Privacy Policy

Last updated: May 30, 2026

1. Overview

This Privacy Policy explains how Nem Health, Inc. ("Nem," "we," "our," or "us") collects, uses, shares, and protects information when you use our Service. Healthcare data is sensitive and we treat it that way — even before HIPAA certification is in place, our architecture is designed to meet HIPAA technical and administrative safeguards.

2. Information we collect

Information you provide

  • Account information — name, email, phone number, organization details.
  • Billing information — payment method, billing address (processed via Stripe; we do not store full card numbers).
  • Clinic configuration — staff records, treatment catalog, branding, AI agent prompts.
  • Patient information you enter — names, contact details, clinical notes, appointments, billing records. This may include Protected Health Information (PHI) under HIPAA.

Information collected automatically

  • Voice agent call data — recordings, transcripts, caller phone numbers, AI summaries.
  • Usage data — pages visited, features used, time spent, error logs.
  • Device data — IP address, browser type, operating system.

3. How we use information

  • To provide the Service — scheduling, voice receptionist, billing, reports.
  • To communicate with you about your account, security, and product updates.
  • To improve the Service — aggregated and de-identified analytics only.
  • To prevent fraud and abuse.
  • To comply with legal obligations.

We do not sell your data. We do not use patient information for advertising, ranking, or model training without explicit customer consent.

4. How we store data

Data is stored encrypted at rest (AES-256) on infrastructure operated by our hosting partners (currently Supabase / AWS regions in the United States). Data is encrypted in transit (TLS 1.2+). Access is restricted by role-based access control (RBAC) and logged.

5. How we share data

We share data only with:

  • Subprocessors who provide infrastructure on our behalf (cloud hosting, voice AI, payment processing, email, analytics). A current list is available on request to legal@nem.ai.
  • Authorized users in your workspace — based on the roles you configure.
  • Authorities when required by law, valid subpoena, or court order. We will notify you unless legally prohibited.

6. HIPAA and Business Associate Agreement

If you are a covered entity under HIPAA, you are required to have a Business Associate Agreement (BAA) in place before processing PHI through the Service. Contact legal@nem.ai to request our BAA. We will execute BAAs with HIPAA-eligible customers; we are also working to maintain BAAs with our underlying subprocessors.

7. Data retention

Active customer data is retained for the duration of your subscription. After account termination, we retain a copy for 30 days for export, then delete it within 90 days unless legal obligations require longer retention. Audit logs are retained for at least 6 years to support HIPAA-aligned operations.

8. Your rights

You have the right to:

  • Access the information we hold about you.
  • Request correction of inaccurate information.
  • Request deletion of your information (subject to legal retention requirements).
  • Export your data in a portable format (CSV).
  • Opt out of non-essential communications.

To exercise these rights, email privacy@nem.ai.

9. Children

The Service is not directed to children under 13. We do not knowingly collect data directly from children. Patient records you enter may include minors as patients of your clinic; the legal basis for processing is your responsibility as the controller of those records.

10. International transfers

Data is processed primarily in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US, where data protection laws may differ from those in your jurisdiction.

11. Security incidents

If we become aware of a security breach involving your data, we will notify you in accordance with applicable law and our Security & Compliance commitments.

12. Changes to this policy

We may update this policy periodically. Material changes will be communicated by email and posted here with a new "Last updated" date.

13. Contact

Questions about privacy? Email privacy@nem.ai. For BAAs and HIPAA inquiries, email legal@nem.ai.

Draft starting point. This document is a working draft prepared by the Nem team. It is not legal advice and must be reviewed by qualified counsel before production use. We will revise these documents periodically — current customers will be notified of material changes via email.