Nemira is a clinic operations platform used by independent healthcare providers to manage bookings, patient communication, financing options, and billing. This notice describes what we collect, why we collect it, how we store and share it, and how you can revoke access.
Contact information (name, email, phone), inquiry and visit details (treatment interest, preferred date and time, chart notes authored by the clinic), financing inputs (treatment amount, term preference, self-reported credit range, employment status, state), and the data we receive from connected third-party services that a clinic chooses to link, such as QuickBooks Online.
To route booking requests to the clinic you select, compute sample financing payment options, maintain your account, deliver communications you have asked for, sync invoice and payment data into the clinic's accounting system when they have authorized it, and operate basic platform features. We do not sell personal information to advertisers.
Clinics can connect their QuickBooks Online company file to Nemira. The connection is established by the clinic owner using Intuit's standard OAuth 2.0 flow. We never see the clinic's Intuit password. The clinic can disconnect at any time from Settings, QuickBooks, Disconnect, and also from inside QuickBooks Online under Apps, Manage my apps.
With the clinic's authorization, Nemira requests the QuickBooks Online accounting scope. We use this access to read chart of accounts, customers, items, and invoices so the clinic can map Nemira's services to QuickBooks accounts, and to write invoices, payments, and credit memos that reflect activity recorded inside Nemira. We do not read or write payroll, time tracking, or 1099 contractor data.
We store the OAuth access token, refresh token, the realm identifier of the connected company, and the timestamps of when the connection was created and last synced. Access and refresh tokens are encrypted at rest using AES-256-GCM with a key held in our server-side configuration and never exposed to the browser. Tokens are decrypted in memory only for the duration of an outbound API request to Intuit. We retain these records while the connection is active. When a clinic disconnects, we revoke the refresh token with Intuit and delete the stored tokens within seven days. Aggregate sync history (timestamps and counts, no QuickBooks field values) is retained for thirteen months for audit and support, then deleted.
Clinics can request a copy or deletion of QuickBooks-derived data we hold about their company by emailing support@nemira.app. Patient-facing data that originates in QuickBooks (for example, an invoice line) is treated under the same rules as the rest of the patient's record.
When a clinic enables Stripe for payments, Twilio for SMS, Resend for email, or other integrations, those providers receive the minimum data needed to perform their function (for example, a payer's card details flow directly to Stripe and are not stored on Nemira). Each provider operates under its own privacy notice, and the clinic remains the controller of the underlying patient data.
Account and booking data are retained while the account is active and for a period afterwards consistent with the clinic's recordkeeping obligations. Encrypted backups roll off on a thirty-five day cycle. Audit logs are retained for thirteen months. Specific deletion requests are honored within thirty days, subject to legal holds.
When the platform connects to real lenders, additional disclosures will appear at the time of application, including credit pull authorization, FCRA permissible purpose, and an electronic-signature consent. Those disclosures do not apply yet because financing offers shown today are estimates and not offers of credit.
Questions, access requests, deletion requests, or anything else: support@nemira.app.
Last updated: 2026-05-20.
