Back to home
LEGAL · Effective April 8, 2026

NonoShad — Privacy Policy

Last Updated: April 8, 2026
Effective Date: April 8, 2026


1. Introduction

This Privacy Policy (“Policy”) describes how NonoShad, Inc., doing business as NonoShad (“NonoShad,” “we,” “us,” or “our”), collects, uses, discloses, and protects information in connection with our AI voice agent platform for medical offices (the “Service”).

This Policy applies to:

  • Customers: Medical offices, clinics, and healthcare organizations that use our Service (“you” or “Customer”).
  • End Users: Administrative staff and authorized personnel who access the Service on behalf of a Customer.
  • Callers: Patients and other individuals who interact with AI voice agents powered by our Service.

This Policy does not apply to the privacy practices of our Customers. Callers who have questions about how their healthcare provider handles personal information should contact their provider directly.

Our handling of Protected Health Information (“PHI”) as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is governed by the Business Associate Agreement (“BAA”) we execute with each Customer. In the event of a conflict between this Policy and the BAA regarding PHI, the BAA controls.


2. Information We Collect

2.1 Account Information

When you register for the Service, we collect:

  • Organization name, address, and phone number
  • Admin contact name and email address
  • Staff names, email addresses, and roles (for user accounts)
  • Practice type and specialty

2.2 Practice Configuration

To power your AI voice agent, we collect information you provide about your practice:

  • Office hours and holiday schedules
  • Provider names, specialties, and availability
  • Services offered and accepted insurance plans
  • Frequently asked questions and custom responses
  • Call handling rules and routing preferences
  • Appointment types and scheduling parameters

2.3 Call Data

When the AI voice agent handles calls, the following data may be collected:

  • Call recordings — audio recordings of inbound calls (if enabled)
  • Call transcripts — text transcriptions of call audio
  • Caller phone numbers — the originating telephone number
  • Patient names — as provided by the caller during the conversation
  • Insurance information — as provided by the caller
  • Appointment details — dates, times, providers, and reasons for visit
  • Call metadata — date, time, duration, and outcome of each call

Important: Call data frequently contains Protected Health Information (PHI) as defined under HIPAA. All PHI is handled in accordance with our BAA with the applicable Customer. See Section 4 for details.

2.4 Usage Data

We collect aggregated and operational data about how the Service is used:

  • Call volume, duration, and peak times
  • AI agent performance metrics (e.g., successful scheduling rate, transfer rate)
  • Feature usage within the dashboard
  • Minutes consumed per billing period

2.5 Payment Information

Payment processing is handled by our third-party payment processor, Stripe, Inc. (“Stripe”). We do not store credit card numbers, debit card numbers, or bank account numbers on our systems. We receive and store:

  • Billing contact name and email
  • Billing address
  • Payment method type (e.g., “Visa ending in 4242”)
  • Transaction history (amounts, dates, invoice numbers)

For information on how Stripe handles your payment data, see Stripe's Privacy Policy.

2.6 Device and Browser Data

When you access the Service dashboard, we automatically collect:

  • IP address
  • Browser type and version
  • Operating system
  • Device type
  • Referring URL
  • Pages visited and actions taken within the dashboard
  • Date and time of access

This data is collected for security, fraud prevention, and service improvement purposes.


3. How We Use Information

We use the information we collect for the following purposes:

3.1 Providing the Service

  • Operating the AI voice agent to answer calls on your behalf
  • Processing caller requests (scheduling, information, routing)
  • Generating call transcripts and recordings
  • Delivering analytics dashboards and reports

3.2 Processing and Analyzing Calls

  • Transcribing call audio into text
  • Analyzing call content to determine outcomes and caller intent
  • Generating performance metrics and quality indicators

3.3 Analytics and Reporting

  • Producing call volume, duration, and outcome reports
  • Providing AI agent performance analytics
  • Generating billing usage summaries

3.4 Billing and Account Management

  • Processing subscription payments and overage charges
  • Sending invoices and payment receipts
  • Managing account status and plan changes

3.5 Security and Fraud Prevention

  • Detecting and preventing unauthorized access
  • Monitoring for suspicious activity
  • Enforcing our Terms of Service
  • Maintaining audit logs

3.6 Service Improvement

  • Improving AI voice agent accuracy and capabilities
  • Developing new features
  • Conducting internal research and analytics

Important: Service improvement activities use only aggregated, de-identified data that cannot reasonably identify any individual patient or caller. De-identification complies with the standards set forth in 45 C.F.R. Section 164.514(b). We never use identifiable PHI for product development, training, or marketing.


4. HIPAA and Protected Health Information

4.1 Our Role as Business Associate

NonoShad operates as a Business Associate (“BA”) under HIPAA when processing PHI on behalf of our Customers, who are typically Covered Entities (“CE”) or Business Associates themselves. Our obligations regarding PHI are defined in the BAA we execute with each Customer.

4.2 How We Handle PHI

  • PHI is used and disclosed only as permitted by the applicable BAA and HIPAA.
  • PHI is never used for marketing purposes.
  • PHI is never sold to third parties.
  • PHI is never used for purposes unrelated to providing the Service, except as required by law.
  • Access to PHI is restricted to authorized personnel on a need-to-know basis.

4.3 Patient Rights Under HIPAA

If you are a patient or caller whose information was processed by our Service, please note:

  • We are not your healthcare provider. Your healthcare provider (our Customer) is the Covered Entity responsible for your PHI.
  • To exercise your HIPAA rights (access, amendment, accounting of disclosures, restrictions), please contact your healthcare provider directly.
  • We will cooperate with our Customers to fulfill their obligations regarding patient rights requests as required by our BAA.

4.4 Breach Notification

In the event of a breach of unsecured PHI, NonoShad will notify the affected Customer in accordance with the BAA and the HIPAA Breach Notification Rule (45 C.F.R. Sections 164.400-414). The Customer, as the Covered Entity, is responsible for notifying affected individuals and the Department of Health and Human Services as required.


5. Information Sharing and Sub-Processors

5.1 Sub-Processors

We use the following third-party sub-processors to provide the Service. Each sub-processor processes data only as necessary to perform their specific function:

Sub-ProcessorFunctionData Processed
Retell AIVoice processing, AI agent runtimeCall audio, transcripts, caller phone numbers (PHI)
Supabase (via AWS)Database hosting, authenticationAll Customer Data, including PHI
Microsoft AzureBackend infrastructure, hosting (Azure Container Apps, Azure Key Vault)All data processed by the Service
StripePayment processingBilling and payment information (no PHI)
GoogleCalendar integration (optional)Appointment data, provider availability
ResendTransactional emailAccount notifications, email addresses (no PHI)

Where sub-processors handle PHI, NonoShad has executed appropriate Business Associate Agreements or equivalent contractual protections with each sub-processor, as required by HIPAA.

We maintain an up-to-date list of sub-processors at this page. We will notify Customers at least thirty (30) days before adding a new sub-processor that handles PHI.

5.2 Legal Requirements

We may disclose information, including PHI, if required to do so by law or in response to:

  • Valid subpoenas, court orders, or other legal process
  • Requests from law enforcement or government agencies
  • Actions necessary to protect the safety of any person
  • Actions necessary to protect our legal rights

Where permitted by law, we will notify the affected Customer before disclosing their data in response to legal process.

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, Customer Data may be transferred to the successor entity, provided the successor agrees to be bound by the terms of this Policy and any applicable BAA.

5.4 What We Do NOT Do

  • We do NOT sell personal information or PHI. We have not sold personal information in the preceding twelve (12) months and have no plans to do so.
  • We do NOT use PHI for marketing. We will never use patient data to market products or services to patients.
  • We do NOT share data with advertisers. We do not engage in advertising-supported business models.
  • We do NOT share personal information for cross-context behavioral advertising as defined under the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”).

6. Data Security

We implement comprehensive administrative, technical, and physical safeguards to protect information in our custody:

6.1 Encryption

  • At rest: All data, including PHI, is encrypted using AES-256 encryption.
  • In transit: All data transmitted between clients, servers, and sub-processors is protected using TLS 1.2 or higher.
  • Database: Database-level encryption is enabled on all data stores.

6.2 Access Controls

  • Role-based access control (RBAC) restricts data access to authorized personnel.
  • Multi-factor authentication (MFA) is required for all internal administrative access.
  • Principle of least privilege is enforced across all systems.
  • Unique user IDs and strong password policies are enforced.

6.3 Audit Logging

  • All access to PHI is logged with timestamps, user identifiers, and actions performed.
  • Audit logs are retained for a minimum of six (6) years, as required by HIPAA.
  • Logs are tamper-resistant and stored separately from operational data.

6.4 Infrastructure Security

  • Backend services are hosted in SOC 2 Type II and HIPAA-compliant data centers.
  • Network segmentation and firewalls isolate sensitive systems.
  • Regular vulnerability scanning and penetration testing.
  • Automated intrusion detection and alerting.

6.5 Organizational Controls

  • All employees with access to PHI undergo HIPAA training.
  • Background checks are conducted for personnel with access to sensitive data.
  • Incident response plan is maintained and tested regularly.
  • Regular security risk assessments are conducted in accordance with the HIPAA Security Rule.

7. Data Retention

7.1 Retention Periods

Data retention is configurable per Customer, subject to the following defaults and minimums:

Data TypeDefault RetentionNotes
Call recordingsConfigurable (default: 7 years)Aligns with medical records retention requirements in most US states
Call transcriptsConfigurable (default: 7 years)Same as recordings
Call metadataConfigurable (default: 7 years)Same as recordings
Account informationDuration of account + 30 daysDeleted after termination export window
Payment records7 yearsRequired for tax and financial compliance
Audit logs6 years minimumRequired by HIPAA
Usage analytics3 yearsAggregated, de-identified

7.2 Customer Configuration

Customers may configure shorter retention periods for call recordings, transcripts, and metadata through the Service dashboard, subject to applicable legal requirements. NonoShad is not responsible for advising Customers on applicable retention requirements.

7.3 Automatic Purge

Data is automatically and permanently deleted after the configured retention period expires. Deletion is performed using secure methods that prevent recovery.

7.4 Early Deletion

Customers may request earlier deletion of specific data by contacting support@medvoice.ai. Early deletion requests will be processed within thirty (30) days, subject to any legal holds or regulatory requirements.

7.5 Post-Termination

Upon termination of a Customer's account, Customer Data is available for export for thirty (30) days. After this period, all Customer Data, including PHI, is permanently destroyed in accordance with the BAA. A certificate of destruction is available upon request.


8. Your Rights

8.1 Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code Sections 1798.100-1798.199.100):

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, exercising legal claims).
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell personal information or share it for cross-context behavioral advertising. No opt-out is necessary, but you may submit a request to confirm this.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
  • Right to Limit Use of Sensitive Personal Information: We use sensitive personal information only as necessary to provide the Service.

To exercise your rights: Contact us at privacy@medvoice.ai or via email. We will verify your identity before processing your request. Requests will be fulfilled within forty-five (45) days, with one forty-five (45) day extension if reasonably necessary.

Note: CCPA/CPRA rights do not apply to PHI that is handled under HIPAA. PHI is governed by HIPAA and the applicable BAA. See Section 4.3.

8.2 Rights Under HIPAA

If you are a patient or caller, your rights regarding PHI are governed by HIPAA and must be exercised through your healthcare provider (our Customer). These rights include:

  • Right to access your PHI
  • Right to request amendment of your PHI
  • Right to an accounting of disclosures
  • Right to request restrictions on uses and disclosures
  • Right to request confidential communications

Please contact your healthcare provider directly to exercise these rights. NonoShad, as a Business Associate, does not respond directly to patient rights requests but will assist our Customers in fulfilling their obligations.

8.3 Access, Correction, and Deletion for Customers

If you are a Customer or End User of the Service, you may:

  • Access your account information and practice configuration through the Service dashboard.
  • Correct inaccurate account or configuration data through the Service dashboard or by contacting support.
  • Delete your account by contacting support@medvoice.ai. Account deletion is subject to the data retention and post-termination provisions in Section 7.

8.4 Authorized Agents

You may designate an authorized agent to submit requests on your behalf. Authorized agents must provide written authorization signed by the requestor, and we may require direct verification from the requestor.


9. Cookies and Tracking

9.1 Cookies We Use

The Service uses only essential cookies necessary for the operation of the platform:

CookiePurposeDuration
Session cookieMaintains authenticated sessionSession (expires on logout or browser close)
Authentication tokenSecures your login session7 days
CSRF tokenPrevents cross-site request forgerySession

9.2 What We Do NOT Use

  • No third-party tracking cookies. We do not use Google Analytics, Facebook Pixel, or any third-party tracking technology on the Service dashboard.
  • No advertising cookies. We do not serve ads and do not use cookies for advertising purposes.
  • No cross-site tracking. We do not track your activity across other websites.

9.3 Browser Settings

Because we use only essential cookies, no cookie consent banner is required. Essential cookies are necessary for the Service to function and cannot be disabled without affecting core functionality.


10. Children's Privacy

The Service is a business-to-business platform designed for use by medical office administrators and staff. It is not directed at individuals under the age of eighteen (18), and we do not knowingly collect personal information from children.

If callers who interact with the AI voice agent are minors, their information is handled as PHI under the applicable BAA and in accordance with HIPAA, which provides protections for minors' health information.

If we become aware that we have collected personal information from a child under the age of thirteen (13) outside of the healthcare context, we will take steps to delete that information promptly. If you believe a child has provided us with personal information inappropriately, please contact us at privacy@medvoice.ai.


11. International Users

The Service is designed for and available only to medical offices, clinics, and healthcare organizations located in the United States. The Service is governed by US federal law (including HIPAA and TCPA) and applicable US state laws.

We do not intentionally collect or process personal information from individuals outside the United States. If you are located outside the United States, please do not use the Service.

Data processed by the Service is stored and processed in the United States.


12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

12.1 Notification of Material Changes

For material changes to this Policy, we will:

  • Provide at least thirty (30) days' advance notice via email to Customer administrators.
  • Post the updated Policy on our website with a revised “Last Updated” date.
  • Display a prominent notice within the Service dashboard.

12.2 Non-Material Changes

For non-material changes (e.g., formatting, clarifications that do not alter meaning), we will update the Policy and revise the “Last Updated” date without prior notice.

12.3 Continued Use

Your continued use of the Service after the effective date of an updated Policy constitutes your acceptance of the changes. If you do not agree to the changes, you should discontinue use of the Service and contact us to close your account.


13. Contact Information

If you have questions or concerns about this Privacy Policy, our data practices, or wish to exercise your rights, please contact us:

NonoShad — Privacy
NonoShad, Inc.
Address on file

Privacy Inquiries: privacy@medvoice.ai
General Support: support@medvoice.ai
Phone: Contact via email

Data Protection Officer: Not yet designated
DPO Contact: Not yet designated

For HIPAA-related concerns, you may also file a complaint with the US Department of Health and Human Services, Office for Civil Rights:


This Privacy Policy is a template and has not been reviewed by legal counsel. NonoShad strongly recommends that you engage qualified legal counsel to review and customize this Policy before use.