Privacy Policy
Last updated:
Nestsera is a software platform that helps independent practitioners run their practices. This policy describes how Nestsera (the company) collects, uses, and protects information about practitioners, their staff, and the clients who use the client portal.
Who is responsible for what
Your practitioner is the covered entity under HIPAA — they hold and are responsible for your health information. Nestsera processes that information on their behalf as a Business Associate under a signed Business Associate Agreement. For your rights regarding your health information specifically, see your practitioner's Notice of Privacy Practices, which they provide separately.
Information we collect
Account information you provide directly: name, email, phone, password.
Information generated as you use the platform: appointments, messages between you and your practitioner, documents you've signed, files you've uploaded, invoices and payments, and the timestamps and IP addresses of those events.
Information from your practitioner: clinical notes and other records they create about your care. We process this on their behalf and only as their software vendor.
How we use information
We use information to operate the platform, deliver notifications you or your practitioner have requested, process payments, maintain the audit trail required by HIPAA, communicate with you about your account, and improve the product. We do not sell personal information. We do not use Protected Health Information (PHI) for advertising or to train AI models. AI features that use messages or notes — such as session-note drafting — only run when a practitioner explicitly requests them, and the underlying API providers are bound by Business Associate Agreements.
How we protect information
Information is encrypted in transit (TLS 1.2+) and at rest. Sensitive fields — health information, contact details, payment identifiers — are encrypted at the application layer in addition to the disk-level encryption provided by our hosting infrastructure. Access is logged for at least six years per HIPAA. We follow HIPAA Security Rule administrative, physical, and technical safeguards, and we sign Business Associate Agreements with every subprocessor that processes PHI on our behalf.
Subprocessors
We work with a small number of vendors who help us run the platform. Those who handle PHI sign Business Associate Agreements before processing any information. Categories include cloud hosting, transactional email, payment processing, and AI inference. A current subprocessor list is available on request to privacy@nestsera.com.
How long we keep information
Health information and audit logs are retained for at least six years from the date of creation, as required by HIPAA. Practitioners may set longer retention to comply with state law or their professional licensure requirements. Account information is retained while your account is active and for a reasonable period afterward to satisfy legal, accounting, and security obligations.
Your rights
For your rights regarding Protected Health Information, refer to your practitioner's Notice of Privacy Practices — they hold and control that data. For other information Nestsera holds about you (account information, payment records, audit logs about your access), contact us at the email below to request access, correction, or deletion. Some requests are subject to retention requirements imposed by HIPAA and state law; we'll explain which limits apply to your request.
Residents of California, Virginia, Colorado, Connecticut, Utah, and other states with consumer privacy laws have additional rights, including the right to know what personal information we process and the right to non-discrimination for exercising those rights. State-specific addenda are available on request and apply automatically based on your state of residence.
Children
Nestsera is intended for use by adults. Minors may receive care through a practice that uses our platform; in those cases their parent or legal guardian provides any consent and account access on their behalf. We do not knowingly create accounts for children under 13 directly with us.
Breach notification
If we discover a breach of unsecured PHI, we will notify the affected practice without unreasonable delay and within the timeframe required by HIPAA. The practice is responsible for notifying their affected clients per HIPAA §164.404 and any applicable state law.
Changes
We may update this policy. Material changes will be communicated by email and reflected on this page, with an updated "Last updated" date.
Contact
Questions about this policy can be sent to privacy@nestsera.com. Reports of security issues should go to security@nestsera.com.