Privacy Policy

Overview

RxRouter, Inc. (“RxRouter”, “we”, “us”, “our”) provides multi-tenant telehealth infrastructure to healthcare providers and clinics. This policy describes how we collect, use, and protect personal information and protected health information (“PHI”) processed through the RxRouter platform.

Information we collect

• Account information. Names, email addresses, phone numbers, role, and organizational affiliation of clinic administrators, providers, and developers using the platform.
• Patient-submitted intake. When a tenant clinic uses RxRouter's storefront, patients submit intake information that is stored on behalf of the tenant. RxRouter acts as a Business Associate under HIPAA for this information.
• Usage data. Audit logs, API request metadata, and system telemetry required to operate the platform and comply with healthcare audit requirements.

How we use information

We use the information we collect solely to provide the RxRouter platform, enforce compliance controls, improve the service, and meet legal obligations. We do not sell personal information or PHI.

How we share information

RxRouter shares information only with subprocessors that provide essential infrastructure (hosting, database, identity, e-prescribing, payments) under written agreements that require equivalent confidentiality and security protections. A current subprocessor list is available on request to compliance@rxrouter.ai.

Patient rights

Patients interact with RxRouter through a tenant clinic's storefront. The clinic is the covered entity under HIPAA and is the primary point of contact for rights requests (access, amendment, accounting of disclosures). If you are a patient with questions, please contact the clinic that provided your care.

Data retention

Audit logs are retained for seven years. PHI is retained per the tenant's Business Associate Agreement and applicable state law. Non-PHI account data is deleted within 90 days of account closure unless retention is legally required.

Security

RxRouter uses AES-256 encryption at rest, TLS 1.3 in transit, role-based access controls, and tenant-isolation enforcement. See our Security overview for more detail.

International users

RxRouter operates primarily in the United States. If you access the platform from outside the U.S., your information will be transferred to and processed in the U.S.

Changes to this policy

We will notify tenant administrators of material changes via email and in-product notifications at least 30 days before they take effect.

Contact

Questions? Email compliance@rxrouter.ai.