Malama Provider Portal Privacy Policy
Last updated: May 19, 2026
This Privacy Policy describes how Malama Health, Inc. (“Malama,” “we,” “us,” or “our”) handles personal information that we collect through our websites, mobile applications, provider portal, patient portal, digital tools, forms, communications, social media, marketing activities, events, and other online or offline interactions that link to or reference this Privacy Policy (collectively, the “Service”).
This Privacy Policy applies to:
patients, members, prospective patients, and other individuals who use Malama’s patient-facing services;
healthcare providers, clinical staff, care coordinators, doulas, administrators, payer personnel, community-based care team members, and other professional users who register for, access, or use the Malama Provider Portal (“Provider Portal Users”);
visitors to Malama websites and digital properties;
individuals who communicate with us, attend events, submit forms, participate in research or surveys, or otherwise interact with Malama.
If you are a Malama customer, patient, member, or participant through your healthcare provider, health plan sponsor, insurer, care organization, employer, or related organization or company, this Privacy Policy is not intended to modify or supersede any privacy notice, privacy policy, Notice of Privacy Practices, authorization, consent, or other privacy document provided by that organization.
Where Malama receives Protected Health Information subject to the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”) in our role as a HIPAA-regulated Business Associate of a healthcare provider, health plan sponsor, insurer, care organization, or similar organization, this Privacy Policy does not govern our handling of that Protected Health Information. We process that information consistent with our obligations under the applicable Business Associate Agreement (“BAA”).
This Privacy Policy is not a Notice of Privacy Practices under HIPAA. Malama’s HIPAA Notice of Privacy Practices, where applicable, is available separately.
1. Personal Information We Collect
We collect personal information in several ways, including information you provide to us, information collected automatically, information from third parties, and information generated through your use of the Service.
1.1 Information You Provide to Us
Personal information you may provide to us through the Service or otherwise includes:
Contact data, such as your first and last name, email address, phone number, mailing address, and other contact information.
Account data, such as username, password, profile information, provider code, organization affiliation, role, preferences, settings, and any other information you add to your account profile.
Health and wellness data, such as glucose levels, meals, meal photos, activity information, sleep information, stress information, pregnancy-related information, postpartum information, symptoms, goals, health notes, biometric information, care plan information, and other health-related information you choose to provide.
Demographic information, such as city, state, country of residence, postal code, age, language preference, pregnancy status, postpartum status, insurance status, or other information relevant to care navigation or program eligibility.
Program eligibility and benefits information, such as health plan, Medicaid status, benefit eligibility, program enrollment information, social needs, resource needs, referral information, and information needed to determine eligibility for Malama-supported services or community resources.
Communications, including messages, emails, texts, chats, phone calls, forms, support requests, survey responses, feedback, social media messages, and other communications that we exchange with you.
Transactional data, such as information relating to purchases, payments, orders, subscriptions, invoices, transaction history, or other payment-related activity, where applicable.
Marketing data, such as your preferences for receiving marketing communications and details about your engagement with our emails, messages, events, campaigns, and other communications.
User-generated content, such as notes, logs, photos, messages, comments, responses, forms, or other content that you generate, transmit, upload, or otherwise make available through the Service, along with associated metadata.
Relationship data, such as your familial, caregiver, clinical, administrative, or other relationship to individuals whose information you provide to us.
Consent and authorization data, such as electronic signatures, checkbox acknowledgments, permissions, consents, authorizations, communication preferences, opt-ins, opt-outs, timestamps, document versions, IP address, and records of your agreement to terms, policies, or notices.
Other information, which we will use as described in this Privacy Policy or as otherwise disclosed at the time of collection.
1.2 Information We Collect from Provider Portal Users
If you register for, access, or use the Malama Provider Portal, we may collect additional personal information, including:
Professional account information, such as name, work email address, work phone number, title, role, department, professional credentials, specialty, license information, NPI, username, password, and account settings.
Organization information, such as organization name, practice name, facility name, care team name, payer name, organization type, website, work email domain, business address, service locations, facility identifiers, NPI, tax identifier, specialties, patient population, and program participation information.
Verification information, such as information used to verify your identity, role, professional status, organization affiliation, authority to bind an organization, or eligibility to access the Provider Portal.
Provider portal activity information, such as login activity, session data, pages viewed, reports accessed, patients viewed, patients invited, Authorized Users invited or removed, features used, actions taken, exports, downloads, support requests, audit logs, timestamps, IP address, browser type, device information, and user-agent information.
Agreement and signature records, such as checkbox acknowledgments, electronic signatures, signer name, signer email, signer role/title, organization name, timestamp, IP address, user agent, document versions, agreement snapshot, and records showing that you or your organization accepted Malama terms, policies, agreements, or notices.
Support and implementation information, such as support tickets, onboarding information, training interactions, technical questions, workflow information, EHR or system information, and communications with Malama support or account teams.
Patient-related information, if you or your organization submits, accesses, uses, or receives patient information through the Provider Portal. Patient-related information may include Protected Health Information under HIPAA and may be governed by a Business Associate Agreement rather than this Privacy Policy.
1.3 Information from Third-Party Sources
We may combine personal information we receive from you with personal information we obtain from other sources, such as:
Healthcare providers, care teams, health plans, payers, insurers, or care organizations, such as referral information, enrollment information, eligibility information, care coordination information, or information needed to provide the Service.
Public sources, such as government agencies, public records, professional licensing databases, public provider directories, social media platforms, and other publicly available sources.
Data providers, such as information services and data licensors that provide demographic, contact, verification, eligibility, or other information.
Marketing partners, such as joint marketing partners, event co-sponsors, webinar partners, and referral partners.
Third-party services, such as Apple Health, Google Fit, glucose meters, continuous glucose monitors, EHRs, health information exchanges, scheduling tools, communication tools, or other services that you choose to connect to or use with the Service.
Organizations associated with Provider Portal Users, such as the healthcare practice, facility, payer, care organization, or administrator that invites or authorizes you to use the Provider Portal.
1.4 Automatic Data Collection
We, our service providers, and our business partners may automatically collect information about you, your computer or mobile device, and your interactions over time with the Service, our communications, and other online services, such as:
Device data, such as operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type, IP address, unique identifiers, language settings, mobile device carrier, radio/network information, and general location information such as city, state, or geographic area.
Online activity data, such as pages or screens viewed, time spent on pages or screens, navigation paths, referring website, access times, duration of access, features used, buttons clicked, forms submitted, email opens, email clicks, and other interaction data.
Provider Portal logs, such as login events, failed login attempts, password resets, account changes, user-management events, patient access events, report access events, export events, invitation events, support events, audit logs, security logs, and administrative activity.
Precise geolocation data, when you authorize our mobile application or other Service features to access your device’s location.
1.5 Cookies and Similar Technologies
Some of the automatic collection described above is facilitated by technologies such as:
Cookies, which are small text files that websites store on user devices and that allow web servers to record browsing activities and remember submissions, preferences, and login status.
Local storage technologies, such as HTML5 local storage, which provide cookie-equivalent functionality and may store information on your device.
Web beacons, pixel tags, clear GIFs, SDKs, scripts, and similar technologies, which can be used to determine whether a webpage, email, message, or content was accessed, opened, viewed, or clicked.
We may use these technologies for technical operation, security, account authentication, functionality, analytics, performance measurement, product improvement, marketing, and compliance.
1.6 Information About Others
We may offer features that help users invite patients, providers, staff, care team members, family members, contacts, or other individuals to use the Service.
If you provide information about another person, you represent that you have the right, permission, consent, authorization, or other lawful basis to provide that information to us.
Please do not refer someone to us, invite someone, or share their contact details or health information with us unless you have permission or another lawful basis to do so.
2. How We Use Personal Information
We may use personal information for the following purposes or as otherwise described at the time of collection.
2.1 Service Delivery
We may use personal information to:
provide, operate, maintain, secure, and improve the Service;
create, maintain, and administer accounts;
provide patient-facing tools, provider-facing tools, care coordination tools, remote monitoring tools, reports, dashboards, reminders, and related functionality;
facilitate invitations to patients, care teams, providers, staff, family members, or other contacts;
personalize your experience with the Service and our communications;
communicate with you about the Service, including announcements, updates, security alerts, support messages, administrative messages, and account notices;
provide support and respond to requests, questions, and feedback;
verify identity, eligibility, account status, organization affiliation, or provider credentials;
manage access permissions, account roles, provider organizations, and Authorized Users;
maintain audit logs, security logs, and agreement acceptance records.
2.2 Patient Support, Care Navigation, and Program Operations
Depending on the Service you use, we may use personal information to:
support pregnancy, postpartum, diabetes, nutrition, remote monitoring, care coordination, doula care, care navigation, social care navigation, or other Malama-supported services;
help identify needs, resources, benefits, programs, or support services;
facilitate referrals, resource matching, care navigation, and closed-loop support workflows;
communicate with patients, members, providers, care teams, payers, or support organizations;
support patient engagement, reminders, education, logging, and reporting;
help providers and care teams review information submitted through Malama;
generate reports, summaries, dashboards, or other outputs.
Where this information is Protected Health Information processed by Malama as a Business Associate, it is governed by the applicable BAA.
2.3 Provider Portal Operations
We may use Provider Portal User information to:
create, administer, secure, and maintain Provider Portal accounts;
verify Provider Portal Users and Provider Organizations;
determine eligibility for Provider Portal access;
enable access to Provider Portal features;
manage Authorized Users, organization administrators, permissions, and roles;
provide support, training, onboarding materials, and technical assistance;
communicate about account status, portal functionality, security, legal terms, product updates, support requests, and administrative issues;
generate and maintain audit logs and security logs;
monitor, prevent, detect, investigate, and respond to security incidents, unauthorized access, misuse, fraud, or unlawful activity;
enforce Malama’s terms, policies, agreements, and legal rights;
operate, maintain, measure, improve, and develop Malama’s products and services;
understand provider workflows and product usage;
comply with legal, regulatory, contractual, security, and compliance obligations.
2.4 Research and Development
We may use personal information for research and development purposes, including to analyze, measure, develop, and improve the Service, our business, and our products.
Where required, we will use de-identified, aggregated, authorized, or otherwise legally permitted information.
Where Protected Health Information is involved, our use is subject to HIPAA and the applicable BAA.
2.5 Marketing and Communications
We and our service providers may send you marketing communications, newsletters, event invitations, product updates, educational content, or other communications.
You may opt out of marketing communications as described in the “Your Choices” section below.
No mobile information will be shared with third parties or affiliates for their marketing or promotional purposes. Text messaging originator opt-in data and consent will not be shared with third parties except as necessary to provide messaging services, comply with law, or as otherwise permitted by applicable law.
We may continue to send you non-marketing communications, including service messages, account notices, security alerts, care-related communications, support responses, legal notices, and administrative messages.
2.6 Compliance and Protection
We may use personal information to:
comply with applicable laws, lawful requests, legal process, subpoenas, court orders, audits, investigations, or government requests;
protect our, your, patients’, providers’, or others’ rights, privacy, safety, or property;
establish, exercise, or defend legal claims;
audit internal processes for compliance with legal, contractual, security, or policy requirements;
enforce the terms and conditions that govern the Service;
prevent, identify, investigate, and deter fraudulent, harmful, unauthorized, unethical, or illegal activity, including cyberattacks, credential abuse, identity theft, misuse of patient information, and unauthorized access.
2.7 With Consent or Direction
In some cases, we may ask for your consent to collect, use, or share personal information, such as where required by law.
We may also use or share personal information when you direct us to do so, such as when you connect third-party services, invite a provider, invite a patient, submit a referral, authorize sharing with a care team, or otherwise instruct us to share information.
2.8 De-Identified, Aggregated, or Anonymous Data
We may create de-identified, aggregated, or anonymous data from personal information and other information we collect.
We may use and share de-identified, aggregated, or anonymous data for lawful business purposes, including analytics, benchmarking, research, product improvement, publication, service development, operations, marketing, and business planning.
Where de-identified information is created from Protected Health Information, we will de-identify the information in accordance with HIPAA or as otherwise permitted by the applicable BAA.
3. How We Share Personal Information
We may share personal information with the following parties and as otherwise described in this Privacy Policy or at the time of collection.
3.1 Affiliates
We may share personal information with our corporate parent, subsidiaries, and affiliates for purposes consistent with this Privacy Policy.
3.2 Service Providers
We may share personal information with third parties that provide services on our behalf or help us operate the Service or our business, such as hosting, cloud infrastructure, information technology, security, analytics, customer support, email delivery, text messaging, communications, billing, payment processing, marketing, research, product analytics, and administrative services.
3.3 Healthcare Providers, Care Teams, Payers, and Care Organizations
We may share personal information with healthcare providers, care teams, health plans, payers, insurers, care coordination organizations, doulas, community-based organizations, resource partners, or other organizations where needed to provide the Service, support care coordination, support patient navigation, facilitate referrals, operate the Provider Portal, or as directed or authorized by you or your organization.
For example, we may share information needed for healthcare providers or care teams to access and review glucose logs, meal logs, trends, reports, patient-submitted information, care navigation information, or other information available through Malama.
Where information is Protected Health Information governed by a BAA, we use and disclose that information in accordance with the BAA and applicable law.
3.4 Provider Organizations and Account Administrators
If you are a Provider Portal User, we may share information about your Provider Portal account and activity with the Provider Organization associated with your account, including account administrators or other authorized personnel.
This may include your name, work email, role, account status, permissions, login activity, patient access activity, invitation activity, support requests, and other information needed to manage Provider Portal access, security, compliance, audit logs, and organization administration.
3.5 Third Parties Designated by You
We may share personal information with third parties when you direct us or consent to the sharing.
For example, we may share information with a healthcare provider, care team, family member, support person, health app, connected device, payer, benefit program, or resource partner when you authorize or direct us to do so.
3.6 Linked Third-Party Services
If you log into the Service with, connect to, or otherwise link your account to a third-party service, such as Apple Health, Google Fit, a glucose meter, CGM platform, EHR, communication tool, scheduling tool, or other service, we may share personal information with that third-party service.
The third party’s use of shared information is governed by its own privacy policy, terms, and account settings.
3.7 Business and Marketing Partners
We may share personal information with business partners, event partners, co-sponsors, referral partners, or organizations with whom we jointly offer products, services, events, programs, or content.
We do not share text messaging opt-in data or consent with third parties for their marketing or promotional purposes.
3.8 Payment Processors
Where payment is required, payment information may be collected and processed directly by payment processors, such as Stripe, or other payment providers.
Payment processors use payment information in accordance with their own privacy policies and terms.
3.9 Professional Advisors
We may share personal information with professional advisors, such as lawyers, auditors, accountants, bankers, insurers, and consultants, where necessary in the course of the professional services they provide to us.
3.10 Authorities and Others
We may share personal information with law enforcement, government authorities, courts, regulators, private parties, or others where we believe in good faith that disclosure is necessary or appropriate for the compliance and protection purposes described above.
3.11 Business Transferees
We may share personal information with acquirers and other relevant participants in business transactions, or negotiations or due diligence for business transactions, involving a corporate divestiture, merger, consolidation, acquisition, financing, reorganization, bankruptcy, sale, or other disposition of all or any portion of Malama’s business, assets, or equity interests.
4. Cookies and Similar Technologies
We may use cookies and similar technologies for:
Technical operation, such as enabling login, authentication, session management, security, load balancing, and core Service functionality.
Functionality, such as remembering preferences, settings, language, account state, and form entries.
Analytics, such as helping us understand how users interact with the Service, which pages and features are used, how users navigate, and how we can improve usability.
Security, such as detecting suspicious activity, preventing unauthorized access, investigating misuse, and maintaining audit logs.
Marketing and communications, such as measuring engagement with emails, campaigns, websites, events, and content.
We may use Google Analytics or similar tools. You can learn more about Google Analytics and available opt-out tools from Google.
Most browsers let you remove or reject cookies. If you disable cookies, some parts of the Service may not work properly.
5. Retention of Personal Information
We generally retain personal information for as long as reasonably necessary to fulfill the purposes for which we collected it, including to provide the Service, maintain accounts, support care coordination, comply with legal, accounting, reporting, contractual, security, and regulatory obligations, establish or defend legal claims, enforce agreements, maintain audit logs, prevent fraud, and protect the Service.
Provider Portal account records, audit logs, security logs, agreement acceptance records, and electronic signature records may be retained after account termination where necessary for legal, compliance, security, contractual, or evidentiary purposes.
Where information is Protected Health Information governed by a BAA, retention may also be governed by HIPAA, the BAA, and applicable agreements with covered entities or business associates.
6. Your Choices
6.1 Access or Update Your Information
If you have registered for an account with us through the Service, you may review and update certain account information by logging into your account and navigating to account settings, if available.
You may also contact us to request access to, correction of, or deletion of certain personal information.
6.2 Provider Portal Account Choices
Provider Portal Users may contact Malama or their Provider Organization administrator to request access to, correction of, or deactivation of certain Provider Portal account information.
Provider Organizations are responsible for managing Authorized Users and removing users who are no longer authorized to access the Provider Portal.
Certain Provider Portal information may be retained as necessary to maintain audit logs, comply with legal or contractual obligations, resolve disputes, enforce agreements, maintain security, or preserve records of electronic acceptance.
6.3 Opt Out of Marketing Communications
You may opt out of marketing-related emails by following the unsubscribe or opt-out instructions at the bottom of the email or by contacting us.
You may continue to receive service-related and other non-marketing emails.
If you receive marketing text messages from us, you may opt out of receiving further marketing text messages by replying STOP, where available.
6.4 Cookies
Most browsers let you remove or reject cookies. To do this, follow the instructions in your browser settings.
Many browsers accept cookies by default until you change your settings.
If you set your browser to disable cookies, the Service may not work properly.
6.5 Mobile Location Data
You can disable our access to your device’s precise geolocation in your mobile device settings.
6.6 Linked Third-Party Services
If you connect the Service to a third-party platform, application, device, or account, you may be able to use settings in that third-party service to limit information shared with us.
If you revoke our ability to access information from a third-party service, that choice will not affect information we already received.
6.7 Delete Content or Close Account
You may be able to delete certain content through your account.
If you wish to request to close your account, please contact us.
We may retain certain information as necessary for legal, compliance, security, fraud prevention, audit, contractual, or operational purposes.
6.8 Declining to Provide Information
We need to collect certain personal information to provide the Service.
If you do not provide information identified as required or mandatory, we may not be able to provide the Service or certain features.
6.9 Do Not Track
Some internet browsers may be configured to send “Do Not Track” signals to online services. We currently do not respond to “Do Not Track” or similar signals.
7. Other Sites and Services
The Service may contain links to websites, mobile applications, forms, platforms, and other online services operated by third parties.
Our content may also be integrated into web pages, mobile applications, or other online services that are not associated with us.
These links and integrations are not an endorsement of, or representation that we are affiliated with, any third party.
We do not control websites, mobile applications, platforms, or online services operated by third parties, and we are not responsible for their actions, privacy practices, or terms.
We encourage you to read the privacy policies of other websites, applications, platforms, and services you use.
8. Security
We employ technical, organizational, and physical safeguards designed to protect the personal information we collect.
However, security risk is inherent in all internet, software, and information technologies, and we cannot guarantee the security of personal information.
You are responsible for maintaining the confidentiality of your account credentials and for using appropriate security practices when accessing the Service.
Provider Organizations are responsible for managing their Authorized Users, removing users who are no longer authorized, and maintaining the security of their own systems, devices, networks, and accounts.
9. International Data Transfer
We are headquartered in the United States and may use service providers that operate in other countries.
Your personal information may be transferred to the United States or other locations where privacy laws may not be as protective as those in your state, province, or country.
10. Children
The Service is not intended for use by anyone under 16 years of age unless provided through an authorized parent, guardian, healthcare provider, health plan, care organization, or other legally permitted pathway.
If you are a parent or guardian of a child from whom you believe we have collected personal information in a manner prohibited by law, please contact us.
If we learn that we have collected personal information through the Service from a child without consent or another lawful basis required by applicable law, we will comply with applicable legal requirements to delete the information.
11. HIPAA and Protected Health Information
Malama may receive, create, maintain, or transmit Protected Health Information in different capacities.
When Malama handles Protected Health Information on behalf of a healthcare provider, health plan, payer, insurer, care organization, or similar entity as a Business Associate under HIPAA, that information is governed by the applicable Business Associate Agreement and HIPAA, not this Privacy Policy.
When Malama acts as a covered entity or otherwise provides services subject to a HIPAA Notice of Privacy Practices, our HIPAA Notice of Privacy Practices may apply.
If you have questions about Protected Health Information maintained by your healthcare provider, health plan, payer, or care organization, please contact that organization directly.
12. State Privacy Rights
Depending on where you live, you may have certain privacy rights under state privacy laws. These rights may include the right to request access to, correction of, deletion of, or portability of certain personal information, or the right to opt out of certain uses or disclosures.
Some information, including Protected Health Information governed by HIPAA, may be exempt from certain state privacy law requirements.
To exercise available privacy rights, contact us using the information below.
We may need to verify your identity before fulfilling your request.
If your request relates to information we process on behalf of a healthcare provider, health plan, payer, care organization, or other customer, we may direct you to that organization or process your request in accordance with our agreement with that organization.
13. Changes to this Privacy Policy
We may modify this Privacy Policy at any time.
If we make material changes, we will notify you by updating the date of this Privacy Policy and posting the modified version on the Service, or by other appropriate means.
Any modifications will be effective when posted or as otherwise indicated at the time of posting.
Your use of the Service after the effective date of a modified Privacy Policy indicates your acceptance of the modified Privacy Policy to the extent permitted by applicable law.
14. How to Contact Us
You may contact us about this Privacy Policy or our privacy practices at:
Email: legal@heymalama.com
Mail: Malama Health, Inc.
2261 Market Street #4875
San Francisco, CA 94114
For Provider Portal support or account questions, you may also contact:
Email: support@heymalama.com