NeurixaHealthAI logo
HomePrivacy Policy
Legal

Privacy
Policy

Your privacy and the security of healthcare data are foundational to everything we build at NeurixaHealthAI™.

HIPAA Compliant
SOC 2 Type II
HITRUST Certified
GDPR Aware

Effective Date: June 1, 2026  · Last Updated: June 5, 2026

Privacy questions? Contact us →

Healthcare Data Commitment

NeurixaHealthAI™ is a HIPAA Business Associate. We never sell Protected Health Information (PHI) and process it only under signed Business Associate Agreements (BAAs). Our platform is SOC 2 Type II and HITRUST certified. For enterprise data processing terms, refer to your Master Service Agreement and Data Processing Addendum.

1. Overview

NeurixaHealthAI, Inc. ("NeurixaHealthAI," "we," "us," or "our") is committed to protecting the privacy and security of information entrusted to us. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you visit our website, use our platform, or interact with our services (collectively, the "Services").

As a healthcare technology company, we understand the sensitivity of health-related information and operate under strict legal and ethical obligations. This policy is designed to be transparent about our data practices and to help you understand your rights.

This Privacy Policy applies to all users of our Services, including healthcare organizations, providers, payers, administrators, and visitors to our website. It does not apply to information collected by third-party websites or services that may be linked from our platform.

2. Information We Collect

We collect several types of information in connection with the Services:

Account & Registration Information

  • Name, job title, and professional credentials
  • Business email address and contact information
  • Organization name, type, and NPI/tax identification numbers
  • Username, password, and account preferences
  • Billing and payment information (processed securely via PCI-compliant processors)

Usage & Platform Data

  • Log data including IP addresses, browser type, pages visited, and timestamps
  • Feature usage patterns and workflow interactions
  • API call logs and integration activity
  • Device identifiers and operating system information
  • Session recordings and click-stream data (with consent, for product improvement)

Healthcare & Clinical Data (Enterprise Customers)

  • Protected Health Information (PHI) submitted by enterprise customers under a signed Business Associate Agreement (BAA)
  • Clinical workflow data, prior authorization requests, and revenue cycle records
  • De-identified or aggregated population health analytics
  • EHR integration data transmitted via FHIR R4 and HL7 interfaces

Communications Data

  • Messages sent through our contact forms, support tickets, and chat
  • Email correspondence with our team
  • Survey responses and feedback submissions
  • Webinar and event registration information

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing, operating, and maintaining the Services
  • Processing transactions and managing enterprise accounts
  • Sending administrative communications, including service updates and security alerts
  • Providing customer support and responding to inquiries
  • Improving, personalizing, and expanding our Services through analytics and research
  • Developing new features, products, and services
  • Monitoring and analyzing usage patterns to enhance platform performance
  • Detecting, preventing, and addressing technical issues, fraud, and security threats
  • Complying with legal obligations, including HIPAA, HITECH, and applicable state laws
  • Enforcing our Terms of Service and other agreements
  • Sending marketing communications (with your consent, where required by law)

4. HIPAA & Protected Health Information

NeurixaHealthAI operates as a HIPAA Business Associate when processing Protected Health Information (PHI) on behalf of Covered Entities. We enter into Business Associate Agreements (BAAs) with all enterprise customers before any PHI is processed through our platform.

PHI submitted to our platform is used exclusively to provide the contracted Services and is never sold, rented, or used for marketing purposes. We implement the full suite of HIPAA Administrative, Physical, and Technical Safeguards required under the HIPAA Security Rule.

Our PHI handling practices include:

  • End-to-end encryption for all PHI in transit (TLS 1.3) and at rest (AES-256)
  • Role-based access controls limiting PHI access to authorized personnel only
  • Comprehensive audit logging of all PHI access and modifications
  • Workforce training on HIPAA privacy and security requirements
  • Business Associate Agreements with all downstream subprocessors handling PHI
  • Breach notification procedures in compliance with the HIPAA Breach Notification Rule
  • Data minimization — we collect and process only the PHI necessary to provide the Services

5. How We Share Your Information

We do not sell, trade, or rent your personal information or Customer Data to third parties. We may share information in the following limited circumstances:

Service Providers & Subprocessors

  • Cloud infrastructure providers (e.g., AWS, Google Cloud) under strict data processing agreements
  • Analytics and monitoring tools operating under confidentiality obligations
  • Payment processors handling billing under PCI-DSS compliance
  • Customer support platforms with appropriate data protection agreements

Legal & Compliance Disclosures

  • When required by law, court order, or government authority
  • To protect the rights, property, or safety of NeurixaHealthAI, our users, or the public
  • In connection with legal proceedings or to enforce our Terms of Service
  • To respond to lawful requests from public authorities, including national security or law enforcement

Business Transfers

  • In connection with a merger, acquisition, or sale of all or a portion of our assets, with appropriate notice and continuity of data protection obligations

6. Data Security

We implement industry-leading security measures to protect your information against unauthorized access, alteration, disclosure, or destruction. Our security program includes:

  • SOC 2 Type II certification — independently audited security controls
  • HITRUST CSF certification for healthcare data security
  • End-to-end encryption using TLS 1.3 for data in transit and AES-256 for data at rest
  • Multi-factor authentication (MFA) required for all platform access
  • Continuous security monitoring, intrusion detection, and vulnerability scanning
  • Annual penetration testing by independent third-party security firms
  • Zero-trust network architecture with least-privilege access principles
  • Comprehensive incident response plan with defined SLAs for breach notification
  • Regular security awareness training for all employees

7. Data Retention

We retain personal information and Customer Data for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements.

For enterprise customers, data retention periods are specified in the applicable Master Service Agreement (MSA) and Data Processing Addendum (DPA). Upon contract termination, Customer Data is retained for a transition period (typically 90 days) to allow for data export, after which it is securely deleted or anonymized.

Specific retention periods by data type:

  • Account information: Duration of account plus 3 years after closure
  • PHI and clinical data: As specified in the BAA and applicable law (minimum 6 years under HIPAA)
  • Usage logs and analytics: 24 months rolling window
  • Support communications: 3 years from last interaction
  • Financial records: 7 years as required by applicable tax and accounting laws
  • Marketing data: Until consent is withdrawn or 3 years of inactivity

8. Your Privacy Rights

Depending on your location and applicable law, you may have the following rights regarding your personal information:

  • Right to Access — Request a copy of the personal information we hold about you
  • Right to Correction — Request correction of inaccurate or incomplete information
  • Right to Deletion — Request deletion of your personal information (subject to legal retention requirements)
  • Right to Portability — Receive your data in a structured, machine-readable format
  • Right to Restrict Processing — Request that we limit how we use your information
  • Right to Object — Object to processing based on legitimate interests or for direct marketing
  • Right to Withdraw Consent — Withdraw consent at any time where processing is based on consent
  • Right to Non-Discrimination — Exercise your privacy rights without discriminatory treatment

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

California residents may submit privacy requests by contacting us at [email protected] or through our contact form. We will respond to verified requests within 45 days as required by law.

We do not sell personal information as defined under the CCPA. We do not share personal information for cross-context behavioral advertising without consent.

  • Right to know what personal information is collected, used, shared, or sold
  • Right to delete personal information collected from you
  • Right to opt-out of the sale or sharing of personal information
  • Right to correct inaccurate personal information
  • Right to limit use and disclosure of sensitive personal information
  • Right to non-discrimination for exercising CCPA rights

10. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on our platform. These include:

  • Essential Cookies — Required for the platform to function (authentication, security, session management)
  • Analytics Cookies — Help us understand how users interact with our Services (e.g., page views, feature usage)
  • Preference Cookies — Remember your settings and personalization choices
  • Marketing Cookies — Used to deliver relevant content (only with your consent)

11. International Data Transfers

NeurixaHealthAI is headquartered in the United States. If you access our Services from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

For customers in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on appropriate legal mechanisms for international data transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission.

Our global research collaborators in Australia, India, Canada, and the United Kingdom operate under data sharing agreements that comply with applicable local privacy laws and HIPAA requirements.

12. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18 without parental consent, we will take steps to delete that information.

If you believe we have inadvertently collected information from a child under 18, please contact us immediately at [email protected].

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

  • Posting the updated policy on our website with a new "Last Updated" date
  • Sending an email notification to registered account holders
  • Displaying a prominent notice within the platform for 30 days following material changes

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Privacy Team:

Company: NeurixaHealthAI, Inc.
Privacy Team: [email protected](forwards to [email protected])
Data Protection Officer: [email protected](forwards to [email protected])
HIPAA / BAA Inquiries: [email protected](forwards to [email protected])