Privacy Policy

Last updated: March 13, 2026

1. Introduction

This Privacy Policy ("Policy") explains how z.PAX LLC and its affiliates ("z-PAX," "we," "us," or "our") collect, use, disclose, and protect information in connection with our Platform-as-a-Service ("PaaS") offerings, including the z.PAX platform, associated APIs, tools, and related services (collectively, the "Services").

Important: This Privacy Policy applies exclusively to business-to-business relationships and is not a consumer-facing privacy notice. Our Services are designed for use by healthcare organizations including, for example, skilled nursing facilities, and other business entities ("Customers" or "you"). This Policy does not apply to end users, patients, residents, or individuals whose data may be processed through Customer's use of our Services—those individuals' privacy rights are governed by Customer's own privacy notices and our contractual agreements with Customer.

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy and our Terms of Use.

2. Scope of This Privacy Policy

This Privacy Policy addresses three distinct categories of information, each governed by different legal frameworks:

2.1 Platform Contact and Usage Information

When you visit our websites, request information about our Services, create an account, or use our platform, we collect business contact information and platform usage data as described in this Policy. For this category of information, z-PAX acts as a data controller (or "business" under applicable state privacy laws), and this Privacy Policy governs our data practices. This includes information such as: (a) Administrator and user contact details; (b) Account credentials and authentication data; (c) Platform configuration and usage analytics; (d) Customer support communications; (e) Billing and payment information; and (f) Marketing and sales communications.

2.2 Protected Health Information You Host on Our Platform

HIPAA Business Associate Relationship

If you are a HIPAA Covered Entity or Business Associate and subscribe to our hosting services, we receive, store, and process Protected Health Information ("PHI") on your behalf pursuant to a Business Associate Agreement ("BAA") executed between you and z-PAX. For PHI: (a) z-PAX is your Business Associate under HIPAA, acting on your instructions; (b) Our handling of PHI is governed exclusively by our BAA and any customer agreement you have in place, NOT this Privacy Policy; (c) z-PAX provides infrastructure hosting services and technical operations; (d) We do not access, use, or disclose your PHI except as: (i) Permitted or required under our BAA, (ii) Necessary to provide the Services, or (iii) Required by law; and (e) You remain the Covered Entity or upstream Business Associate responsible for HIPAA compliance regarding access to and use of your organization's PHI or your PHI.

Important Limitation: This Privacy Policy does NOT create any rights, obligations, or limitations regarding PHI beyond those specified in your BAA and customer agreement. For all PHI-related matters including security obligations, breach notification, audit rights, and liability, refer exclusively to your contractual agreements with z-PAX.

2.3 Third-Party Developer Access to Your Data

Platform Infrastructure Model

If you authorize third-party developers ("TPDs") to access your data hosted on our platform, those developers access your data pursuant to a parallel Business Associate relationship, not a subcontractor chain. Specifically: (a) You must execute a separate authorization agreement with z-PAX permitting the TPD to access your data via our APIs; (b) You must execute a separate Business Associate Agreement and customer agreement directly with the TPD; and (c) z-PAX implements security and access control protocols based on your authorization but does not control, monitor, or assume responsibility for the TPD's access and use of your data. See Section 8 (eXchange Marketplace and Third-Party Developer Applications) for complete details on this data architecture.

For More Information: For detailed information about our handling of PHI, data security practices, audit rights, subprocessor arrangements, and related matters, please refer to: (a) Your executed Business Associate Agreement with z-PAX; (b) Your customer agreement and any applicable Order Forms; and (c) Our Security & Compliance Documentation, which is available upon request.

3. Updates to This Privacy Policy

Privacy laws, technology standards, and security best practices evolve continuously. We reserve the right to modify this Privacy Policy to reflect changes in: (a) Legal and regulatory requirements; (b) Industry best practices and standards; (c) Our data processing practices; and (d) The features and functionality of our Services.

Notice of Material Changes

When we make material changes to this Privacy Policy that affect your rights or our data practices, we will: 1. Post the revised Privacy Policy at https://myzpax.com/mobile/privacy.html; 2. Update the "Effective Date" and "Last Updated" fields at the top of this document; 3. Provide notice through one or more of the following methods: (a) In-platform notification upon next login, or (b) Posting on myzpax.com; and 4. For changes affecting PHI processing, provide notice as required by our BAA.

Your Responsibility: You are responsible for reviewing this Privacy Policy periodically and remaining informed of any changes. Your continued use of the Services after the effective date of any modifications constitutes acceptance of the updated Privacy Policy. If you do not agree with any modifications, you must discontinue use of the Services and contact us to terminate your subscription in accordance with your customer agreement.

4. Information We Collect

This section describes the categories of platform contact and usage information we collect in our role as data host. This does not include PHI or other customer data processed pursuant to our BAA or customer agreement.

4.1 Information You Provide Directly

4.1.1 Account Registration and Profile Information

When you create an account or update your profile, we collect: (a) Full name and title; (b) Business email address and phone number; (c) Account credentials (username and encrypted password); and (d) Time zone preferences.

4.1.2 Billing and Payment Information

For subscription billing, we collect: (a) Billing contact name and email; (b) If applicable, payment method details (collected and processed by our PCI-DSS compliant payment processor); (c) Billing address; (d) Payment terms; and (e) Invoice history and payment records. Note: We do not directly store banking information or credit card numbers. Payment card data is tokenized and processed by our third-party payment processor, Stripe, in compliance with PCI-DSS standards.

4.1.3 Communications and Support

If you communicate with us, we may collect: (a) Customer support tickets and correspondence; (b) Live chat transcripts and chatbot interactions; (c) Email communications with our sales, support, and security teams; (d) Phone call recordings (with notice) for quality and training purposes; (e) Feedback, feature requests, and survey responses; and (f) Conference and webinar registration information.

4.1.4 Marketing and Events

If you engage with our marketing activities, we may collect: (a) Newsletter subscription preferences; (b) Whitepaper, case study, and resource download requests; (c) Webinar and virtual event registrations; (d) Conference badge scans and networking interactions; (e) Demo and trial requests; and (f) Marketing communication preferences and opt-out requests.

4.2 Information Collected Automatically

4.2.1 Platform Usage Data

We automatically collect information about how you use our Services: (a) Login/logout timestamps and session duration; (b) Features accessed and frequency of use; (c) API calls made and API usage patterns; (d) Platform configuration changes and settings; (e) Search queries within the platform; (f) File uploads/downloads (metadata only, not content); (g) User permissions and role assignments; and (h) Application performance metrics.

4.2.2 Device and Technical Information

We collect technical data from devices used to access our Services: (a) IP address and geolocation data (city/region level); (b) Browser type, version, and language settings; (c) Operating system and device type; (d) Screen resolution and display settings; (e) Network information and connection type; (f) Referring URLs and navigation paths; and (g) Device identifiers (where permitted by device settings).

4.2.3 Security and Authentication Logs

For security monitoring and incident response, we log: (a) Authentication attempts (successful and failed); (b) Account lockouts and password reset requests; (c) Changes to security settings and permissions; (d) Anomalous activity and potential security events; (e) Access from new or unrecognized devices/locations; and (f) Administrative actions and privileged operations.

4.2.4 Cookies and Similar Technologies

We use cookies and similar tracking technologies: (a) Strictly Necessary Cookies: Required for authentication, security, and core platform functionality; (b) Functional Cookies: Remember your preferences, settings, and customizations; (c) Analytics Cookies: Help us understand platform usage patterns and improve performance; and (d) Marketing Cookies: Track engagement with our marketing content (used only on our marketing websites, not within the platform). See Section 13 (Cookies and Tracking Technologies) for detailed information about cookies, your choices, and how to manage cookie preferences.

4.3 Information from Third-Party Sources

We may receive information from third-party sources including: (a) Identity Verification Services: For account security and fraud prevention; (b) Business Information Databases: To verify company information and maintain accurate records; (c) Marketing Partners: Conference organizers and co-marketing partners (with your consent); (d) Single Sign-On Providers: If you choose to authenticate using third-party identity providers; and (e) Public Sources: Publicly available business information to enhance our understanding of customer organizations.

5. How We Use Information

We use the platform contact and usage information described in Section 4 for the following business purposes. We do not use PHI for any purpose other than as specifically permitted by our BAA and necessary to provide the Services to you.

5.1 Service Provision and Platform Operations

(a) Provide, operate, and maintain the Services; (b) Create and manage your account and user profiles; (c) Authenticate users and prevent unauthorized access; (d) Process transactions and manage subscriptions; (e) Enable platform features and functionality you request; (f) Facilitate integrations and API connections; and (g) Generate usage reports and analytics dashboards for your use.

5.2 Customer Support and Communications

(a) Respond to your inquiries and support requests; (b) Provide technical assistance and troubleshooting; (c) Send service-related notifications and updates; (d) Communicate about account issues, billing, and subscription status; (e) Notify you of scheduled maintenance and service disruptions; and (f) Deliver security alerts and critical system notifications.

5.3 Platform Improvement and Development

(a) Analyze usage patterns to improve Services functionality; (b) Develop new features and enhancements; (c) Conduct research and data analysis to enhance user experience; (d) Identify and fix technical issues and bugs; (e) Optimize platform performance and reliability; and (f) Test new features with pilot customers (with consent).

5.4 Security and Fraud Prevention

(a) Detect, prevent, and respond to security incidents; (b) Monitor for fraudulent or suspicious activity; (c) Enforce our Terms of Use and Acceptable Use Policy; (d) Conduct security audits and vulnerability assessments; (e) Verify account holder identity and authorization; (f) Investigate and respond to potential security threats; and (g) Maintain logs for security forensics and incident investigation.

5.5 Legal Compliance and Protection

(a) Comply with applicable laws, regulations, and legal processes; (b) Respond to lawful requests from government authorities; (c) Enforce our contractual rights and agreements; (d) Protect the rights, property, and safety of z-PAX, our customers, and others; (e) Defend against legal claims and disputes; (f) Maintain required business and financial records; and (g) Conduct internal audits and compliance reviews.

5.6 Marketing and Business Development (With Consent)

With your explicit consent or where permitted by law, we may: (a) Send marketing communications about our Services; (b) Provide information about new features, updates, and enhancements; (c) Invite you to webinars, conferences, and educational events; (d) Share industry insights, whitepapers, and case studies; (e) Conduct customer satisfaction surveys; and (f) Offer promotions, discounts, or special programs. Note: You may opt out of marketing communications at any time using the unsubscribe mechanism in our emails or by contacting privacy@z-pax.com. Opting out of marketing communications will not affect service-related notifications.

5.7 Aggregated and De-Identified Data

We may create aggregated, anonymized, or de-identified data from the information we collect by removing identifiers such that the data can no longer reasonably be used to identify you or your organization. We may use this de-identified data for any lawful business purpose, including: (a) Benchmarking and industry research; (b) Product development and innovation; (c) Statistical analysis and trend identification; and (d) Public reporting and thought leadership. De-identified data is not subject to this Privacy Policy. We maintain technical and administrative measures to prevent re-identification of this data and will not attempt to re-identify it.

6. Information Sharing and Disclosure

We do not sell platform contact and usage information to third parties. We may share this information only in the limited circumstances described below. PHI sharing is governed exclusively by our BAA and is not covered by this Section.

6.1 Service Providers and Subprocessors

We engage carefully vetted service providers and subprocessors to assist in operating our business and delivering the Services. These entities process information only on our behalf and under our instruction, subject to confidentiality obligations. Categories of service providers include: (a) Cloud Infrastructure Providers: For data hosting and storage (SOC2 Type II certified); (b) Payment Processors: For billing and payment processing (PCI-DSS compliant); (c) Customer Support Platforms: For ticketing and helpdesk services; (d) Email and Communication Services: For transactional and notification emails; (e) Analytics Providers: For platform usage analytics and monitoring; (f) Security Services: For threat detection, monitoring, and incident response; and (g) IT and Development Tools: For software development and operations. Current Subprocessor List: A complete list of subprocessors who may access platform contact and usage information is available at https://trust.myzpax.com/subprocessors.

6.2 Business Affiliates

We may share information with our parent company, subsidiaries, and affiliates for: (a) Providing and supporting the Services; (b) Internal administration and reporting; (c) Coordinated customer support; and (d) Security and fraud prevention. Our affiliates are required to handle your information consistent with this Privacy Policy.

6.3 Legal Requirements and Protection of Rights

We may disclose information when we believe in good faith that disclosure is necessary to: (a) Comply with applicable law, regulation, legal process, or governmental request; (b) Enforce our Terms of Use, contracts, or policies; (c) Detect, prevent, or address security, fraud, or technical issues; (d) Protect the rights, property, or safety of z-PAX, our customers, or the public; (e) Defend against legal claims or litigation; and (f) Investigate potential violations of law or our policies. Where legally permitted and practicable, we use best efforts to notify affected customers before disclosing information in response to legal process, giving you an opportunity to seek protective measures.

6.4 Business Transfers

If z-PAX is involved in a merger, acquisition, asset sale, bankruptcy, or other business transaction, we may transfer information to the successor entity or acquiring organization. In such cases: (a) Your information may be subject to a different privacy policy; and (b) Upon assumption and assignment of agreements, any successor entity will honor the commitments we have made in this Privacy Policy or notify you of material changes. For PHI transfers, we will comply with all BAA requirements and obtain necessary consents. You may have rights to object or opt out depending on applicable law or contract terms.

6.5 With Your Consent

We may share information for other purposes with your explicit consent, including: (a) Featuring you as a customer reference or case study; (b) Co-marketing initiatives with partners; (c) Participation in joint research or industry studies; and (d) Public testimonials or success stories. You may withdraw consent for these purposes at any time by contacting privacy@z-pax.com.

6.6 Public Information

Information you choose to make publicly available through the Services (such as profile information visible to other users, if applicable) will be accessible to others according to your settings and the nature of the platform feature.

7. Data Retention

7.1 Platform Contact and Usage Information

We retain the information we collect through our Services for no longer than is needed to serve the legitimate business purposes for which it was collected, or as necessary to comply with our legal obligations. When we have no ongoing legitimate business need to process your personal information, we either delete it or pseudonymize it, unless otherwise required by applicable law or otherwise agreed between z-PAX and a customer.

7.2 Protected Health Information

PHI retention is governed by your BAA and customer agreement, which may specify: (a) Minimum and maximum retention periods; (b) Return or destruction procedures upon termination; (c) Backup and archival policies; and (d) Legal hold requirements. See your BAAs for complete PHI retention terms.

8. eXchange Marketplace and Third-Party Developer Applications

z-PAX provides a platform infrastructure that hosts Protected Health Information and other data on behalf of Covered Entities pursuant to Business Associate Agreements. TPDs offer applications through our eXchange Marketplace that may access the protected data we host on our platform, but only upon your written authorization.

z-PAX does not provide any third-party developer access to your data without your express written authorization.

8.1 Data Architecture and Business Associate Relationships

The z-PAX platform operates under a parallel Business Associate model, not a subcontractor chain: We host your data as your Business Associate. Any TPD is an independent Business Associate to you. You authorize z-PAX to provide TPDs with PHI access. You and any TPDs you contract with are responsible for your HIPAA compliance and any applicable federal and state laws.

8.2 Requirements for TPD Data Access

If you choose to use a TPD application that requires access to your PHI hosted on z-PAX, you MUST: 1. Execute Agreements with the TPD: (a) Enter into a separate customer agreement directly with the TPD; (b) Execute a HIPAA Business Associate Agreement with the TPD; (c) Review and accept the TPD's privacy policy and terms of use; and (d) Conduct appropriate due diligence on the TPD's security and compliance practices. 2. Provide Written Authorization to z-PAX: Specifically identify which TPD may access your data. 3. Understand z-PAX's Limited Role: (a) z-PAX provides PHI access based solely on your authorization; and (b) z-PAX is not responsible for the TPD's data practices, security, or compliance.

8.3 Revoking TPD Access

You may revoke a TPD's authorization at any time: (a) Provide written notice to z-PAX at privacy@z-pax.com; and (b) z-PAX will terminate the TPD's PHI access within 48 business hours. IMPORTANT: The TPD may retain data previously accessed pursuant to your agreements with them: (a) You must address data return, destruction, or continued use directly in your contract arrangements with the TPD; and (b) z-PAX has no control over data the TPD already accessed before your revocation.

8.4 TPD Responsibility and Disclaimer

z-PAX IS NOT RESPONSIBLE FOR: (a) The TPD's privacy practices, policies, or notices; (b) The TPD's data security measures or breach response; (c) The TPD's HIPAA compliance or Business Associate obligations; (d) The TPD's use, disclosure, or retention of your data; (e) The TPD's financial stability or business continuity; (f) The accuracy, functionality, or performance of TPD applications; and (g) Disputes between you and the TPD. Your Responsibilities: (a) Conduct thorough due diligence before authorizing TPD access; (b) Verify the TPD has appropriate security certifications and insurance; (c) Review TPD privacy policies and data handling practices; (d) Ensure TPD agreements protect your rights and comply with HIPAA; (e) Monitor TPD's ongoing compliance and security posture; and (f) Direct all questions, concerns, or requests about TPD data handling to the TPD, not to z-PAX.

9. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Privacy Office
z.PAX LLC
200 Route 9 North, Suite 500
Manalapan, NJ 07726
Email: privacy@z-pax.com

For PHI-Related Issues:
For matters related to Protected Health Information, security incidents involving PHI, or BAA compliance, contact:
Email: security@z-pax.com