Privacy Policy

Last updated: March 2026

1. About This Policy

This Privacy Policy describes how RuleResource ("we," "us," or "our") collects, uses, discloses, and protects information when you access or use our healthcare compliance research platform at https://ruleresource.com (the "Platform"). This Privacy Policy applies to all users of the Platform, including visitors, free trial users, and paid subscribers.

Important: The Platform is an informational research tool only. Nothing in this Privacy Policy or in the operation of the Platform constitutes legal advice, healthcare advice, financial advice, tax advice, or any other professional advice. The Platform does not create any professional-client relationship of any kind. Please review our Terms of Use for complete disclaimers.

2. No Protected Health Information (PHI)

IMPORTANT NOTICE REGARDING PHI AND HIPAA

The Platform is designed for regulatory research only. It does not collect, receive, store, process, maintain, or transmit protected health information ("PHI") as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations.

  • No PHI Storage. The Platform does not store PHI. Users should not input any patient-identifiable health information, medical records, or other PHI into the Platform. Any PHI inadvertently submitted will be deleted upon discovery.
  • No HIPAA Business Associate Agreement Required. Because the Platform does not create, receive, maintain, or transmit PHI on behalf of any covered entity or business associate, no HIPAA Business Associate Agreement ("BAA") is required or offered. The Platform is an informational research tool that queries publicly available regulatory sources, not a clinical system or health information exchange.
  • User Responsibility. You are solely responsible for ensuring that you do not input PHI or other sensitive patient data into the Platform. If you inadvertently submit PHI, notify us immediately at support@ruleresource.com.

3. Information We Collect

Account Information. When you create an account, request a demo, or subscribe to the Platform, we collect your name, email address, job title, organization name, and organizational profile information (such as operating states, service lines, and provider types).

Research Queries and Outputs. We store the compliance research questions you submit, your topic and jurisdiction selections, and the structured research reports generated by the Platform. These are stored in your private organizational account and are accessible only to authorized users within your organization.

Usage and Analytics Data. We collect information about how you interact with the Platform, including pages visited, features used, query frequency, session duration, and interaction patterns. We use PostHog for product analytics (see Section 6 for details on cookies and tracking).

Device and Log Data. We automatically collect standard server log information, including your IP address, browser type and version, operating system, referring URL, and access timestamps. This data is used for security monitoring, fraud prevention, and platform performance.

Payment Information. If you subscribe to a paid plan, payment card information is collected and processed directly by Stripe. We do not receive, access, or store your full payment card number, CVV, or other sensitive payment credentials. We receive only a payment confirmation, transaction ID, and the last four digits of your card for billing records.

4. How We Use Your Information

We use the information we collect for the following purposes:

  • To deliver research results in response to your queries and provide the core functionality of the Platform
  • To monitor regulatory sources relevant to your organization's profile and deliver change alerts and notifications
  • To maintain your research history, saved reports, and export functionality
  • To process payments and manage your subscription
  • To send transactional communications about your account, including subscription confirmations, usage alerts, and service announcements
  • To send periodic digest emails summarizing regulatory updates relevant to your profile (you may opt out of non-transactional emails at any time)
  • To analyze usage patterns and improve the Platform's functionality, performance, and content coverage
  • To detect, prevent, and respond to security threats, fraud, abuse, and technical issues
  • To comply with applicable legal obligations and respond to lawful requests from government authorities

5. Research Privacy

Your research queries and outputs are private to your organization. Specifically:

  • Your queries and research outputs are never shared with, visible to, or accessible by other organizations on the Platform.
  • Your queries are never indexed publicly or made searchable by third parties, search engines, or web crawlers.
  • Your queries are never used to train any third-party model or system. When we send query text to processing services, we use configurations that explicitly exclude your data from any form of model training.
  • Access to your organization's data requires your organization's authenticated credentials. We implement row-level database isolation between organizations.
  • We may use anonymized, aggregated usage data (such as the number of queries per topic area) to improve the Platform, but such data will never be attributable to any individual user or organization.

6. Cookies and Tracking Technologies

The Platform uses cookies and similar tracking technologies for the following purposes:

  • Essential Cookies. Required for Platform functionality, including authentication session management, CSRF protection, and user preferences. These cannot be disabled.
  • Analytics Cookies. We use PostHog, a product analytics platform, to understand how users interact with the Platform. PostHog collects anonymized usage data such as page views, feature usage, and session recordings. PostHog data is used solely to improve the Platform and is not shared with third parties for advertising purposes. You can learn more at PostHog's Privacy Policy.

We do not use advertising cookies, retargeting pixels, or third-party behavioral advertising trackers on the Platform. We do not sell your data to advertisers or data brokers.

7. Third-Party Services

We use the following third-party service providers to operate the Platform. Each provider receives only the minimum data necessary for its function:

Research Processing Service. Research synthesis is performed via a third-party processing service. Your query text and relevant source excerpts are sent to this service for processing. The service provider does not use API data to train its models, and your data is excluded from all model training.

Neon (Database). Your account and research data is stored in a Neon Postgres database hosted on AWS infrastructure in the United States. Data is encrypted at rest and in transit.

Vercel (Hosting). The Platform is hosted on Vercel's edge network. Standard web server logs, including IP addresses, may be retained per Vercel's Privacy Policy.

Resend (Email). We use Resend to send transactional emails, account notifications, and regulatory digest emails. Email addresses and message content are transmitted to Resend for delivery purposes only.

Stripe (Payments). Payment processing is handled by Stripe. We do not store payment card information on our servers. See Stripe's Privacy Policy.

PostHog (Analytics). We use PostHog for product analytics and usage tracking. See PostHog's Privacy Policy.

8. Data Retention

We retain your information as follows:

  • Account and Research Data: Retained for the duration of your active subscription and for twelve (12) months following account termination, after which it is permanently deleted.
  • Server Logs: Retained for up to ninety (90) days for security and performance analysis.
  • Payment Records: Retained as required by applicable tax and accounting regulations.
  • Analytics Data: Aggregated and anonymized analytics data may be retained indefinitely for Platform improvement purposes.

You may request early deletion of your data at any time by contacting support@ruleresource.com. We will process deletion requests within thirty (30) days, subject to any legal retention requirements.

9. Data Security

We implement industry-standard technical and organizational security measures to protect your information, including:

  • TLS/SSL encryption for all data in transit
  • Encryption at rest for stored data
  • Row-level database isolation between organizations
  • Authenticated and authorized session management with secure token handling
  • Regular security reviews and monitoring
  • Access controls limiting employee and contractor access to user data on a need-to-know basis

No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially reasonable means to protect your information, we cannot guarantee its absolute security. If you become aware of a security vulnerability or suspect unauthorized access to your account, please contact us immediately at support@ruleresource.com.

10. Data Breach Notification

In the event of a data breach that compromises the security, confidentiality, or integrity of your personal information, we will:

  • Investigate the breach promptly and take reasonable steps to contain and remediate it
  • Notify affected users by email without unreasonable delay and no later than required by applicable law (including within 60 days for Texas residents under the Texas Identity Theft Enforcement and Protection Act)
  • Provide information about the nature of the breach, the types of information involved, and the steps we are taking in response
  • Notify applicable state attorneys general and regulatory authorities as required by law
  • Offer appropriate remediation measures where warranted, such as credit monitoring services for breaches involving financial information

11. Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal information:

  • Access. You may request a copy of the personal information we hold about you.
  • Correction. You may request correction of inaccurate or incomplete personal information.
  • Deletion. You may request deletion of your personal information, subject to certain legal exceptions.
  • Data Portability. You may request an export of your research data in a structured, commonly used format.
  • Opt-Out of Non-Essential Communications. You may opt out of non-transactional emails at any time using the unsubscribe link in any email or by contacting us.

To exercise any of these rights, contact us at support@ruleresource.com. We will respond to verified requests within thirty (30) days. We will not discriminate against you for exercising your privacy rights.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"):

  • Right to Know. You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your information.
  • Right to Delete. You have the right to request deletion of your personal information, subject to certain exceptions.
  • Right to Correct. You have the right to request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing. We do not sell your personal information to third parties. We do not share your personal information for cross-context behavioral advertising purposes.
  • Non-Discrimination. We will not discriminate against you for exercising your CCPA/CPRA rights.

To submit a CCPA/CPRA request, contact us at support@ruleresource.com. We will verify your identity before processing your request.

13. CalOPPA Compliance

In accordance with the California Online Privacy Protection Act ("CalOPPA"), we disclose the following: this Privacy Policy is accessible via a conspicuous link on our homepage. We will notify users of material changes to this Privacy Policy as described in Section 17. Users can review changes by checking the "Last updated" date. We honor Do Not Track ("DNT") browser signals by not engaging in cross-site tracking of Platform users. We do not permit third parties to collect personally identifiable information about your online activities over time and across different websites when you use the Platform.

14. European Privacy Rights (GDPR)

If you are located in the European Economic Area ("EEA"), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation ("GDPR") or equivalent legislation:

  • Legal Basis for Processing. We process your personal data based on: (a) performance of our contract with you (providing Platform services); (b) our legitimate interests (improving the Platform, security monitoring, fraud prevention); and (c) your consent (where applicable, such as for non-essential analytics).
  • Data Transfers. Your data is processed and stored in the United States. By using the Platform, you acknowledge that your data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses and other appropriate safeguards for international data transfers where required.
  • Additional Rights. In addition to the rights listed in Section 11, you have the right to: restrict processing of your personal data, object to processing based on legitimate interests, lodge a complaint with your local data protection authority, and withdraw consent at any time (where processing is based on consent).
  • Data Protection Contact. For GDPR-related inquiries, contact us at support@ruleresource.com.

15. Children's Privacy

The Platform is not intended for use by individuals under the age of eighteen (18). We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe that a child under 18 has provided personal information to us, please contact us immediately at support@ruleresource.com.

16. Governing Law

This Privacy Policy and any disputes arising out of or relating to this Privacy Policy or your privacy rights shall be governed by, construed, and enforced in accordance with the laws of the State of Texas, without regard to its conflict of law provisions, consistent with the governing law and dispute resolution provisions set forth in our Terms of Use.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify active account holders of material changes by email at least thirty (30) days before the changes take effect. The "Last updated" date at the top of this policy indicates when the most recent revisions were made. Your continued use of the Platform after the effective date of any revised Privacy Policy constitutes your acceptance of the revised policy.

18. Contact

If you have questions about this Privacy Policy or our data practices, please contact us at support@ruleresource.com.