Privacy Policy

Effective date: January 1, 2025
Last updated: June 9, 2026
Metta Health ("Metta Health," "we," "us," or "our") provides revenue cycle management ("RCM") services and software to healthcare providers, including medical billing, accounts receivable management, claims denial management and appeals, out-of-network payer negotiation, and Independent Dispute Resolution ("IDR") arbitration support. This Privacy Policy explains what information we collect, how we use and share it, and the choices and rights available to you.
This Policy applies to our websites, web and browser-extension applications, and related services (collectively, the "Services"). It does not apply to the practices of our customers or any third party we do not control.
1. Our Two Roles
How we handle your information depends on the role we play:
- As a service provider / business associate. When we process information on behalf of a healthcare provider or organization (our "Customer") to deliver the Services, the Customer controls that information. This includes Protected Health Information ("PHI"). Our handling of PHI is governed by the Health Insurance Portability and Accountability Act ("HIPAA") and by the Business Associate Agreement ("BAA") we enter into with each Customer. Where this Policy and a BAA conflict with respect to PHI, the BAA controls.
- As a controller of our own data. When we collect information for our own purposes — for example, account registration, billing, security, and operating our website — we determine how that information is used, as described in this Policy.
If you are a patient, subscriber, or other individual whose information appears in records we process for a Customer, please see Section 10.
2. Information We Collect
2.1 Account and identity information
When you or your organization create and use an account, we collect information that identifies you and supports secure access — including your name and contact details, the credentials and settings used to authenticate you and protect your account, your account preferences and assigned roles, your organization membership, and records of account and access activity.
2.2 Protected Health Information (PHI) and claims data
To deliver RCM and arbitration services, we process healthcare claims and supporting records on behalf of our Customers. This information can include patient and subscriber details, claim and dispute identifiers, the clinical and billing information needed to evaluate and pursue a claim, related financial amounts, supporting documentation, and correspondence exchanged in connection with a dispute. We process this information only to provide the Services and as permitted by our BAA with the relevant Customer.
2.3 Provider, carrier, and entity information
We maintain business information about the providers, provider organizations, carriers/payers, and IDR entities involved in the workflows we support, such as their names, business identifiers, and contact and business details.
2.4 Integration and credential data
When you direct us to connect the Services to systems you use, we collect and store the credentials and authorizations needed to establish and maintain those connections. Sensitive credentials and authorizations are encrypted at rest.
2.5 Files and generated materials
We store the files you upload and the files the Services ingest, process, or generate in the course of delivering the Services, together with basic information about those files.
2.6 Activity and audit logs
We maintain activity and audit logs of actions taken within the Services to support security, accountability, troubleshooting, and our regulatory obligations.
2.7 Technical and usage information
We automatically collect technical information necessary to operate and secure the Services, such as device and browser information, IP address, session data, and log data.
3. How We Use Information
We use information to:
- Provide, operate, maintain, and improve the Services
- Process healthcare claims, prepare arbitration packets, and support IDR and payer-negotiation workflows on behalf of Customers
- Authenticate users, manage accounts and organizations, and enforce permissions
- Communicate with you about the Services, including service and security notices
- Secure the Services, detect and prevent fraud or abuse, and maintain audit trails
- Comply with legal, regulatory, and contractual obligations
We use PHI only as directed by the applicable Customer and as permitted by the BAA and HIPAA. We do not sell personal information or PHI.
Automated processing and AI
Some features use automated and artificial-intelligence tooling (for example, to parse documents and emails or to assist in drafting arbitration materials). These tools operate under contractual protections; where they process PHI, they do so as our subcontractors under terms consistent with HIPAA. We do not permit our AI subprocessors to use Customer data or PHI to train their general models.
4. How We Share Information
We share information only as needed to operate the Services and as described below. We do not sell personal information.
- Within your organization. Information is accessible to authorized members of your organization according to their assigned roles and permissions.
- Service providers and subprocessors. We use vetted third parties to host, store, secure, and process data on our behalf — including cloud infrastructure and object storage (e.g., AWS S3 or compatible storage), email delivery (e.g., SendGrid), Google Workspace APIs, and AI document-processing services. These providers are bound by contractual confidentiality and security obligations, and by a BAA where they handle PHI.
- At your direction. When you connect an integration, we share data with the external system you authorize (e.g., to upload claim tracking data to Google Sheets or to initiate disputes through a payer or IDR portal).
- Legal and safety. We may disclose information when required by law, legal process, or government request, or to protect the rights, safety, and security of Metta Health, our Customers, or others.
- Business transfers. If we are involved in a merger, acquisition, financing, or sale of assets, information may be transferred subject to this Policy and applicable law.
5. Data Security
We maintain administrative, technical, and physical safeguards designed to protect information, consistent with the HIPAA Security Rule and industry practice. These include:
- Encryption of sensitive credentials and tokens at rest, and encryption of data in transit
- Role-based access controls and the principle of least privilege
- Multi-factor authentication and password hashing
- Audit logging of data-affecting actions
- Network controls, monitoring, and access restrictions
No method of transmission or storage is completely secure. We cannot guarantee absolute security, but we work to protect information and to respond promptly to any security incident in accordance with our legal obligations, including breach notification requirements under HIPAA and applicable law.
6. Data Retention
We retain information for as long as needed to provide the Services, to comply with our legal, regulatory, and contractual obligations (including recordkeeping requirements applicable to healthcare claims and disputes), to resolve disputes, and to enforce our agreements. PHI is retained and disposed of in accordance with the applicable BAA. When information is no longer required, we delete or de-identify it using reasonable measures.
7. Your Rights and Choices
Depending on your role and applicable law, you may have rights to access, correct, update, delete, restrict, or obtain a copy of personal information, and to object to certain processing.
- Account holders may review and update much of their account information directly within the Services, or by contacting us.
- Patients and other individuals whose PHI we process should direct requests to access, amend, or restrict PHI to the relevant healthcare provider (our Customer), who controls that information. We will support our Customers in responding to such requests as required by HIPAA. See Section 10.
To exercise rights or ask questions, contact us using Section 13. We will respond as required by applicable law. We will not discriminate against you for exercising your rights.
8. Residents of Certain U.S. States
If you are a resident of California or another state with comprehensive privacy legislation, you may have additional rights regarding personal information, including rights to know, access, correct, delete, and limit certain uses, and to appeal a denied request. We do not sell personal information or share it for cross-context behavioral advertising. PHI and other information governed by HIPAA is generally exempt from these state laws and is handled under HIPAA and the applicable BAA. To exercise applicable rights, contact us using Section 13.
9. International Data Transfers
The Services are operated in the United States and are intended for use by U.S. healthcare providers. If you access the Services from outside the United States, you understand that your information will be processed in the United States, where data-protection laws may differ from those in your jurisdiction.
10. Patients and Other Individuals (PHI)
If you are a patient, subscriber, or other individual whose information appears in records we process, Metta Health acts as a business associate to your healthcare provider, not as the entity that controls your health information. We process your information solely to provide services to that provider under a BAA and HIPAA. Requests to access, amend, restrict, or learn how your PHI is used or disclosed should be directed to your provider, who is the appropriate point of contact for those rights. We will assist our Customers in fulfilling these obligations as required by law.
11. Children's Privacy
The Services are intended for use by healthcare and business professionals and are not directed to children. We do not knowingly collect personal information directly from children through the Services. Health records we process on behalf of Customers may relate to patients of any age; such information is handled as PHI under HIPAA and the applicable BAA.
12. Third-Party Services and Links
The Services integrate with and may link to third-party systems (such as Google Workspace and payer or IDR portals). Those services are governed by their own privacy policies and terms, and we are not responsible for their practices. We encourage you to review the policies of any third-party service you use.
13. Contact Us
If you have questions about this Privacy Policy or our data practices, or wish to exercise a privacy right, contact us at:
Metta Health
Email: contact@mettahealth.org
Mailing address: 251 Little Falls Dr, Wilmington, DE, 19808
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will revise the "Last updated" date above and, where required, provide additional notice. Your continued use of the Services after an update takes effect constitutes acceptance of the revised Policy.

