Last Updated: April 8, 2026
Effective Date: April 8, 2026
This Privacy Policy (“Policy”) describes how NonoShad, Inc., doing business as NonoShad (“NonoShad,” “we,” “us,” or “our”), collects, uses, discloses, and protects information in connection with our AI voice agent platform for medical offices (the “Service”).
This Policy applies to:
This Policy does not apply to the privacy practices of our Customers. Callers who have questions about how their healthcare provider handles personal information should contact their provider directly.
Our handling of Protected Health Information (“PHI”) as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is governed by the Business Associate Agreement (“BAA”) we execute with each Customer. In the event of a conflict between this Policy and the BAA regarding PHI, the BAA controls.
When you register for the Service, we collect:
To power your AI voice agent, we collect information you provide about your practice:
When the AI voice agent handles calls, the following data may be collected:
Important: Call data frequently contains Protected Health Information (PHI) as defined under HIPAA. All PHI is handled in accordance with our BAA with the applicable Customer. See Section 4 for details.
We collect aggregated and operational data about how the Service is used:
Payment processing is handled by our third-party payment processor, Stripe, Inc. (“Stripe”). We do not store credit card numbers, debit card numbers, or bank account numbers on our systems. We receive and store:
For information on how Stripe handles your payment data, see Stripe's Privacy Policy.
When you access the Service dashboard, we automatically collect:
This data is collected for security, fraud prevention, and service improvement purposes.
We use the information we collect for the following purposes:
Important: Service improvement activities use only aggregated, de-identified data that cannot reasonably identify any individual patient or caller. De-identification complies with the standards set forth in 45 C.F.R. Section 164.514(b). We never use identifiable PHI for product development, training, or marketing.
NonoShad operates as a Business Associate (“BA”) under HIPAA when processing PHI on behalf of our Customers, who are typically Covered Entities (“CE”) or Business Associates themselves. Our obligations regarding PHI are defined in the BAA we execute with each Customer.
If you are a patient or caller whose information was processed by our Service, please note:
In the event of a breach of unsecured PHI, NonoShad will notify the affected Customer in accordance with the BAA and the HIPAA Breach Notification Rule (45 C.F.R. Sections 164.400-414). The Customer, as the Covered Entity, is responsible for notifying affected individuals and the Department of Health and Human Services as required.
We use the following third-party sub-processors to provide the Service. Each sub-processor processes data only as necessary to perform their specific function:
| Sub-Processor | Function | Data Processed |
|---|---|---|
| Retell AI | Voice processing, AI agent runtime | Call audio, transcripts, caller phone numbers (PHI) |
| Supabase (via AWS) | Database hosting, authentication | All Customer Data, including PHI |
| Microsoft Azure | Backend infrastructure, hosting (Azure Container Apps, Azure Key Vault) | All data processed by the Service |
| Stripe | Payment processing | Billing and payment information (no PHI) |
| Calendar integration (optional) | Appointment data, provider availability | |
| Resend | Transactional email | Account notifications, email addresses (no PHI) |
Where sub-processors handle PHI, NonoShad has executed appropriate Business Associate Agreements or equivalent contractual protections with each sub-processor, as required by HIPAA.
We maintain an up-to-date list of sub-processors at this page. We will notify Customers at least thirty (30) days before adding a new sub-processor that handles PHI.
We may disclose information, including PHI, if required to do so by law or in response to:
Where permitted by law, we will notify the affected Customer before disclosing their data in response to legal process.
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, Customer Data may be transferred to the successor entity, provided the successor agrees to be bound by the terms of this Policy and any applicable BAA.
We implement comprehensive administrative, technical, and physical safeguards to protect information in our custody:
Data retention is configurable per Customer, subject to the following defaults and minimums:
| Data Type | Default Retention | Notes |
|---|---|---|
| Call recordings | Configurable (default: 7 years) | Aligns with medical records retention requirements in most US states |
| Call transcripts | Configurable (default: 7 years) | Same as recordings |
| Call metadata | Configurable (default: 7 years) | Same as recordings |
| Account information | Duration of account + 30 days | Deleted after termination export window |
| Payment records | 7 years | Required for tax and financial compliance |
| Audit logs | 6 years minimum | Required by HIPAA |
| Usage analytics | 3 years | Aggregated, de-identified |
Customers may configure shorter retention periods for call recordings, transcripts, and metadata through the Service dashboard, subject to applicable legal requirements. NonoShad is not responsible for advising Customers on applicable retention requirements.
Data is automatically and permanently deleted after the configured retention period expires. Deletion is performed using secure methods that prevent recovery.
Customers may request earlier deletion of specific data by contacting support@medvoice.ai. Early deletion requests will be processed within thirty (30) days, subject to any legal holds or regulatory requirements.
Upon termination of a Customer's account, Customer Data is available for export for thirty (30) days. After this period, all Customer Data, including PHI, is permanently destroyed in accordance with the BAA. A certificate of destruction is available upon request.
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code Sections 1798.100-1798.199.100):
To exercise your rights: Contact us at privacy@medvoice.ai or via email. We will verify your identity before processing your request. Requests will be fulfilled within forty-five (45) days, with one forty-five (45) day extension if reasonably necessary.
Note: CCPA/CPRA rights do not apply to PHI that is handled under HIPAA. PHI is governed by HIPAA and the applicable BAA. See Section 4.3.
If you are a patient or caller, your rights regarding PHI are governed by HIPAA and must be exercised through your healthcare provider (our Customer). These rights include:
Please contact your healthcare provider directly to exercise these rights. NonoShad, as a Business Associate, does not respond directly to patient rights requests but will assist our Customers in fulfilling their obligations.
If you are a Customer or End User of the Service, you may:
You may designate an authorized agent to submit requests on your behalf. Authorized agents must provide written authorization signed by the requestor, and we may require direct verification from the requestor.
The Service uses only essential cookies necessary for the operation of the platform:
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Maintains authenticated session | Session (expires on logout or browser close) |
| Authentication token | Secures your login session | 7 days |
| CSRF token | Prevents cross-site request forgery | Session |
Because we use only essential cookies, no cookie consent banner is required. Essential cookies are necessary for the Service to function and cannot be disabled without affecting core functionality.
The Service is a business-to-business platform designed for use by medical office administrators and staff. It is not directed at individuals under the age of eighteen (18), and we do not knowingly collect personal information from children.
If callers who interact with the AI voice agent are minors, their information is handled as PHI under the applicable BAA and in accordance with HIPAA, which provides protections for minors' health information.
If we become aware that we have collected personal information from a child under the age of thirteen (13) outside of the healthcare context, we will take steps to delete that information promptly. If you believe a child has provided us with personal information inappropriately, please contact us at privacy@medvoice.ai.
The Service is designed for and available only to medical offices, clinics, and healthcare organizations located in the United States. The Service is governed by US federal law (including HIPAA and TCPA) and applicable US state laws.
We do not intentionally collect or process personal information from individuals outside the United States. If you are located outside the United States, please do not use the Service.
Data processed by the Service is stored and processed in the United States.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
For material changes to this Policy, we will:
For non-material changes (e.g., formatting, clarifications that do not alter meaning), we will update the Policy and revise the “Last Updated” date without prior notice.
Your continued use of the Service after the effective date of an updated Policy constitutes your acceptance of the changes. If you do not agree to the changes, you should discontinue use of the Service and contact us to close your account.
If you have questions or concerns about this Privacy Policy, our data practices, or wish to exercise your rights, please contact us:
NonoShad — Privacy
NonoShad, Inc.
Address on file
Privacy Inquiries: privacy@medvoice.ai
General Support: support@medvoice.ai
Phone: Contact via email
Data Protection Officer: Not yet designated
DPO Contact: Not yet designated
For HIPAA-related concerns, you may also file a complaint with the US Department of Health and Human Services, Office for Civil Rights:
This Privacy Policy is a template and has not been reviewed by legal counsel. NonoShad strongly recommends that you engage qualified legal counsel to review and customize this Policy before use.