Privacy Policy
Last updated: June 28, 2026
This Privacy Policy explains how PROFOPP LLC, doing business as Nexu Health (“Nexu Health,” “we,” “us,” or “our”), collects, uses, discloses, and protects information in connection with our website at nexu.health(the “Site”) and the telehealth infrastructure services we provide to healthcare clinics and providers (the “Services”).
Summary
- We are a technology and infrastructure provider. When we process health information through the Services, we do so as a HIPAA Business Associate on behalf of our Clients, not for our own purposes.
- Through the Site, we collect only limited business-contact and technical information.
- We do not sell or share your personal information, and we do not use it for cross-context behavioral advertising.
- Depending on where you live, you have rights over your personal information, including the right to access, correct, delete, and appeal. See “Your U.S. state privacy rights” below.
Our role: infrastructure provider and Business Associate
Nexu Healthprovides white-label telehealth infrastructure to healthcare organizations (“Clients”). When a Client uses our platform to deliver care to patients, the Client is the covered entity (or the responsible party) for that care, and Nexu Health acts as a Business Associateunder the U.S. Health Insurance Portability and Accountability Act, as amended (“HIPAA”). We handle Protected Health Information (“PHI”) only on behalf of, and under the documented instructions of, our Clients pursuant to a Business Associate Agreement (“BAA”). Each Client’s own privacy notice governs its relationship with its patients.
Information that is regulated as PHI under HIPAA, and certain other categories such as information governed by the Gramm-Leach-Bliley Act, is exempt from U.S. state consumer privacy laws and is therefore not the subject of the state-law rights described below. Patient requests relating to PHI should be directed to the applicable Client (the covered entity); we will assist the Client as required by the BAA.
Scope of this policy
This policy describes our practices for information we collect as a business — primarily from Site visitors and from the business contacts of prospective and current Clients. It does not govern PHI that we process on behalf of Clients, which is governed by the applicable BAA and the Client’s own privacy notices.
Information we collect
Information you provide
- Contact and business information you choose to provide (for example, when you email us or submit a business inquiry): name, email address, telephone number, company, job title, and the contents of your message.
- Correspondence and records of your communications and requests to us.
Information collected automatically
- Device and log data generated when you visit the Site, such as IP address, approximate (city-level) location derived from IP, browser and device type, operating system, referring pages, and pages viewed.
- Usage data about how you interact with the Site, used to operate, maintain, and secure it.
Protected Health Information (on behalf of Clients)
Through the Services we process PHI that Clients and their patients submit, which may include identifiers, demographics, clinical intake responses, prescription and order data, messages, and payment-related information. We process this information solely to provide the Services and as permitted by the applicable BAA and law.
Sources of personal information
We collect personal information directly from you; automatically from your device and browser when you use the Site; and, for the Services, from our Clients and their patients and authorized users.
How we use information
- To respond to inquiries and provide, operate, and support the Site and Services;
- To maintain, secure, monitor, and improve the Site and Services;
- To communicate with you about the Services, including administrative and transactional messages;
- To detect, prevent, and address fraud, abuse, security, and technical issues;
- To comply with legal, regulatory, and contractual obligations and to establish, exercise, or defend legal claims.
We collect and use the minimum personal information reasonably necessary and proportionate for these disclosed purposes (data minimization), and we do not use it for incompatible purposes without providing notice.
Cookies and similar technologies
This marketing Site uses only strictly necessary cookies required for basic operation. We do not currently run third-party advertising or analytics trackers on nexu.health. If we introduce analytics in the future, we will update this policy and, where required, request your consent.
Our Site does not alter its behavior in response to browser “Do Not Track” signals. Because we do not sell personal information or share it for cross-context behavioral (targeted) advertising, no additional opt-out is required; where applicable law treats an opt-out preference signal such as Global Privacy Control (GPC) as a valid request, we honor it.
How we disclose information
We do not sell personal information, and we do not share it for cross-context behavioral advertising. We disclose personal information only as follows:
- Service providers and subprocessorsthat help us deliver the Site and Services — for example, cloud hosting and database providers, our payment processor (Stripe), email delivery, error monitoring, and, for the Services, clinical-workflow and pharmacy-fulfillment partners — each bound by contract and, where they handle PHI, by a BAA.
- Professional advisors such as auditors, lawyers, and accountants, under confidentiality obligations.
- Legal and safety recipients when we believe disclosure is required by law or legal process, or necessary to protect the rights, property, or safety of Nexu Health, our users, or the public.
- Business transfers— in connection with a merger, acquisition, financing, or sale of assets, subject to this policy or a successor policy.
Your U.S. state privacy rights
Several U.S. states — including California (CCPA/CPRA), Texas (TDPSA), Virginia, Colorado, Connecticut, Utah, and others with comprehensive privacy laws — give residents rights over their personal information. Subject to the exemptions described above (including for HIPAA-regulated information), you may have the right to:
- Confirm whether we process your personal information and access it;
- Correct inaccurate personal information;
- Request deletion of your personal information;
- Obtain a portable copy of the personal information you provided to us;
- Opt out of the sale or sharing of personal information, targeted advertising, and certain profiling; and
- Limit the use of sensitive personal information.
California disclosures (CCPA/CPRA)
The following table describes the categories of personal information (as defined by the CCPA) we have collected from Site visitors and business contacts in the preceding 12 months, their sources, the business purposes for collection, and the categories of recipients to whom we disclose them.
| Category | Examples | Source | Business purpose | Disclosed to |
|---|---|---|---|---|
| Identifiers | Name, email, phone, IP address | You; automatic | Respond, operate, secure | Service providers |
| Customer records (Cal. Civ. Code § 1798.80) | Name, company, contact details | You | Business communications | Service providers |
| Commercial information | Inquiries and interest in the Services | You | Respond, improve | Service providers |
| Internet/network activity | Browsing and usage of the Site, log data | Automatic | Operate, secure | Service providers |
| Geolocation (approximate) | City-level location from IP | Automatic | Security, operations | Service providers |
| Professional/employment | Job title, employer | You | Business communications | Service providers |
Sensitive personal information. We do not collect sensitive personal information through the Site for our own purposes, and we do not use or disclose it for purposes that would trigger the right to limit its use. Sale/sharing. We have not sold or shared personal information, including the personal information of consumers under 16. Automated decision-making. We do not use automated decision-making technology or profiling that produces legal or similarly significant effects about you.
California “Shine the Light.” We do not disclose personal information to third parties for their own direct marketing purposes.
How to exercise your rights
To make a request, email us at privacy@nexu.health or use the details on our Contact page. We will verify your request using the information we hold about you, and you may use an authorized agent where permitted by law. We will not discriminate against you for exercising your rights.
Right to appeal. If we decline your request, you may appeal by emailing privacy@nexu.healthwith “Privacy Appeal” in the subject line. If your appeal is denied, you may contact your state attorney general — for example, the Office of the Texas Attorney General or the California Privacy Protection Agency.
Data retention
We retain personal information for as long as needed to fulfill the purposes described in this policy — for example, to respond to and manage business inquiries, maintain security and business records, and meet legal, tax, and accounting obligations — after which it is deleted or de-identified. Where no specific legal requirement applies, we determine retention based on the amount, nature, and sensitivity of the information and the purposes for which it is processed. Retention of PHI is governed by the applicable BAA and the Client’s instructions.
Data security
We maintain administrative, technical, and physical safeguards designed to protect information, including encryption in transit and at rest, role-based access controls, tenant data isolation, audit logging of PHI access, monitoring, and regular review of our controls. No method of transmission or storage is completely secure, but we work to protect information consistent with our legal and contractual obligations.
International users
We operate in the United States and the Services are intended for use in the United States. If you access the Site from outside the United States, your information will be processed in the United States, where data protection laws may differ from those in your location.
Children’s privacy
The Site is a business-to-business website not directed to children, and we do not knowingly collect personal information from children under 13 (or under 16 where applicable) through it. If you believe a child has provided us personal information, contact us and we will delete it. Any pediatric care delivered by a Client is governed by that Client’s policies and applicable law.
Third-party links
The Site may link to third-party websites and services that we do not operate or control. Their privacy practices govern your use of them, and we encourage you to review their policies.
Changes to this policy
We may update this Privacy Policy from time to time. We will revise the “Last updated” date above and, where appropriate, provide additional notice. Your continued use of the Site after changes become effective constitutes acceptance of the updated policy.
Contact us
Questions or privacy requests can be directed to our Privacy Officer at privacy@nexu.health, or by mail to PROFOPP LLC, 8911 N Capital of Texas Hwy, Suite 4200/1013, Austin, TX 78759, United States.