
Legal Directives including Terms of Use and Privacy Policy
Contact: itsupport@graymattersalliance.com to delete your account or for information regarding these policies.

Terms of Use Policy and Conditions

Gray Matters Alliance – Mobile App Privacy Policy 

Effective Date: 09/22/2025 
Applies To: 

  • GMA MyCompass™ App (Apple App Store only) 

  • GMA Compass Care Calling™ App (Apple & Google Play Store) 

  • GMA Compass Care Alerts™ App (Apple & Google Play Store) 

 

1. Purpose and Scope 

This Privacy Policy (“Policy”) describes how Gray Matters Alliance, LLC (“GMA,” “we,” “our,” or “us”) collects, uses, discloses, and protects personally identifiable information (“PII”) and protected health information (“PHI”) when you use any of the following mobile applications: 

  • MyCompass™ App – used by individuals receiving services (“End Users”) under GMA’s support programs 

  • Compass Care Calling™ App – used by guardians, legal representatives, or authorized professionals to communicate with End Users 

  • Compass Care Alerts™ App – used by guardians and authorized support personnel to receive real-time safety notifications. 

  • iPad® and the mobile digital device are registered trademarks of Apple Inc. Apple TV+, Apple Fitness+, and Apple Music services and all materials incorporated on the services (including, but not limited to text, photographs, images, video, music, and audio content) are protected by copyright, patent, trade secret, or other proprietary rights under the laws of the United States and other countries and regions. Some of the titles, characters, logos, or other images incorporated by Apple on these services are protected as registered or unregistered trademarks owned by Apple Inc. and its affiliates. All other trademarks are the property of their respective owners. 

These applications are part of GMA’s MyCompass System™, a comprehensive, HIPAA-compliant remote support and assistive technology platform that includes: 

  • The Compass Care Mobile™ and Web Apps 

  • Compass Care Alerts 

  • Compass Care Calling 

  • Secure cloud storage and APIs 

  • Raspberry Pi-based home technology 

  • Mobile Device Management (MDM) 

  • Optional content filtering and monitoring tools 

This Policy governs the handling of all data processed through these mobile applications, regardless of platform (iOS or Android), and applies to: 

  • End Users of the MyCompass App™ 

  • Authorized Users (guardians, caregivers, clinicians, or legal representatives) using the Compass Care Calling™ or Compass Care Alerts™ Apps 

  • Any information synced to or from GMA’s secure backend systems 

By downloading or using any of the apps, you acknowledge that you have read, understood, and accepted the terms of this Privacy Policy. 

2. Definitions 

The following definitions apply to this Privacy Policy and govern all interactions with the MyCompass™ App, Compass Care Calling™ App, and Compass Care Alerts™ App, collectively referred to herein as “the Apps.” These definitions ensure consistency across platforms and clarify the roles, rights, and responsibilities of users and GMA. 

 

2.1 “Apps” or “Applications” 

Refers collectively to the following mobile applications owned and operated by Gray Matters Alliance, LLC: 

  • GMA MyCompass™ App: A mobile application used by individuals (“End Users”) to access personal goals, receive support, communicate with care teams, and engage with safety and independence tools. Available via the Apple App Store only. 

  • Compass Care Calling™ App: A mobile application that allows Authorized Users to initiate or receive calls with End Users through the MyCompass System. Available on both Apple App Store and Google Play Store. 

  • Compass Care Alerts™ App: A mobile application for receiving real-time alerts and safety notifications about End Users based on predetermined thresholds, behaviors, or emergency indicators. Available on both Apple App Store and Google Play Store. 

 

2.2 “MyCompass System™” 

The integrated, HIPAA-compliant infrastructure operated by GMA, including mobile and web apps, cloud-based backend, secure APIs, MDM tools, and Raspberry Pi-based home technology. This system supports remote support services, care planning, device management, alerting, and communications for individuals served by GMA. 

 

2.3 “Gray Matters Alliance” or “GMA” 

Gray Matters Alliance, LLC, the legal entity responsible for developing, maintaining, and operating the Apps and associated technologies. GMA is a covered entity under HIPAA and the primary data steward for information processed through the Apps. 

 

2.4 “Protected Health Information” (PHI) 

As defined by HIPAA (45 CFR § 160.103), PHI refers to any individually identifiable health information transmitted or maintained in any form or medium that relates to: 

  • The individual’s health or condition, 

  • The provision of health care, or 

  • Payment for health care services, 
    and that can identify the individual or can reasonably be used to identify them. 

 

2.5 “Personally Identifiable Information” (PII) 

Information that can be used on its own or with other information to identify, contact, or locate a person, including (but not limited to): 

  • Full name 

  • Address 

  • Email 

  • Phone number 

  • Date of birth 

  • IP address 

  • Device identifier 

 

2.6 “End User” 

The individual receiving remote support services through GMA, typically using the MyCompass App directly. End Users may include persons with intellectual, developmental, or physical disabilities, aging adults, or others receiving waiver or clinical services. In some cases, End Users may require or authorize a guardian or representative to manage access on their behalf. 

 

2.7 “Authorized User” 

An individual who is legally authorized to access information about an End User. This includes: 

  • Legal guardians 

  • Parents or spouses with power of attorney 

  • Case managers, clinicians, or care providers with documented consent or contract authority 

Authorized Users may access or use the Compass Care Calling App or Compass Care Alerts App to fulfill their caregiving responsibilities or professional duties under HIPAA-compliant agreements. 

 

2.8 “Consent” or “Authorization” 

Refers to documented permission by the End User or their legally authorized representative, as required under 45 CFR § 164.508, for the collection, use, or disclosure of PHI or PII by GMA and its business associates. 

 

2.9 “Business Associate” 

Any individual or entity who performs functions involving PHI on behalf of GMA, pursuant to a formal Business Associate Agreement (BAA) as defined under HIPAA. This may include cloud hosting providers, software vendors, or customer support services. 

 

2.10 “Device Metadata” 

Automatically collected technical data related to app or device use, which may include: 

  • IP address 

  • Device operating system 

  • Device ID (Apple IDFA or Android AAID) 

  • Crash logs 

  • App version and usage patterns 

 

2.11 “De-Identified Data” 

Data that has been stripped of all personal identifiers such that the information cannot reasonably be used to identify an individual, in accordance with HIPAA’s de-identification standards (45 CFR § 164.514). 

 

2.12 “Mobile Device Management (MDM)” 

A set of administrative and technical tools used by GMA to monitor and control GMA-provided tablets or phones issued to End Users. MDM may include: 

  • App usage restriction 

  • Location tracking (if authorized) 

  • Internet filtering 

  • Device health and compliance monitoring 

 

2.13 “Emergency Event” 

A system-defined incident or condition that may include boundary breaches, periods of inactivity, fall detection, or any safety-related event that triggers an alert within the Compass Care Alerts App or initiates contact through Compass Care Calling. 

3. Information Collected 

GMA collects limited, purpose-driven information through its mobile applications to support individualized services, promote safety, and comply with healthcare obligations. Information is collected only when: 

  • Necessary for service delivery or client protection, 

  • Authorized by the End User or legal representative, or 

  • Required by law or regulatory contract. 

Information may be submitted directly by the user, passively collected via system use, or received from third-party integrations under Business Associate Agreements (BAAs). 

 

3.1 MyCompass™ App (Apple App Store – End Users) 

The MyCompass App is designed for individuals receiving remote support services. It collects information to facilitate daily routines, goals, wellness monitoring, and communication. 

Data Collected Includes: 

  • Personally Identifiable Information (PII): 

      ◦ Full name, date of birth, contact information, client ID (if used) 

  • Service-Related Data (PHI): 

      ◦ Support schedules, goal tracking, check-in notes, reminders 

      ◦ Emergency contacts and custom alert preferences 

      ◦ Inputted self-notes or feedback forms 

  • App Interaction Data: 

      ◦ Page visits, clicks, frequency of logins, timestamped activities 

  • Device Metadata (via MDM): 

      ◦ Device type, OS version, IP address, crash reports 

Sensitive Data Handling: 

  • No biometric data, GPS location, or microphone/camera access is collected unless explicitly enabled and authorized. 

  • The MyCompass App does not use tracking cookies, advertising IDs, or analytics SDKs unrelated to medical or care support. 

 

3.2 Compass Care Calling™ App (Apple + Google – Guardians & Care Teams) 

The Compass Care Calling App allows authorized individuals to initiate or respond to calls with the End User. This may include scheduled check-ins, support follow-ups, or wellness calls. 

Data Collected Includes: 

  • Caller/Recipient Identity: 

      ◦ Display name, linked client ID, authorized user role 

  • Communication Metadata (not content): 

      ◦ Call initiation timestamps, call duration, direction (incoming/outgoing), error codes 

  • Device Metadata: 

      ◦ IP address, device ID, operating system 

  • User Authentication Tokens: 

      ◦ Secured session ID used to verify the user and associate actions with proper records 

Note: 

  • No call audio is recorded or stored. 

  • GMA does not access call content unless such functionality is implemented in the future with express authorization and policy update. 

 

3.3 Compass Care Alerts™ App (Apple + Google – Guardians & Care Teams) 

The Compass Care Alerts App provides real-time event notifications and logs concerning End User safety, based on thresholds defined in the support plan. 

Data Collected Includes: 

  • Alert Metadata: 

      ◦ Alert type (e.g., boundary exit, inactivity, environmental trigger) 

      ◦ Timestamp, status (acknowledged/unacknowledged), and recipient log 

  • Authorized User Information: 

      ◦ Name, role, contact, linked clients 

  • Device Metadata: 

      ◦ Push token for notifications, OS version, device type 

  • Optional Geolocation (if enabled): 

      ◦ Approximate GPS coordinates of the End User only when alert location monitoring is explicitly enabled by the guardian or representative 

Notes: 

  • Alerts are based on rules configured by authorized parties (e.g., caregivers, agencies). 

  • No continuous location tracking is performed unless explicitly configured and consented to by guardian or End User where legally appropriate. 

 

3.4 Shared System-Level Data (All Apps) 

The following technical and security-related data may be collected across all apps: 

  • User authentication logs and timestamps 

  • Password resets or session expirations 

  • Mobile Device Management (MDM) status 

  • App version, usage health, and error reporting 

  • Consent acknowledgment logs (e.g., EULAs, authorization forms) 

 

3.5 Optional or Third-Party Integrated Data 

If the MyCompass System is connected to approved third-party tools (e.g., smart medication dispensers, wearable sensors, or remote support platforms), GMA may receive: 

  • Device readings (e.g., medication events, fall sensors) 

  • Status reports (e.g., device disconnected, low battery) 

  • Usage patterns or alert history 

All such data is received under a HIPAA-compliant Business Associate Agreement and handled in accordance with this policy. 

 

3.6 Data Minimization and Least Privilege Access 

GMA enforces HIPAA’s “minimum necessary” standard. No employee, guardian, or system administrator may access more data than is required for the delivery of services. All access is logged and monitored. 

4. Legal Basis for Use of Information 

GMA collects, uses, and discloses information through its mobile applications only when there is a valid legal and ethical basis to do so. This clause outlines the lawful grounds under which information from the MyCompass App, Compass Care Calling App, and Compass Care Alerts App may be processed, in accordance with the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and other applicable U.S. privacy laws. 

 

4.1 Treatment, Care Coordination, and Service Delivery 

Under HIPAA (45 CFR § 164.506), GMA may use and disclose Protected Health Information (PHI) without separate authorization when it is necessary for: 

  • Providing, coordinating, or managing remote support services; 

  • Facilitating direct care communication between clients and authorized caregivers; 

  • Responding to safety events, alerts, or wellness checks; 

  • Personalizing the MyCompass™ experience for the End User (e.g., goal tracking, schedule configuration). 

This is the primary basis for most data processing within all three applications. 

 

4.2 Legal Authorization and Consent 

GMA collects and uses PHI/PII based on signed HIPAA Authorizations, consents, or legal documentation provided by: 

  • The End User (if legally competent and authorized to do so); 

  • A legal guardian, health care power of attorney, or parent with documented authority; 

  • A state or agency-appointed representative under applicable state regulations. 

These consents authorize access to GMA MyCompass™, Compass Care Calling™, and/or Alerts and are logged in accordance with federal retention requirements. 

 

4.3 Regulatory and Contractual Obligations 

GMA may process data as required under federal, state, or local law, including: 

  • Compliance with Medicaid waiver programs, aging services, or state disability service contracts; 

  • Documentation of remote support service delivery; 

  • Incident or audit reporting obligations; 

  • Retention requirements mandated by funding agencies. 

No PHI is used for reasons beyond the scope of contractual service delivery or legal compliance without written authorization. 

 

4.4 Legitimate Interests in Client Safety 

To the extent permitted by law, GMA may rely on its legitimate interest in promoting client safety and well-being when: 

  • Sending system alerts to authorized parties in the event of a fall, elopement, or inactivity; 

  • Using app-based metadata to detect potential risks or failures (e.g., lack of device use); 

  • Managing emergency contact lists, device rules, or alert escalation trees. 

All such uses are governed by minimum necessary principles and user role permissions. 

 

4.5 Business Associate Agreements 

Any third-party vendor, contractor, or integrated service provider that processes or accesses data on behalf of GMA is subject to a Business Associate Agreement (BAA) in compliance with 45 CFR § 164.502(e). 

These partners may only use PHI/PII for the purpose of supporting service delivery and must maintain the same level of privacy and security controls as GMA. 

 

4.6 De-Identified and Aggregated Use 

GMA may use de-identified data, stripped of all identifiers in accordance with 45 CFR § 164.514, for: 

  • Quality assurance 

  • Product improvement 

  • System analytics 

  • Non-commercial research 

No such use is traceable to any End User or Authorized User and no marketing or advertising profiling is conducted with this data. 

5. How Information Is Used 

GMA uses information collected through the MyCompass App, Compass Care Calling App, and Compass Care Alerts App solely for the provision of lawful, consented, and necessary services as part of our customized remote support system. All data handling is governed by the principles of: 

  • Privacy: Information is only accessed by those with legitimate and authorized roles. 

  • Security: Data is encrypted, access-controlled, and monitored for unauthorized use. 

  • Confidentiality: Only the minimum necessary information is used to deliver services. 

We do not sell, share, or monetize user data. No collected information is used for advertising, profiling, or analytics related to the individual's care or system performance. 

 

5.1 To Support Day-to-Day Remote Services (MyCompass App) 

Information collected through the MyCompass App may be used to: 

  • Present schedules, reminders, or goal prompts for the End User; 

  • Facilitate the End User’s ability to log progress, communicate support needs, or provide input; 

  • Notify the End User about system updates, reminders, or personal achievements; 

  • Tailor app experiences to individual support plans; 

  • Help authorized support personnel understand patterns of engagement or inactivity. 

No content is used beyond the bounds of remote care, and all interactions are encrypted and stored in HIPAA-compliant environments. 

 

5.2 To Facilitate Secure Communication (Compass Care Calling App) 

The Compass Care Calling App allows legally authorized parties to connect with an End User via audio or video call. Data from this app may be used to: 

  • Facilitate live interactions between the End User and their support network; 

  • Track whether wellness or safety check-ins were attempted or completed; 

  • Identify service delivery gaps (e.g., repeated missed calls); 

  • Log connection issues to ensure technical reliability; 

  • Authenticate the calling party and protect against unauthorized access. 

No audio or video content is recorded or retained unless such functionality is explicitly enabled with legal authorization and user notice. 

 

5.3 To Respond to Alerts and Safety Events (Compass Care Alerts App) 

The Compass Care Alerts App processes safety-related information generated by GMA-connected devices, sensors, or usage patterns. Alert-related data may be used to: 

  • Notify guardians or care teams of boundary exits, periods of inactivity, potential falls, or system status events; 

  • Track and timestamp the response to an alert; 

  • Maintain historical alert logs for quality assurance and service validation; 

  • Assist with emergency communication based on pre-authorized protocols; 

  • Identify false positives or optimize alert parameters for individual needs. 

Location data is only accessed if the system configuration explicitly enables it with the appropriate consent. No continuous background tracking is performed. 

 

5.4 To Maintain System Integrity and Technical Support 

GMA uses metadata and diagnostic information to: 

  • Detect software bugs or application crashes; 

  • Maintain service uptime, speed, and compatibility across devices; 

  • Track login activity and authorization to prevent unauthorized access; 

  • Enforce Mobile Device Management (MDM) policies for security and safety; 

  • Deliver technical support when requested by the user or guardian. 

No unrelated analytics, user profiling, or advertising frameworks are implemented. 

 

5.5 To Satisfy Legal, Clinical, and Contractual Requirements 

Information may be used in compliance with: 

  • Required documentation for waiver-funded or publicly contracted services; 

  • Reporting for incident management or support plan outcomes; 

  • State or federal audit requests or investigations; 

  • Legally mandated disclosures (e.g., in cases of abuse, neglect, or imminent harm). 

All such uses are subject to the minimum necessary standard, logged in audit trails, and reviewed regularly by compliance staff. 

 

5.6 For Internal Quality Improvement and Risk Mitigation 

GMA may use de-identified or aggregated data to: 

  • Improve user interface accessibility or system usability; 

  • Analyze response times, system health, or overall engagement rates; 

  • Develop training materials or internal audit controls; 

  • Anticipate and proactively resolve safety risks or device issues. 

These uses never involve identifiable user data unless permission is granted through a formal authorization process. 

 

5.7 Strict No-Use Clauses 

GMA does not use any data collected through its apps for: 

  • Behavioral advertising or marketing purposes 

  • Sale to third parties 

  • Unconsented research 

  • Personal profiling beyond necessary safety configurations 

6. Disclosure of Information 

GMA treats all personal and health-related information collected through its mobile applications with the highest degree of confidentiality. We do not disclose your information to third parties except as necessary to: 

  • Deliver services; 

  • Comply with the law; 

  • Protect the safety of End Users; or 

  • Fulfill authorized care agreements. 

We strictly prohibit the sale, lease, or marketing-based use of any user data. 

 

6.1 Disclosures With Authorization 

GMA will disclose Protected Health Information (PHI) or Personally Identifiable Information (PII) to a third party only when one of the following applies: 

  • The End User has provided a HIPAA-compliant written authorization; 

  • A legal guardian, healthcare power of attorney, or state-appointed representative has authorized disclosure on the client’s behalf; 

  • A contractual party (e.g., Medicaid provider or case manager) has legal standing to access the data under a state or federal waiver program. 

Such disclosures may include information necessary for coordination of care, emergency contacts, or authorized clinical teams. 

 

6.2 Disclosures Without Authorization (As Permitted by Law) 

Under HIPAA (45 CFR § 164.512), GMA may disclose information without authorization in the following limited and legally permissible situations: 

  • To avert a serious threat to health or safety; 

  • To public health or social services authorities as part of mandated reporting; 

  • To comply with a court order, subpoena, or legal investigation; 

  • To regulatory agencies conducting audits, licensing, or service monitoring; 

  • To law enforcement under narrowly defined conditions (e.g., locating a missing vulnerable adult); 

  • To a medical examiner or coroner, if required by law in the event of death; 

  • To government authorities when necessary to comply with national security or protective services laws. 

Any such disclosures are tightly scoped to the minimum data required and documented in accordance with HIPAA’s accounting of disclosures rules. 

 

6.3 Disclosures to Business Associates 

GMA may share limited PHI or PII with Business Associates who perform specific services on GMA’s behalf, such as: 

  • Cloud storage providers; 

  • Notification infrastructure (e.g., secure SMS or alert gateways); 

  • Mobile device management platforms; 

  • Customer support tools used to respond to authorized tickets. 

All such entities are bound by a formal Business Associate Agreement (BAA) as required by 45 CFR § 164.502(e). These agreements require that Business Associates: 

  • Only use the information for the services explicitly authorized; 

  • Protect the information using industry-standard safeguards; 

  • Report any breach or unauthorized use immediately. 

 

6.4 Internal Access Controls 

Only GMA personnel with a legitimate “need to know” may access user data. This includes: 

  • Support staff providing onboarding or troubleshooting; 

  • Administrators managing app configurations; 

  • Clinicians or coordinators authorized by the End User or guardian; 

  • Compliance or legal staff auditing incidents or handling regulatory requests. 

Every access event is logged and monitored using secure audit controls. 

 

6.5 Guardian and Authorized User Disclosures 

Users of the Compass Care Calling and Compass Care Alerts Apps may only receive information: 

  • About clients for whom they have documented legal or clinical authority; and 

  • In a manner consistent with the limitations of their access (e.g., read-only vs. full interaction). 

No Authorized User has the ability to access PHI or system information outside of their assigned role or permission scope. Misuse or improper sharing of data by Authorized Users may result in immediate access suspension and legal action. 

 

6.6 De-Identified and Aggregated Disclosures 

GMA may share de-identified or aggregated information with third parties for: 

  • Quality improvement; 

  • Research (only if not involving PHI); 

  • Grant reporting; 

  • Public health initiatives or education. 

Such information will be scrubbed of all 18 HIPAA-defined identifiers and validated using either the Safe Harbor or Expert Determination method of de-identification. 

 

6.7 No Marketing Disclosures or Third-Party Monetization 

GMA will never: 

  • Sell or lease your data to advertisers or data brokers; 

  • Share your information with third parties for promotional or commercial gain; 

  • Authorize the use of your data in marketing materials without formal, written consent. 

7. Data Security and Retention 

GMA implements rigorous administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of information collected through the MyCompass App, Compass Care Calling App, and Compass Care Alerts App. These protections are designed to meet or exceed the standards set forth by: 

  • The Health Insurance Portability and Accountability Act (HIPAA) 

  • The Health Information Technology for Economic and Clinical Health Act (HITECH) 

  • Applicable state-level privacy and cybersecurity statutes 

  • Industry best practices for mobile health and assistive technologies 

 

7.1 Data Encryption 

All collected information is encrypted: 

  • In transit using industry-standard Transport Layer Security (TLS 1.2 or higher); 

  • At rest using Advanced Encryption Standard (AES-256); 

  • On devices under Mobile Device Management (MDM) controls, where applicable. 

This encryption applies to both personal identifiers and protected health information (PHI), including within app interactions, cloud storage, alert payloads, and administrative tools. 

 

7.2 Access Controls 

Access to data within the MyCompass System is strictly role-based and limited to individuals with verified credentials and a documented need-to-know. GMA enforces: 

  • Multi-factor authentication (MFA) for administrative and backend system users; 

  • Device-level security policies for GMA-managed tablets and smartphones; 

  • Time-based session expiration and automatic logouts after periods of inactivity; 

  • Audit logging and user access history tracking for every login and data access event. 

End Users and Authorized Users are only granted access to information appropriate to their role. Guardians and case managers may only access client data under their legal purview. 

 

7.3 Breach Detection and Notification 

In accordance with HIPAA’s Breach Notification Rule (45 CFR § 164.400–414), GMA maintains a formal breach response policy. In the event of unauthorized access, disclosure, or compromise of PHI: 

  1. The breach will be investigated and contained immediately; 

  2. Affected individuals will be notified in writing within 60 calendar days, unless an exception applies; 

  3. The U.S. Department of Health and Human Services (HHS) and any relevant state agencies will be notified, if required by law; 

  4. GMA will document the incident and take corrective action to prevent future occurrences. 

GMA does not tolerate security negligence. All Business Associates and vendors must agree in writing to report suspected breaches immediately. 

 

7.4 Data Retention 

GMA retains PHI and PII for a minimum of seven (7) years from the date of last use or as required by: 

  • Federal or state Medicaid documentation rules; 

  • Managed care contract provisions; 

  • Waiver program recordkeeping laws; 

  • Legal holds or audit requirements. 

In the event that retention timelines conflict, the longer duration shall apply. 

Once retention obligations expire, data is securely destroyed or permanently de-identified using NIST 800-88–compliant methods. 

 

7.5 Mobile Device Management (MDM) 

For GMA-issued or MDM-controlled devices, the following additional security features may apply: 

  • Remote lock and wipe functionality if a device is lost or stolen; 

  • Prohibited installation of unauthorized applications; 

  • Location tracking (if explicitly authorized and enabled); 

  • Usage restriction policies (e.g., no access to certain content categories); 

  • Regular device health scans and update enforcement. 

No MDM software is installed without user or guardian consent. MDM data is not used for advertising or non-service-related analytics. 

 

7.6 Infrastructure and Hosting 

All data is stored in secure, HIPAA-compliant cloud environments hosted in the United States. GMA’s infrastructure includes: 

  • Redundant data backups; 

  • Intrusion detection systems (IDS); 

  • Role-based administrative dashboards with least-privilege design; 

  • Periodic penetration testing and vulnerability scans; 

  • 24/7 system uptime monitoring with performance alerts. 

 

7.7 User Responsibility 

All users (End Users and Authorized Users) are expected to: 

  • Keep their login credentials confidential; 

  • Immediately report lost or stolen devices; 

  • Refrain from sharing app screenshots or personal data externally; 

  • Use only authorized devices and app stores to download or access GMA applications. 

GMA provides training and support for users to understand safe usage practices. 

8. User Rights and Choices 

GMA respects the rights of all users to control their personal information and protected health data. Whether you are an End User of the MyCompass App or an Authorized User of the Compass Care Calling or Compass Care Alerts App, you have clearly defined rights under: 

  • The Health Insurance Portability and Accountability Act (HIPAA); 

  • The Health Information Technology for Economic and Clinical Health (HITECH) Act; 

  • Applicable state privacy and disability service laws. 

The following rights apply to all data collected through GMA’s mobile applications, subject to legal authority and verification of identity. 

 

8.1 Right to Access 

You have the right to request access to any personal information or protected health information (PHI) collected or stored through the Apps, including: 

  • Service or support plan records; 

  • Logged activities or goals; 

  • Alert and call history (if applicable); 

  • Device metadata associated with your account. 

Requests may be made in writing to kyle@graymattersalliance.com or by contacting GMA’s Privacy Officer as provided in Clause 11. GMA may require verification of your identity or authority to access this information. 

 

8.2 Right to Correct or Amend Information 

You may request corrections to inaccurate, incomplete, or outdated information maintained by GMA. This includes updates to: 

  • Personal identifiers (e.g., name, contact info); 

  • Assigned caregivers or emergency contacts; 

  • Support goals or communication preferences; 

  • Technical records containing verifiable errors. 

Correction requests must be submitted in writing. GMA will respond within 30 calendar days, in accordance with HIPAA and state timelines. Certain clinical records may require documented justification for amendment. 

 

8.3 Right to Revoke Consent or Authorization 

An End User or legal representative may revoke a previously granted HIPAA Authorization or consent at any time, in writing. Upon revocation: 

  • GMA will discontinue any future uses or disclosures of PHI based on that Authorization; 

  • The revocation will not apply retroactively to uses or disclosures made while the Authorization was valid; 

  • Certain ongoing services may be limited or suspended if revocation prevents essential care coordination. 

Guardians wishing to revoke app access for Authorized Users must submit a written request, along with legal documentation of authority. 

 

8.4 Right to Limit Use or Disclosure 

You may request restrictions on the way GMA uses or discloses your PHI. While GMA is not required to agree to all requested restrictions, we will: 

  • Review each request individually; 

  • Honor any restriction agreed to in writing, unless required by law to override it; 

  • Provide a written response with the decision and, if denied, a justification. 

 

8.5 Right to Data Portability (Where Applicable) 

Upon request, GMA will provide a copy of your personal data or PHI in a readable, portable format, consistent with HIPAA requirements, and deliver it: 

  • To you directly, or 

  • To a third party designated in writing by you or your legal representative. 

Only data collected by GMA directly will be portable. Data obtained from third-party services will be excluded unless legally transferable. 

 

8.6 Right to File a Complaint 

If you believe your privacy rights have been violated, you have the right to file a complaint with: 

  • GMA’s Chief Administrative Officer, who also serves as GMA’s HIPAA Privacy Officer (see Clause 11) 

  • The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) 

GMA prohibits retaliation against anyone who exercises this right. 

 

8.7 Right to Delete (Limited by HIPAA Retention Rules) 

HIPAA and applicable state law require that medical and service-related records be retained for a set minimum period. GMA retains such records for a minimum of 7 years, and they cannot be deleted upon user request during that period. However: 

  • Non-clinical or auxiliary records (e.g., app notes, preferences) may be deleted upon request; 

  • Deletion of an Authorized User account may be granted if that Authorized User is no longer responsible for the End User; 

  • Full account deletion may occur after services are terminated and records are no longer required for legal, billing, or compliance purposes. 

GMA will clearly communicate the deletion timeline, and any legal exceptions, in its response to your request. 

 

8.8 Request Procedures 

To make a request related to any of the rights above, please contact: 

Email: documentation@graymattersalliance.com 
Mail: 119 South Main Street, St. Charles, Missouri 63301 
Phone: 314-266-2678 

All requests will be acknowledged within 10 business days and completed within the timelines required by applicable law. 

9. Third-Party Services 

GMA may utilize select third-party service providers to support the secure and effective operation of the GMA MyCompass™ App, Compass Care Calling™ App, and Compass Care Alerts™ App. These providers help GMA deliver remote support, ensure system reliability, manage alerts, and provide customer service — but they do not own, sell, or independently access your data. 

All third-party relationships are strictly governed by Business Associate Agreements (BAAs) or comparable data protection contracts, and no third party is permitted to use Protected Health Information (PHI) or Personally Identifiable Information (PII) for any purpose outside the scope of its engagement with GMA. 

 

9.1 Types of Third-Party Services Used 

GMA may use third-party services for the following functional areas: 

  • Cloud Hosting Providers 
    To store encrypted user data in HIPAA-compliant cloud environments (e.g., AWS GovCloud or comparable U.S.-based data centers). 

  • Mobile App Infrastructure 
    For push notifications, device updates, app distribution, and crash diagnostics (e.g., Firebase Crashlytics or equivalent, configured for HIPAA safety). 

  • Secure Communication Tools 
    To enable voice, video, or alert-based communication between End Users and Authorized Users (Agora). 

  • Mobile Device Management (MDM) 
    To configure, monitor, and secure GMA-issued devices and tablets used by End Users. 

  • Customer Support Systems 
    For support ticket tracking and secure correspondence with clients and guardians. 

  • Third-Party Hardware Integrations (Optional) 
    Some users may integrate GMA-compatible equipment (e.g., medication dispensers, fall sensors). Data from these devices flows through secure APIs and is treated under the same HIPAA standards as in-app data. 

 

9.2 Restrictions on Third Parties 

All third-party service providers are explicitly prohibited from: 

  • Selling, reusing, or disclosing any user data; 

  • Using app data for marketing, advertising, profiling, or any analytics beyond what is required for security or bug resolution; 

  • Retaining any data beyond what is required for contractual compliance; 

  • Accessing audio, video, or location data unless technically necessary and contractually permitted; 

  • Subcontracting services without GMA’s written consent and a downstream HIPAA-compliant agreement in place. 

 

9.3 Guardian and Client Awareness 

When a third-party tool is involved in delivering care (e.g., a caregiver app, medication device, or alert service), GMA will: 

  • Identify the tool in onboarding materials or device guides; 

  • Provide clear instructions regarding configuration and consent; 

  • Offer training or support for any approved integration; 

  • Ensure that data remains within the boundaries of authorized use. 

 

9.4 Public App Store Requirements 

Third-party SDKs or APIs required to comply with Apple App Store and Google Play Store policies may be embedded in the mobile apps, but they are configured to disable: 

  • Advertising tracking features 

  • Analytics features not required for security or bug resolution 

  • Device fingerprinting or app-based profiling 

GMA does not share any Apple or Android device identifiers (e.g., IDFA, AAID) with third parties for commercial purposes. 

10. Children’s and Incapacitated Adults’ Privacy 

The GMA MyCompass™ App, GMA Compass Care Calling™ App, and GMA Compass Care Alerts™ App may be used by or on behalf of individuals who are legally considered minors, incompetent adults, or individuals under guardianship or supported decision-making agreements. GMA takes extra precautions to ensure that all data collected for or about these individuals is handled in compliance with: 

  • The Health Insurance Portability and Accountability Act (HIPAA); 

  • Applicable state laws regarding minors and guardianship; 

  • Best practices for vulnerable populations, including those with developmental, cognitive, or behavioral challenges. 

 

10.1 Age Restrictions and Guardian Access 

  • The GMA MyCompass™ App may be used directly by an End User of any age, so long as that individual is a recipient of GMA services and the app is configured appropriately for their support needs. 

  • End Users under the age of 18, or those who have been declared legally incapacitated or require substituted decision-making, must have a legal guardian, parent, or court-appointed representative act on their behalf with regard to: 

      • Authorization of data access 

      • Consent to terms of service 

      • Configuration of app settings 

      • Activation of safety or communication features 

GMA requires documentation of legal authority (e.g., guardianship orders, power of attorney, support decision-making agreement) prior to enabling access to any app by an Authorized User acting on behalf of another person. 

 

10.2 Collection of Information from Minors 

GMA does not knowingly collect PHI or PII from minors without guardian consent. Where services are provided to a person under the age of 18, or an adult who lacks legal capacity, all data collection is limited to the minimum necessary and is directed to support care delivery under the authorization of: 

  • A legal guardian; 

  • A parent or custodian (where permitted by state law); 

  • An authorized service coordinator or representative from a support agency. 

GMA does not engage in behavioral tracking, targeted advertising, or profiling of minors in any capacity. 

 

10.3 Role of Guardians and Authorized Representatives 

Guardians and legally authorized representatives may: 

  • Set up and manage user profiles; 

  • Determine who may access the Compass Care Calling or Alerts Apps; 

  • Enable or restrict alert thresholds and app notifications; 

  • Revoke access or request updates to information on behalf of the End User. 

All guardian activities are logged and stored in accordance with HIPAA audit requirements. 

 

10.4 Support for Limited Capacity Clients 

For End Users who have some decision-making capacity but require assistance, GMA encourages supported decision-making and collaborates with guardians and providers to promote autonomy wherever possible. This may include: 

  • Shared access between the client and guardian; 

  • Interface configurations tailored to individual ability levels; 

  • Prompting mechanisms that allow the End User to participate in tasks with guidance. 

GMA recognizes that capacity is contextual and may change over time, and will work with legal representatives to ensure proper access levels are maintained. 

 

10.5 COPPA Compliance (Children’s Online Privacy Protection Act) 

Although GMA’s apps are not intended for the general public and are not directed at children under 13 for independent use, we take steps to align with COPPA standards. In any case where a child under 13 may use an app, guardian consent and oversight are required, and all collection is solely for service delivery and protection. 

11. Contact Information 

GMA has designated a HIPAA Privacy Officer to oversee all privacy-related matters, ensure compliance with federal and state data protection laws, respond to user inquiries, and handle any concerns regarding the handling of personal or health information across the MyCompass App, Compass Care Calling App, and Compass Care Alerts App. 

If you have any questions, concerns, requests, or wish to exercise your rights as outlined in this Privacy Policy, please contact: 

 

📌 HIPAA Privacy Officer 
Name: Kyle Dortch 
Title: Chief Administrative Officer & HIPAA Privacy Officer 
Organization: Gray Matters Alliance, LLC 
Email: kyle@graymattersalliance.com 
Phone: 314-266-2678 
Mailing Address: 
Gray Matters Alliance 
119 S Main Street, St. Charles, MO 63301 
Missouri, United States 

 

Filing a Complaint 

If you believe your privacy rights have been violated, you may file a complaint with: 

  • Gray Matters Alliance (using the contact information above), or 

  • U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) 

OCR Website: https://www.hhs.gov/hipaa/filing-a-complaint/ 
OCR Phone: 1-800-368-1019 

You will not be retaliated against for filing a complaint. 

 

Response Timeframes 

GMA will acknowledge all privacy-related inquiries within 10 business days and respond in full within the timelines required by HIPAA, state law, or relevant service agreements (generally within 30 calendar days for access or amendment requests). 

12. Changes to This Privacy Policy 

GMA reserves the right to update or modify this Privacy Policy at any time in order to reflect: 

  • Changes to applicable laws and regulations (including HIPAA, HITECH, or state-specific privacy rules); 

  • Updates to the functionality, features, or supported integrations of the GMA MyCompass™ App, Compass Care Calling™ App, or Compass Care Alerts™ App; 

  • Enhancements to our security protocols or data handling practices; 

  • Business operational changes that affect how information is managed. 

Any changes to this Privacy Policy will be: 

  • Posted prominently within the mobile apps, 

  • Published on the official GMA website, and 

  • Communicated directly to Authorized Users and End Users, when legally required or where the changes involve material alterations to data use or user rights. 

 

12.1 Effective Date of Revisions 

Each updated version of this Privacy Policy will include a clearly stated “Last Updated” date at the top of the document. Users are encouraged to review the policy periodically to stay informed about how GMA protects their information. 

 

12.2 Continued Use as Acceptance 

By continuing to use any of GMA’s mobile applications after an updated version of this Privacy Policy has been posted, you acknowledge and accept the revised terms. If you disagree with any material changes, you have the right to discontinue use of the apps and request assistance with account closure. 

 

12.3 Notification for Material Changes 

In the case of material changes (e.g., expanded use of PHI, new categories of data collected, changes in legal rights), GMA will: 

  • Provide advance notice via in-app messaging or email to affected users (as applicable); 

  • Offer an opportunity for users to re-consent where required by law or contract; 

  • Retain a historical record of prior versions for audit and reference. 
