Nexalink Privacy Policy
Effective: August 5, 2025
Entity: Nexalink Health, Inc. ("Nexalink")
Products: The Nexalink website and the CareCompass mobile and web applications (the "Services").
We build software to help people find appropriate care, understand benefits and costs, and take the next best action. This Policy explains what we collect, how we use and share data, and the choices you have.
We take a privacy-by-default approach: collect less, retain less, encrypt everything, and give you usable controls.
1. Scope & U.S.-Only Availability
This Policy covers the Nexalink website and CareCompass apps. The Services are intended for use in the United States only and are not directed to users outside the U.S.
Our role depends on how you access the Services:
- If you access CareCompass through a provider, employer, or payer (a "Customer"), we generally act as a Business Associate under HIPAA and a service provider/processor under U.S. privacy laws. The Customer remains responsible for HIPAA "designated record sets."
- If you use CareCompass directly, we act as an independent business/controller for your data.
If this Policy conflicts with a Customer BAA, the BAA controls for PHI we process for that Customer.
2. Information We Collect
You provide: account/profile details, plan/coverage details, navigation context, billing/EOB context, support messages, and communication preferences.
Collected automatically: device and app data, usage analytics, IP-derived coarse location, and first-party cookies. We do not use third-party advertising trackers.
From Customers/Integrations (enterprise): directory and plan feeds; optional FHIR/HL7 data if enabled by the Customer. EHR integration is not required for pilots.
3. How We Use Information
- Deliver and improve the Services (navigation, provider search, booking hand-offs, benefits/billing clarity, reminders).
- Explain benefits and likely costs; prioritize in-network options; encourage lower-cost appropriate care where applicable.
- Security and support (fraud detection, troubleshooting, safety).
- Analytics and quality (favoring de-identified/aggregated reporting).
- Legal and contractual compliance.
We do not sell personal information and we do not use PHI for advertising.
4. AI/LLM Use (CareCompass)
We use policy-constrained models to turn plain-language questions into next steps. For enterprise pilots, PHI persistence to model vendors is off by default. We minimize prompts, mask obvious identifiers where feasible, and log model calls. Models may be self-hosted or configured with no retention. Guidance is not medical advice.
5. Cookies & Similar Tech (Web)
We use strictly necessary, functional, and first-party analytics cookies. We honor Global Privacy Control (GPC) signals.
6. Retention
- Accounts: retained while your account is active.
- Enterprise/PHI: retained per Customer instructions and any applicable BAA.
- Logs/telemetry: typically 30–90 days.
- Support records: up to 24 months unless law/contract requires longer.
- De-identified analytics: may be retained longer.
7. Security
We use encryption in transit and at rest, least-privilege access, tenant isolation, audit logging, a secure SDLC, and an incident response process.
8. Your Choices & U.S. State Rights
- Access, correction, or deletion: contact us at support@nexalink.care (direct users) or contact your provider/payer/employer (enterprise users).
- Opt-outs: disable push/SMS/email notifications or precise location in device or in-app settings.
- We comply with applicable U.S. state privacy laws (e.g., California CPRA). We do not sell or share personal information as defined by CPRA.
9. EEA/UK Users (Minimal Notice)
The Services are intended for U.S. use and we do not target users outside the U.S. If GDPR/UK GDPR nevertheless applies to your use:
Legal bases: contract (to provide the Services), legitimate interests (security, service improvement, de-identified analytics), consent (optional features), and legal obligation.
Rights: access, rectification, erasure, restriction, objection, portability, and the right to lodge a complaint with a supervisory authority.
Contact legal@nexalink.care to exercise rights; we may refer you to your provider/payer/employer if we act as their processor/Business Associate.
10. Children’s Privacy
The Services are not directed to children under 13. We do not knowingly collect data from children under 13 without verifiable parental consent. If you believe a child provided data without consent, contact support@nexalink.care.
11. No Medical Advice
CareCompass provides guidance, not diagnosis or treatment. In an emergency, call 911.
12. Changes
We will post updates here with a new effective date and, where material, provide additional notice. Continued use means you accept the updated Policy.
13. Contact
Nexalink Health, Inc.
Email: legal@nexalink.care
Customer Support: support@nexalink.care
This Policy is for transparency only. The BAA/DPA with a Customer controls for PHI we process for that Customer.