Effective Date: April 2, 2026
nouri ("nouri," "we," "us," or "our") is a technology platform that connects individuals with licensed, independent healthcare providers and pharmacy services. nouri does not provide medical advice, diagnose conditions, prescribe medication, or fulfill prescriptions. nouri is not a licensed medical provider and is not a pharmacy.
All clinical decisions — including diagnosis, treatment recommendations, and prescriptions — are made solely by licensed healthcare providers in our network, based on their independent medical judgment. Pharmacy services, including the compounding and dispensing of medications, are performed by state-licensed pharmacies that are separate entities from nouri.
When we refer to "our services" in this policy, we mean the nouri website (joinnouri.com and its subdomains), our technology platform, and the administrative services we provide to facilitate your access to healthcare providers and pharmacy services.
This Notice of Privacy Practices ("Notice") describes how nouri ("we", "us", or "our") may use and disclose your Protected Health Information (PHI) to carry out treatment, payment, or healthcare operations and for other purposes that are permitted or required by law. This Notice also describes your rights regarding your PHI. We are required by law to maintain the privacy of your PHI, provide you with this Notice of our legal duties and privacy practices, and to abide by the terms of this Notice.
We may use and disclose your PHI for the following purposes:
Treatment: We may use and disclose your PHI to provide, coordinate, or manage your healthcare and related services. This may include communication with other healthcare providers about your treatment and coordinating your care with other providers.
Payment: We may use and disclose your PHI to obtain payment for healthcare services provided to you. This may include contacting your insurance company to verify your coverage, billing and collection activities, and sharing PHI with other healthcare providers, insurance companies, or collection agencies.
Healthcare Operations: We may use and disclose your PHI for healthcare operations, including quality assessment, improvement activities, case management, accreditation, licensing, credentialing, and conducting or arranging for medical reviews, audits, or legal services.
As Required by Law: We may use and disclose your PHI when required to do so by federal, state, or local law.
Public Health and Safety: We may use and disclose your PHI to prevent or control disease, injury, or disability, to report child abuse or neglect, to report reactions to medications or problems with products, and to notify persons who may have been exposed to a communicable disease or may be at risk of spreading a disease or condition.
Health Oversight Activities: We may disclose your PHI to health oversight agencies for activities authorized by law, such as audits, investigations, inspections, and licensure.
Judicial and Administrative Proceedings: We may disclose your PHI in response to a court or administrative order, subpoena, discovery request, or other lawful process.
Law Enforcement: We may disclose your PHI for law enforcement purposes, such as to report certain types of wounds or injuries, or to comply with a court order, warrant, or other legal process.
Research: We may use and disclose your PHI for research purposes when the research has been approved by an institutional review board and privacy protections are in place.
Organ and Tissue Donation: If you are an organ donor, we may disclose your PHI to organizations that handle organ procurement, transplantation, or donation.
Workers' Compensation: We may disclose your PHI for workers' compensation or similar programs that provide benefits for work-related injuries or illnesses.
Military and Veterans: If you are a member of the armed forces, we may disclose your PHI as required by military authorities.
Inmates: If you are an inmate, we may disclose your PHI to the correctional institution or law enforcement official having custody of you.
You have the following rights with respect to your PHI:
Right to Inspect and Copy: You have the right to inspect and copy your PHI that we maintain, with certain exceptions. To request access, submit a written request to our Privacy Officer. We may charge a reasonable fee for the costs of copying, mailing, or other supplies associated with your request.
Right to Amend: You have the right to request an amendment to your PHI if you believe it is incorrect or incomplete. To request an amendment, submit a written request to our Privacy Officer, specifying the information you believe is incorrect and why. We may deny your request if we believe the information is accurate and complete, or if we did not create the information.
Right to an Accounting of Disclosures: You have the right to request an accounting of disclosures of your PHI made by us in the past six years, except for disclosures made for treatment, payment, or healthcare operations, and certain other disclosures. To request an accounting, submit a written request to our Privacy Officer.
Right to Request Restrictions: You have the right to request a restriction on our use or disclosure of your PHI for treatment, payment, or healthcare operations. We are not required to agree to your request but will consider it. To request a restriction, submit a written request to our Privacy Officer, specifying the restriction you are requesting and to whom it applies.
Right to Request Confidential Communications: You have the right to request that we communicate with you about your PHI in a certain way or at a certain location. To request confidential communications, submit a written request to our Privacy Officer, specifying how or where you wish to be contacted.
Right to a Paper Copy of This Notice: You have the right to receive a paper copy of this Notice, even if you have agreed to receive it electronically. To obtain a paper copy of this Notice, contact our Privacy Officer.
Right to be Notified of a Breach: You have the right to be notified in the event that we discover a breach of your PHI.
We are committed to protecting the privacy of your PHI and will ensure that any electronic transmission of PHI complies with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (45 CFR 164). This includes the use of Secure-Socket Layer (SSL) or equivalent technology for the transmission of PHI, as well as adherence to all applicable security standards for online transmissions of PHI.
We reserve the right to change this Notice and the revised Notice will be effective for PHI we already have about you, as well as any information we receive in the future. We will post a copy of the current Notice in our office and on our website. The Notice will contain the effective date on the first page.
If you believe your privacy rights have been violated, you may file a complaint with our Privacy Officer or with the Secretary of the Department of Health and Human Services. You will not be retaliated against for filing a complaint.
To exercise any of your rights, or if you have any questions about this Notice or our privacy practices, please contact our Privacy Officer at:
nouri
This Notice is provided in accordance with the Notice of Privacy Practices for Protected Health Information from the Department of Health and Human Services' Model and is applicable across all US states. Certain states may have additional privacy protections that apply to your PHI. If you reside in a state with additional privacy protections, you may have additional rights related to your PHI.
Right to Access: In addition to the rights described above, California residents have the right to request access to their PHI in a readily usable electronic format, as well as any additional information required by California law. To request access, submit a written request to our Privacy Officer.
Right to Restrict Certain Disclosures: California residents have the right to request restrictions on certain disclosures of their PHI to health plans if they paid out-of-pocket for a specific healthcare item or service in full. To request such a restriction, submit a written request to our Privacy Officer.
Confidentiality of Medical Information Act (CMIA): California residents are protected by the Confidentiality of Medical Information Act (CMIA), which provides additional privacy protections for medical information. We are required to comply with CMIA in addition to HIPAA.
Marketing and Sale of PHI: California residents have the right to request that their PHI not be used for marketing purposes or sold to third parties without their authorization. To request a restriction on the use of your PHI for marketing or the sale of your PHI, submit a written request to our Privacy Officer.
Minor's Rights: If you are a minor (under the age of 18), you have the right to request that certain information related to certain sensitive services, such as reproductive health, mental health, or substance use disorder treatment, not be disclosed to your parent or guardian without your consent. To request a restriction on the disclosure of such information, submit a written request to our Privacy Officer.
For residents of California, we comply with the Confidentiality of Medical Information Act (CMIA), as well as California's specific privacy laws related to marketing, sale of PHI, and minors' rights. We will obtain written consent before disclosing certain information and adhere to additional privacy protections, as required by California law.
For residents of New York, we comply with the New York State Confidentiality of Information Law, which provides additional privacy protections for HIV-related information, mental health records, and genetic testing results. We will obtain written consent before disclosing such information, even for treatment, payment, or healthcare operations.
For residents of Texas, we comply with the Texas Medical Privacy Act, which offers privacy protections beyond HIPAA, including requiring consent for certain disclosures of PHI, additional safeguards for electronic PHI, and specific requirements for the destruction of PHI. We also adhere to Texas's specific privacy protections for mental health records and substance use treatment records.
For residents of Florida, we comply with Florida's privacy laws, which offer additional protections for mental health records, HIV/AIDS-related information, and substance abuse treatment records. We will obtain written consent before disclosing such information, even for treatment, payment, or healthcare operations. We also implement specific security measures to protect electronic PHI, as required by Florida law.
For residents of Illinois, we comply with Illinois's specific privacy laws related to mental health records, HIV/AIDS-related information, and genetic testing results. We will obtain written consent before disclosing such information, even for treatment, payment, or healthcare operations. In addition, we will notify patients of any unauthorized access to their electronic PHI, as required by Illinois law.
For residents of Massachusetts, we comply with Massachusetts's specific privacy laws related to mental health records, HIV/AIDS-related information, and genetic testing results. We will obtain written consent before disclosing such information, even for treatment, payment, or healthcare operations. We also implement specific security measures to protect electronic PHI, as required by Massachusetts law.
If you reside in a state other than those listed above, please consult your state's specific privacy laws for information about any additional rights you may have regarding your PHI. You may also contact our Privacy Officer for more information about your rights under specific state laws.
In addition to Protected Health Information described above, we collect the following categories of personal information when you visit or use our website and services:
Name, email address, phone number, date of birth, and mailing address when you create an account or complete an assessment
Payment and billing information when you make a purchase
Communications you send to us (e.g., support requests, feedback)
Device and browser information: IP address, browser type and version, operating system, device type, and screen resolution
Usage data: Pages visited, time spent on pages, referring URLs, and click behavior
Cookies and similar technologies: We use cookies to facilitate site functionality, remember preferences, and — with your consent — to support advertising measurement (see "Cookies and Tracking Technologies" below)
We use the personal information we collect for the following purposes:
Facilitating healthcare services: To connect you with licensed healthcare providers, coordinate your consultations, and facilitate the fulfillment of prescriptions through our pharmacy partners.
Account management: To create and maintain your account, authenticate your identity, and communicate with you about your account and services.
Payment processing: To process payments, manage subscriptions, and handle billing inquiries.
Communications: To send you service-related notifications (e.g., appointment reminders, order updates, provider messages) and, with your consent, marketing communications.
Advertising measurement: With your consent, to measure the effectiveness of our advertising campaigns through server-side integrations with advertising platforms. As described in "Third-Party Data Sharing," all data is sanitized and hashed before transmission.
Site improvement: To analyze how our website is used, diagnose technical issues, and improve user experience.
Safety and security: To detect and prevent fraud, protect the security of our platform, and ensure compliance with our Terms of Service.
Legal compliance: To comply with applicable laws, regulations, and legal processes, and to respond to lawful requests from public authorities.
We use cookies and similar technologies on our website. Below is a summary of the types of cookies we use:
Required for site functionality, such as session management and security. These cannot be disabled.
Help us understand how visitors interact with our site (e.g., pages visited, traffic sources). These are only placed with your consent.
With your explicit consent, we may set cookies (such as _fbp and _fbc) to measure the effectiveness of advertising campaigns. These cookies are set on the .joinnouri.com domain and are used to associate site visits with ad interactions. No health-related information is stored in or transmitted via these cookies.
You can manage your cookie preferences at any time through our consent banner or by contacting us. See "Your Choices" below for more details.
We may share limited personal information with the following categories of third parties, subject to your consent where required by law:
Advertising platforms (e.g., Meta, Google): With your consent, we transmit conversion event data (such as that a purchase or sign-up occurred) to advertising platforms via server-side integrations. Before transmission, all data is processed as follows: (1) personal identifiers (email, phone, name, date of birth, zip code) are cryptographically hashed using SHA-256 so that the original values are never shared; (2) all URLs are sanitized to remove any health-related terminology; (3) event names are mapped to generic categories (e.g., "Purchase," "Lead") that contain no health context; and (4) only a limited set of non-sensitive parameters (purchase value, currency, order ID) are included. No health information, medical conditions, treatment details, or medication names are ever transmitted to advertising platforms.
Analytics providers: We may use analytics services to understand site usage. These services receive anonymized or aggregated data.
Service providers: We share information with vendors who help us operate our business (e.g., payment processors, email services, hosting providers), under contractual obligations to protect your data.
Healthcare providers and pharmacies: As described in the HIPAA Notice above, we share PHI with licensed providers and pharmacies to facilitate your treatment.
Legal and regulatory: We may disclose information when required by law, regulation, or legal process.
When you interact with our website and consent to advertising measurement, event data (such as page views and conversions) is sent from your browser to our servers — not directly to third-party advertising platforms. On our servers, we apply a multi-step data sanitization process before any information is forwarded:
URLs are scrubbed to remove health-related terms, conditions, and medication references
Event names are mapped to standard, generic categories that carry no health context
All personal identifiers are normalized and cryptographically hashed (SHA-256)
A prohibited-word filter scans the entire outgoing payload as a final safety check
Only a strict allowlist of non-sensitive parameters is permitted through
This server-side architecture ensures that advertising platforms never receive raw personal information or any data that could identify you as a user of health-related services.
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), in addition to the HIPAA rights described above:
Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for collection, and the categories of third parties with whom we share it.
Right to Delete: You may request that we delete the personal information we have collected about you, subject to certain legal exceptions.
Right to Correct: You may request that we correct inaccurate personal information we maintain about you.
Right to Opt-Out of Sale or Sharing: You have the right to opt out of the "sale" or "sharing" of your personal information for cross-context behavioral advertising. You may exercise this right through our consent management banner or by contacting us directly.
Right to Limit Use of Sensitive Personal Information: Health-related data is classified as sensitive personal information under CPRA. We do not use sensitive personal information for purposes beyond what is necessary to provide our services.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
To submit a request, email privacy@joinnouri.com or contact our Privacy Officer. We will verify your identity before processing your request and respond within 45 days. You may also designate an authorized agent to submit a request on your behalf. If an authorized agent submits a request, we may require proof of authorization and may still verify your identity directly.
If you are a Washington state resident, the Washington My Health My Data Act (MHMDA) provides you with additional protections regarding your consumer health data. Under this law:
Consent: We will obtain your affirmative, opt-in consent before collecting or sharing consumer health data, including data that identifies you as seeking or receiving healthcare services.
Right to Access: You may request a copy of the consumer health data we have collected about you.
Right to Delete: You may request that we delete your consumer health data.
Right to Withdraw Consent: You may withdraw your consent to the collection or sharing of your consumer health data at any time.
No Geofencing: We do not use geofencing technology around healthcare facilities for the purpose of collecting consumer health data or delivering advertising.
To exercise these rights, email privacy@joinnouri.com.
Residents of the following states have additional privacy rights under their respective laws. In each case, you may exercise your rights by emailing privacy@joinnouri.com.
Colorado (Colorado Privacy Act): Right to access, correct, delete, and opt out of targeted advertising, sale of personal data, and profiling. You may appeal a denied request by contacting us.
Connecticut (Connecticut Data Privacy Act): Right to access, correct, delete, obtain a portable copy of your data, and opt out of targeted advertising, sale of personal data, and profiling.
Virginia (Virginia Consumer Data Protection Act): Right to access, correct, delete, obtain a portable copy of your data, and opt out of targeted advertising, sale of personal data, and profiling. You may appeal a denied request, and if unsatisfied, contact the Virginia Attorney General.
Oregon (Oregon Consumer Privacy Act): Right to access, correct, delete, and opt out of targeted advertising, sale of personal data, and profiling. Includes the right to obtain a list of third parties to whom your data has been disclosed.
Texas (Texas Data Privacy and Security Act): Right to access, correct, delete, obtain a portable copy of your data, and opt out of targeted advertising, sale of personal data, and profiling.
If you reside in a state not listed above that has enacted consumer privacy legislation, please contact us to learn about your rights.
We do not sell your personal information in the traditional sense. However, certain data-sharing activities — such as transmitting hashed, non-health conversion data to advertising platforms for ad measurement — may be considered "sharing" under California law. You may opt out of this sharing at any time by:
Declining advertising cookies through our consent management banner
Emailing privacy@joinnouri.com with the subject "Do Not Share"
When you opt out, we will cease transmitting your data to advertising platforms. You may still see ads from us, but they will not be personalized based on your activity on our site.
Consent management: When you first visit our website, a consent banner will ask whether you permit advertising and analytics cookies. You may change your preferences at any time through the privacy choices section at the bottom of this page or by contacting us.
Global Privacy Control (GPC): We recognize and honor Global Privacy Control signals sent by your browser. When we detect a GPC signal, we treat it as a valid opt-out of the sale or sharing of your personal information, as required by applicable law.
Browser settings: Most browsers allow you to block or delete cookies through their settings. Note that disabling essential cookies may affect site functionality.
Email opt-out: You can unsubscribe from marketing emails by clicking the "unsubscribe" link in any marketing email or by contacting us.
Text message opt-out: Reply "STOP" to any text message to opt out of SMS communications.
We retain your personal information for as long as necessary to fulfill the purposes described in this policy, comply with legal obligations, resolve disputes, and enforce our agreements. Specifically:
Health records: Retained in accordance with applicable federal and state medical record retention laws (typically 6–10 years after the last date of service).
Account information: Retained for the duration of your account and for a reasonable period thereafter to fulfill legal and business obligations.
Advertising and analytics data: Cookie identifiers are retained for up to 90 days. Hashed, anonymized conversion data transmitted to advertising platforms is subject to those platforms' own retention policies.
We implement administrative, technical, and physical safeguards to protect your personal information, including encryption of data in transit (TLS/SSL), secure server infrastructure, and access controls. While no method of transmission over the Internet is completely secure, we take reasonable steps to protect your information consistent with industry standards and regulatory requirements.
Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected information from a person under 18, we will take steps to delete that information promptly.