ArtifactRx Privacy Policy

1. Introduction

ArtifactRx ("we," "us," or "our") operates a healthcare SaaS platform that captures, processes, stores, and generates forensic-grade clinical documentation and evidence artifacts. This Privacy Policy describes how we collect, use, disclose, and protect information in connection with the ArtifactRx platform and related services (the "Services"). This Policy is intended for healthcare providers, clinical staff, compliance officers, and legal and audit teams.

We are committed to transparency, security, and compliance with applicable privacy and healthcare regulations, including HIPAA, where applicable.

2. Information We Collect

3. How We Use Information

• Evidence Creation: To create, store, and manage forensic-grade evidence artifacts, chain-of-custody records, and compliance reports.
• Compliance Verification: To operate our ROV Logic engine and related tools that assist with protocol-based documentation and medical necessity validation.
• Platform Security: To maintain platform security, detect and prevent unauthorized access, and enforce role-based access controls.

4. HIPAA and Protected Health Information (PHI)

When ArtifactRx acts as a Business Associate under HIPAA, we process PHI in accordance with our BAA and applicable HIPAA requirements. We implement administrative, physical, and technical safeguards intended to protect the confidentiality, integrity, and availability of PHI.

ArtifactRx does not sell PHI. We do not sell, rent, or otherwise monetize Protected Health Information or personal information for marketing or any other purpose.

5. Chain-of-Custody and Evidence Integrity

The platform is designed to support forensic-grade evidence capture and chain-of-custody requirements. Captured evidence is associated with metadata, timestamps, and cryptographic hashes to support immutability and auditability. We do not alter or overwrite stored evidence in a manner that would compromise its forensic value; corrections or amendments are handled through additive processes that preserve the original record and audit trail.

6. Data Storage and Security Safeguards

We store data using enterprise-grade cloud infrastructure with encryption at rest and in transit. Access to production systems is restricted, monitored, and logged. We implement access controls, network security, and incident response procedures intended to protect against unauthorized access, loss, or disclosure.

7. Role-Based Access Controls

Access to data within the platform is governed by role-based access controls ("RBAC"). Users are granted access only to the data and functions necessary for their role. Administrators within your organization control role assignments and clinic-level access. ArtifactRx personnel access production data only as necessary to provide support, resolve incidents, or comply with legal obligations, and such access is logged and monitored.

8. Data Sharing and Disclosures

We share information only in limited, lawful circumstances:

• With your organization: Data is accessible to authorized users within your organization in accordance with RBAC.
• Service providers: We may engage third-party service providers that process data on our behalf under contractual obligations consistent with this Policy and our BAA.
• Legal and regulatory: We may disclose information when required by law, court order, or government request.
• With your consent: We may disclose information as directed by you or with your explicit authorization.

We do not sell, rent, or trade PHI or personal information. We do not share data with advertisers or data brokers.

9. User Rights and Access Requests

Authorized users may access, correct, or update account information through the platform or by contacting us. Requests related to PHI are handled in accordance with HIPAA and your organization's policies. For questions about your rights, data access, or correction requests, contact your organization's administrator or our Privacy Officer at privacy@artifactrx.com.

10. Data Retention Policy

We retain data in accordance with applicable legal and contractual obligations and your organization's retention requirements. Evidence and documentation are retained for the duration of your subscription and for a reasonable period thereafter as necessary for audit, dispute resolution, or legal compliance. Upon termination, we follow defined procedures for data return or secure deletion, subject to applicable retention requirements.

11. Cookies and Analytics

We use cookies and similar technologies necessary for authentication, session management, and security. We do not use third-party advertising cookies or tracking for marketing purposes. Analytics, where employed, are used for platform performance, error monitoring, and security in a manner that minimizes collection of identifying information.

12. International Users

The ArtifactRx platform is designed for use by U.S.-based healthcare organizations. Data is processed and stored in the United States. If you access the Services from outside the United States, you consent to the transfer and processing of your data in the United States.

13. Policy Updates

We may update this Privacy Policy from time to time. Material changes will be communicated via email, in-app notification, or posting on the ArtifactRx website. Continued use of the Services after such changes constitutes acceptance of the updated Policy.

14. Contact Information

For privacy-related inquiries, access requests, or questions about this Privacy Policy:

Privacy Officer
privacy@artifactrx.com

For HIPAA-related matters, please also refer to your Business Associate Agreement and any designated HIPAA contact in your service agreement.