Privacy Policy Terms of Service Business Associate Agreement Consent Form

Privacy Policy

Last Updated: February 2026

1. Introduction

NoBackOffice, Inc. ("NoBackOffice," "we," "us," or "our") respects your privacy and is committed to protecting it through our compliance with this Privacy Policy.

This Privacy Policy describes how we collect, use, disclose, and safeguard information when you access or use our software platform, websites, applications, and related services (collectively, the "Services").

By using the Services, you agree to the collection and use of information in accordance with this Privacy Policy.

2. Scope of This Policy

This Privacy Policy applies to:

  • Visitors to our website
  • Customers (medical practices, providers, staff)
  • End users authorized by our customers
  • Individuals whose data is processed through our Services

Important HIPAA Notice: When NoBackOffice processes Protected Health Information (PHI) on behalf of a covered entity, we act as a Business Associate under HIPAA. In those cases, the handling of PHI is governed primarily by the applicable Business Associate Agreement (BAA) and HIPAA regulations.

3. Information We Collect

3.1 Practice and Provider Information

We collect the following information from healthcare practices and providers who use our platform:

  • Practice Details: practice name, business address, NPI number, tax identifiers
  • Provider Credentials: license information and professional credentials
  • Staff Accounts: name, email address, phone number, job title, and role
  • Billing Information: payment method details (processed via third-party payment processors)
  • Communications: emails, support requests, chat messages
  • User-Generated Content: configuration data, uploaded documents, forms

3.2 Patient Information

When enabled by our customers, we process patient information on behalf of participating healthcare practices, including:

  • Personal Identifiers: full name, date of birth, email address, phone number, home address
  • Clinical Information: diagnoses, treatment notes, prescriptions, and other clinical documentation
  • Appointment History: scheduling records, confirmations, and cancellations
  • Billing and Insurance Data: insurance information, claims, and payment records
  • SMS Consent Records: consent status, opt-in method, and communication preferences

Patient information constitutes Protected Health Information (PHI) and is processed solely on behalf of our customers and in accordance with HIPAA, our Business Associate Agreements (BAAs), and applicable law.

3.3 Automatically Collected Information

We may automatically collect:

  • IP address
  • Device type and browser
  • Operating system
  • Usage logs and timestamps
  • Performance and diagnostic data

This information is used for security, analytics, and service improvement.

4. How We Use Information

We use collected information to:

  • Provide, operate, and maintain the Services
  • Authenticate users and manage access
  • Process transactions and billing
  • Provide customer support
  • Improve functionality and performance
  • Ensure security and fraud prevention
  • Comply with legal and regulatory obligations

We do not sell personal data.

5. Legal Bases for Processing (Where Applicable)

Depending on jurisdiction, our legal bases may include:

  • Performance of a contract
  • Compliance with legal obligations
  • Legitimate business interests
  • User consent (where required)

6. Data Sharing and Disclosure

We may share information only as necessary with:

6.1 Service Providers

Third parties that help us operate the Services, such as:

  • Cloud infrastructure providers
  • Payment processors
  • Email and communications providers
  • Analytics and monitoring tools

All vendors are contractually obligated to maintain appropriate security and confidentiality. NoBackOffice has executed Business Associate Agreements (BAAs) with all third-party microservices and subprocessors that create, receive, maintain, or transmit Protected Health Information (PHI).

6.2 Legal and Regulatory Requirements

We may disclose information if required to:

  • Comply with laws, regulations, or court orders
  • Respond to lawful requests by public authorities
  • Protect rights, safety, and property

6.3 Business Transfers

In connection with a merger, acquisition, or asset sale, information may be transferred subject to confidentiality obligations.

7. SMS and Voice Communication Data

As part of our practice management platform, NoBackOffice operates SMS and voice communication services on behalf of participating healthcare practices. The following applies to data collected through these channels:

  • We do not sell, share, or disclose patient phone numbers or opt-in information to third parties or affiliates for marketing or promotional purposes. The above excludes text messaging originator opt-in data and consent; this information will not be shared with any third parties.
  • Patient phone numbers, opt-in status, and message content are used solely to deliver healthcare administrative communications that patients have provided express written consent to receive, and to maintain records of consent and communication preferences.
  • SMS consent records (including timestamp, method of consent, and opt-in/opt-out history) are stored in compliance with applicable regulations.
  • NoBackOffice does NOT place outbound calls to patients. Our voice assistant only answers inbound calls initiated by patients.

All SMS and voice data handling complies with HIPAA requirements. For details on how consent is obtained, see our Consent Form. For SMS service terms, see Section 21 of our Terms of Service.

8. Data Security

We implement administrative, technical, and physical safeguards, including:

  • Encryption in transit and at rest
  • Access controls and role-based permissions
  • Audit logging
  • Network segmentation
  • Regular security reviews

Despite these measures, no system can be 100% secure.

9. Data Retention

We retain information only for as long as necessary to:

  • Provide the Services
  • Fulfill contractual obligations
  • Comply with legal and regulatory requirements

PHI retention is governed by customer agreements and applicable healthcare laws.

10. Your Rights and Choices

Depending on your location, you may have the right to:

  • Access your personal information
  • Request correction or deletion
  • Object to or restrict processing
  • Request data portability

Requests should be directed to your healthcare provider or practice when applicable.

11. California Privacy Rights (CCPA/CPRA)

California residents may have additional rights, including:

  • Right to know what personal data is collected
  • Right to request deletion
  • Right to opt out of certain data uses

NoBackOffice does not sell personal information.

12. Children's Privacy

The Services are not intended for individuals under 18. We do not knowingly collect personal information from children.

13. Third-Party Links

Our Services may contain links to third-party sites. We are not responsible for their privacy practices.

14. Changes to This Privacy Policy

We may update this Privacy Policy periodically. Changes will be posted with an updated "Last Updated" date.

15. Contact Information

For privacy-related inquiries, contact:

NoBackOffice, Inc.

Email: [email protected]

Website: https://www.nobackoffice.com