Legal

Privacy Policy

This page explains what D3rx collects, how it is used, where it is stored, when it is shared, and what limits apply to healthcare-related uploads and AI workflows.

Effective date

April 26, 2026

Last updated

May 24, 2026

No data sale

D3rx does not sell personal information. Google Ads and Meta Pixel are used for our own advertising measurement, with opt-out mechanisms described below.

PHI caution

Do not upload patient identifiers or other PHI into public beta workflows unless the right agreement and product posture are in place.

Scope and Summary

This Privacy Policy explains how D3rx collects, uses, discloses, and safeguards information when you use our website, dashboard, APIs, and related services (collectively, the “Service”).

We wrote this policy to be specific about what the product actually does today: account creation, billing workflows, analytics, AI-driven drafting and question-answering, and optional compliance-document uploads. The FTC advises businesses to make sure their privacy policy matches their real practices, and that is the standard we are trying to follow here.

Information We Collect

We may collect the following categories of information:

  • Account and profile information. Name, email address, login credentials through our authentication provider, practice name, specialty, service lines, payer mix, billing volume, and other self-reported practice profile details.
  • Workspace and submission content. Questions you ask D3rx, prompts, uploaded documents, compliance-binder materials, generated drafts, appeal or prior-authorization inputs, and support messages you send us.
  • Medicare Revenue Audit public beta inputs. Raw claim lines entered or uploaded for the public beta are processed for that audit run and are not stored by default. Optional beta telemetry is deidentified aggregate usage and finding-pattern telemetry, not raw claim rows. Saved reports are separate and retain report details only when you explicitly save a report.
  • Billing and transaction information. Subscription status, Stripe customer IDs, Stripe subscription IDs, payment event metadata, and purchase history. Payment card numbers and full financial credentials are processed by Stripe and are not stored on our servers.
  • Usage and device information. Log data, IP address, browser type, operating system, approximate device type, pages or features used, timestamps, referrer data, and other service-usage events used for security, debugging, and product analytics.
  • Local browser storage and similar technologies. We store items such as session identifiers, anonymous analytics IDs, theme preference, referral and attribution data, onboarding state, and temporary workflow drafts in local storage or session storage.

How We Use Information

We use information to operate and improve D3rx, including to:

  • Create and secure accounts, authenticate users, and manage access.
  • Generate AI-assisted answers, drafts, templates, and workflow outputs you requested.
  • Process subscriptions, maintain entitlements, and send transactional notices, receipts, support replies, and service announcements.
  • Monitor product performance, diagnose bugs, prevent abuse, enforce limits, and protect the security and integrity of the service.
  • Analyze usage patterns, attribution, and feature adoption so we can improve product quality and prioritize work.
  • Comply with legal obligations and resolve disputes.

How We Share Information

We do not sell personal information.

We may disclose information to service providers that help us operate D3rx, subject to their terms and contractual restrictions, including:

  • Supabase for authentication, database hosting, and private file storage.
  • Vercel for application hosting, delivery, logs, and operational infrastructure.
  • Stripe for billing, checkout, subscription management, and payment processing.
  • Anthropic and, in some flows, OpenAI for AI inference used to answer questions or generate draft content.
  • Resend for transactional and support email delivery.
  • Google for website analytics (Google Analytics 4) and advertising measurement and conversion tracking (Google Ads). Google may use cookies or similar technologies to collect usage data subject to Google's Privacy Policy.
  • Meta for advertising measurement, conversion tracking, and retargeting through the Meta Pixel. Meta may use cookies and tracking technologies subject to Meta's Privacy Policy.

We may also disclose information:

  • When required by law, subpoena, court order, or similar process.
  • To protect the rights, safety, security, or property of D3rx, our users, or others.
  • In connection with a merger, financing, acquisition, reorganization, or sale of assets, subject to appropriate confidentiality measures.

Healthcare Data, PHI, and Compliance Uploads

D3rx is designed to help with billing, coding, denial, template, and compliance-administration workflows. It is not an EHR or clinical record system.

Do not upload patient charts, medical records, or other protected health information unless your organization has separately confirmed that D3rx is authorized to receive that data and that all required agreements are in place. If you are not sure, use placeholders or de-identified information instead.

For the Medicare Revenue Audit public beta, do not upload patient names, MBIs/member IDs, MRNs, dates of birth, addresses, phone numbers, email addresses, or clinical/free-text notes. The beta is designed to process claim-line billing fields for the run, not direct patient identifiers.

HHS guidance states that when a cloud service provider creates, receives, maintains, or transmits ePHI on behalf of a covered entity or business associate, that provider is a business associate and a HIPAA-compliant business associate agreement is required. That means you should not treat a generic upload flow as permission to send PHI.

Compliance Binder uploads such as policies, BAAs, training attestations, and security screenshots are stored in private storage and served through scoped access controls and signed URLs. That said, private storage is not a substitute for your organization's own HIPAA, legal, or compliance review.

For the Medicare Revenue Audit public beta, your original file is parsed in your browser and is never uploaded to our servers. Only the extracted claim-line and billing fields needed to run the audit are sent to our servers; they are processed for that run and are not stored afterward (unless you explicitly save a report). For recovery uploads, we extract only the claim-line and billing data needed for processing and then discard your original uploaded file — we do not store uploaded documents beyond the processing run. If you save a report, only the report details (findings and summary) are retained, never the raw file. The Compliance Binder is the exception: documents you upload there are retained by design so you can work on them over time. Where a Business Associate Agreement is in place, its terms control.

D3rx does not claim that the public beta is HIPAA-ready or BAA-ready. Workflows involving known PHI require the right agreement and product posture before use. If a separately executed BAA is in place between your organization and D3rx, the terms of that BAA will control the use, disclosure, safeguarding, and breach notification obligations for PHI to the extent of any conflict with this Privacy Policy.

If you think you uploaded information by mistake, contact [email protected] promptly so we can help you assess deletion and containment options.

Cookies, Local Storage, and Analytics

D3rx uses a mix of cookies, browser storage, server logs, third-party analytics, and first-party application analytics to keep the service working and to understand product usage.

  • Authentication and session. Session controls rely on browser-based tokens or similar session technologies required for sign-in and access control.
  • Local and session storage. We use browser storage for theme preference, anonymous analytics IDs, session tracking, UTM and referral attribution data, onboarding state, and temporary draft or workflow state.
  • Google Analytics and Google Ads. When enabled, we load the Google global site tag (gtag.js) which sets cookies to measure page views, feature usage, and advertising conversions. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
  • Meta Pixel. When enabled, the Meta Pixel loads tracking scripts and a 1x1 image tag to measure page views and advertising conversions. Meta may use this data for ad targeting across its platforms. You can manage Meta ad preferences at facebook.com/adpreferences.
  • First-party product analytics. We record application events such as feature usage, UTM attribution, and workflow activity to our own database for product improvement. These events are tied to your account when you are signed in and to an anonymous identifier when you are not.

Some browser settings may let you block cookies or clear local storage, but doing so may break sign-in or other parts of the product.

D3rx does not sell personal information. The Google Ads and Meta Pixel integrations are used for advertising measurement and conversion tracking on our own campaigns. If you consider this a “share” under California law, you may opt out by disabling third-party cookies in your browser, using the Google opt-out add-on linked above, or adjusting your Meta ad preferences. When we detect a Global Privacy Control (GPC) signal from your browser, we treat it as a valid opt-out request and will suppress third-party advertising tags for that session. We do not currently take action on generic Do Not Track (DNT) signals, as there is no industry-wide standard for DNT.

Retention and Deletion

We retain information for as long as reasonably necessary to provide the service, maintain security and audit records, enforce agreements, and comply with legal, tax, accounting, and operational obligations.

Retention periods vary by data type. For example, active account data may be kept while your account remains open, while some billing, subscription, security, and support records may be retained longer if needed for compliance or dispute resolution.

You may request account deletion through the product where available or by contacting [email protected]. We may keep limited records after deletion where required or permitted by law.

Security

We use administrative, technical, and organizational safeguards designed to protect information against unauthorized access, loss, misuse, or alteration. These measures include access controls, encryption in transit, private storage controls, and environment-based credential management.

No internet or cloud-based service can guarantee absolute security. A strong privacy program also depends on your organization using appropriate account security, restricting access internally, and reviewing what staff submit into the product.

If we become aware of a security incident that compromises personal information, we will notify affected users and applicable regulators within the timeframes required by law, and will provide information about what happened, what data was involved, and what steps we are taking in response.

Choices and Privacy Rights

Depending on where you live, you may have rights to request access to, correction of, or deletion of personal information we hold about you. You may also have rights to data portability or to appeal a denied request, depending on applicable law.

California residents may have rights under California privacy laws (CCPA/CPRA), including rights to know certain categories of personal information collected, deleted, disclosed, sold, or shared, and the right to opt out of the sale or sharing of personal information. D3rx does not sell personal information. We use Google Ads and Meta Pixel for advertising measurement on our own campaigns; if you consider this a “share” under California law, see the opt-out mechanisms described in the Cookies, Local Storage, and Analytics section above.

To make a privacy request, email [email protected]. We may need to verify your identity before completing a request.

Children

D3rx is intended for business and professional use and is not directed to children under 18. We do not knowingly collect personal information from children under 13 (or under 16 in jurisdictions where that threshold applies). If we learn that we have collected personal information from a child without appropriate consent, we will take steps to delete that information promptly.

Governing Law

This Privacy Policy is governed by the laws of the State of California, excluding its conflict-of-law rules, consistent with the governing law provisions in our Terms of Service.

Changes and Contact Information

We may update this Privacy Policy from time to time. If we make a material change, we may update the date at the top of this page, post a notice in the product, or use another reasonable method to let users know.

Questions, requests, or privacy concerns can be sent to [email protected].