected, the purposes for which it is used, your Washington-consumer rights, and how to exercise them.
9. Children's Privacy
Marpass is intended for business and professional use by residential care facilities and is not directed to children.
10. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of any material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we will provide additional notice via email or an in-app notification. We encourage you to review this policy periodically.
11. Contact Us
If you have questions or concerns about this privacy policy or our data practices, please contact us:
- Privacy inquiries: info[at]marpass.com
- Security inquiries: security[at]marpass.com

Questions about your data?
We take privacy seriously. Reach out and we will answer any questions you have.