Privacy Policy
Your privacy is fundamental to our mission. This policy explains how Conceptual Healthcare Corporation collects, uses, and protects your information.
Last Updated: March 2026
HIPAA Compliance
Conceptual Healthcare Corporation is committed to full compliance with the Health Insurance Portability and Accountability Act (HIPAA). We implement administrative, physical, and technical safeguards to protect your Protected Health Information (PHI) in accordance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. All health data processed through our NexusOrb platform is treated as PHI and handled with the highest level of care and security.
Information We Collect
Health Data
We collect health information you provide through the NexusOrb platform, including data across our eight health axes (Physiological Optimization, Neurocognitive Mastery, Emotional Resilience, Spiritual Coherence, Relational & Social Field, Environmental Symbiosis, Technological Augmentation, and Purposeful Vitality), Conceptual Health scores, dream journal entries, lab results, vital signs, medication records, clinical notes, nutrition entries, and appointment data.
Device Data
We collect device identifiers for multi-device account linking, device type and operating system version, and app usage analytics. Device identifiers are used solely for account management and are stored securely in your device's Keychain.
Account Information
When you create an account, we collect your member ID, organization affiliation (if applicable), authentication credentials (biometric and PIN), and contact information. Account data is used for identity verification, access control, and platform administration.
Data Security
We employ industry-leading security measures to protect your data at rest and in transit:
- AES-256-GCM encryption for all Protected Health Information (PHI) at rest
- Field-level encryption before any data leaves your device
- HMAC-SHA256 chain-signed audit logs for tamper-evident activity tracking (any modification or removal of a log entry breaks the chain and is detectable)
- Multi-factor authentication (biometric + PIN) required for platform access
- Automatic 5-minute session timeout for inactive sessions
- Rate limiting and lockout protection against brute-force attacks
- NSFileProtectionComplete on all local Core Data stores
Data Sharing
We never sell your personal information or health data. We only share your data in the following limited circumstances:
- With your explicit consent, such as when sharing health records with a healthcare provider
- With authorized members of your organization (e.g., your clinical care team) as permitted by your role and access settings
- When required by law, such as in response to a valid subpoena, court order, or regulatory requirement
- To protect the safety of our users or the public in emergency situations
Third-Party Services
AI Features (xAI Grok-2)
Our platform uses xAI's Grok-2 model to power AI features including dream interpretation and image generation. All Protected Health Information (PHI) is stripped from prompts before they are sent to xAI. We never send identifiable health data to third-party AI services. Only de-identified, generalized content is transmitted for processing.
Apple CloudKit
For multi-device sync, we use Apple's CloudKit infrastructure. All health data is encrypted with AES-256-GCM at the field level before being uploaded to CloudKit. Apple cannot read your encrypted health data. Sync is performed only between devices linked to your account, and unlinked devices are immediately blocked from syncing.
Data Retention & Deletion
We retain your health data for as long as your account is active or as needed to provide you with our services. You have the right to:
- Request access to all personal and health data we hold about you
- Request correction of inaccurate data
- Request deletion of your account and all associated data
- Export your health data in a portable format
- Revoke consent for data processing at any time
Upon account deletion, all personal data and health records are permanently removed from our systems within 30 days, except where retention is required by applicable law or regulation. Audit logs may be retained for compliance purposes.
Children's Privacy
The NexusOrb platform is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected data from a child under 13, we will take immediate steps to delete that information. If you believe a child under 13 has provided us with personal information, please contact us immediately.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by posting the updated policy on our website and updating the "Last Updated" date. Your continued use of the platform after changes are posted constitutes acceptance of the revised policy.
Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us: