Novapulse

Privacy Policy

Novapulse by Coconut Ventures LLC

Effective Date: March 10, 2026

SOC 2 Type II CompliantHIPAA Compliant

1. Introduction

This Privacy Policy describes how Coconut Ventures LLC ("Company," "we," "us," or "our"), the operator of Novapulse (accessible at novapulse.care), collects, uses, discloses, and protects information obtained from users of our voicemail management platform. Novapulse is designed for healthcare clinics and may process Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act ("HIPAA").

By accessing or using Novapulse, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of our services immediately.

2. Scope of This Policy

This Privacy Policy applies to all information collected through:

  • The Novapulse web application at novapulse.care
  • Voicemail data forwarded to or processed by Novapulse
  • Communications between you and Novapulse (e.g., support emails)

This policy does not apply to third-party websites or services linked from our platform.

3. Information We Collect

3.1 Account and Clinic Information

When you register for Novapulse, we collect:

  • Clinic or organization name
  • Contact information (name, email address, phone number)
  • Staff and user credentials (usernames, hashed passwords)
  • Billing information (processed via a third-party payment processor)

3.2 Voicemail Data (May Include PHI)

Novapulse processes voicemail messages forwarded by clinics. This voicemail data may include:

  • Caller names and phone numbers
  • Health or medical condition information
  • Prescription-related inquiries
  • Appointment booking, cancellation, or rescheduling requests
  • General patient inquiries

This data is treated as PHI under HIPAA and is subject to the protections outlined in our Business Associate Agreement (BAA) with each covered entity.

3.3 Transcription and Processed Data

Novapulse transcribes voicemails and applies automated tagging, triaging, and department/staff assignment. The resulting data includes:

  • Voicemail audio recordings
  • Transcribed text of voicemail content
  • Automated tags, triage classifications, and department assignments
  • Processing timestamps and activity logs

3.4 Usage and Technical Data

We automatically collect:

  • IP addresses and device identifiers
  • Browser type, operating system, and version
  • Pages visited, features used, and session duration
  • Referring URLs and interaction patterns

4. How We Use Your Information

We use collected information for the following purposes:

  • Service Delivery: To provide voicemail transcription, triaging, auto-tagging, and department routing.
  • Account Management: To create and manage your Novapulse account and clinic profile.
  • Platform Improvement: To analyze usage patterns and improve product functionality.
  • Security and Compliance: To detect and prevent unauthorized access, fraud, and security incidents.
  • Communications: To send service-related notifications, updates, and support responses.
  • Legal Obligations: To comply with applicable laws, regulations, and legal processes.

5. HIPAA Compliance and PHI

5.1 Business Associate Agreement (BAA)

Novapulse acts as a Business Associate under HIPAA. We enter into a BAA with each Covered Entity (clinic) prior to processing any PHI. The BAA defines the permitted uses and disclosures of PHI and our obligations to protect it.

5.2 PHI Safeguards

We implement the following safeguards for PHI:

  • Administrative Safeguards: Workforce training, access management policies, incident response procedures, and regular risk assessments.
  • Physical Safeguards: Controlled access to data processing facilities and workstation security.
  • Technical Safeguards: Encryption of PHI in transit (TLS 1.2+) and at rest (AES-256), access controls, audit logging, and automatic session termination.

5.3 Minimum Necessary Standard

We limit the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose, consistent with HIPAA requirements.

5.4 Breach Notification

In the event of a breach of unsecured PHI, we will notify affected Covered Entities without unreasonable delay and no later than 60 days after discovery, in accordance with 45 CFR Part 164, Subpart D.

6. SOC 2 Compliance

Novapulse maintains SOC 2 Type II compliance, which demonstrates our commitment to security, availability, and confidentiality. Our SOC 2 program includes:

  • Continuous monitoring of security controls
  • Regular third-party audits by an independent CPA firm
  • Documented policies and procedures for all trust service criteria
  • Incident management and response protocols
  • Vendor risk management programs

A copy of our most recent SOC 2 report is available upon request under NDA.

7. How We Share Information

We do not sell personal information or PHI. We may share information with:

  • Service Providers: Third-party vendors who assist in delivering our services (e.g., cloud hosting, payment processing) under contractual obligations and, where applicable, BAAs.
  • Covered Entities: We share processed voicemail data back with the clinic that forwarded the voicemail.
  • Legal Requirements: When required by law, subpoena, court order, or government request.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, with appropriate privacy protections.
  • With Consent: Where you have provided explicit authorization for disclosure.

8. Data Retention

We retain information according to the following principles:

  • Voicemail Data and PHI: Retained for the duration specified in our BAA with each clinic, or as required by applicable law. Clinics may request deletion of their data in accordance with the BAA terms.
  • Account Information: Retained for the duration of the account relationship plus a reasonable period for legal and business purposes.
  • Usage Data: Retained in aggregated or anonymized form for analytics purposes.

Upon termination of services, we will securely delete or return PHI as specified in the BAA.

9. Data Security

We employ industry-standard security measures, including but not limited to:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls (RBAC) with least-privilege principles
  • Multi-factor authentication (MFA) for administrative access
  • Continuous vulnerability scanning and penetration testing
  • 24/7 monitoring and intrusion detection systems
  • Regular security training for all personnel
  • Incident response plan tested and updated regularly

10. Your Rights

10.1 For Patients

If you are a patient whose voicemail has been processed by Novapulse, your rights to access, amend, or request an accounting of disclosures of your PHI are governed by HIPAA and should be directed to your healthcare provider (the Covered Entity). We will assist your provider in fulfilling these requests as required by our BAA.

10.2 For Clinic Users

As a clinic user of Novapulse, you may:

  • Access and update your account information
  • Request export of your clinic data
  • Request deletion of your account (subject to legal retention requirements)
  • Manage notification preferences

10.3 Kentucky and U.S. State Privacy Rights

Depending on your state of residence, you may have additional privacy rights under state laws (e.g., CCPA for California residents). Please contact us at privacy@novapulse.care to exercise any applicable rights.

11. Children's Privacy

Novapulse is not directed to individuals under 18. We do not knowingly collect personal information from minors outside of voicemail content forwarded by clinics in the ordinary course of healthcare operations.

12. Third-Party Services

Novapulse may integrate with or link to third-party services. We are not responsible for the privacy practices of these services. We encourage you to review their privacy policies. Any third-party service that processes PHI on our behalf does so under a BAA.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes via email or an in-app notification at least 30 days before the changes take effect. The updated policy will be posted at novapulse.care with a revised effective date.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Coconut Ventures LLC

Louisville, Kentucky, USA

Email: privacy@novapulse.care

Website: novapulse.care

For HIPAA-related inquiries, please reference your organization's Business Associate Agreement with Coconut Ventures LLC.