Privacy Policy
Last Updated: April 20, 2026
1. Introduction
Nimbus Healthcare ("we," "our," or "us") operates Nimbus OS™, a digital health technology platform that provides software-as-a-service (SaaS) and healthcare services, including the Novamed product offering. This Privacy Policy describes how we collect, use, disclose, and protect your personal information and Protected Health Information (PHI) when you use our platform, services, or websites.
By using Nimbus OS™, Novamed, or our services, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, do not use our services.
2. Information We Collect
2.1 Protected Health Information (PHI)
As a healthcare technology platform, we collect and process PHI as defined by the Health Insurance Portability and Accountability Act (HIPAA), including:
- Patient medical records and health history
- Prescription and medication information
- Laboratory test results and diagnostic data
- Provider notes and clinical documentation
- Insurance and billing information
- Demographic information (name, date of birth, contact information)
2.2 Platform User Information
For providers, administrators, and other platform users, we collect:
- Name, email address, and professional credentials
- Organization and role information
- Account credentials and authentication data
- Usage data and platform activity logs
2.3 Technical Information
- Device information and IP addresses
- Browser type and version
- Cookies and similar tracking technologies
- Log files and system analytics
3. How We Use Information
We use the information we collect for the following purposes:
- Healthcare Services: To provide, coordinate, and manage healthcare services, including prescription fulfillment, lab result delivery, and care coordination.
- Platform Operations: To operate, maintain, and improve the Nimbus OS™ platform and services.
- Treatment: To enable healthcare providers to deliver treatment and coordinate care.
- Payment: To process payments, bill insurance, and manage financial transactions.
- Healthcare Operations: For quality improvement, analytics, and operational purposes.
- Compliance: To comply with legal obligations, including HIPAA, state regulations, and healthcare standards.
- Communication: To send important updates and notifications and to respond to inquiries.
- Security: To detect, prevent, and respond to security threats and fraud.
- Artificial Intelligence Features: To power AI-assisted features within Nimbus OS™ and Novamed (such as clinical documentation assistance, summarization, content generation, and decision support tooling) using the third-party AI services described in Section 5.
4. Information Sharing and Disclosure
4.1 Healthcare Providers
We share PHI with authorized healthcare providers, clinics, and medical professionals who are involved in your care and have a legitimate need for the information.
4.2 Pharmacy and Fulfillment
PHI is shared with our pharmacy network, including Lake Hills Pharmacy, for prescription fulfillment, compounding, and medication delivery.
4.3 Business Associates
We may share PHI with third-party service providers who act as Business Associates under HIPAA, including:
- Cloud hosting and infrastructure providers
- Payment processors and billing services
- Laboratory and diagnostic service providers
- Technology vendors and integration partners
- Artificial intelligence and machine learning service providers (see Section 5)
All Business Associates are contractually required to maintain the confidentiality and security of PHI, including through HIPAA-compliant Business Associate Agreements (BAAs) where applicable.
4.4 Legal Requirements
We may disclose information when required by law, including:
- Court orders, subpoenas, or legal process
- Public health reporting requirements
- Law enforcement requests (as permitted by law)
- Regulatory compliance and audits
5. Artificial Intelligence (AI) Transparency
Nimbus OS™ and the Novamed product use third-party artificial intelligence services to power certain features. We believe in transparent disclosure of the AI services we rely on so that users, providers, and patients can make informed decisions about their data.
5.1 AI Services We Use
Our platform integrates with the following third-party AI service:
- Amazon Web Services (AWS) Bedrock: We use AWS Bedrock, a fully managed service from Amazon Web Services that provides access to foundation models from leading AI companies. AWS Bedrock is used to power AI-assisted features within our platform, including (but not limited to) clinical text summarization, documentation drafting, natural language search, and intelligent workflow assistance.
5.2 How AI Is Used in Our Platform
Information processed through AWS Bedrock may include user-submitted text, platform metadata, and, in certain limited and access-controlled workflows, de-identified or minimum-necessary clinical information. Where PHI is involved, processing occurs within AWS regions and configurations that support HIPAA-eligible workloads, and is governed by a Business Associate Agreement (BAA) between Nimbus Healthcare and AWS.
5.3 AI Data Handling Commitments
- Your data is not used to train foundation models. AWS Bedrock does not use customer inputs or outputs to train the underlying foundation models offered through the service.
- Data is protected in transit and at rest using industry-standard encryption (TLS 1.3 in transit; AES-256 at rest).
- Access to AI features is governed by the same role-based and attribute-based access controls (RBAC/ABAC) that apply throughout Nimbus OS™.
- AI-generated outputs are intended to assist, not replace, the professional judgment of licensed healthcare providers. Clinicians remain responsible for all clinical decisions.
- We log AI feature usage to support quality assurance, security monitoring, and incident response.
5.4 Learn More
For additional information about AWS Bedrock's privacy and data handling practices, please review the AWS Bedrock documentation and the AWS Service Terms. Questions about how we use AI in our platform may be directed to support@nimbushealthcare.com.
6. Your Rights
Under HIPAA and applicable privacy laws, you have the following rights regarding your PHI:
- Right to Access: Request copies of your health information.
- Right to Amend: Request corrections to inaccurate or incomplete information.
- Right to an Accounting: Request a list of disclosures of your PHI.
- Right to Request Restrictions: Request limitations on how we use or disclose your PHI.
- Right to Request Confidential Communications: Request alternative methods of communication.
- Right to File a Complaint: File a complaint if you believe your privacy rights have been violated.
To exercise these rights, please contact us at support@nimbushealthcare.com or submit a written request to our Privacy Officer.
7. Security Measures
We implement comprehensive security measures to protect your information, including:
- Encryption of data at rest (AES-256) and in transit (TLS 1.3)
- Role-based and attribute-based access controls (RBAC/ABAC)
- Regular security audits and penetration testing
- 24/7 security monitoring and incident response
- Employee training and background checks
- Business Associate Agreements with all third-party vendors handling PHI, including our AI service provider (AWS)
For more details, please see our Security & Trust page.
8. Data Retention
We retain PHI and personal information in accordance with applicable laws and regulations, including state medical record retention requirements and HIPAA. Generally:
- Medical records are retained as required by state law (typically 6–10 years).
- Account information is retained while your account is active and for a reasonable period thereafter.
- AI feature interaction logs are retained only as long as necessary for security, quality, and compliance purposes.
- We may retain certain information for legal, regulatory, or business purposes.
9. Children's Privacy
Our services are not intended for individuals under the age of 18. We do not knowingly collect information from children. If you believe we have collected information from a child, please contact us immediately.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time, including to reflect changes in the AI services or other technologies we use. We will notify you of any material changes by posting the new policy on this page and updating the "Last Updated" date. We encourage you to review this policy periodically.
11. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Nimbus Healthcare
Privacy Officer
Email: support@nimbushealthcare.com
- For HIPAA-related requests: Please include "HIPAA Privacy Request" in the subject line.
- For general privacy inquiries: Please include "Privacy Policy Inquiry" in the subject line.
- For AI-related questions: Please include "AI Transparency Inquiry" in the subject line.