Privacy Policy

1. Who we are & scope

“Nahshii Health,” “Nahshii,” “we,” “us,” or “our” means Nahshii Health, Inc. This Privacy Policy explains how we collect, use, disclose, and protect information when you use:

  • our websites and pages (the “Sites”);
  • our mobile and web applications, SMS, WhatsApp, and chat interfaces (the “Apps”);
  • our AI-assisted support, self-help tools, and content (“AI Companion”);
  • optional messaging or sessions with human clinicians or coaches (“Human Support”); and
  • institutional programs provided through employers, payers, schools, community clinics, or other organizations (“Institutional Services”).

By using our Services, you agree to this Policy and any product-specific notices presented at sign-up. If an Institution makes our Services available to you, that Institution may be the “controller/covered entity,” and Nahshii will act as “processor/business associate” for portions of processing under a Business Associate Agreement (BAA) or data processing agreement (DPA).

2. The kind of product we are

Nahshii provides self-help and supportive mental-health tools. We are not an emergency service and do not replace diagnosis, treatment, or crisis intervention. If you are in danger, call your local emergency number or a crisis hotline in your region.

3. Information we collect

We design for data minimization—collect the least necessary, protect it, and give you control. The information we may collect depends on how you use the Services:

A. Information you provide

  • Account & contact: nickname or name, email, phone, password, preferred pronouns, age range, time zone, and communication preferences.
  • Self-reported wellness & clinical inputs: moods, goals, reflections, journaling entries, assessments (e.g., PHQ-9/GAD-7), care history you choose to share, risk/safety signals you disclose.
  • Conversation data: text you type to the AI Companion or Human Support; optional audio/video session content if you choose those modes.
  • Human Support notes (if applicable): your coach/clinician may create notes to coordinate your care.
  • Payment & subscription data: plan type, purchase date, and status (we do not store full card numbers; payments are handled by PCI-compliant processors).
  • Research/feedback: survey responses, beta-testing input, product satisfaction ratings.
  • Institutional enrollment data (if provided by you or your Institution): member ID, benefit eligibility, program cohort, or referral status.

B. Information collected automatically

  • Device & app events: device/OS type, language, time zone, app version, feature use, click/tap events, crash/error logs.
  • Network & identifiers: IP address, coarse geolocation (region/city level), app store ID or push token.
  • Cookies & similar tech (Sites only): essential cookies for security and session management; limited analytics cookies to understand site usage. We do not use ad-tech pixels to profile you for behavioral advertising.

C. Information from others

  • Institutions or care partners may share limited data (e.g., eligibility, cohort, program usage) to enable your access.
  • Service providers (e.g., payment, messaging, analytics) may provide derived/aggregated info to help us operate the Services.

4. Special categories & HIPAA/health data

Some of the information you share may constitute Protected Health Information (PHI) or other sensitive health data. Where Nahshii acts as a Business Associate, we handle PHI under a BAA and applicable law. Where we act as an independent provider to you directly, we still apply heightened safeguards, honor consent choices, and avoid secondary uses without your permission.

5. How we use information

We use your information only for the purposes below and the legal bases that apply (consent, contract, legitimate interests, legal obligations, vital/public interest, and—when acting as a BA—on your Institution’s instructions):

a. Provide & maintain the Services

  • Authenticate you, deliver features, personalize tools, process payments, troubleshoot, and support.
  • Remember your preferences and show relevant self-help resources.

b. AI Companion operation with safety guardrails

  • Interpret your inputs and generate supportive responses.
  • Screen for safety keywords to surface crisis resources or escalate per your program’s protocol.
  • Filter accidental identifiers before sending to certain AI components.

c. Human support (optional)

  • Enable secure messaging and sessions with coaches/clinicians.
  • Share relevant AI Companion summaries with your Human Support only with your consent or as required to keep you safe.
  • Quality assurance (a small, authorized team may review de-identified samples to improve quality and safety).

d. Assessments, insights, and reminders

  • Offer validated check-ins, mood tracking, and auto-generated insights.
  • Send in-app, email, or SMS reminders you opt into.

e. Research & product improvement

  • De-identified or pseudonymized data to evaluate outcomes, improve safety, measure engagement, and enhance models and features.
  • Model training: We do not use identifiable conversation content to train foundation models. Where we use de-identified/pseudonymized conversation snippets to refine our private models, we do so only if you opt in (you can opt out at any time in Settings). We do not allow third-party model providers to train on your data.

f. Institutional reporting (if applicable)

  • Provide aggregated, de-identified usage and outcomes to your Institution.
  • Share individual-level information with your Institution only as permitted by your program (e.g., eligibility, engagement flags, safety escalations) and applicable law/BAA.

g. Security, fraud, and compliance

  • Detect abuse, prevent spam, protect the Services, respond to lawful requests, enforce agreements, and comply with regulations.

h. Marketing (limited)

  • With your consent, send product updates or newsletters. You can opt out at any time. Your data (including mobile number and consent) will not be sold or shared for marketing or promotional purposes.

6. Generative AI & third-party models

  • We use a combination of Nahshii-controlled models and vetted third-party Generative AI providers to support certain features (e.g., language understanding, summarization, insights).
  • All inputs and outputs pass through safety guardrails; content flagged as unsafe does not reach generative components.
  • We mask or strip personal identifiers where technically feasible before use.
  • We contractually prohibit third-party providers from training on your data and enable no-retention controls whenever available.
  • We do not send device identifiers to model providers.

7. SMS/WhatsApp & communications

When you opt in to text-based programs, we will send/receive messages related to your care, reminders, and program notices. Message frequency varies. Message and data rates may apply. You may opt out at any time by replying STOP (for help, reply HELP). See our separate Messaging Terms for carrier-required disclosures.

8. When we share information

We do not sell personal information. We share only as described:

  • Vendors and subprocessors under contract (cloud hosting, analytics, email/SMS, in-app communications, EHR integrations, payments). They may access information only to provide services to us and must protect it.
  • Human Support providers you choose to engage.
  • Institutions for program delivery and permitted reporting (see Section 5.f.).
  • Legal and safety: to comply with law, respond to lawful requests, protect rights/safety, investigate fraud, or in emergencies.
  • Corporate transactions: if we undergo a merger, acquisition, or reorganization, your information may transfer to the successor subject to this Policy or a substantially similar policy.

9. Cookies & analytics (Sites)

We use essential cookies for security and session continuity, and first-party analytics to understand site performance. We do not use advertising pixels to build behavioral profiles. Your browser may send “Do Not Track” signals; while there is no industry standard, we limit tracking to essential/analytics and honor applicable opt-out rights.

10. Your choices & rights

Your available rights depend on where you live and how you access the Services (direct vs. Institutional):

  • Access/portability – get a copy of your information.
  • Correction – fix inaccurate information.
  • Deletion – delete your account and data (subject to legal or clinical retention needs).
  • Opt-out – marketing emails/SMS; optional data uses (e.g., de-identified model tuning).
  • Restrict/object – limit certain processing where applicable (GDPR/UK).
  • Do not sell/share – we do not sell data; if your state provides a “do not sell or share” right, we honor it.
  • Sensitive data consent – withdraw consent for processing sensitive data you provided directly to us (may limit service).

How to exercise: Use in-app settings, reply STOP to SMS, or email privacy@nahshiihealth.com. We may verify your request and respond within the time required by law. If your Services are through an Institution, some requests must be directed to your Institution.

“Reset my data”

You can permanently delete your conversation history and assessments inside the app. Deletion does not affect (i) security logs, (ii) payment/transaction records required by law, or (iii) clinical records Human Support must retain under professional/practice rules.

11. Data retention

We keep information only as long as necessary:

  • Conversations & app data: while your account is active and for up to 7 years after last activity (or a shorter/longer period if required by law or your Institution agreement).
  • Human Support records: per clinical and state retention rules (commonly 7–10 years).
  • Research: de-identified/pseudonymized data may be stored longer for longitudinal analyses.
  • Cookies/logs: short operational periods unless needed for security or audits.

You can request deletion earlier where permitted.

12. Security

We implement administrative, technical, and physical safeguards, including:

  • encryption in transit and at rest;
  • least-privilege, role-based access and MFA for staff;
  • data segmentation and pseudonymization;
  • vulnerability management, penetration testing, and security audits;
  • vendor due diligence and DPAs/BAAs;
  • incident response with user/institution notification where required.

No method is 100% secure; please protect your account, use strong passwords, enable device locks, and avoid sharing sensitive information in public channels.

13. Children & teens

Our consumer Services are intended for individuals 18+ unless a program explicitly authorizes a younger age with verified parental/guardian consent and applicable law. We do not knowingly collect information from children under applicable age thresholds without proper consent. If you believe a child provided information without consent, contact us to delete it.

14. International data transfers

We may process data in the United States and other countries where we or our vendors operate. When transferring data internationally, we use appropriate safeguards (e.g., SCCs/UK Addendum, vendor contractual commitments, and technical measures).

15. Research & studies (optional)

From time to time, we may invite you to participate in research approved under an IRB/ethics framework. Participation is voluntary and subject to a separate consent that explains what is collected, how long it is kept, and withdrawal options. Withdrawing will not affect your access to core Services.

16. Third-party links & communities

Our Sites/Apps may link to third-party resources (e.g., crisis lines, educational content) or host community events/webinars. Their privacy practices are not ours. Review their policies before sharing information.

17. State & regional supplements

  • California (CCPA/CPRA): We do not sell or share personal information for cross-context behavioral advertising. California consumers have rights to know, delete, correct, and limit use of sensitive information; see Section 10 for how to exercise.
  • Virginia/Colorado/Connecticut/Utah: We honor applicable opt-out and access/correction/deletion rights.
  • EU/UK GDPR: When we act as controller, our legal bases are consent, contract, legitimate interests (safety, fraud prevention, service improvement), legal obligation, or vital/public interest. You can contact our EU/UK representative (if appointed) and your local DPA.

18. Responsible use of AI

  • AI features are assistive and operate under clinical and safety oversight.
  • We monitor for bias and quality, maintain human-in-the-loop escalation for safety, and routinely test models.
  • You can turn off certain AI personalization features in Settings; core service effectiveness may be reduced.

19. Changes to this policy

We may update this Policy from time to time. If we make material changes, we will notify you via email, in-app notice, or through the Sites. The “Effective date” reflects the latest version. Continued use of the Services after notice means you accept the updated Policy.

20. Contact us

  • Privacy questions/rights requests: privacy@nahshiihealth.com
  • Security reports (responsible disclosure): security@nahshiihealth.com
  • Mailing address: Nahshii Health, Inc., 28 Geary St, Suite 650, San Francisco, CA 94108