Effective date: January 1, 2025
Thank you for using Navix Hub, a Software-as-a-Service subscription service of Navix Health Inc., a Delaware corporation. These Terms of Use ("Terms") govern your use of Navix Hub Facilities, Navix Hub Professional, and NavixAI (collectively, the "Services").
These Terms incorporate by reference: (a) our Privacy Policy, and (b) for users who are Covered Entities under HIPAA, our Business Associate Agreement, which governs our handling of Protected Health Information.
You must be of legal age to manage your personal affairs to use Navix Health Services. You warrant that: (i) you have not previously been suspended or removed from using the Services; (ii) your registration and use is in compliance with all applicable laws and regulations; and (iii) if you are an entity, the individual accepting these Terms on your behalf has authority to bind you to these Terms.
If you use the Services on behalf of another person or entity, you must have authority to accept these Terms on their behalf. Should you cease engagement with that person or entity, you must cease use of the Services and that account immediately.
You must provide accurate and complete information to register for an account and keep it current. Information that is more than 30 days out of date may be grounds for account cancellation. You may not share your account credentials with others outside your organization, and you are responsible for all activities that occur using your credentials.
You agree to receive communications by email and text, including push notifications, and to undertake two-factor authentication as we determine necessary. We may communicate with you about related Navix Health products or services. You may opt out of marketing communications at any time.
We grant you a non-exclusive, non-transferable right to use the Services in accordance with these Terms. You shall comply with these Terms and all applicable laws. We are the owner of all rights, title, and interest in and to the Services.
We welcome feedback, comments, ideas, and suggestions for improvements. You grant us a perpetual, royalty-free license to use such input without restriction or compensation.
You may not:
The Services may integrate with third-party services. Your use of such third-party services is governed by the terms of those services. We are not responsible for third-party services or any interactions between you and those services.
You retain all rights to data and content you submit to the Services ("Your Content"), including patient records, clinical notes, and Facility data. You grant us a limited license to host, store, and process Your Content as necessary to provide the Services and as permitted by our Business Associate Agreement.
We may use de-identified information derived from Your Content to improve the Services, train AI/ML models, develop new features, and generate aggregated benchmarks and insights. De-identification follows the HIPAA Safe Harbor standard (45 CFR 164.514(b)(2)). De-identified information is not Protected Health Information and may be used for any lawful purpose.
Our AI/ML features process information as described in our Privacy Policy. You acknowledge and consent to the use of de-identified information for AI/ML training and product improvement as described therein.
We may compile aggregated data from multiple Facilities for benchmarking, analytics, and industry reporting. Aggregated data does not identify any individual or specific Facility and may be used for any lawful purpose.
Upon termination of your account, data retention is governed by our Privacy Policy and your Business Associate Agreement. PHI will be retained for a transition period (typically 25 years for treatment records as required by law) before being securely deleted or returned at your direction.
For users that are Covered Entities under HIPAA, our Business Associate Agreement ("BAA") governs our handling of Protected Health Information ("PHI"). The BAA is a separate document that supplements these Terms.
We comply with the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, and 42 CFR Part 2 governing substance use disorder records. We are SOC 2 certified and undergo regular security assessments.
Your obligations. You are responsible for: obtaining appropriate patient consents and authorizations; configuring access controls within your account in accordance with the minimum-necessary standard under 45 CFR 164.502(b); training your workforce on the appropriate use of the Services and on HIPAA Security Rule administrative safeguards (45 CFR 164.308); and maintaining annual HIPAA training records for users with PHI access.
Incident reporting. You will report any suspected privacy or security incident, credential compromise, ransomware exposure, or unauthorized PHI access — whether involving the Services, your endpoints, or your downstream integrations — to support@navixhealth.com within twenty-four (24) hours of discovery. Earlier reporting is required where the BAA, applicable law, or specific contract terms so provide.
Workforce changes. You will promptly disable Navix accounts and revoke API credentials for any workforce member who departs your organization, changes roles such that PHI access is no longer required, or whose credentials may have been compromised. Disablement should occur the same business day where practicable and in any event within seventy-two (72) hours.
Our enforcement basis. The HIPAA Security Rule (45 CFR 164.308(a)(3) — Workforce Security and (a)(4) — Information Access Management) requires us to terminate access when unauthorized use of the Services threatens the confidentiality, integrity, or availability of PHI. You acknowledge that our right to suspend or terminate the Services for the reasons set out in these Terms is necessary for our compliance with these obligations.
All programmatic access to the Services — including our REST API, Model Context Protocol (MCP) servers, webhooks, and any AI agent, bot, autonomous system, or automation that interacts with the Services on your behalf — requires a current, paid subscription to our Developer Platform (the "API Suite") in addition to your underlying Navix subscription.
We encourage you to build internal tools, automations, AI assistants, dashboards, and third-party products around Navix. Such activity is permitted, subject to these Terms and the API Suite agreement. Authentication credentials (API keys, OAuth client secrets, MCP bearer tokens) are issued only to active API Suite subscribers, are non-transferable, and may not be embedded in client-side code or shared across organizations.
Any AI agent, autonomous system, or automated process that reads from, writes to, or otherwise interacts with PHI in the Services must (a) authenticate via the official API Suite under credentials issued to your organization, (b) operate under a current Business Associate Agreement, (c) attribute every action to an identifiable workforce member where HIPAA accountability requires it, and (d) comply with all rate limits, audit logging, and access-control requirements we publish.
Unauthorized automation is strictly prohibited and includes, without limitation: scraping the Navix web user interface; running headless browsers or browser-automation frameworks against the Services; replaying recorded user sessions; routing AI-agent traffic through human user accounts; and any technique that disguises automated activity as human use.
We monitor session-level request volume, request patterns, agent fingerprints, and other signals consistent with automated activity. Anomalous patterns may trigger automated rate limiting, suspension pending investigation, or termination as set out below.
Subject to these Terms and a current API Suite subscription, you may:
Without limiting Section 2.3, you may not:
We log every API call, MCP invocation, webhook delivery, and agent action against PHI. Logs include the calling identity, timestamp, endpoint, source IP, and (where applicable) the patient or chart accessed. Logs are retained for at least seven (7) years.
You consent to our review of these logs (i) when we have a good-faith basis to suspect a violation of these Terms, (ii) when required by HIPAA Breach Notification investigation procedures, or (iii) as part of routine security operations. You will reasonably cooperate with audits, evidence requests, or interviews we conduct under the BAA when we present a good-faith concern about API or agent activity, and you will produce relevant access logs from your systems within ten (10) business days of request.
Material non-cooperation with such an audit is itself an independent ground for the termination remedy described in Section 5.7.
API Suite plans include defined request limits per minute, per hour, and per month. Sustained or burst traffic exceeding the contracted volume may incur overage charges or trigger throttling, at our option.
We track a session-volume metric for every authenticated session. Sessions that exhibit machine-like volume from human user accounts (for example, request rates inconsistent with human interaction patterns, or sustained high-throughput activity outside published API endpoints) are presumed to be unauthorized automation under Section 5.2 and may be suspended without further notice pending investigation.
Material breach of this Section 5 — including unauthorized automation, redistribution of API access, exfiltration patterns, refusal to cooperate with an audit, or repeated lower-severity violations after warning — is grounds for termination of the entire customer relationship, not solely the API Suite. This is necessary for our HIPAA Security Rule obligations as set out in Section 4.
Notice. Except as otherwise provided in this Section, we will deliver thirty (30) calendar days' written notice of termination to the support and privacy-officer addresses you have on file. The notice will state the alleged violation, any remediation required, and the effective termination date if cure is not achieved within the notice period.
During the notice period. We may immediately suspend API Suite access, MCP access, webhook deliveries, and AI-agent traffic. We will continue to provide read-only web access to PHI sufficient to support continuity-of-care obligations during the notice period. You must complete any data export requests and provider transition steps within the notice window.
Immediate suspension. We may suspend access immediately and run the 30-day notice period from the suspension date where the breach involves an active or imminent threat to PHI, including credential compromise, exfiltration in progress, ransomware activity, ongoing unauthorized automation, or where required by HIPAA Breach Notification or other reporting obligations.
Cure. If you fully cure the violation to our reasonable satisfaction within the notice period — including production of audit logs, removal of unauthorized automation, rotation of credentials, and any other remediation we specify — we may, in our sole discretion, reinstate the Services. Reinstatement does not waive any other right or remedy.
Within five (5) business days of the effective termination date, we will deliver a complete export of your PHI in a documented, structured format. Default formats are JSON and HL7 FHIR R4; CSV is available on written request. Exports are encrypted in transit and at rest, delivered through a customer-specific secure channel, and accompanied by a manifest enumerating each exported chart.
Export fee. A data export fee of five United States dollars (US$5.00) per unique medical record is payable in advance of export delivery. "Medical record" means a unique patient or client chart in your tenant, regardless of the number of notes, documents, or other items associated with that chart. The fee covers extraction, integrity verification, encryption, secure delivery, key escrow, and decommissioning of the export environment. Where applicable law (including 42 CFR Part 2 or any state record-retention statute) requires a different return-or-destruction process, the statutory standard governs and the fee may be waived to the extent required by law.
Decommissioning. After your written confirmation of receipt of the export, or after thirty (30) calendar days from delivery if you do not respond, we will securely delete your PHI from production systems in accordance with our Privacy Policy and Business Associate Agreement. Backup copies persist for the standard backup retention period and are then permanently destroyed.
Termination does not relieve you of: (a) fees incurred for usage prior to termination, including any accrued API Suite overage, AI-agent volume charges, or other consumption-based fees; (b) the data export fee described in Section 5.8; (c) confidentiality obligations under Section 9; (d) indemnification obligations under Section 11; and (e) any audit-cooperation obligations related to the events that led to termination.
Following termination, we may assert any contractual remedy available to us, including collection of outstanding fees, injunctive relief in cases of credential abuse, exfiltration, or competing-model training, and any other equitable remedy. Outstanding amounts are subject to interest under Section 8.2.
The API Suite is provided "as available." We will use commercially reasonable efforts to maintain availability and backwards compatibility, but we do not warrant any specific uptime for customer-built integrations, AI agents, or third-party tools beyond the service-level commitments expressly stated in your API Suite agreement.
We may introduce, version, deprecate, or modify API endpoints with reasonable advance notice. For breaking changes affecting documented endpoints, we will provide at least ninety (90) days' notice except where the change is required for security, regulatory compliance, or to mitigate active abuse.
If you opt in to SMS notifications, you consent to receive service-related text messages including appointment reminders, scheduling updates, telehealth links, and account notifications.
Message frequency varies. Standard message and data rates may apply. Reply STOP to opt out, HELP for assistance.
SMS communications are subject to the TCPA (Telephone Consumer Protection Act). Our SMS opt-in flow includes mobile number verification and explicit consent disclosures.
Support is provided by email at support@navixhealth.com and by phone at 855-490-1982 (Mon–Fri, 9am–5pm PST). Enterprise customers receive a dedicated customer success manager.
We may update, modify, or discontinue features at any time. We will provide reasonable notice of material changes that adversely affect your use of the Services. Continued use after an update constitutes acceptance of the updated Services.
Free trials are offered as described on our pricing page. At the end of the trial period, your subscription will convert to a paid plan unless you cancel before the trial ends.
Fees are charged according to the plan you select (per-professional, per-location, or, for the API Suite, per the metered tier you select). Fees are billed monthly in advance and are non-refundable except as required by law. Payment is due on the billing date for each cycle.
Failure to pay may result in suspension or termination of your account. Past-due amounts may be subject to interest at the lesser of 1.5% per month or the maximum rate permitted by law. Outstanding API overage, AI-agent volume charges, or data-export fees described in Section 5.8 are collected on the same basis as Subscription fees.
Fees are exclusive of taxes. You are responsible for all sales, use, value-added, and similar taxes associated with your use of the Services, except for taxes based on our net income.
We may change pricing with at least 30 days' notice for existing customers. The introductory rate locked in at sign-up will be honored for as long as your subscription remains active and continuous.
Billing disputes must be raised within 30 days of the invoice date. Undisputed amounts must be paid by the due date.
Each party will protect the other's Confidential Information using the same degree of care it uses to protect its own confidential information, but no less than reasonable care. Confidential Information does not include information that is publicly available, independently developed, or rightfully obtained from a third party.
We implement administrative, technical, and physical safeguards designed to protect data in accordance with HIPAA Security Rule requirements (45 CFR Part 164 Subpart C). Data is encrypted in transit and at rest. Audit logs capture all PHI access at the user, session, and request level.
Our handling of personal data is described in our Privacy Policy. By using the Services, you consent to the collection, use, and disclosure of information as described therein.
You will: (a) enable multi-factor authentication for every account with access to PHI; (b) issue individual user accounts to each workforce member who accesses the Services and not share credentials, API keys, OAuth secrets, or MCP tokens; (c) rotate API and MCP credentials at least annually, and within twenty-four (24) hours of any suspected compromise, departure of a credentialed workforce member, or notice from us of an integrity event; (d) store credentials only in approved secret-management systems and never in source code, client-side bundles, public repositories, or unencrypted configuration files; and (e) report any suspected credential compromise to support@navixhealth.com within twenty-four (24) hours of discovery.
You consent to our reset, revocation, or rotation of any credential we reasonably believe has been compromised or is being used in violation of these Terms.
These Terms apply for as long as you have an active account with Navix Health.
You may terminate your account at any time by following the cancellation process in your account settings or by contacting support. Termination takes effect at the end of your current billing cycle. Pre-paid fees are non-refundable.
We may suspend or terminate your account for material breach of these Terms (including Section 5), non-payment, fraudulent use, threats to other customers, regulatory violations, or other use that violates applicable law. We will provide notice of termination as set out in these Terms except in cases involving security risks, active threats to PHI, or legal violations that make immediate action necessary.
Upon termination: your right to use the Services ends immediately or at the end of any applicable notice period; you remain liable for all fees incurred prior to termination, including any accrued API or data-export fees; we will retain or return your data in accordance with the Business Associate Agreement, the export procedure in Section 5.8, and applicable law; and provisions that by their nature should survive termination (including confidentiality, indemnification, audit cooperation, and limitation of liability) will survive.
Indemnity. You agree to indemnify and hold harmless Navix Health, its officers, directors, employees, and agents from claims, damages, losses, fines, penalties, and reasonable expenses (including attorneys' fees) arising from: (a) your breach of these Terms, including any breach of Section 5 (Developer Platform, API Suite, and AI Agents); (b) your violation of HIPAA, 42 CFR Part 2, or other applicable law; (c) your misuse of the Services or of any credential issued to you; (d) any unauthorized automation or AI-agent activity originating from your accounts; or (e) any claim by your end customers, workforce, or third parties arising from your use of the Services.
Disclaimer. THE SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. WE DO NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR THAT AI/ML OUTPUTS WILL BE ACCURATE OR COMPLETE.
Limitation of Liability. TO THE MAXIMUM EXTENT PERMITTED BY LAW, NAVIX HEALTH'S TOTAL LIABILITY FOR ANY CLAIM ARISING FROM THESE TERMS OR YOUR USE OF THE SERVICES SHALL NOT EXCEED THE AMOUNT PAID BY YOU TO NAVIX HEALTH IN THE TWELVE MONTHS PRECEDING THE CLAIM. WE SHALL NOT BE LIABLE FOR INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR PUNITIVE DAMAGES.
Exceptions. The limitations above do not apply to: (a) liability arising from gross negligence, willful misconduct, or fraud; (b) liability for breach of confidentiality, IP infringement, or unauthorized use of the API Suite; (c) your indemnification obligations; or (d) violations that cannot be limited under applicable law.
Mandatory Process. Disputes arising from these Terms shall be resolved through the process described in this Section before any litigation is filed.
Informal Resolution. The parties shall first attempt to resolve disputes informally by good-faith negotiation between authorized representatives for at least 30 days.
Mediation. If informal resolution fails, the parties shall attempt mediation through a mutually agreed mediator.
Arbitration. If mediation fails, disputes shall be resolved by binding arbitration administered by JAMS under its commercial rules. Arbitration shall be conducted in Delaware. The arbitrator's decision shall be final and binding.
Costs. Each party bears its own costs of mediation and arbitration unless the arbitrator awards costs to the prevailing party.
Exceptions. Either party may seek injunctive or equitable relief in court for breaches involving intellectual property, confidentiality, the API Suite (Section 5), or data security without first proceeding through mediation or arbitration.
No Class Actions. Disputes shall be resolved on an individual basis. The parties waive the right to participate in class actions or class arbitrations.
The parties are independent contractors. These Terms do not create a partnership, joint venture, or agency relationship.
You may not assign these Terms without our prior written consent. We may assign these Terms in connection with a merger, acquisition, or sale of assets.
We may update these Terms from time to time. Material changes will be communicated by email or in-product notice. Continued use of the Services after changes constitutes acceptance of the updated Terms.
Notices to Navix Health shall be sent to support@navixhealth.com. Notices to you will be sent to the email address associated with your account and, where designated, to the address of your Privacy Officer or technical contact.
If any provision of these Terms is held invalid or unenforceable, the remaining provisions will continue in full force and effect.
These Terms, together with our Privacy Policy, our Business Associate Agreement (where applicable), and any API Suite agreement, constitute the entire agreement between the parties regarding the Services and supersede all prior agreements.
These Terms are governed by the laws of the State of Delaware, without regard to its conflict-of-laws principles.
Navix Health Inc.
Email: support@navixhealth.com
Phone: 855-490-1982