NXS CLINICAL

Privacy Policy

Effective Date: April 2026

Important Notice

NXS Clinical is an educational platform and is NOT a covered entity under HIPAA. Do not enter real patient data or protected health information. All clinical scenarios and data are for educational purposes only.

1. Introduction & Scope

NXS Clinical ("we," "us," "our," or "Company") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you access and use our platform, including our website and mobile applications.

NXS Clinical is a healthcare education and professional reference platform designed for nursing students, nurses, nurse practitioners (NPs), physician assistants (PAs), and other healthcare learners. Our platform provides comprehensive features including drug references, disease and clinical reference content, medical calculators, flashcards, study tools, nursing education materials, shift-support templates, an AI assistant powered by advanced language models, subscription-based features, and account management capabilities.

Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our Services.

2. Information We Collect

Account Information

When you create an account, we collect and store the following information:

  • Email address and password (hashed for security)
  • Full name or display name
  • Professional role (student, nurse, NP, PA, or other healthcare learner)
  • License information and credentials verification (if applicable)
  • Account creation and update timestamps

This information is necessary to authenticate your access, personalize your experience, and provide you with appropriate learning resources based on your professional role.

Subscription & Payment Information

Payment processing is handled exclusively by Stripe, a PCI DSS-compliant payment processor. We do not store, transmit, or have access to your credit card information, bank account details, or sensitive payment credentials. We only receive and store the following from Stripe:

  • Transaction confirmation status (successful, failed, or pending)
  • Subscription status (active, canceled, or expired)
  • Billing cycle dates and amount
  • Invoice records for your account

Usage & Analytics Information

We collect information about how you interact with NXS Clinical to understand usage patterns, improve features, and provide personalized recommendations:

  • Features accessed (drug reference, disease reference, calculators, flashcards, study tools)
  • Search queries and diagnostic tool usage
  • Study progress, time spent on materials, and learning engagement
  • Exam performance and assessment results
  • Flashcard spaced repetition system (SRS) data and study patterns
  • Content viewed, downloaded, or bookmarked
  • Session duration and frequency of use

Device Information

To ensure secure access and enforce device limits for subscription accounts, we collect:

  • Device fingerprint (a unique identifier derived from device characteristics)
  • Device type and operating system
  • Browser type, version, and user agent
  • IP address and approximate geographic location
  • Session tokens and authentication cookies

Device fingerprints are used for session management and to enforce device-limit policies for subscription accounts. Session heartbeats are sent every 5 minutes to maintain active session security.

Preferences & Settings

We store your account and display preferences, which are synchronized across your devices:

  • Theme preferences (dark mode, light mode, system default)
  • Display and layout preferences
  • Notification settings and communication preferences
  • Language and localization preferences
  • Accessibility settings and customizations
  • Sidebar state and UI organization preferences

Approximately 27 preference keys are synchronized between your browser's localStorage and our Supabase database via user_metadata, ensuring a consistent experience across devices.

Shift & Clinical Tools Data

Important: All shift support and clinical data remain entirely on your device and are NOT transmitted to our servers. These tools help you during clinical shifts and include:

  • Patient brain sheets and clinical summaries
  • SBAR (Situation, Background, Assessment, Recommendation) templates
  • Shift handoff sheets and change-of-shift reports
  • Shift task lists and clinical reminders
  • Personal clinical notes and observations

This data is stored exclusively in your browser's localStorage and never transmitted to NXS Clinical servers. You have full control over when and whether to sync this data. We recommend clearing shift data at the end of each shift for privacy and compliance.

AI Assistant Data

When you use NXS Clinical's AI assistant features, your prompts, questions, and instructions are submitted to Anthropic's Claude API for processing. Please be aware:

  • AI prompts are transmitted to Anthropic's servers for inference and response generation
  • Do NOT submit personally identifiable information (PII), protected health information (PHI), or real patient data to the AI assistant
  • Prompts may be retained for safety, training, and service improvement purposes according to Anthropic's privacy policy
  • Always use de-identified, educational examples when interacting with the AI assistant

Review Anthropic's privacy policy at anthropic.com/privacy for complete details on how AI prompts are handled.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To provide, maintain, deliver, and improve NXS Clinical and its features, including drug references, clinical calculators, study tools, and educational content
  • Account Management: To create and manage your account, authenticate your access, verify your professional credentials, and track subscription status
  • Authentication: To securely authenticate your identity and manage your sessions across devices
  • Subscription Processing: To process your subscription payments, manage billing cycles, and communicate subscription-related updates
  • Personalization: To personalize your learning experience, deliver customized study recommendations, and adapt content to your professional role
  • Study Analytics: To analyze your study progress, track learning outcomes, provide performance insights, and optimize educational content
  • Drug References & Clinical Tools: To deliver accurate drug information, clinical calculators, disease references, and nursing education materials
  • AI Assistance: To generate AI-powered clinical support, learning assistance, and educational explanations through our Claude API integration
  • Communications: To send you service updates, security alerts, subscription renewals, policy changes, and respond to your inquiries
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes, and to protect our legal rights and the rights of our users
  • Fraud Prevention: To detect, investigate, and prevent fraudulent activities, unauthorized access, and violations of our terms
  • Service Optimization: To monitor system performance, analyze usage patterns, identify technical issues, and continuously improve NXS Clinical

4. Third-Party Services

NXS Clinical integrates with carefully selected third-party service providers to deliver secure, reliable, and feature-rich services. We only share the minimum necessary information with these providers:

Supabase (Authentication & Database)

Supabase is our primary backend infrastructure provider, handling:

  • User authentication and session management
  • Account data storage and persistence
  • Real-time data synchronization across devices
  • User preferences and settings (user_metadata storage)
  • Usage analytics and study progress data

Supabase maintains SOC 2 Type II compliance and implements enterprise-grade security standards. Data is encrypted in transit and at rest.

Stripe (Payment Processing)

Stripe securely processes all subscription payments and billing. We do not transmit payment card information to Stripe on your behalf—payment data flows directly from your browser to Stripe's secure infrastructure. Stripe is PCI DSS Level 1 compliant, meeting the highest industry payment security standards. We only receive transaction confirmations and subscription status from Stripe.

Anthropic (AI Services)

NXS Clinical integrates Anthropic's Claude API to provide AI-powered clinical support and educational assistance. When you use AI features:

  • Your prompts and questions are transmitted to Anthropic's servers
  • Claude generates responses based on your queries
  • Prompts may be used for safety monitoring and service improvement per Anthropic's policy

Review Anthropic's privacy policy for comprehensive details. Never submit patient data or real PHI to the AI assistant.

Vercel (Hosting & CDN)

Vercel hosts our web application and serves content globally through their CDN. Vercel implements standard security practices and SOC 2 compliance. Your IP address and basic request metadata may be collected for hosting, performance monitoring, and DDoS protection.

OpenAI (Text-to-Speech)

NXS Clinical uses OpenAI's text-to-speech API to convert study materials into audio format. When you use audio features, text content is transmitted to OpenAI's servers for speech synthesis. No patient data or personally identifiable information should be submitted to audio features. OpenAI's data usage is governed by their API terms and privacy policy.

Groq (Transcription Services)

NXS Clinical uses Groq's API for audio transcription services. When you use transcription features, audio content is transmitted to Groq's servers for processing and conversion to text. Do not submit audio containing patient information, protected health information (PHI), or any personally identifiable information to transcription features. Groq's data usage is governed by their API terms and privacy policy.

Each third-party service maintains its own privacy policy and security practices. We encourage you to review their privacy policies independently to understand how they handle your data.

5. Data Sharing

We do not sell, trade, or rent your personal information to third parties. We share your information only in the following circumstances:

  • Service Providers: We share necessary information with Supabase, Stripe, Anthropic, OpenAI, Groq, and Vercel to deliver platform functionality, process payments, provide AI features, generate audio content, enable transcription services, and verify professional credentials. These providers are bound by confidentiality agreements.
  • Legal Requirements: We may disclose your information when required by law, court order, subpoena, or government request, or to protect the legal rights, safety, and security of NXS Clinical, our users, or the public.
  • Business Transfers: In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. You will be notified of any such change and any choices you may have regarding your information.
  • With Your Consent: We may share your information with third parties when you explicitly consent or request us to do so.
  • Aggregated & De-identified Data: We may share aggregated, anonymized statistics and usage patterns with partners for research, analytics, and service improvement. This data cannot identify you.

6. HIPAA Disclaimer

NXS Clinical is NOT a HIPAA-covered entity and does not comply with HIPAA regulations (Health Insurance Portability and Accountability Act).

Do NOT use NXS Clinical to store, process, transmit, or manage Protected Health Information (PHI) or any real patient data. This includes:

  • Patient names, medical record numbers, or identifiers
  • Actual diagnosis, treatment plans, or clinical outcomes
  • Real patient case details or medical histories
  • Identifiable health information from real patients

NXS Clinical is designed exclusively for educational purposes—to support nursing students, nurses, and healthcare learners through study materials, references, and educational tools.

For patient care and clinical documentation: Healthcare professionals must use HIPAA-compliant Electronic Health Records (EHR) systems, hospital information systems (HIS), and clinical documentation platforms that meet regulatory requirements. NXS Clinical is a learning and reference tool, not a clinical information system.

7. Data Retention & Deletion

We retain your information for as long as necessary to provide Services and comply with legal obligations:

Active Accounts

Account information, study data, preferences, and usage analytics are retained for the duration of your active subscription. Data is retained for at least 30 days after cancellation to allow account recovery.

Inactive Accounts

Accounts that remain inactive (no login or usage) for 12 consecutive months may be subject to deletion. We will attempt to notify you via email before deletion. You can reactivate your account at any time by logging in.

Aggregated Analytics

Anonymized, aggregated usage patterns and analytics are retained indefinitely for service improvement and research purposes.

Local Device Data

Data stored in your browser's localStorage (preferences, shift notes, drafts) remains on your device until you clear your browser cache or manually delete it. This data is never synchronized to our servers without your explicit action.

8. Data Security

We implement comprehensive security measures to protect your information from unauthorized access, alteration, disclosure, or destruction:

Encryption in Transit

All data transmitted between your device and NXS Clinical servers is encrypted using TLS 1.3 (Transport Layer Security). This protects your information from interception during transmission.

Encryption at Rest

Data stored in our Supabase database is encrypted at rest using AES-256 encryption, the same standard used by financial institutions and government agencies.

Authentication & Sessions

Authentication tokens are stored in HttpOnly cookies, preventing access by malicious JavaScript. Sessions are secured with cryptographic signatures and refreshed regularly. Device session heartbeats are sent every 5 minutes to detect and terminate unauthorized sessions.

Password Security

Passwords are hashed using industry-standard algorithms (bcrypt) and salted. We never store or have access to your plain-text password.

Infrastructure Security

NXS Clinical uses Supabase (SOC 2 Type II certified) and Vercel for hosting, both maintaining enterprise-grade security practices, regular security audits, DDoS protection, and intrusion detection systems.

Data Access Controls

Access to user data is restricted to authorized personnel only, with role-based access controls. All access is logged and monitored for suspicious activity.

While we implement robust security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we commit to maintaining reasonable and appropriate safeguards.

9. Your Privacy Rights

Depending on your jurisdiction and applicable privacy laws, you may have the following rights regarding your personal information:

General Rights (All Users)

  • Right to Access: Request a copy of all personal data we hold about you in a portable format
  • Right to Correction: Request that we update, correct, or amend inaccurate information
  • Right to Deletion: Request deletion of your data ("right to be forgotten"), subject to legal retention requirements
  • Right to Portability: Receive your data in a structured, machine-readable format and have it transferred to another service provider
  • Right to Opt-out: Opt out of certain data uses, marketing communications, and analytics
  • Right to Withdraw Consent: Withdraw consent for data processing at any time

California Residents (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: Request what personal information we collect, use, and share
  • Right to Delete: Request deletion of personal information we have collected from you
  • Right to Opt-out of Sale/Sharing: Opt out of the sale or sharing of personal information for targeted advertising (Note: NXS Clinical does not sell personal information)
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Limit Use: Limit our use and disclosure of sensitive personal information
  • Right to Non-discrimination: We will not discriminate against you for exercising your privacy rights
  • Right to Opt-out of Automated Decisions: Opt out of profiling or automated decision-making that produces legal or similar effects

To exercise these rights, contact us at support@nxsclinical.com. We will verify your identity and respond within 45 days.

EEA & UK Residents (GDPR)

If you are located in the European Economic Area or United Kingdom, you have rights under the General Data Protection Regulation (GDPR):

  • Right of Access: Access your personal data at any time
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion under certain conditions ("right to be forgotten")
  • Right to Restrict Processing: Restrict how we process your data
  • Right to Portability: Receive data in portable format and transfer to other controllers
  • Right to Object: Object to processing for marketing, profiling, or legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time (does not affect prior processing)
  • Right to Lodge a Complaint: File a complaint with your national data protection authority

For data subject requests or GDPR inquiries, contact support@nxsclinical.com. We will respond within 30 days.

Other Jurisdictions

Additional privacy laws may apply in your jurisdiction (such as Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and Utah UCPA). We comply with applicable state and international privacy laws. Contact us for specific information about your rights under your local laws.

How to Exercise Your Rights

To exercise any of these rights, please contact us at:

  • Email: support@nxsclinical.com
  • Clearly state which right you wish to exercise
  • Provide sufficient information to verify your identity
  • Specify the data or action you are requesting

We will verify your identity and respond to legitimate requests within the timeframe required by applicable law (typically 30-45 days). No fees will be charged unless your request is manifestly unfounded or excessive.

10. Children's Privacy

NXS Clinical is intended exclusively for healthcare professionals and students aged 18 years and older. We do not knowingly collect personal information from children under the age of 13.

If we become aware that a child under 13 has provided us with personal information through NXS Clinical, we will take immediate steps to delete such information and terminate the child's account. Parents or guardians who believe their child has provided information to NXS Clinical should contact us immediately at support@nxsclinical.com.

Legal Basis for Age Restriction: NXS Clinical deals with medical and clinical information that is appropriate only for healthcare education professionals. Our platform is not designed, intended, or appropriate for minors, and we comply with COPPA (Children's Online Privacy Protection Act) and similar laws by not collecting information from children under 13.

11. International Data Transfers

NXS Clinical is based in and operates from the United States. Your information is stored on servers located in the United States and may be processed, stored, or accessed by our service providers (Supabase, Stripe, Vercel, Anthropic) which may be located globally.

For Users in the EEA, UK, or Other Restricted Jurisdictions: When we transfer your personal information internationally, we implement appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • Binding Corporate Rules where applicable
  • Adequacy decisions recognized by applicable authorities

By using NXS Clinical, you consent to the transfer of your personal information to countries outside your country of residence, which may have data protection laws that differ from your home country. We maintain adequate safeguards to protect your information during international transfers.

12. Cookies & Local Storage Policy

We use cookies, local storage, and similar tracking technologies to enhance your experience and secure your account:

Browser Local Storage

Preferences & Settings: Your display preferences, theme settings, layout configurations, and other personalization data are stored in your browser's localStorage. This data remains on your device and enables a consistent experience across sessions. You can clear this data at any time through your browser settings.

Shift & Clinical Data: Patient brain sheets, SBAR templates, handoff notes, and shift task lists are stored exclusively in localStorage for your clinical reference. This data is never transmitted to our servers and is under your complete control.

Authentication Cookies

HttpOnly Cookies: We use HttpOnly cookies to store encrypted authentication tokens. These cookies:

  • Cannot be accessed by JavaScript (protecting against XSS attacks)
  • Are encrypted and signed with cryptographic keys
  • Are automatically sent only to our secure servers over HTTPS
  • Expire after a set period or when you log out

What We Do NOT Use

  • We do NOT use third-party tracking cookies or pixels
  • We do NOT use remarketing or behavioral advertising cookies
  • We do NOT share cookies with external advertisers or analytics services
  • We do NOT employ fingerprinting for user tracking (only for session security)

Managing Cookies & Storage

You can control cookies and local storage through your browser settings:

  • Clear cookies and storage data through your browser preferences
  • Disable third-party cookies (note: disabling all cookies may affect functionality)
  • Use private/incognito browsing to avoid persistent local storage
  • Manage localStorage for individual sites through browser developer tools

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Your continued use of NXS Clinical after changes have been posted constitutes your acceptance of the updated Privacy Policy.

Notification of Material Changes: For material changes that expand data collection, increase sharing with third parties, or modify your rights, we will notify you by:

  • Sending an email notification to your registered email address
  • Posting a prominent notice on our website or within NXS Clinical
  • Requesting your consent if required by applicable law

Effective Date: The "Effective Date" at the top of this policy indicates when it was last updated. We encourage you to review this Privacy Policy regularly to stay informed about how we protect your information.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy, your data, or our privacy practices, please contact us:

Email: support@nxsclinical.com

Response Time: We aim to respond to all privacy inquiries within 5-7 business days. For formal data subject requests (GDPR, CCPA), we comply with legal timelines (typically 30-45 days).

What to Include: When contacting us, please include your email address, account name if applicable, a clear description of your request, and any relevant details to help us assist you promptly.

Privacy Policy Summary

Your privacy is important to us. NXS Clinical is an educational platform designed for healthcare professionals and learners. We collect information necessary to provide our services (account data, usage analytics, preferences). We use industry-leading encryption, secure service providers, and do not sell your data. You have comprehensive privacy rights including access, correction, deletion, and portability. For clinical work, use HIPAA-compliant systems, not NXS Clinical. Contact us with any questions about your privacy.