Privacy Policy
1. Introduction
This Privacy Policy describes how Nesso Labs, Inc. ("Nesso," "we," "us," or "our") collects, uses, discloses, and protects information when you use our AI-powered clinical documentation platform ("Platform"), our marketing website at nessoapp.com ("Marketing Website"), or any related services (collectively, the "Services").
By creating an account or using our Services, you agree to this Privacy Policy. Please read it carefully.
This Privacy Policy applies to:
- Therapists/Customers: Licensed mental health professionals who register for and use the Platform
- Website Visitors: Individuals browsing our Marketing Website
- Authorized Users: Patients and other individuals authorized by Customers to access the Platform
This Privacy Policy should be read together with:
- Our Terms of Service (nessoapp.com/terms)
- Our Business Associate Agreement (nessoapp.com/baa)
If you are a HIPAA Covered Entity, the Business Associate Agreement governs how we handle Protected Health Information (PHI) and takes precedence over this Privacy Policy in case of any conflict regarding PHI.
2. Information We Collect
We collect information necessary to provide our AI-powered clinical documentation services and to comply with legal obligations.
2.1 Account Information
When you create an account, we collect:
- Contact Information: Name, email address, phone number
- Account Credentials: Username, password (encrypted)
- Billing Information: Payment card details (processed securely by our payment processor; we do not store complete card numbers)
2.2 Protected Health Information (PHI)
As a HIPAA Business Associate, we process Protected Health Information on your behalf, including:
- Session Data: Audio recordings (temporarily, during transcription only), session transcripts
- Clinical Notes: AI-generated and therapist-edited clinical documentation
- Patient Information: Names, dates of service, diagnoses, treatment information, and other health information you input or that is captured during sessions
Use of these features requires an active Business Associate Agreement.
Important:
- You are responsible for obtaining proper patient consent before recording sessions or inputting patient information
- Audio recordings are deleted after transcription is complete
- Session transcripts and clinical notes are retained as described in Section 7 (Data Retention & Deletion)
2.3 Technical & Usage Information
We automatically collect certain technical information when you use our Services:
- Device Information: Device type, operating system, browser type and version
- Usage Data: Features used, actions taken, session duration, pages viewed
- IP Address & Location: IP address and general geographic location
- Log Data: Access times, error logs, system activity
- Cookies & Tracking Technologies: See Section 11 for details
2.4 Communications
We collect information you provide when you:
- Contact customer support
- Provide feedback or suggestions
- Respond to surveys
- Sign up for marketing emails or newsletters
2.5 De-identified & Aggregated Data
We may de-identify or aggregate data in accordance with HIPAA standards (45 CFR §164.514(a)-(c)). Once properly de-identified, this data is no longer considered Personal Information or PHI and may be used for service improvement, research, and analytics.
2.6 Psychotherapy Notes
Nesso is intended for use with progress notes, sometimes referred to as "session notes." Nesso is not designed for the creation or storage of psychotherapy notes as defined under HIPAA. If you believe psychotherapy notes have been inadvertently submitted through the Platform, please contact us at hello@nessoapp.com.
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 To Provide Services
- Process session audio and generate clinical documentation
- Create AI-assisted documentation and other clinical content
- Provide customer support and respond to your inquiries
- Process payments and manage subscriptions
3.2 To Improve Services
- Analyze usage patterns and platform performance
- Identify and fix technical issues
- Develop new features and enhance existing functionality
- Conduct research using de-identified and aggregated data
3.3 To Ensure Security & Compliance
- Monitor for security threats and unauthorized access
- Detect and prevent fraud or abuse
- Comply with HIPAA Security Rule requirements
- Maintain audit logs as required by law
3.4 To Communicate With You
- Send transactional emails (account confirmations, billing notifications, service updates)
- Provide customer support responses
- Send marketing communications about our Services (you may opt out at any time)
- Notify you of changes to our Terms, Privacy Policy, or BAA
3.5 To Comply With Legal Obligations
- Respond to subpoenas, court orders, or legal processes
- Comply with HIPAA and other healthcare regulations
- Meet state and federal privacy law requirements
3.6 What We Don't Do
- We do not sell your data to third parties
- We do not use PHI for marketing purposes
- We do not permit the use of PHI for AI model training
We may also use your information for other purposes for which you provide specific consent.
3.7 Additional AI Restrictions
We do not use Protected Health Information to develop, improve, or train artificial intelligence models.
We do not use Customer Data — whether in its original, de-identified, or derivative form — to train artificial intelligence models intended to simulate clinical decision-making or act as a therapist.
We do not permit subcontractors or vendors to use PHI submitted through the Platform for model training or AI development.
We do not engage in automated decision-making that produces legal or similarly significant effects on individuals.
4. Artificial Intelligence Transparency & Governance
AI-generated outputs are assistive tools only and do not constitute medical advice, diagnosis, or treatment recommendations. Therapists remain solely responsible for reviewing and approving all documentation.
No automated decisions regarding patient care are made by the Platform without human oversight and professional review.
Artificial intelligence systems may produce probabilistic outputs and may contain inaccuracies. Nesso makes no guarantees regarding the accuracy or completeness of AI-generated outputs.
Nesso does not use Protected Health Information to train AI models and requires vendors to maintain equivalent restrictions.
Nesso maintains governance processes that may include bias reviews, model validation, vendor oversight, and AI-specific risk assessments.
5. HIPAA Compliance
5.1 Our Role as Business Associate
Nesso is a HIPAA Business Associate. You (the mental health professional using our Services) are typically a HIPAA Covered Entity. This means:
- We process Protected Health Information (PHI) on your behalf
- We are bound by the HIPAA Privacy Rule and Security Rule
- We have executed a Business Associate Agreement (BAA) with you
- We implement appropriate safeguards to protect PHI
5.2 Business Associate Agreement (BAA)
By using our Services to process PHI, you agree to our Business Associate Agreement, available at nessoapp.com/baa. If there is any conflict between this Privacy Policy and the BAA regarding the handling of PHI, the BAA controls. Nothing in this Privacy Policy modifies or expands obligations set forth in an executed BAA.
5.3 Not a Covered Entity
Nesso is not a HIPAA Covered Entity. We do not provide healthcare services directly to patients. You (the therapist) are responsible for determining whether you are a Covered Entity, obtaining proper patient authorizations and consents, complying with HIPAA's requirements for Covered Entities, and maintaining your own Notice of Privacy Practices.
5.4 42 CFR Part 2 (Substance Use Disorder Records)
If your practice handles substance use disorder records subject to 42 CFR Part 2, additional patient consent requirements and disclosure restrictions may apply. Nesso's safeguards and Business Associate Agreement are designed to support compliance with these requirements where applicable.
6. Third-Party Services
We work with third-party service providers to deliver our Services. Service providers who access Protected Health Information do so under Business Associate Agreements.
6.1 Categories of Third-Party Services
We use the following categories of third-party service providers: cloud infrastructure and hosting, payment processing, artificial intelligence services (for transcription and note generation), analytics, authentication, email communications (transactional and marketing), customer support, and website hosting for our Marketing Website.
6.2 Subprocessor Safeguards
All subprocessors that handle Protected Health Information are contractually required to execute Business Associate Agreements with equivalent safeguards.
6.3 Geographic Location
All data is stored and processed within the United States.
7. Data Retention & Deletion
7.1 Active Accounts
While your account is active, we retain your data as long as necessary to provide Services and as required by applicable law.
7.2 Audio Recordings
Audio recordings are deleted after transcription is complete. We do not store, retain, or archive audio recordings. Once transcription is finished, the audio is permanently destroyed.
7.3 After Account Termination
Upon account termination, we will securely delete or destroy all Protected Health Information in accordance with our Business Associate Agreement and HIPAA requirements. We recommend exporting any data you wish to retain before canceling your account.
7.4 De-identified Data
We may retain de-identified and aggregated data indefinitely for purposes of improving our Services, conducting research, and developing new features, in accordance with applicable law. Once data is properly de-identified according to HIPAA standards, it is no longer considered PHI.
7.5 Early PHI Deletion Requests
Users may request deletion of specific Protected Health Information earlier than the standard retention schedule, subject to legal retention requirements, litigation holds, or active account obligations. Requests will be processed in accordance with HIPAA and the applicable Business Associate Agreement.
7.6 Legal Holds
Notwithstanding the above, we may retain data longer if required by law, legal process, litigation hold, or regulatory investigation.
8. Your Privacy Rights
8.1 Covered Entity Support
When Nesso acts as a Business Associate, we assist Covered Entities in responding to patient requests including access, amendment, and accounting of disclosures as required under HIPAA.
You have certain rights regarding your personal information. The specific rights available to you may depend on your state of residence.
You have the right to access, correct, delete, and obtain copies of your personal information. You also have the right to opt out of the sale of your personal information (we do not sell personal information) and opt out of marketing communications. We will respond to verified requests within 45 days of receipt, as required by applicable law. We will not discriminate against you for exercising any of your privacy rights.
To exercise your rights, contact us at:
Email hello@nessoapp.com and include the type of request in your subject line.
For PHI, you have additional rights under HIPAA, including rights to access, amendment, and accounting of disclosures. These rights are handled in accordance with our Business Associate Agreement and your role as the Covered Entity.
9. State Privacy Law Compliance
We comply with applicable state privacy laws, including the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and other state privacy laws as applicable.
9.1 Sensitive Health Data
We treat mental health-related information as highly sensitive personal information and apply enhanced safeguards consistent with its nature. Where applicable we also comply with emerging state health data laws such as the Washington My Health My Data Act and the Colorado Privacy Act.
9.2 Categories of Information Disclosed
In the past 12 months, we have disclosed the following categories of personal information to service providers for business purposes:
- Identifiers (to cloud infrastructure, payment processors, authentication providers, email service providers, customer support platform)
- Sensitive Personal Information/PHI (to cloud infrastructure provider, transcription service provider)
- Internet Activity (to analytics providers)
- Commercial Information (to payment processors)
We do not sell personal information or share it for cross-context behavioral advertising.
9.3 Your Rights Under State Law
Depending on your state of residence, you may have rights including: the right to know what personal information we collect, use, and disclose; the right to delete your personal information; the right to correct inaccurate information; the right to opt out of the sale of personal information (we do not sell); the right to limit use of sensitive personal information; and the right to non-discrimination for exercising your rights. To exercise any of these rights, email hello@nessoapp.com.
10. Security
We implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule to protect your information from unauthorized access, disclosure, alteration, and destruction. These safeguards include encryption in transit, role-based access controls, authentication safeguards, logging and monitoring controls, and vendor security assessments. No system is 100% secure, and we cannot guarantee absolute security. You are responsible for keeping your login credentials confidential and reporting suspected security incidents to hello@nessoapp.com.
In the event of a breach of unsecured PHI, we will notify you without unreasonable delay and no later than required by HIPAA (45 CFR §164.410) and other applicable laws.
10.1 Additional Security Governance
Nesso conducts regular security and privacy risk assessments, including assessments related to artificial intelligence components of the Platform.
11. Cookies & Tracking Technologies
We use cookies and similar technologies to operate our Platform and understand how you use our Services. We use essential cookies (required for Platform functionality, authentication, and security), analytics cookies (to improve our Services and understand usage patterns), and preference cookies (to remember your settings). On our Marketing Website, we use Google Analytics and Google Tag Manager. For information about how Google collects and processes data, visit www.google.com/policies/privacy/partners/. Google Analytics retains data according to their retention settings, typically 26 months. Within the Platform, we use a separate analytics service. We do not use cookies or tracking technologies to track patients or therapy sessions.
You can control cookies through your browser settings. You can also opt out of Google Analytics tracking specifically by using Google's opt-out browser add-on, available at tools.google.com/dlpage/gaoptout. Blocking essential cookies will prevent the Platform from functioning properly, but blocking analytics or preference cookies will not affect core Services.
12. Children's Privacy
Our Services are not directed at children under 13, and we do not knowingly collect personal information directly from children. If you use our Services while providing care to minor patients, you are responsible for obtaining all necessary parental or legal guardian consents as required by applicable law before recording sessions or inputting patient information. If we learn that we have inadvertently collected information directly from a child under 13 without proper consent, we will delete that information promptly. Contact hello@nessoapp.com if you believe we may have such information.
12.1 Minor Consent
Therapists providing services to minor patients must comply with applicable state laws regarding minor consent to mental health treatment and recording requirements.
13. International Access
Our Services are designed for mental health professionals in the United States. All data is stored and processed within the United States. If you access our Services from outside the United States, you do so at your own risk and are responsible for compliance with local laws. By using our Services from outside the US, you acknowledge and agree that your data will be transferred to, processed, and stored in the United States; US privacy laws apply to our processing of your information; and US laws regarding data privacy and security may differ from those of your country of residence.
14. Communications & Marketing
We send transactional communications necessary for your use of the Services (account confirmations, password resets, billing notifications, service updates, and changes to our Terms or policies). These cannot be opted out of. We may also send marketing communications about new features, tips, and resources. You may opt out of marketing communications at any time by clicking "Unsubscribe" in any marketing email or contacting hello@nessoapp.com.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you by posting the updated policy on our Marketing Website and updating the "Last Updated" date. For material changes, we may also send email notification. Continued use of the Services after changes are posted constitutes acceptance of the updated Privacy Policy.
16. Contact Information
For questions about this Privacy Policy or to exercise your privacy rights, contact us at:
Nesso Labs, Inc.
Email: hello@nessoapp.com
Address: PO Box 1045, 125 S King Street, Suite 2A, Jackson WY 83001-1045
Website: nessoapp.com
We aim to respond to all privacy requests within 45 days, as required by applicable law.
17. Survival of Obligations
Provisions relating to Protected Health Information, confidentiality, security safeguards, regulatory compliance, and related obligations survive termination of Services as required by law and applicable Business Associate Agreements.
If any provision of this Privacy Policy is found to be invalid or unenforceable, the remaining provisions will remain in full force and effect. In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction, subject to the same privacy protections. This Privacy Policy is governed by the laws of the State of Delaware and applicable US federal law (including HIPAA), without regard to conflict of laws principles.