Effective Date: January 1, 2025 · Last Updated: June 2025
Novos Leaf operates at the intersection of healthcare and cannabis regulation. This Privacy Policy explains how we collect, use, and protect your information — including Protected Health Information governed by HIPAA. Please read it carefully.
We collect information you provide directly to us when you create an account, complete a beta application, or contact us. This includes name, email address, phone number, state of residence, and role type.
For medical patients and providers, we collect Protected Health Information (PHI) as defined under HIPAA, including medical history, cannabis recommendations, consultation records, and prescription information. This data is handled under our HIPAA Privacy Rule compliance program.
For cultivators, we collect grow cycle data, environmental parameters, batch records, and plant diagnostic photos. For dispensary operators, we collect inventory data, sales records, and customer analytics.
We also collect technical information automatically when you use the platform: IP address, browser type, device identifiers, usage patterns, and session data. This information is used for security, performance optimization, and platform improvement.
We use the information we collect to provide, maintain, and improve the Novos Leaf platform; to process beta applications and onboard new users; to facilitate telemedicine consultations between patients and providers; to generate AI-powered recommendations and insights tailored to your role; to submit required reports to state cannabis registries (Metrc, BioTrack) on behalf of licensed operators; to send transactional communications related to your account; to comply with legal obligations; and to protect the security and integrity of our platform.
We do not use your information for advertising purposes. We do not sell your personal information to third parties. We do not use PHI for marketing or commercial purposes beyond the direct provision of healthcare services.
Novos Leaf is a HIPAA Business Associate for medical providers who use our telemedicine platform. All PHI is handled in accordance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
PHI is used only for treatment, payment, and healthcare operations purposes as defined under HIPAA. Patients have the right to access, amend, and receive an accounting of disclosures of their PHI. Requests should be submitted to legal@novosleaf.com.
We maintain Business Associate Agreements (BAAs) with all covered entities that use our platform. A copy of our standard BAA is available upon request.
We share information in the following limited circumstances: with licensed medical providers and patients in the course of providing telemedicine services; with state cannabis regulatory systems (Metrc, BioTrack, FL OMMU) as required for licensed operators; with service providers who process data on our behalf under confidentiality agreements; in response to legal process or to protect the safety of users; and in connection with a merger, acquisition, or sale of assets, with appropriate notice to users.
We do not share PHI with employers, life insurers, marketing firms, or data brokers.
Medical records and PHI are retained for a minimum of 7 years from the date of creation, or longer where required by applicable state law. Account data is retained for the duration of your account plus 2 years. Cannabis batch records and compliance documentation are retained in accordance with state regulatory requirements, typically 3–5 years.
You may request deletion of non-PHI account data at any time by contacting legal@novosleaf.com. PHI deletion requests are subject to HIPAA requirements and applicable state medical record laws.
Depending on your location and role, you may have rights to: access personal information we hold about you; correct inaccurate information; request deletion of personal information (subject to retention obligations); object to processing; data portability; and withdraw consent where processing is based on consent.
To exercise these rights, contact legal@novosleaf.com. We will respond within 30 days. For PHI-specific rights under HIPAA, see Section 3.
Questions about this Privacy Policy should be directed to legal@novosleaf.com. For HIPAA-specific inquiries, include "HIPAA" in the subject line. Our mailing address and full legal entity information are available upon request.