Privacy Policy

Introduction

Neuvora LLC ("Neuvora," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, store, and protect information when you visit our website at neuvora.com (the "Site"), use our software platform, or engage with our healthcare technology services (collectively, the "Services").

This Privacy Policy applies to all users of our Services, including healthcare providers, patients, and visitors to our Site. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

Important: To the extent that we handle Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), our use and disclosure of such information is governed by our Notice of Privacy Practices, which supplements this Privacy Policy.

1. Information We Collect

1.1 Information You Provide Directly

• Account Information: Name, email address, phone number, professional credentials, and organizational affiliation when you create an account or register for our Services.
• Contact Form Submissions: Name, email, phone number, organization name, and message content when you submit inquiries through our contact forms.
• Patient Health Information: When our platform is used by healthcare providers, we may process health data including vital signs, medication information, treatment plans, cognitive assessment results, and other clinical data as directed by the healthcare provider. This information is treated as PHI under HIPAA.
• Billing Information: Payment details, insurance information, and billing addresses necessary for processing services and claims.
• Communications: Records of correspondence when you contact us via email, phone, or other channels.

1.2 Information Collected Automatically

• Device and Browser Information: IP address, browser type and version, operating system, device type, and unique device identifiers.
• Usage Data: Pages visited, time spent on pages, click patterns, referring URLs, and other interaction data.
• Cookies and Similar Technologies: We use cookies, web beacons, and similar tracking technologies to enhance your experience. See Section 7 (Cookies and Tracking Technologies) for details.
• Log Data: Server logs that record requests made to our servers, including timestamps, URLs requested, and response codes.

1.3 Information from Third Parties

• Healthcare Providers: Information shared with us by healthcare providers who use our platform to deliver care to their patients.
• Integration Partners: Data received through integrations with Electronic Health Record (EHR) systems, practice management software, and other healthcare technology platforms.
• CogniFit: Cognitive assessment data and results from our partnership with CogniFit for cognitive testing services.

2. How We Use Your Information

We use the information we collect for the following purposes:

Legal Bases for Processing: We process your information based on: (a) your consent; (b) the necessity to perform a contract with you or your healthcare provider; (c) compliance with legal obligations, including HIPAA; and (d) our legitimate business interests that do not override your rights.

3. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

• With Healthcare Providers: We share patient data with authorized healthcare providers as necessary to deliver care through our platform.
• Service Providers: We engage trusted third-party vendors who assist in operating our Services, including cloud hosting providers (Amazon Web Services), email service providers (SendGrid), and analytics services. All service providers with access to PHI are bound by Business Associate Agreements (BAAs) as required by HIPAA.
• Integration Partners: When directed by a healthcare provider, we may share data with EHR systems, billing systems, and other authorized healthcare technology platforms.
• CogniFit: For cognitive assessment services, relevant assessment data is shared with CogniFit pursuant to our partnership agreement and applicable BAAs.
• Legal Requirements: We may disclose information when required by law, regulation, subpoena, court order, or other legal process, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change in ownership or control.
• With Your Consent: We may share your information for other purposes with your explicit consent.

4. Data Retention

We retain your information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

• Account Information: Retained for the duration of your account and for a reasonable period thereafter for legal and business purposes.
• Protected Health Information: Retained in accordance with HIPAA requirements and applicable state medical record retention laws, which generally require retention for a minimum of six (6) years from the date of creation or the date when the information was last in effect, whichever is later. Some states require longer retention periods.
• Usage and Analytics Data: Generally retained for up to twenty-four (24) months.
• Contact Submissions: Retained for up to three (3) years unless you request earlier deletion.

5. Data Security

We implement comprehensive administrative, technical, and physical safeguards designed to protect your information in accordance with HIPAA Security Rule requirements and industry best practices:

• AES-256 encryption for data at rest and TLS 1.2+ encryption for data in transit
• Multi-factor authentication for platform access
• Role-based access controls with least-privilege principles
• Regular security assessments and penetration testing
• Continuous monitoring and audit logging
• Employee security awareness training
• Incident response and breach notification procedures

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to implementing reasonable measures to protect your data.

6. Your Rights and Choices

6.1 General Rights

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate or incomplete personal information.
• Deletion: Request deletion of your personal information, subject to legal retention requirements.
• Portability: Request a copy of your data in a commonly used, machine-readable format.
• Opt-Out: Opt out of marketing communications at any time by using the unsubscribe link in our emails or contacting us directly.

6.2 HIPAA Rights

If your information constitutes PHI, you have additional rights under HIPAA, including the right to access, amend, and receive an accounting of disclosures of your PHI. These rights are described in detail in our Notice of Privacy Practices.

6.3 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know: You may request information about the categories and specific pieces of personal information we have collected, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share information.
• Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
• Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising.

Note: PHI that is collected, maintained, used, or disclosed pursuant to HIPAA is exempt from the CCPA/CPRA. Where HIPAA applies to your information, your rights are governed by HIPAA and our Notice of Privacy Practices.

7. Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

• Essential Cookies: Required for the Site to function properly, including session management and security.
• Analytics Cookies: Help us understand how visitors interact with our Site, including pages visited and navigation patterns.
• Functional Cookies: Remember your preferences and settings to enhance your experience.

You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of our Site. We do not use cookies to track or collect PHI.

8. Third-Party Services

Our Services may integrate with or link to third-party services. These include:

• Amazon Web Services (AWS): Cloud infrastructure and hosting services (BAA in place).
• SendGrid: Transactional email delivery services.
• CogniFit: Cognitive assessment and neuropsychological testing platform.
• EHR Systems: Various Electronic Health Record systems for data integration.

These third parties have their own privacy policies, and we encourage you to review them. We are not responsible for the privacy practices of third-party services that are not under our control.

9. Children's Privacy

Our Services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13 through our website. If a healthcare provider uses our platform to provide care to a minor, such data is handled as PHI under HIPAA and the applicable healthcare provider's policies.

If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us at [email protected], and we will take steps to delete such information.

10. Data Storage and International Transfers

Our Services are hosted and operated in the United States. If you access our Services from outside the United States, your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those of your jurisdiction. By using our Services, you consent to the transfer of your information to the United States.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last Updated" date at the top of this page and, where required, provide you with additional notice (such as a prominent notice on our Site or email notification).

Your continued use of our Services after any changes to this Privacy Policy constitutes your acceptance of the updated policy.