NurseSuite — Privacy Policy

Effective [DATE] · NurseSuite LLC

TEMPLATE — HAVE COUNSEL REVIEW BEFORE PUBLISHING. Complete every [bracketed] item, confirm each statement is true for your actual practices, and have a qualified attorney review before publishing. This document is a starting draft, not legal advice.

1. Overview and scope

This Privacy Policy explains how NurseSuite LLC (“NurseSuite,” “we,” “us”) collects, uses, shares, and protects information when you use our websites, mobile applications, and related services (the “Service”). NurseSuite helps nursing institutions prepare for accreditation and regulatory survey readiness and improve nursing workflow. The Service is built on a no-PHI principle and is not a medical device. Where a separate written agreement or Business Associate Agreement (BAA) applies, that agreement governs to the extent of any conflict.

2. Information we collect

• Business contact data: name, work email, organization, role, and any message you submit through demo or contact forms.

• Account data: institutional user login credentials for the Service; passwords are stored salted and hashed, never in plaintext. [Confirm.]

• Operational and compliance content you submit: non-PHI content such as policy documents, audit/tracer/readiness records, accreditation-standards content, and de-identified, unit-level operational summaries. [Confirm scope.]

• Usage and log data: limited technical data such as IP address, browser/device type, pages viewed, and timestamps, used to operate and secure the Service. [Confirm what is logged and for how long.]

We do not collect protected health information (PHI) or direct patient identifiers (patient names, MRNs, dates of birth, diagnoses, or clinical results) by design, and you should not submit them to the Service.

3. How we use information

We use information to provide, operate, secure, and improve the Service; to authenticate users and administer accounts; to respond to inquiries and provide support; to power optional AI-assisted features (see Section 4); and to comply with legal obligations. We do not sell personal information, and we do not use it for third-party advertising.

4. AI features and AI providers

Certain optional features use third-party artificial-intelligence (large language model, “AI”) services to assist you — for example, a compliance assistant, policy gap analysis, and paraphrasing of accreditation-standards content. To provide these features, the Service sends limited non-PHI text (such as your policy documents, standards content, and de-identified operational summaries) to the applicable AI provider, which processes it on our behalf as a service provider / subprocessor. We do not knowingly send protected health information to AI providers.

The AI provider is configurable and may change. AI providers used or available for the Service include DeepSeek, OpenAI, and Zhipu AI (Z.ai / GLM). The provider currently in use and a current subprocessor list are available on request to customer@nursesuite.com. [Confirm the active provider and any no-training / retention terms in place with it.] AI output may be inaccurate and is decision support only; it must be reviewed by qualified personnel before you rely on it.

5. How we share information

We share information only with service providers that process it on our behalf under contract, and as required by law. Our subprocessors include:

• Amazon Web Services: cloud hosting (Lightsail), DNS (Route 53), and related infrastructure — United States.

• AI / LLM providers: DeepSeek, OpenAI, and Zhipu AI (Z.ai / GLM), for the optional AI features described in Section 4 (non-PHI text only).

• Email delivery: [if configured, name your email/SMTP provider].

• Web fonts: the public marketing site loads typography from Google Fonts. [Optional: self-host to avoid third-party requests.]

We may also disclose information to comply with law, enforce our terms, or protect the rights, safety, and security of NurseSuite, our customers, or others. We do not sell or share personal information for advertising. A current subprocessor list is available on request.

6. Data retention and deletion

We retain information for as long as needed to provide the Service and for legitimate business or legal purposes. Business contact data is retained [for X / until the inquiry is resolved] and deleted on request to customer@nursesuite.com. Operational data retention follows the applicable agreement. On contract termination, we return or destroy customer data as specified in that agreement. [Confirm retention periods, including backups.]

7. Security

We use administrative, technical, and physical safeguards appropriate to the non-PHI nature of the data, including encryption in transit (TLS), access controls, and hosting on AWS infrastructure. See the NurseSuite Security & Privacy Overview for details. No method of transmission or storage is completely secure.

8. Your privacy choices and rights (where applicable)

Depending on your location, you may have rights to access, correct, delete, or port your personal information, and to opt out of certain processing. Residents of California and other U.S. states with applicable privacy laws may exercise the rights those laws provide; we do not sell personal information. To make a request, contact customer@nursesuite.com. We will verify and respond as required by applicable law. [Confirm which state/other privacy laws apply to you and align this section with counsel.]

9. Cookies and analytics

[Confirm and complete: whether the websites use cookies or analytics, which providers, and how visitors can control them. The marketing site currently loads Google Fonts.]

10. Children's privacy

The Service is intended for institutional and professional use and is not directed to children. We do not knowingly collect personal information from children.

11. Data location and international users

The Service is hosted in the United States (AWS, US East region). If you access the Service from outside the United States, you understand that your information will be processed in the United States. [Confirm whether any cross-border transfer mechanism is required for your users.]

12. HIPAA and no-PHI design

NurseSuite is designed to avoid creating, receiving, storing, or transmitting PHI. If a feature ever requires PHI, we will execute a BAA and apply the corresponding HIPAA safeguards before that feature is enabled for your organization.

13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by [reasonable means — e.g., updating the effective date and/or notifying account administrators]. Your continued use of the Service after changes take effect constitutes acceptance.

14. Contact

Privacy questions or requests: customer@nursesuite.com · NurseSuite LLC, [address].