Privacy Policy

1. Overview

NICU Companion LLC ("NICU Companion," "we," "us," or "our") operates the NICU Companion platform — a digital health application that connects parents and guardians of newborns in Neonatal Intensive Care Units (NICUs) with their baby's clinical care team.

This Privacy Policy describes how we collect, use, disclose, and protect information when you use our website at nicucompanion.com and our mobile and web applications (collectively, the "Services").

By using our Services, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our Services.

2. Information We Collect

2.1 Information You Provide

• Account information: Name, email address, phone number, relationship to patient (mother, father, guardian)
• Authentication data: Password (stored as a one-way cryptographic hash — we never see your plain-text password), multi-factor authentication credentials
• Messages: Communications sent between you and your baby's care team through the in-app messaging feature
• Notification preferences: Your choices about when and how you receive alerts

2.2 Patient Health Information

When you are granted access to a patient record, we process Protected Health Information (PHI) on your behalf. This includes:

• Patient demographics (name, date of birth, medical record number)
• Vital signs and physiological measurements (heart rate, oxygen saturation, respiratory rate, temperature, weight)
• Nursing notes and clinical assessments authored by your care team
• Developmental milestones and care plan goals
• Care team assignments and shift information

This information originates from the hospital's Electronic Health Record (EHR) system and is accessed only after you have been authorized by the clinical team.

2.3 Automatically Collected Information

• Device information: Device type, operating system version, unique device identifiers
• Log data: IP address, access timestamps, pages visited, actions taken within the app
• Usage data: Features used, session duration — used only for improving the service

We do not use cookies for advertising. We do not sell your data. We do not use third-party advertising networks.

3. How We Use Your Information

We use the information we collect for the following purposes only:

• Providing the Services: Displaying your baby's vitals, notes, milestones, and care team information; enabling secure messaging
• Authentication and security: Verifying your identity, enforcing access controls, detecting unauthorized access
• Notifications: Sending alerts you have opted into (new notes, vital alerts, messages, milestone updates)
• Service improvement: Understanding how the app is used so we can make it better — using only de-identified, aggregated data
• Legal compliance: Meeting our obligations under HIPAA, applicable state laws, and our agreements with healthcare providers
• Safety: Investigating and responding to potential security incidents

We do not use your information for marketing to third parties, advertising profiling, or any purpose not described above.

4. Protected Health Information (HIPAA)

NICU Companion LLC is a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). We operate under Business Associate Agreements (BAAs) with the healthcare providers ("Covered Entities") whose patients use our platform.

4.1 Your HIPAA Rights

As the parent or guardian of a NICU patient, you have rights under HIPAA regarding your child's Protected Health Information. These rights are primarily exercised through the hospital, not through NICU Companion. Please contact your hospital's Privacy Officer for:

• Requesting a copy of your child's medical records
• Requesting amendments to your child's records
• Filing a HIPAA complaint

4.2 Minimum Necessary Standard

We access only the PHI necessary to provide the Services. Parent-facing views display only information relevant to their authorized patient. Clinical staff see only patients assigned to their care.

4.3 Breach Notification

In the event of a breach of unsecured PHI, we will notify the affected Covered Entity (hospital) within the timeframes required by HIPAA. The hospital will then notify affected individuals as required by law.

5. How We Share Information

We do not sell, rent, or trade your personal information. We share information only in the following limited circumstances:

5.1 With Your Healthcare Provider

Messages and interactions within the platform are visible to the clinical staff assigned to your baby's care, as part of the core purpose of the service.

5.2 With Service Providers (Business Associates)

We share information with vendors who help us operate the platform, all of whom are bound by Business Associate Agreements and are prohibited from using your information for any other purpose:

• Amazon Web Services — cloud infrastructure and data storage
• Anthropic — AI language model powering the parent support assistant
• Twilio — SMS delivery for authentication codes and notifications

5.3 Legal Requirements

We may disclose information if required by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

5.4 Business Transfers

If NICU Companion LLC is acquired, merges with another company, or transfers its assets, your information may be transferred. We will notify you via email and a prominent notice on our website prior to any such transfer, and the acquiring entity will be required to honor this Privacy Policy.

6. Security Safeguards

We implement comprehensive technical safeguards designed to meet and exceed HIPAA Security Rule requirements:

• Encryption in transit: TLS 1.3 for all data transmitted between your device and our servers
• Encryption at rest: AES-256-GCM encryption for all stored PHI using AWS KMS with customer-managed keys
• Authentication: Multi-factor authentication required for all users; short-lived JWT tokens (15-minute expiry)
• Access controls: Role-based access control enforced at both the application and database layer; parents can only access their own baby's data
• Audit logging: Every access to PHI is logged to an immutable, encrypted audit trail retained for 7 years
• Infrastructure: Hosted on HIPAA-eligible AWS services; no PHI is stored on end-user devices beyond session memory

While we implement strong safeguards, no method of electronic transmission or storage is 100% secure. If you believe your account has been compromised, please contact us immediately at security@nicucompanion.com.

7. Data Retention

We retain different categories of data for different periods:

• Account information: Retained while your account is active, plus 90 days after deletion to allow for account recovery
• Protected Health Information: Retained for the period required by our agreement with the healthcare provider, typically 7 years from the date of last service (in accordance with HIPAA and applicable state law)
• Audit logs: Retained for 7 years (HIPAA minimum)
• Messages: Retained for 7 years as part of the clinical communication record
• Anonymized usage analytics: May be retained indefinitely, as they contain no personal information

To request deletion of your account and associated personal information, contact us at privacy@nicucompanion.com. Note that deletion of PHI is subject to the retention requirements of our healthcare provider agreements and applicable law.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you
• Correction: Request that we correct inaccurate personal information (note: clinical data must be corrected through your healthcare provider)
• Deletion: Request deletion of your account and personal information, subject to legal retention requirements
• Portability: Request your data in a machine-readable format
• Opt-out of notifications: You may adjust notification preferences in the app at any time

To exercise any of these rights, email privacy@nicucompanion.com. We will respond within 30 days.

9. Children's Privacy

Our Services are designed for use by adults (parents and guardians) and clinical staff. We do not knowingly collect personal information directly from individuals under the age of 18.

Our platform does process health information about newborn patients as part of its core function — this is done under the authorization of parents/guardians and in accordance with HIPAA and our agreements with healthcare providers.

If you believe we have inadvertently collected personal information from a minor, please contact us at privacy@nicucompanion.com.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Post the updated policy on this page with a new "Last Updated" date
• Send an email notification to all registered users at least 30 days before the change takes effect
• Display a prominent notice in the app

Continued use of our Services after the effective date of a revised policy constitutes your acceptance of the changes.

11. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:

To file a complaint with the U.S. Department of Health and Human Services regarding our HIPAA practices, visit hhs.gov/hipaa/filing-a-complaint.