Back to Nocturne Health

Privacy Policy

Last updated: June 27, 2026

1. Who We Are

Nocturne Health ("Nocturne Health," "we," "us") is a cash-pay virtual sleep medicine practice operated by a licensed physician. We currently see patients located in Arkansas, California, Massachusetts, Missouri, Ohio, Oklahoma, and Pennsylvania. This Privacy Policy explains what information we collect when you use our website, sleep tools, screeners, and booking flow, and how we use and share that information. By using the site you agree to this policy.

2. Information We Collect

We collect three categories of information:

  • Information you provide: name, email address, responses to the STOP-BANG and other sleep screeners, free-text notes, and payment information you submit when booking a consultation.
  • Protected Health Information (PHI): once you become a patient, clinical information you share during your visit, intake forms, and any home sleep test results we order on your behalf.
  • Automatically collected information: IP address, device and browser type, pages viewed, referring URL, ad click identifiers (e.g. Google gclid, Reddit rdt_cid, Meta fbclid), and interactions with on-site tools. Collected via cookies and similar technologies — see Section 5.

3. How We Use Your Information

  • Provide and improve our clinical services, including scheduling, conducting, and following up on virtual consultations.
  • Send transactional messages (booking confirmations, appointment reminders, tool results you request by email).
  • Operate, secure, and improve the website and the on-site sleep tools.
  • Measure marketing performance and (where you have consented) deliver retargeted advertising on Google, Meta, and Reddit.
  • Comply with legal, regulatory, and professional obligations, including HIPAA, state medical-board rules, and tax/accounting requirements.

4. Service Providers and Third Parties We Share Data With

We do not sell your personal information. We share information with the following service providers, each under a written agreement that limits their use of the data to providing services to us:

  • Cal.com — booking and scheduling. Receives the name, email, and any intake details you submit when booking.
  • Resend — transactional email delivery (tool results, booking confirmations, follow-ups). Receives your email address and the contents of the messages we send you.
  • Stripe (via Cal.com) — payment processing. Receives the payment information you enter at checkout. We do not store full card numbers.
  • Google Analytics 4 (Google LLC) — website analytics. Receives pseudonymous usage data including IP address (truncated where supported), device data, and event data.
  • Meta Pixel (Meta Platforms, Inc.) — advertising measurement and retargeting for Facebook and Instagram. Receives pseudonymous event data and, where consented, hashed identifiers.
  • Reddit Pixel (Reddit, Inc.) — advertising measurement and retargeting for Reddit Ads. Receives pseudonymous event data and Reddit's own click identifiers.
  • PostHog — product analytics for understanding how on-site tools are used. Receives pseudonymous usage data.
  • Hosting and infrastructure providers (e.g. Vercel) — required to operate the website.

We never share PHI with advertising platforms. The events we send to Google, Meta, Reddit, and PostHog describe interactions with marketing surfaces (page views, tool opens, screener completions, booking-button clicks, booking confirmations) — they do not include screener answers, free-text inputs, or any clinical content.

5. Cookies and Tracking Technologies

We use first-party and third-party cookies and similar technologies. When you first visit the site, a consent banner offers three choices: accept all, accept analytics only, or decline non-essential tracking. Your choice is stored locally on your device for seven days, after which the banner reappears. You can change your choice at any time by clearing the cookie or contacting us. Categories:

  • Strictly necessary — required for the site to function (session, security, consent storage). Always on; no opt-out.
  • Analytics — Google Analytics 4 and PostHog. Loaded only after you accept analytics or accept all.
  • Marketing — Meta Pixel and Reddit Pixel, plus Google Ads conversion tracking. Loaded only after you accept all. Used for measuring ad campaigns and serving retargeted ads.

We also support Google's Consent Mode v2: if you decline marketing, Google receives cookieless pings that count modeled conversions without identifying you. You can additionally opt out of personalized advertising at the platform level via Google Ads Settings, Meta Ad Preferences, and Reddit's Personalize Ads setting.

6. HIPAA and Protected Health Information

Once you become a patient of Nocturne Health, the clinical information you share with us is Protected Health Information ("PHI") under the Health Insurance Portability and Accountability Act ("HIPAA"). We use and disclose PHI only as permitted by HIPAA — for treatment, payment, healthcare operations, and as otherwise required by law. PHI is not used for marketing, is not shared with advertising platforms, and is not sold. Our Notice of Privacy Practices, provided to you at intake, describes your HIPAA rights in detail, including the right to inspect and request amendments to your records and to receive an accounting of disclosures.

7. Your Rights

Depending on where you live, you may have rights to access, correct, delete, or port your personal information, and to object to or restrict certain processing. California residents have specific rights under the California Consumer Privacy Act (CCPA), including the right to know what we collect and the right to opt out of the sale or sharing of personal information — we do not sell personal information, and you can opt out of advertising-related sharing by declining marketing cookies in the consent banner. To exercise any right, email us at the address below. We will respond within the time required by applicable law (generally 45 days).

8. Data Retention

Medical records are retained for the period required by the medical-board rules of the state in which care was delivered (typically 7–10 years from the last visit, longer for minors). Marketing analytics data is retained for up to 14 months in GA4 by default and according to each ad platform's standard retention. Email subscribers remain on our list until they unsubscribe.

9. Data Security

We use TLS encryption in transit, encryption at rest for stored PHI, role-based access controls, and audit logging on systems that handle PHI. No method of transmission or storage is perfectly secure; we work to mitigate risk but cannot guarantee absolute security.

10. Children

Our services are intended for adults aged 18 and older. We do not knowingly collect personal information from children under 13. If you believe a child has provided information to us, contact us and we will delete it.

11. International Visitors

Nocturne Health operates in the United States and provides clinical services only to patients physically located in the states listed above. If you visit the site from outside the United States, you understand that your information will be processed in the United States.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be reflected in the "Last updated" date above and, where appropriate, communicated by email or an on-site notice. Continued use of the site after a change indicates acceptance of the updated policy.

13. Contact Us

Questions about this Privacy Policy, requests under HIPAA, CCPA, or other privacy laws, or complaints can be sent to hello@nocturnehealth.com. We will respond within the time required by applicable law.