Scope and Summary
This Privacy Policy explains how D3rx collects, uses, discloses, and safeguards information when you use our website, dashboard, APIs, and related services (collectively, the “Service”).
We wrote this policy to be specific about what the product actually does today: account creation, billing workflows, analytics, AI-driven drafting and question-answering, and optional compliance-document uploads. The FTC advises businesses to make sure their privacy policy matches their real practices, and that is the standard we are trying to follow here.
Information We Collect
We may collect the following categories of information:
- Account and profile information. Name, email address, login credentials through our authentication provider, practice name, specialty, service lines, payer mix, billing volume, and other self-reported practice profile details.
- Workspace and submission content. Questions you ask D3rx, prompts, uploaded documents, compliance-binder materials, generated drafts, appeal or prior-authorization inputs, and support messages you send us.
- Medicare Revenue Audit public beta inputs. Raw claim lines entered or uploaded for the public beta are processed for that audit run and are not stored by default. Optional beta telemetry is deidentified aggregate usage and finding-pattern telemetry, not raw claim rows. Saved reports are separate and retain report details only when you explicitly save a report.
- Billing and transaction information. Subscription status, Stripe customer IDs, Stripe subscription IDs, payment event metadata, and purchase history. Payment card numbers and full financial credentials are processed by Stripe and are not stored on our servers.
- Usage and device information. Log data, IP address, browser type, operating system, approximate device type, pages or features used, timestamps, referrer data, and other service-usage events used for security, debugging, and product analytics.
- Local browser storage and similar technologies. We store items such as session identifiers, anonymous analytics IDs, theme preference, referral and attribution data, onboarding state, and temporary workflow drafts in local storage or session storage.
How We Use Information
We use information to operate and improve D3rx, including to:
- Create and secure accounts, authenticate users, and manage access.
- Generate AI-assisted answers, drafts, templates, and workflow outputs you requested.
- Process subscriptions, maintain entitlements, and send transactional notices, receipts, support replies, and service announcements.
- Monitor product performance, diagnose bugs, prevent abuse, enforce limits, and protect the security and integrity of the service.
- Analyze usage patterns, attribution, and feature adoption so we can improve product quality and prioritize work.
- Comply with legal obligations and resolve disputes.
Healthcare Data, PHI, and Compliance Uploads
D3rx is designed to help with billing, coding, denial, template, and compliance-administration workflows. It is not an EHR or clinical record system.
Do not upload patient charts, medical records, or other protected health information unless your organization has separately confirmed that D3rx is authorized to receive that data and that all required agreements are in place. If you are not sure, use placeholders or de-identified information instead.
For the Medicare Revenue Audit public beta, do not upload patient names, MBIs/member IDs, MRNs, dates of birth, addresses, phone numbers, email addresses, or clinical/free-text notes. The beta is designed to process claim-line billing fields for the run, not direct patient identifiers.
HHS guidance states that when a cloud service provider creates, receives, maintains, or transmits ePHI on behalf of a covered entity or business associate, that provider is a business associate and a HIPAA-compliant business associate agreement is required. That means you should not treat a generic upload flow as permission to send PHI.
Compliance Binder uploads such as policies, BAAs, training attestations, and security screenshots are stored in private storage and served through scoped access controls and signed URLs. That said, private storage is not a substitute for your organization's own HIPAA, legal, or compliance review.
For the Medicare Revenue Audit public beta, your original file is parsed in your browser and is never uploaded to our servers. Only the extracted claim-line and billing fields needed to run the audit are sent to our servers; they are processed for that run and are not stored afterward (unless you explicitly save a report). For recovery uploads, we extract only the claim-line and billing data needed for processing and then discard your original uploaded file — we do not store uploaded documents beyond the processing run. If you save a report, only the report details (findings and summary) are retained, never the raw file. The Compliance Binder is the exception: documents you upload there are retained by design so you can work on them over time. Where a Business Associate Agreement is in place, its terms control.
D3rx does not claim that the public beta is HIPAA-ready or BAA-ready. Workflows involving known PHI require the right agreement and product posture before use. If a separately executed BAA is in place between your organization and D3rx, the terms of that BAA will control the use, disclosure, safeguarding, and breach notification obligations for PHI to the extent of any conflict with this Privacy Policy.
If you think you uploaded information by mistake, contact [email protected] promptly so we can help you assess deletion and containment options.
Retention and Deletion
We retain information for as long as reasonably necessary to provide the service, maintain security and audit records, enforce agreements, and comply with legal, tax, accounting, and operational obligations.
Retention periods vary by data type. For example, active account data may be kept while your account remains open, while some billing, subscription, security, and support records may be retained longer if needed for compliance or dispute resolution.
You may request account deletion through the product where available or by contacting [email protected]. We may keep limited records after deletion where required or permitted by law.
Security
We use administrative, technical, and organizational safeguards designed to protect information against unauthorized access, loss, misuse, or alteration. These measures include access controls, encryption in transit, private storage controls, and environment-based credential management.
No internet or cloud-based service can guarantee absolute security. A strong privacy program also depends on your organization using appropriate account security, restricting access internally, and reviewing what staff submit into the product.
If we become aware of a security incident that compromises personal information, we will notify affected users and applicable regulators within the timeframes required by law, and will provide information about what happened, what data was involved, and what steps we are taking in response.
Choices and Privacy Rights
Depending on where you live, you may have rights to request access to, correction of, or deletion of personal information we hold about you. You may also have rights to data portability or to appeal a denied request, depending on applicable law.
California residents may have rights under California privacy laws (CCPA/CPRA), including rights to know certain categories of personal information collected, deleted, disclosed, sold, or shared, and the right to opt out of the sale or sharing of personal information. D3rx does not sell personal information. We use Google Ads and Meta Pixel for advertising measurement on our own campaigns; if you consider this a “share” under California law, see the opt-out mechanisms described in the Cookies, Local Storage, and Analytics section above.
To make a privacy request, email [email protected]. We may need to verify your identity before completing a request.
Children
D3rx is intended for business and professional use and is not directed to children under 18. We do not knowingly collect personal information from children under 13 (or under 16 in jurisdictions where that threshold applies). If we learn that we have collected personal information from a child without appropriate consent, we will take steps to delete that information promptly.
Governing Law
This Privacy Policy is governed by the laws of the State of California, excluding its conflict-of-law rules, consistent with the governing law provisions in our Terms of Service.
Changes and Contact Information
We may update this Privacy Policy from time to time. If we make a material change, we may update the date at the top of this page, post a notice in the product, or use another reasonable method to let users know.
Questions, requests, or privacy concerns can be sent to [email protected].