Privacy Policy
Last updated: March 20, 2026
NuBloom ("we," "us," or "our") provides a practice management platform designed for International Board Certified Lactation Consultants (IBCLCs) and allied healthcare professionals, as well as the patients they serve. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website at nubloom.co, our web application at app.nubloom.co, and our mobile application (collectively, the "Service").
We collect only the personal information reasonably necessary to provide the Service, fulfill our contractual obligations, and comply with applicable law. We do not collect personal information beyond what is needed for these stated purposes.
1. Scope: Platform Data vs. Patient Data
This Privacy Policy governs how we handle platform data — the information you provide to create and manage your NuBloom account, such as your name, email, credentials, and billing information.
Patient clinical data (Protected Health Information, or PHI) entered into the Service by healthcare providers is processed by NuBloom as a Business Associate under HIPAA. Our handling of PHI is governed by the Business Associate Agreement described in our Terms of Service (Section 6.1) and by the provider's own Notice of Privacy Practices — not solely by this Privacy Policy. Patients seeking access to, amendment of, or information about their health records should contact their healthcare provider directly.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your name, email address, phone number, professional credentials (for providers), and practice information such as practice name, NPI number, and taxonomy code. Patients may also provide a preferred name, date of birth, address, and language preference.
2.2 Protected Health Information (PHI)
In the course of providing the Service, we process PHI on behalf of healthcare providers, including:
- Patient demographics and contact information
- Medical history related to lactation, pregnancy, birth, and infant health
- Clinical visit documentation, assessments, and care plans
- Infant growth measurements and feeding records
- Insurance and billing information
- Uploaded documents such as identification and insurance cards
We handle PHI in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. We enter into Business Associate Agreements (BAAs) with covered entity customers as described in our Terms of Service.
2.3 Communication Data
When providers and patients use our secure messaging feature, we store message content, timestamps, and read receipts. SMS notifications sent through the Service include delivery metadata. We do not include clinical details or PHI in SMS messages; however, appointment reminders may contain scheduling information such as date, time, and practice name.
2.4 Payment Information
Payment processing is handled by Stripe. We do not store credit card numbers or bank account details on our servers. We retain Stripe customer identifiers and transaction metadata (amounts, dates, payment status) to maintain billing records.
2.5 Usage and Device Information
We use a privacy-focused, cookie-free analytics tool on our marketing website that does not collect personal data. It gathers only aggregate, anonymized usage statistics (page views, referral sources, device type, and country). No individual visitors are tracked or fingerprinted.
Within the application, our audit log records actions performed by authenticated users for security and compliance purposes. Audit entries may include metadata such as IP address, user agent, and timestamp.
2.6 Offline Data
Our mobile and web applications may store data locally on your device to enable offline access. Local data is encrypted where supported by the device and operating system. This data syncs with our servers when connectivity is restored and is permanently deleted from the device when you log out.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Enable providers to deliver, document, and bill for lactation care
- Facilitate secure communication between providers and patients via in-app messaging and SMS notifications
- Send appointment reminders and booking confirmations via email and SMS
- Process payments and generate invoices and superbills
- Provide the patient portal, including appointment scheduling, intake forms, and secure messaging
- Maintain audit trails for regulatory and HIPAA compliance
- Detect, prevent, and respond to security incidents, fraud, and unauthorized access
- Improve the Service and develop new features
- Respond to customer support requests
- Comply with legal obligations
We do not use your data to train machine learning or artificial intelligence models. We do not use your data for advertising, marketing profiling, or any purpose unrelated to delivering the Service.
4. How We Share Your Information
We do not sell, rent, or trade your personal information. We have not sold or shared personal information in the preceding 12 months. We share information only in the following limited circumstances:
4.1 Service Providers (Subprocessors)
We use third-party service providers to operate the platform, including providers of cloud hosting and database infrastructure, offline data synchronization, payment processing, transactional email delivery, SMS messaging, and website analytics. Each subprocessor processes data only as necessary to perform its function and is bound by contractual obligations consistent with our privacy and security commitments.
Where subprocessors handle PHI, they are bound by Business Associate Agreements or equivalent contractual protections as required by HIPAA.
4.2 Legal Requirements
We may disclose your information if required to do so by law or in response to valid legal process, such as a subpoena, court order, or government request. We will attempt to notify you before disclosing your information unless prohibited from doing so by law or court order.
4.3 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you by email and by posting a notice on the Service before your information is transferred and becomes subject to a different privacy policy.
4.4 With Your Consent
We may share your information in other circumstances with your explicit consent.
5. Data Security
We implement administrative, technical, and physical safeguards designed to protect your information in accordance with the HIPAA Security Rule, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Row-level security policies ensuring users can only access data within their organization
- Role-based access controls (owner, admin, provider, billing, readonly, intern)
- Automatic session timeout after 15 minutes of inactivity
- Biometric authentication support on mobile devices
- Comprehensive audit logging of all data access and modifications
- Immutable clinical records once signed by the provider
- Secure credential storage — passwords are hashed; we never store passwords in plaintext
No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. If you become aware of a security vulnerability, please report it to [email protected].
6. Breach Notification
In the event of a breach of unsecured Protected Health Information, we will notify affected healthcare providers (covered entities) without unreasonable delay and no later than 60 calendar days after discovery of the breach, as required by the HIPAA Breach Notification Rule (45 CFR 164.400-414).
Our breach notification will include:
- A description of the breach, including the date(s) of occurrence and discovery
- The types of information involved
- Steps individuals should take to protect themselves
- What we are doing to investigate the breach, mitigate harm, and prevent future occurrences
- Contact information for questions
For breaches of non-PHI personal information, we will notify affected users by email within a timeframe consistent with applicable state breach notification laws.
7. Data Retention
We retain your information for as long as your account is active or as needed to provide the Service. Specific retention periods include:
- Account data: Retained while your account is active. Upon account deletion, personal data is removed from active systems within 90 days, except where retention is required by law.
- Clinical records (PHI): Retained in accordance with applicable healthcare record retention laws, which in many jurisdictions require retention for 7 to 10 years for adult records and longer for minors. Signed clinical documentation is immutable and versioned for compliance purposes.
- Audit logs: Retained for a minimum of 6 years, consistent with HIPAA documentation retention requirements (45 CFR 164.530(j)).
- Payment records: Retained as required by tax and financial regulations.
- Backup copies: May persist for up to 30 additional days after deletion from active systems before being purged.
We strongly recommend exporting your data before terminating your account. Data export is available as described in our Terms of Service (Section 5.3).
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you
- Correction: Request that we correct inaccurate or incomplete information
- Deletion: Request that we delete your personal information, subject to legal retention requirements
- Portability: Receive a copy of your data in a structured, machine-readable format
- Restriction: Request that we restrict or limit certain processing of your information
- Opt-out of SMS: Withdraw consent for SMS notifications at any time by replying STOP or contacting your provider
Patients seeking access to their health records should contact their healthcare provider directly. Providers control their patients' clinical data and are responsible for responding to patient access requests under HIPAA.
To exercise any of these rights regarding your account data, contact us at [email protected]. We will acknowledge your request within 10 business days and respond substantively within 30 days. If we need additional time, we will notify you of the reason and the extended timeframe (up to 45 days for California residents, as required by the CCPA). We will not charge a fee for processing your request unless it is manifestly unfounded or excessive.
You may designate an authorized agent to submit a request on your behalf. We may require verification of your identity and the agent's authority before processing the request.
9. State-Specific Privacy Rights
9.1 California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information. In the preceding 12 months, we have collected the following categories of personal information:
- Identifiers: Name, email address, phone number, IP address, account credentials
- Customer records: Professional credentials, practice information, billing address
- Protected classifications: Date of birth, gender (when voluntarily provided for clinical care)
- Commercial information: Subscription plan, payment history, transaction records
- Biometric information: Biometric authentication (Face ID, Touch ID) is processed on-device by the operating system; NuBloom does not store biometric templates
- Internet or network activity: Audit log entries (IP address, user agent, actions performed within the application)
- Geolocation data: Approximate location derived from IP address (we do not collect precise GPS location)
- Audio, electronic, visual, or similar information: Photos and documents uploaded by providers or patients (e.g., identification, insurance cards)
- Professional or employment information: Professional license type, NPI number, taxonomy code
- Inferences: Derived data such as practice metrics, patient progress trends, and growth chart percentiles generated from information you enter
- Sensitive personal information: Health-related information processed as PHI under HIPAA (used only for providing healthcare services, not for commercial purposes)
Under the CCPA/CPRA, you have the right to:
- Know what personal information we have collected and how it is used and shared
- Request deletion of your personal information
- Request correction of inaccurate personal information
- Opt out of the sale or sharing of your personal information
- Limit the use of your sensitive personal information
- Not be discriminated against for exercising your privacy rights
We do not sell or share your personal information as those terms are defined under the CCPA. We do not use sensitive personal information for purposes beyond those authorized by the CCPA. We will not discriminate against you for exercising any of your rights under the CCPA.
If we deny your request, you have the right to appeal. To appeal a denied request, contact us at [email protected] with "CCPA Appeal" in the subject line.
9.2 Washington Residents (My Health My Data Act)
If you are a Washington resident, the My Health My Data Act provides additional protections for consumer health data. NuBloom does not collect, share, or sell consumer health data outside of the HIPAA-regulated context described in this Privacy Policy. To the extent we process health data outside the scope of HIPAA, we will obtain your consent and provide the rights required under Washington law, including the right to access, delete, and withdraw consent for the collection and sharing of your health data.
9.3 Other State Privacy Laws
Many other states have enacted comprehensive consumer privacy laws, including Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, New Hampshire, New Jersey, Nebraska, Kentucky, Maryland, and Minnesota. Residents of these and other states with applicable privacy laws may have similar rights to access, correct, delete, and port their personal information, and to opt out of targeted advertising. We do not engage in targeted advertising, profiling for decisions that produce legal or similarly significant effects, or the sale of personal information. To exercise your rights under any applicable state law, contact us at [email protected].
10. Do Not Sell, Share, or Track
We do not sell your personal information. We have never sold personal information and have no plans to do so.
We do not share your personal information for cross-context behavioral advertising, as defined under the CCPA/CPRA.
Global Privacy Control (GPC): Our Service is designed to honor Global Privacy Control signals. If your browser or device sends a GPC signal, we will treat it as a valid opt-out of the sale or sharing of personal information.
Do Not Track (DNT): Our marketing website does not track individual users. Within the application, we do not respond to browser Do Not Track signals because we do not engage in cross-site tracking.
11. Communications
11.1 Transactional Communications
We send transactional emails and SMS messages that are necessary for the operation of the Service, including appointment reminders, booking confirmations, portal invitations, security alerts, and account notifications. These communications are not marketing and cannot be opted out of while your account is active.
11.2 Marketing Communications
We may occasionally send marketing emails about product updates, new features, or educational content. You can opt out of marketing emails at any time by clicking the unsubscribe link in any marketing email or by contacting us at [email protected]. Opting out of marketing emails does not affect transactional communications.
11.3 SMS Messages
SMS messages are sent on behalf of providers for appointment reminders, booking confirmations, and secure messaging notifications. SMS messages do not include clinical details or PHI. Appointment reminders may include scheduling information such as date, time, and practice name. Message notifications direct recipients to the secure patient portal without disclosing message content.
Message frequency varies based on appointment activity and messaging. Standard message and data rates may apply. You can opt out of SMS notifications at any time by replying STOP to any message or by contacting your provider. Opting out of SMS does not affect access to the patient portal or other features.
12. Cookies and Local Storage
Our marketing website (nubloom.co) does not use cookies for analytics or tracking. We use a privacy-focused, cookie-free analytics tool that collects no personal data.
The application (app.nubloom.co) uses essential cookies and local storage solely for authentication and session management. We do not use advertising cookies, third-party tracking cookies, or social media pixels. No cookie consent banner is required because we use only strictly necessary cookies.
13. AI and Automated Processing
NuBloom does not currently use artificial intelligence, machine learning, or automated decision-making systems to process your personal information or make decisions that produce legal or similarly significant effects.
We do not use your data — including clinical records, patient data, or any other information you enter into the Service — to train, fine-tune, or improve AI or machine learning models.
Reference data displayed in the Service (such as WHO growth chart percentiles) is based on published clinical standards and does not involve AI-generated analysis. All clinical decisions remain the sole responsibility of the treating provider.
If we introduce AI-powered features in the future, we will update this Privacy Policy, notify affected users, and provide the ability to opt out where required by law.
14. De-identification and Aggregation
We may de-identify or aggregate information so that it can no longer reasonably be used to identify a specific individual. De-identification follows the HIPAA Safe Harbor method (removal of the 18 specified identifiers under 45 CFR 164.514(b)(2)). We may use de-identified or aggregated data for internal analytics, service improvement, and industry benchmarking.
We will not attempt to re-identify de-identified information except to verify that our de-identification processes satisfy applicable legal requirements.
15. Data Location
All data is stored and processed in the United States. Offline data cached on your device is stored locally and syncs with our US-based servers.
If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you consent to this transfer. We do not currently offer data residency options in other regions.
16. Children's Privacy
Our Service is designed for use by healthcare providers and their adult patients. Infant and child health information is entered by healthcare providers or parents/guardians as part of clinical care and is treated as Protected Health Information under HIPAA. We do not knowingly collect personal information directly from children under 13. If you believe a child under 13 has provided us with personal information without parental consent, please contact us at [email protected] and we will promptly delete it.
17. HIPAA and HITECH Compliance
When we process Protected Health Information on behalf of healthcare providers, we act as a Business Associate under HIPAA and the HITECH Act. By creating a provider account and accepting our Terms of Service, you enter into a Business Associate Agreement with NuBloom.
Our HIPAA compliance program includes:
- Administrative, physical, and technical safeguards aligned with the HIPAA Security Rule
- Workforce training on privacy and security policies
- Business Associate Agreements with all subprocessors who may access PHI
- Breach notification procedures compliant with the HIPAA Breach Notification Rule (45 CFR 164.400-414) and HITECH Act requirements
- Regular risk assessments and security reviews
- Audit logging and access controls supporting the HIPAA minimum necessary standard
Providers are responsible for their own HIPAA obligations as covered entities, including obtaining patient consent, maintaining their own Notice of Privacy Practices, and responding to individual access and amendment requests.
If your organization requires a custom BAA or has additional compliance requirements, contact [email protected].
18. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. For changes that materially affect how we handle your personal information or PHI, we will notify you by email at least 30 days before the changes take effect. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.
19. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, contact us at:
- Privacy and data rights requests: [email protected]
- Security concerns: [email protected]
- General support: [email protected]
- Website: nubloom.co/contact