1. Scope and summary
This Privacy Policy applies to Neurabrix websites, ClinicOS, and related applications, support, communications, and services that link to it (collectively, the “Services”). “Neurabrix,” “we,” “us,” and “our” refer to Neurabrix Inc. and its affiliates, including the Neurabrix entity identified in your order form, service agreement, or other contract with us.
A healthcare provider or clinic may provide its own privacy notice describing its practices. If that notice conflicts with this policy regarding patient information that we process for the provider, the provider’s notice and our agreement with that provider govern to the extent required by law.
2. Our role
When a clinic, hospital, clinician, or other organization uses ClinicOS for its patients, personnel, or operations, that organization generally decides why and how personal information is processed. We process that information on its behalf as a service provider, processor, or, where applicable, business associate, according to its instructions and our contract with it.
We act for our own purposes when we process website, business-contact, account-administration, billing, security, and service-usage information. Questions about patient records, clinical decisions, or a provider’s privacy practices should usually be directed first to the relevant provider.
3. Information we collect
Depending on how you use the Services, we may process:
- Identity and contact information, such as name, email address, phone number, postal address, date of birth, user identifier, professional title, and organization.
- Account and authentication information, such as login identifiers, roles, permissions, authentication tokens, and account settings. We do not receive your password from an external identity provider when it authenticates you directly.
- Health and clinical information, such as symptoms, diagnoses, medications, allergies, medical history, notes, recordings, transcripts, images, test results, appointments, and other information entered into or generated through ClinicOS.
- Operational and transaction information, such as scheduling, billing, payment status, inventory, support requests, customer configuration, and communications. Payment-card details may be handled directly by a payment provider rather than stored by us.
- Device, usage, and log information, such as IP address, browser and device type, operating system, timestamps, pages or features used, performance data, diagnostics, audit events, cookie identifiers, and approximate location inferred from an IP address.
- Communications and feedback, including messages, call or meeting details, survey responses, and information you provide to support or sales teams.
Please do not provide personal information that is not needed for the relevant care, workflow, or request. If you provide information about another person, you must be authorized to do so.
4. Sources of information
We receive information:
- directly from you when you create an account, use the Services, or contact us;
- from healthcare providers, employers, administrators, caregivers, or other authorized users;
- from connected systems and services that a customer or user chooses to integrate;
- automatically from browsers, devices, and our Services; and
- from vendors, identity providers, and public or commercial sources where permitted by law.
5. How we use information
We use personal information as permitted by applicable law and our customer agreements to:
- provide, configure, maintain, and support the Services;
- enable clinical, administrative, scheduling, communication, and operational workflows;
- authenticate users, manage roles and permissions, and prevent fraud, abuse, and security threats;
- process transactions and administer customer accounts;
- monitor reliability, troubleshoot, audit, and improve performance and usability;
- respond to inquiries and send service, security, support, and administrative communications;
- comply with law, enforce agreements, and protect people, rights, safety, and property; and
- create and use aggregated or de-identified information as described below.
Where a legal basis is required, we rely as appropriate on consent, performance of a contract, compliance with legal obligations, protection of vital interests, and our or another party’s legitimate interests, balanced against individual rights. A healthcare customer determines the legal basis for patient information it directs us to process.
6. Artificial intelligence and de-identified data
ClinicOS may use artificial intelligence and machine-learning systems to support functions such as transcription, summarization, information extraction, search, workflow assistance, quality checks, and other features presented in the Services. AI output may be incomplete or inaccurate and should be reviewed by appropriately qualified users when used in healthcare or other consequential contexts.
Use of de-identified data
To the extent permitted by applicable law and our contracts, we may transform information so that it does not identify and cannot reasonably be used to identify an individual (“De-identified Data”). We may use De-identified Data for lawful business purposes, including to operate, analyze, audit, secure, research, develop, test, validate, evaluate, and improve the Services and other products, and to train and improve artificial-intelligence and machine-learning models.
We may retain De-identified Data for these purposes and may disclose it where lawful. We maintain measures designed to prevent the data from being associated with an individual, require recipients to use it only in de-identified form, and do not attempt to re-identify it except to test and improve our de-identification safeguards or as required by law. We do not characterize information as de-identified merely because direct identifiers have been replaced or separated if an individual remains reasonably identifiable.
Identifiable health data
We do not use identifiable patient health information to train general-purpose or shared AI models unless valid authorization or consent, our agreement with the applicable healthcare customer, and applicable law allow that use. Where U.S. protected health information is involved, we de-identify it for our own use only when the applicable business associate agreement authorizes de-identification and the process satisfies applicable HIPAA requirements. Customer-specific processing needed to provide a contracted feature is governed by the applicable customer agreement and is not treated as permission to train a general-purpose model.
8. Data retention
We retain personal information for as long as reasonably necessary to provide the Services, meet the instructions and retention settings of our customers, maintain legitimate business and security records, resolve disputes, enforce agreements, and comply with legal, regulatory, tax, accounting, and clinical recordkeeping obligations. Retention periods vary by the type of information, the context in which it was collected, and applicable contractual and legal requirements.
When personal information is no longer required, we delete it or render it de-identified, subject to backup cycles, legal holds, and technical limitations. De-identified information may be retained for as long as it remains de-identified and useful for a lawful purpose.
9. Security
We use administrative, technical, and physical safeguards designed to protect personal information, taking into account its sensitivity and the nature of the Services. These may include access controls, authentication, encryption, logging, monitoring, personnel controls, vendor review, backups, and incident response processes. No system is completely secure, and we cannot guarantee absolute security.
You are responsible for protecting your credentials, using the Services only as authorized, and promptly notifying your administrator or us of suspected unauthorized access.
10. International data transfers
Neurabrix and its service providers may process information in countries other than the country where it was collected. Where required, we use recognized transfer mechanisms and contractual, organizational, and technical safeguards. Customer contracts or product configuration may specify additional hosting or location requirements.
11. Your rights and choices
Depending on your location and the context, you may have rights to request access, correction, updating, deletion, portability, restriction, or objection; withdraw consent; appeal a decision; nominate another person to exercise rights; or complain to a regulator. These rights may be limited by applicable law and may not apply to information that is not personal information, including De-identified Data.
For patient information held in ClinicOS for a healthcare provider, contact that provider first. We will assist the provider as required by law and our agreement. For information Neurabrix controls directly, email contact@neurabrix.co with the subject “Privacy request.” We may need to verify your identity and authority before acting. Authorized agents may submit requests where permitted by law.
ClinicOS users may submit an account and associated-data deletion request through our ClinicOS account deletion page.
You may control cookies through your browser and unsubscribe from marketing email using the link in the message. We may still send non-marketing communications about your account, transactions, security, or the Services.
12. Regional notices
India
Where India’s Digital Personal Data Protection Act, 2023 and its implementing rules apply, you may have rights including access to information about processing, correction, completion, updating, erasure, grievance redressal, and nomination, subject to the Act’s commencement provisions and exceptions. You may contact us using the grievance channel below.
European Economic Area, United Kingdom, and Switzerland
Where applicable data-protection law in these regions applies, Neurabrix’s role and legal basis are described in Sections 2 and 5. You may also have the right to lodge a complaint with your local supervisory authority. Information is anonymous only when a person is not or is no longer identifiable; pseudonymized information remains personal information when it can be linked back to a person.
United States
State privacy laws may provide additional rights, subject to their scope and exceptions. We do not discriminate against you for exercising an applicable privacy right. When we process protected health information as a business associate, HIPAA and the applicable provider’s Notice of Privacy Practices and business associate agreement govern that information. This policy is not a HIPAA Notice of Privacy Practices for a healthcare provider.
13. Children
Our general websites and business Services are not directed to children. ClinicOS may process information about minors when submitted by a healthcare provider, parent, guardian, or other authorized person for healthcare or related services. We process that information under the customer’s instructions and applicable law. We do not knowingly collect children’s personal information through our general website without appropriate authorization.
14. Changes to this policy
We may update this policy to reflect changes in our Services, practices, or legal obligations. We will post the updated version here and revise the “Last updated” date. If required by law, we will provide additional notice or obtain consent before a material change takes effect.
15. Contact us
For privacy questions, requests, or grievances, contact our Privacy and Grievance team at contact@neurabrix.co with the subject “Privacy request.” General support is available at the same address.
Please identify the ClinicOS customer or healthcare provider connected with your request, if applicable, but do not email medical records or other sensitive information unless we provide a secure method.