Effective Date: 12/5/2025
This Privacy Policy describes how Willow Life Sciences, Inc., doing business as Neru Health ("Neru," "we," or "us"), collects, uses, protects, and discloses information through its websites, applications, AI-assisted communication systems, automated support tools, and related technology (collectively, the "Services"). These Services may be used by individuals who interact directly with Neru ("Direct Users") or by individuals whose access is furnished through a healthcare provider, durable medical equipment supplier, pharmacy, clinic, or other enterprise partner ("Customer"). In such cases, Neru may process information governed by a Business Associate Agreement ("BAA"), including information that constitutes Protected Health Information ("PHI") under HIPAA.
By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. This Privacy Policy must be read together with the Terms of Service, including the limitations on reliance, oversight requirements, and safety obligations associated with artificial intelligence-generated responses ("AI Outputs"). If there is any conflict between this Privacy Policy and an applicable BAA, the BAA controls with respect to Customer-governed users and PHI.
This Privacy Policy applies to information collected or generated through the Services, including information transmitted through Neru's websites, AI-assisted communication systems, and voice- and text-based engagement tools, as well as information collected through Customer-integrated operational workflows. It applies to all information processed by the Services, whether supplied by Users, transmitted by a Customer, or generated automatically through system functionality.
Neru collects information that Users provide when interacting with the Services, including contact details, onboarding responses, device-related or therapy-related inquiries, troubleshooting descriptions, adherence updates, and other communications submitted through voice or text channels. Neru also receives information from Customers, including demographic information, device usage and adherence metrics, communication preferences, and other operational data necessary to support Customer workflows. To the extent any such information constitutes PHI, its use is governed exclusively by the applicable BAA.
The Services also automatically collect technical and usage-related information such as device identifiers, browser metadata, IP address information, timestamps, interaction logs, and AI-generated transcripts or summaries. These data support security, auditing, analytics, quality assurance, and improvement of Service functionality. Users must not transmit PHI to Neru unless such transmission is authorized under a Customer relationship and complies with HIPAA and the applicable BAA.
Neru uses information to operate, maintain, and improve the Services; to support onboarding, device setup, adherence workflows, troubleshooting, and resupply coordination; to facilitate administrative and operational communications; to maintain the accuracy, safety, and performance of AI-assisted functionality; to develop new features and capabilities; to fulfill obligations to Customers; and to comply with legal, regulatory, and auditing requirements. This Privacy Policy does not modify or affect the limitations on reliance described in the Terms of Service, and nothing in this Policy should be interpreted as medical advice. Neru does not use PHI for advertising, marketing, or cross-context behavioral profiling and does not sell personal information.
When Neru processes PHI on behalf of a Customer, such processing is governed solely by the applicable BAA and must comply with HIPAA. Neru uses PHI only for purposes permitted under the BAA and applicable law, such as facilitating operational workflows, supporting Service functionality, and maintaining system safety and reliability. Neru will not use or disclose PHI for advertising, marketing, or analytics not authorized by the BAA. Requests to access, amend, or delete PHI must generally be submitted to the Customer, consistent with HIPAA's allocation of individual rights.
Neru may create de-identified or aggregated information in accordance with HIPAA de-identification standards. Once information is de-identified, it is no longer considered PHI. Neru may use de-identified information to operate, analyze, research, develop, improve, and enhance the Services and the underlying AI models; to support analytics and product enhancements; and to advance the safety, reliability, and functionality of the Services. These uses are essential to the continued improvement and integrity of the Services. Neru will not attempt to re-identify de-identified information or disclose it in a form reasonably expected to identify a User or Customer.
Neru may share information with Customers whose users access the Services; with service providers that support hosting, communication delivery, analytics, data storage, monitoring, and security; with subcontractors bound to confidentiality and security obligations; and with regulators or authorities when necessary to comply with law or protect the rights, safety, or integrity of Users or the Services. Neru does not sell personal information and does not disclose PHI for marketing.
The Services may facilitate automated, human-assisted, or AI-assisted communications related to onboarding, device support, adherence encouragement, troubleshooting, patient education, or resupply coordination. Users may opt out of SMS communications by replying "STOP," although certain operational or legally required communications may continue. When communications are delivered on behalf of a Customer, the Customer is solely responsible for obtaining and maintaining any consent required under the TCPA or other applicable law.
Neru retains information for as long as necessary to operate the Services; to fulfill obligations to Customers; to meet legal, regulatory, or auditing requirements; and to maintain safety, reliability, and integrity. Specifically, AI interaction logs and related system data are retained only for as long as necessary to maintain and improve the Services, ensure safety and security, and comply with legal or contractual requirements. When information is no longer required, Neru deletes, de-identifies, or archives it in accordance with applicable laws and any relevant BAA.
Neru implements administrative, technical, and physical safeguards designed to protect information from unauthorized access, disclosure, alteration, or destruction. For information qualifying as PHI, Neru maintains safeguards consistent with HIPAA and its obligations under the applicable BAA. Users should notify Neru promptly if they suspect unauthorized access to their information.
Depending on applicable state law, Direct Users may have rights relating to their personal information, including rights to access, correct, delete, or restrict certain uses of such information. Requests may be submitted to tech@neruhealth.com. Where information constitutes PHI and is governed by a BAA, Neru may be required to direct such requests to the appropriate Customer under HIPAA.
The Services are not intended for individuals under eighteen years of age. Neru does not knowingly collect information from minors. If Neru becomes aware that information has been collected from a minor, the information will be deleted promptly.
Neru does not market or operate the Services outside the United States. Users accessing the Services from outside the United States do so voluntarily and are responsible for complying with local laws.
The Services do not respond to browser-based "Do Not Track" signals, as no industry standard governs such requests.
Neru may update this Privacy Policy periodically to reflect changes in operational practices, legal obligations, or Service functionality. Updated versions will display a revised effective date, and continued use of the Services after publication constitutes acceptance of the updated terms.
Neru Health
127 Western Avenue
Allston, MA 02134
tech@neruhealth.com