The short version
Pace by NeuroMotive, LLC (“Pace,” “we”) is a Business Associate under HIPAA for the psychiatric practices that use our platform. We process protected health information (PHI) of patients only to provide the Remote Therapeutic Monitoring documentation our customers contract us for.
- We do not sell data. Ever. Not to advertisers, not to brokers, not to anyone.
- We do not use patient data for marketing. Patient PHI is never used to inform Pace's own outreach, ad targeting, or product analytics.
- We do not share patient data with third parties except the small set of HIPAA-eligible subprocessors required to run the service (listed below).
- Every patient's data is encrypted at rest (AES-256) and in transit (TLS 1.3), and every read is logged in an append-only audit trail retained for six years per HIPAA.
What we collect
From clinicians (account holders):
- Name, work email, credentials (MD/DO/PMHNP/PA), NPI, optional DEA number
- Practice information (name, address, state)
- Authentication data (password hash, login timestamps)
- Billing information processed by Stripe (we never see card numbers; Stripe returns a customer token)
From patients (enrolled by their psychiatrist):
- Name, date of birth, state of residence, timezone, primary ICD-10 diagnosis
- Email address; optionally mobile phone number (if patient opts in to SMS reminders)
- Caregiver email (optional)
- Mood and sleep check-in responses; PHQ-9, GAD-7, C-SSRS instrument responses
- Photos the patient uploads (optional, used only as personalization in their own check-ins)
- Free-text reflections, “letter to me” content (optional)
- Daily activity timestamps (when the patient checks in)
How we use it
- To provide the Pace service to your psychiatrist: storing your check-ins, surfacing your trends to them, generating the billing documentation they need for CMS Remote Therapeutic Monitoring.
- To send you check-in reminders (email and/or SMS, only if you've opted in to each channel).
- To generate AI-written acknowledgments and weekly reflections — using a HIPAA-eligible AI provider under a Business Associate Agreement.
- To surface safety-screening results to your clinician for their review when our screening identifies risk (a PHQ-9 Q9 endorsement triggers the C-SSRS, where your clinician has enabled it). Pace is not an emergency service and does not provide real-time crisis response.
- For our own internal product analytics — but only on de-identified, aggregated counts. No patient identifiers are ever joined to analytics.
SMS messaging program — explicit disclosure
If you opt in to SMS reminders, you may receive 1–3 messages per day from Pace at the phone number you provide. Message content is limited to a deep link to your check-in and a generic reminder — your name, diagnosis, scores, or any other PHI is never included in the SMS body.
Reply STOP to opt out of SMS at any time. Reply HELP to receive help text. Message and data rates may apply. Opting out of SMS does not end your enrollment in Pace; email reminders continue unless you also disable those.
Phone numbers shared with us for SMS are never shared with third parties for marketing or sold. Our SMS provider (Twilio, Inc.) is a HIPAA-eligible Business Associate.
For the full SMS program details (message frequency, sample opt-in disclosure shown in the patient app, STOP/HELP/START keyword behavior, support contact), see the SMS Program disclosure page.
Who we share data with
Only with the following HIPAA-eligible subprocessors, each under a signed Business Associate Agreement:
- Render, Inc. — application hosting (servers, databases, container orchestration)
- Amazon Web Services, Inc. — object storage (S3) for billing PDFs and patient photos, encryption key management (KMS)
- AI inference subprocessor — generates warm acknowledgments and weekly reflections (HIPAA-eligible, BAA in place)
- Twilio, Inc. — SMS reminder delivery (HIPAA Security Edition)
- Resend, Inc. — transactional email delivery
- Stripe, Inc. — payment processing (clinician subscriptions only — we never share patient PHI with Stripe)
We do not share data with any other third party for any reason without your explicit consent or as required by law.
Your rights
Because we're a Business Associate, requests to access, amend, or delete your PHI go through your treating psychiatrist (the Covered Entity), who has the authority under HIPAA to grant or deny those requests. You can contact your psychiatrist directly, or reach out to us at hello@neuromotive.health and we'll route your request to them.
For clinicians (account holders): you can access, amend, or delete your account information directly from the Pace dashboard, or by contacting us.
You have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights if you believe your HIPAA rights have been violated. Information at hhs.gov/hipaa/filing-a-complaint.
Data retention
Patient PHI is retained for as long as the patient is enrolled with their psychiatrist, plus any minimum retention period required by state law or the clinician's own retention policy (typically 7–10 years for psychiatric records).
Audit logs are retained for six years from the date of the audited event, per HIPAA.
Account information for inactive clinicians is retained for the duration of the relationship plus any minimum required for tax and accounting purposes.
Security
See our Security & HIPAA page for the full technical posture. The short version: encryption at rest and in transit, role-based access control, append-only audit logs, BAA-covered subprocessors, and a documented SI cascade for patient safety.
Children
Pace is intended for use with patients 18 and older. We do not knowingly collect data from anyone under 18. Clinicians enrolling patients are required to confirm patient age during the enrollment process.
Changes to this policy
We'll update this page when our practices change. The “Last updated” date at the top reflects the most recent revision. Material changes that affect how we handle PHI will be communicated to clinician account holders via email at least 30 days before they take effect.
Contact
Questions about this policy or how we handle data: hello@neuromotive.health.
For HIPAA-specific concerns (Privacy Officer contact): privacy@neuromotive.health.
NeuroMotive, LLC
Pace by NeuroMotive
pace.neuromotive.health

