Privacy Policy

Effective date: May 5, 2026

Norvia Health, Inc. (“Norvia,” “we,” “us,” or “our”) operates the Norvia Health platform, including the website at norvia.health, the clinical operations portal, and the patient care portal (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Service.

1. Information We Collect

1.1 Information You Provide

  • Account information: Name, email address, phone number, clinic/organization name, and role when you create an account.
  • Patient information: Patient name, date of birth, contact details, insurance information, medical records, and surgical case details entered by authorized clinic staff.
  • Communications: Messages sent through the platform, including coordinator-patient messages, notes, and document requests.
  • Uploaded documents: Files uploaded to the platform such as medical records, consent forms, and identification documents.

1.2 Information Collected Automatically

  • Usage data: Pages visited, features used, timestamps, and actions taken within the platform.
  • Device and network data: IP address, browser type, operating system, and device identifiers.
  • Cookies: Session cookies for authentication and functional cookies for preferences. We do not use advertising or tracking cookies.

2. How We Use Your Information

  • Provide, maintain, and improve the Service
  • Facilitate clinical operations including scheduling, case management, and care coordination
  • Send appointment reminders, care instructions, and operational notifications via SMS, email, or fax
  • Generate AI-assisted autofill suggestions and translations
  • Maintain audit trails and compliance records
  • Respond to support requests and communicate about the Service
  • Detect and prevent fraud, abuse, or security incidents

3. Protected Health Information (PHI)

When Norvia processes Protected Health Information on behalf of a covered entity (healthcare provider), we do so as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). Our handling of PHI is governed by the Business Associate Agreement (BAA) with each covered entity. We maintain administrative, physical, and technical safeguards to protect PHI including encryption at rest and in transit, role-based access controls, and comprehensive audit logging.

4. How We Share Information

We do not sell your personal information. We may share information with:

  • Service providers: Third-party vendors that assist in operating the Service (e.g., Telnyx for SMS, SMTP providers for email, Phaxio for fax). These providers are contractually obligated to protect your data.
  • Your healthcare providers: Clinic staff authorized by your healthcare provider to access your information for care coordination purposes.
  • Legal requirements: When required by law, regulation, legal process, or governmental request.

5. Data Retention

We retain personal information and PHI for as long as necessary to fulfill the purposes described in this policy, comply with legal obligations, resolve disputes, and enforce agreements. Clinic administrators may request deletion of data in accordance with applicable law and our BAA obligations.

6. Data Security

We implement industry-standard security measures including TLS encryption for data in transit, AES-256 encryption for data at rest, role-based access controls, and regular security assessments. All access to PHI is logged in our audit system. While we strive to protect your information, no method of transmission or storage is 100% secure.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your information
  • Object to or restrict certain processing
  • Receive a copy of your data in a portable format
  • Opt out of SMS communications by replying STOP (see our SMS Consent page)

For patients: please contact your healthcare provider directly regarding access to your medical records, as they are the data controller for your PHI.

8. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. Information about minor patients may be entered by authorized clinic staff as part of clinical operations under the direction of the treating provider.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the effective date. Continued use of the Service after changes constitutes acceptance of the revised policy.

10. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Norvia Health, Inc.

Email: privacy@norvia.health