Privacy Policy

Last Updated: September 14, 2025

1. INTRODUCTION

PREFERX LLC ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use the PrefeRx platform, including our website at usepreferx.com, any web or mobile applications, APIs, and all associated services and features (collectively, the "Service"). By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy and our Terms of Service.

Note: This policy describes our general practices and is not legal advice. For customers who have executed a Business Associate Agreement (BAA), the BAA governs in case of conflict with this policy for Protected Health Information (PHI).

2. WHAT WE COLLECT

We collect information from or about users and customer organizations as described below.

2.1 Account & Organization Data

  • Identifiers: name, email address, password or SSO identifiers.
  • Professional details (optional): role, practice name, pharmacy name, NPI/license number.
  • Subscription & billing: plan tier, invoicing details and payment method tokens processed by our payment processor (we do not store full payment card numbers).

2.2 Lookup & Workflow Data

To return formulary results, users may enter payer information and clinical context. This can include insurer, plan, plan year, drug class (e.g., "ACE inhibitor"), medication names (generic/brand), and symptom keywords (e.g., "hypertension").

  • Minimal data use: Enter only what is necessary to perform a lookup.
  • No PHI without a BAA: Unless your organization has a signed BAA with us, do not input PHI (e.g., patient name, full member ID, DOB, address). If you need PHI processing, contact us to execute a BAA.

2.3 Technical & Usage Data

  • Log & device data: IP address, device/browser type, settings, timestamps, pages viewed, referrers.
  • Product analytics: event telemetry such as searches performed, filters applied, and feature interactions.
  • Cookies/SDKs: essential and analytics technologies (see Section 7).

2.4 Support & Communications

Content you send us (tickets, feedback, emails) and related metadata.

2.5 Data Sources We Ingest

PrefeRx programmatically downloads and normalizes Preferred Drug Lists (PDLs) and related documents from insurers and pharmacy benefit managers (PBMs). These materials generally do not contain personal data about you; they are used to power search and display plan rules, tiers, and coverage information.

3. HOW WE USE INFORMATION

  • Provide and operate the Service, including returning formulary results and plan rules.
  • Maintain, troubleshoot, and improve functionality; develop new features.
  • Process payments and manage subscriptions.
  • Monitor, prevent, and detect security incidents and abuse.
  • Communicate with you (account notices, security alerts, product updates, and—where permitted—marketing, which you may opt out of).
  • Comply with legal obligations and enforce our Terms of Service.

4. HIPAA, PHI & ROLE

By default, PrefeRx is not intended to receive PHI and operates as a reference tool. Where a customer executes a BAA, we act as a Business Associate and handle PHI in accordance with HIPAA and the BAA (including breach notification obligations). In all other cases, you agree not to submit PHI to the Service.

5. HOW WE SHARE INFORMATION

5.1 Service Providers

We use vendors to host infrastructure, store data, and provide analytics, error monitoring, payments, email, and support tooling. They may access information only to perform services for us and must protect it appropriately.

5.2 Customer-Authorized Integrations

If you enable an integration (e.g., with an EHR), we will share information as necessary to operate that integration, according to your settings and the third party’s terms.

5.3 Legal, Safety & Transfers

  • To comply with law, legal process, or governmental requests.
  • To protect the rights, property, or safety of users, patients, us, or the public.
  • As part of a merger, acquisition, financing, or sale of assets (with appropriate safeguards).

5.4 Aggregated/De-identified

We may share aggregated or de-identified information that cannot reasonably be used to identify you.

6. DATA RETENTION

We retain information for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Where a BAA applies, retention and deletion will follow the BAA. You or your organization’s administrator may request deletion, subject to legal/contractual requirements and backups.

7. COOKIES & TRACKING

7.1 Types

  • Essential: required for login, security, and core functionality.
  • Analytics/Performance: help us understand usage and improve the Service.
  • Functionality: remember preferences and settings.

7.2 Choices

Most browsers allow you to control cookies. Blocking some cookies may impact the Service.

7.3 Do Not Track & GPC

Our Service does not currently respond to browser Do Not Track signals. We honor Global Privacy Control (GPC) signals for opt-out requests where required by law.

8. DATA SECURITY

We implement administrative, technical, and physical safeguards—including encryption in transit and at rest, access controls, and logging—to protect information. No method of transmission or storage is fully secure; we cannot guarantee absolute security.

If a security incident affects your information, we will notify you as required by law and, if applicable, the BAA.

9. YOUR RIGHTS & CHOICES

Depending on your location and account type, you may have rights to:

  • Access, correct, or delete certain information.
  • Object to or restrict processing, or request portability.
  • Opt out of marketing emails (use the unsubscribe link in the email).

To exercise rights, contact us at privacy@usepreferx.com or your account administrator.

10. CHILDREN'S PRIVACY

The Service is not directed to individuals under 18. We do not knowingly collect personal information from children. If you believe a minor has provided information, contact us to request deletion.

11. INTERNATIONAL TRANSFERS

We may transfer and process information in the United States and other countries with different data protection laws. Where required, we use appropriate safeguards for such transfers.

12. U.S. STATE PRIVACY DISCLOSURES (INCLUDING CALIFORNIA)

For California residents and where similar state laws apply (e.g., CO, CT, UT, VA), we provide the following:

  • Categories collected (12 months): identifiers (e.g., name, email), internet/network activity (usage logs), professional information, and in some cases commercial information (subscription/billing). We do not collect precise geolocation.
  • Purpose of collection: to provide and secure the Service, analytics, support, and billing.
  • Disclosure: to service providers and as described in Section 5.
  • Sale/Sharing: We do not sell personal information and do not share it for cross-context behavioral advertising.
  • Sensitive information: We do not use or disclose sensitive personal information for purposes other than those permitted by law.
  • Rights: access, deletion, correction, and opt-out where applicable. You may also use supported GPC signals (Section 7.3).

13. EEA/UK NOTICE

Where the EU/UK GDPR applies, PREFERX LLC is the controller for non-BAA data. We process personal data on the following legal bases: performance of a contract (to provide the Service), legitimate interests (to improve and secure the Service), consent (where required, e.g., certain cookies/marketing), and legal obligations. You may have rights to access, rectify, erase, restrict, object, or port your data. To exercise these rights, contact us at privacy@usepreferx.com.

14. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. We will post updates on this page and revise the "Last Updated" date. Material changes will be communicated via the Service or by email where appropriate.

15. CONTACT US

PREFERX LLC
Email: team@usepreferx.com

By using the Service, you acknowledge that you have read and understood this Privacy Policy.