Privacy Policy

Last updated 27 June 2026

Template for review by licensed counsel in the applicable jurisdictions before publication. Bracketed items must be completed with your business details.

1. Introduction

This Privacy Policy explains how [Legal Entity Name], doing business as RxRules ("RxRules," "we," "us," or "our"), collects, uses, discloses, and protects information in connection with the RxRules websites, applications, and services (the "Service"). By using the Service, you agree to this Policy. RxRules is designed to operate on de-identified data and does not require protected health information ("PHI") to function.

2. Information we collect

Account and identity information. When you are invited and sign in, our identity provider, Auth0 (Okta, Inc.), processes your name, email address, authentication credentials, and role so we can create, authenticate, and secure your account.

Compliance Facts. To return guidance, the Service processes de-identified prescription facts drawn from a fixed, closed set of fields (for example, drug schedule, days supply, quantity, prescriber attributes, and attestation flags). We do not request or require patient names, contact details, identifiers, or free-text clinical notes.

Evaluation and audit records. We retain records of evaluations, including the facts submitted and the Output returned, for audit, quality, security, and legal purposes.

Payment information. Subscription payments are processed by Stripe, Inc. RxRules does not collect or store full payment card numbers; we receive limited billing metadata (such as subscription status and the last four digits or card brand) from Stripe.

Technical and usage data. We automatically collect log, device, and usage data such as IP address, browser or device type, timestamps, and pages or features accessed, to operate and secure the Service.

Cookies. We use strictly necessary cookies for authentication, session management, and security. We do not use the Service to sell personal information or to serve cross-context behavioral advertising.

3. How we use information

4. No protected health information

The Service is intentionally scoped to de-identified data, and its field set is closed by design to support this posture. You must not submit PHI, patient identifiers, or any data you are not authorized to share. If you believe PHI has been submitted inadvertently, contact us so we can address it.

5. Legal bases

Where required by law, we process information on the bases of performing our contract with you, our legitimate interests in operating and securing the Service, your consent where applicable, and compliance with legal obligations.

6. How we share information

We do not sell your personal information. We share information only:

7. Data retention

We retain account, evaluation, audit, and billing information for as long as needed to provide the Service, meet legal, tax, and regulatory requirements, resolve disputes, and enforce our agreements, after which we delete or de-identify it.

8. Security

We apply administrative, technical, and organizational safeguards designed to protect information, including encryption in transit, access controls, and least-privilege data access. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

9. Your rights and choices

Depending on your location, you may have rights to access, correct, delete, port, or restrict the processing of your personal information, and to object to certain processing. You may access or update account details and cancel your Subscription at any time. To exercise rights, contact us using the details below; we will respond as required by applicable law and may need to verify your identity. You will not be discriminated against for exercising these rights.

10. Children's privacy

The Service is intended for professional users and is not directed to children under 18, and we do not knowingly collect their personal information.

11. International users

The Service is operated in the United States. If you access it from elsewhere, your information may be transferred to and processed in the United States and other countries with different data-protection laws.

12. Changes to this Policy

We may update this Policy from time to time. Material changes will be posted with a revised "Last updated" date and, where appropriate, additional notice. Your continued use after changes take effect constitutes acceptance.

13. Contact

[Legal Entity Name], [Mailing Address]. Privacy questions or requests: privacy@rxrules.com.