Privacy Policy

Effective date: June 10, 2026 · Last updated: June 10, 2026

This Privacy Policy explains how Nūr Evoke (designed by Nur Behavioral Health) ("we", "us") collects, uses, and protects information through the Nūr Evoke application and related services (the "Service").

1. Information we collect

• Account & identity — name, work email, role, and organization, managed through our identity provider (AWS Cognito). We do not store your password.
• Protected Health Information (PHI) — client records, scheduling, clinical data, session notes, documents, and related information your organization enters to deliver care.
• Usage & device data — log data needed to operate and secure the Service (e.g., timestamps, IP address for security, audit events). We keep PHI out of logs and URLs.

2. How we use information

We use information solely to provide, secure, maintain, and improve the Service for your organization — including authentication, access control, scheduling, clinical documentation, billing support, and audit logging. We do not sell personal information or PHI, and we do not use PHI for advertising.

3. Protected Health Information & HIPAA

For PHI, we act as a Business Associate of your organization (the Covered Entity) under HIPAA, and we handle PHI in accordance with a signed Business Associate Agreement (BAA). See our HIPAA Notice for details on safeguards and rights.

4. How information is shared

We share information only with subprocessors needed to run the Service, each under appropriate contractual and (where PHI is involved) BAA protections — for example, HIPAA-eligible AWS services for hosting/encryption, and Google Workspace for documents, calendar, and email. We disclose information when required by law or to protect rights and safety.

5. Data security

PHI is encrypted at rest (AWS KMS) and in transit (TLS 1.2+), hosted only on HIPAA-eligible infrastructure. We enforce multi-factor authentication, role-based access scoped to each organization, session timeouts, and an audit trail on access to and changes of PHI-bearing records.

6. Data retention

We retain information for as long as your organization maintains an account and as required by applicable law and your records-retention obligations. On termination, data is handled per your agreement and the BAA.

7. Your rights

Because your organization controls its records, requests to access, correct, or delete PHI should be directed to your organization, which we support as its Business Associate. For account data you may contact us at info@nurbhealth.com.

8. Cookies

We use only the cookies/local storage necessary to keep you signed in and to operate the Service. We do not use advertising or cross-site tracking cookies.

9. Children's privacy

The Service is used by behavioral-health professionals. Any information about minors is entered by your organization as part of care and is handled as PHI under HIPAA and the BAA.

10. Changes & contact

We may update this policy; material changes will be posted here with a new effective date. Questions: info@nurbhealth.com, 316 E Bloomingdale Ave, Brandon FL 33511.