Healthcare Data Commitment
NeurixaHealthAI™ is a HIPAA Business Associate. We never sell Protected Health Information (PHI) and process it only under signed Business Associate Agreements (BAAs). Our platform is SOC 2 Type II and HITRUST certified. For enterprise data processing terms, refer to your Master Service Agreement and Data Processing Addendum.
1. Overview
NeurixaHealthAI, Inc. ("NeurixaHealthAI," "we," "us," or "our") is committed to protecting the privacy and security of information entrusted to us. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you visit our website, use our platform, or interact with our services (collectively, the "Services").
As a healthcare technology company, we understand the sensitivity of health-related information and operate under strict legal and ethical obligations. This policy is designed to be transparent about our data practices and to help you understand your rights.
This Privacy Policy applies to all users of our Services, including healthcare organizations, providers, payers, administrators, and visitors to our website. It does not apply to information collected by third-party websites or services that may be linked from our platform.
2. Information We Collect
We collect several types of information in connection with the Services:
Account & Registration Information
- Name, job title, and professional credentials
- Business email address and contact information
- Organization name, type, and NPI/tax identification numbers
- Username, password, and account preferences
- Billing and payment information (processed securely via PCI-compliant processors)
Usage & Platform Data
- Log data including IP addresses, browser type, pages visited, and timestamps
- Feature usage patterns and workflow interactions
- API call logs and integration activity
- Device identifiers and operating system information
- Session recordings and click-stream data (with consent, for product improvement)
Healthcare & Clinical Data (Enterprise Customers)
- Protected Health Information (PHI) submitted by enterprise customers under a signed Business Associate Agreement (BAA)
- Clinical workflow data, prior authorization requests, and revenue cycle records
- De-identified or aggregated population health analytics
- EHR integration data transmitted via FHIR R4 and HL7 interfaces
Communications Data
- Messages sent through our contact forms, support tickets, and chat
- Email correspondence with our team
- Survey responses and feedback submissions
- Webinar and event registration information
3. How We Use Your Information
We use the information we collect for the following purposes:
- Providing, operating, and maintaining the Services
- Processing transactions and managing enterprise accounts
- Sending administrative communications, including service updates and security alerts
- Providing customer support and responding to inquiries
- Improving, personalizing, and expanding our Services through analytics and research
- Developing new features, products, and services
- Monitoring and analyzing usage patterns to enhance platform performance
- Detecting, preventing, and addressing technical issues, fraud, and security threats
- Complying with legal obligations, including HIPAA, HITECH, and applicable state laws
- Enforcing our Terms of Service and other agreements
- Sending marketing communications (with your consent, where required by law)
4. HIPAA & Protected Health Information
NeurixaHealthAI operates as a HIPAA Business Associate when processing Protected Health Information (PHI) on behalf of Covered Entities. We enter into Business Associate Agreements (BAAs) with all enterprise customers before any PHI is processed through our platform.
PHI submitted to our platform is used exclusively to provide the contracted Services and is never sold, rented, or used for marketing purposes. We implement the full suite of HIPAA Administrative, Physical, and Technical Safeguards required under the HIPAA Security Rule.
Our PHI handling practices include:
- End-to-end encryption for all PHI in transit (TLS 1.3) and at rest (AES-256)
- Role-based access controls limiting PHI access to authorized personnel only
- Comprehensive audit logging of all PHI access and modifications
- Workforce training on HIPAA privacy and security requirements
- Business Associate Agreements with all downstream subprocessors handling PHI
- Breach notification procedures in compliance with the HIPAA Breach Notification Rule
- Data minimization — we collect and process only the PHI necessary to provide the Services
6. Data Security
We implement industry-leading security measures to protect your information against unauthorized access, alteration, disclosure, or destruction. Our security program includes:
- SOC 2 Type II certification — independently audited security controls
- HITRUST CSF certification for healthcare data security
- End-to-end encryption using TLS 1.3 for data in transit and AES-256 for data at rest
- Multi-factor authentication (MFA) required for all platform access
- Continuous security monitoring, intrusion detection, and vulnerability scanning
- Annual penetration testing by independent third-party security firms
- Zero-trust network architecture with least-privilege access principles
- Comprehensive incident response plan with defined SLAs for breach notification
- Regular security awareness training for all employees
7. Data Retention
We retain personal information and Customer Data for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements.
For enterprise customers, data retention periods are specified in the applicable Master Service Agreement (MSA) and Data Processing Addendum (DPA). Upon contract termination, Customer Data is retained for a transition period (typically 90 days) to allow for data export, after which it is securely deleted or anonymized.
Specific retention periods by data type:
- Account information: Duration of account plus 3 years after closure
- PHI and clinical data: As specified in the BAA and applicable law (minimum 6 years under HIPAA)
- Usage logs and analytics: 24 months rolling window
- Support communications: 3 years from last interaction
- Financial records: 7 years as required by applicable tax and accounting laws
- Marketing data: Until consent is withdrawn or 3 years of inactivity
8. Your Privacy Rights
Depending on your location and applicable law, you may have the following rights regarding your personal information:
- Right to Access — Request a copy of the personal information we hold about you
- Right to Correction — Request correction of inaccurate or incomplete information
- Right to Deletion — Request deletion of your personal information (subject to legal retention requirements)
- Right to Portability — Receive your data in a structured, machine-readable format
- Right to Restrict Processing — Request that we limit how we use your information
- Right to Object — Object to processing based on legitimate interests or for direct marketing
- Right to Withdraw Consent — Withdraw consent at any time where processing is based on consent
- Right to Non-Discrimination — Exercise your privacy rights without discriminatory treatment
9. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
California residents may submit privacy requests by contacting us at [email protected] or through our contact form. We will respond to verified requests within 45 days as required by law.
We do not sell personal information as defined under the CCPA. We do not share personal information for cross-context behavioral advertising without consent.
- Right to know what personal information is collected, used, shared, or sold
- Right to delete personal information collected from you
- Right to opt-out of the sale or sharing of personal information
- Right to correct inaccurate personal information
- Right to limit use and disclosure of sensitive personal information
- Right to non-discrimination for exercising CCPA rights
11. International Data Transfers
NeurixaHealthAI is headquartered in the United States. If you access our Services from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.
For customers in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on appropriate legal mechanisms for international data transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission.
Our global research collaborators in Australia, India, Canada, and the United Kingdom operate under data sharing agreements that comply with applicable local privacy laws and HIPAA requirements.
12. Children's Privacy
Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18 without parental consent, we will take steps to delete that information.
If you believe we have inadvertently collected information from a child under 18, please contact us immediately at [email protected].
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:
- Posting the updated policy on our website with a new "Last Updated" date
- Sending an email notification to registered account holders
- Displaying a prominent notice within the platform for 30 days following material changes
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Privacy Team: