
Privacy Policy

Last updated: April 2026

1. Information We Collect

CheapRX.AI collects information in several categories depending on how you use the Service.

Account Information

  • Name and email address
  • Password (stored as a cryptographic hash, never in plain text)
  • Account preferences and notification settings

Medication Data

  • Drug names, dosages, and quantities when you save prescriptions to your account
  • Price alerts and saved medication lists

Usage Data

  • Drug searches (drug name, dosage, quantity)
  • Click-through events (which outbound links you click)
  • Page views and navigation patterns
  • IP addresses are anonymized — hashed with a daily-rotating salt when HIPAA mode is enabled, never stored in raw form

Device Data

  • Browser type and operating system
  • Referring URL and general device category
  • We do not use browser fingerprinting techniques

Organization Data

  • Company name, department, and job title (for business accounts)
  • Organization membership and role information

Enneagram Personality Data

  • Test responses and calculated Enneagram type (if you choose to take the test)

Payment Information

  • Payments are processed by Stripe. We do not store credit card numbers, CVVs, or full card details on our servers.
  • We retain a Stripe customer ID and last-four digits for display purposes only.

2. How We Protect Your Data

  • Encryption at rest: Medication data is encrypted using AES-256-GCM when HIPAA mode is enabled. Encryption keys are managed separately from the encrypted data.
  • Encryption in transit: All data is transmitted over TLS/HTTPS. We enforce HTTPS on all connections.
  • IP anonymization: IP addresses are hashed with a daily-rotating salt. Raw IP addresses are not stored in our database.
  • Access controls: Role-based access controls restrict data visibility. Sessions automatically time out after 30 minutes of inactivity.
  • Audit logging: All access to health-related data is logged for security and compliance purposes.
  • Database security: Hosted on Google Cloud SQL with encryption at rest enabled at the infrastructure level.

3. How We Use Your Data

We use the information we collect to:

  • Provide prescription price comparison results
  • Send price drop alerts (opt-in only)
  • Generate monthly savings reports (opt-out available in Account Settings)
  • Power Team Enneagram features within your organization
  • Improve the Service through anonymized analytics
  • Prevent fraud and ensure platform security

4. Data Sharing

We do NOT sell your personal data.

Third-Party Services

  • Stripe — payment processing
  • SendGrid — email delivery (price alerts, savings reports, account notifications)
  • Google Analytics / PostHog — anonymized usage analytics

Affiliate Links

When you click through to a pharmacy website, the pharmacy may see that you arrived from CheapRX.AI. They do NOT receive your medication list, saved prescriptions, or any account data.

Organization Administrators

Organization admins can see member names, email addresses, departments, and Enneagram types (if shared). Organization admins cannot see individual prescription data, saved medications, or price alerts.

Legal Requirements

We may disclose information if required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

5. Your Rights

  • Right to access: Export all your data as JSON from Account Settings.
  • Right to delete: Permanently delete your account and all associated data from Account Settings.
  • Right to opt out: Disable email communications from Account Settings at any time.
  • Right to correct: Update your profile information at any time.
  • California residents (CCPA): All the above rights, plus the right to know what categories of personal data we collect about you. We do not sell personal information as defined by the CCPA.
  • EU residents (GDPR): All the above rights, plus the right to data portability and the right to lodge a complaint with a supervisory authority.

6. Data Retention

  • Account data: Retained while your account is active, plus 30 days after deletion to allow for recovery.
  • Search and click analytics: Anonymized data retained for up to 2 years.
  • Audit logs: Retained for 6 years in accordance with HIPAA requirements.
  • Email queue: Processed emails purged after 30 days.
  • Price cache: 24-hour TTL, automatically expired.

7. Children's Privacy

The Service is not directed to or intended for use by children under the age of 13. We do not knowingly collect information from children under 13. If we become aware that we have collected information from a child under 13, we will take steps to delete that information promptly.

8. HIPAA Compliance

CheapRX.AI implements HIPAA-aligned technical safeguards for users who save medication data to their accounts. These safeguards include:

  • PHI encryption at rest (AES-256-GCM)
  • Comprehensive audit logging of all health data access
  • Role-based access controls with organizational isolation
  • Automatic session timeout after 30 minutes of inactivity
  • IP anonymization with daily-rotating salt

Healthcare organizations requiring a Business Associate Agreement (BAA) can request one at our BAA request page. We conduct regular security assessments to maintain compliance.

9. Organizational Accounts

Company and organization accounts have additional data isolation controls:

  • Admins can see: Member names, work email addresses, departments, job titles, and Enneagram types (if members have shared them).
  • Admins cannot see: Individual prescription data, saved medications, price alerts, or personal health information.
  • SSO/SAML data: Identity provider configuration is encrypted and accessible only to organization owners.

Data is isolated between organizations. Members of one organization cannot view data belonging to another organization.

10. Cookies & Local Storage

CheapRX.AI uses cookies for session management and basic analytics. We also use your browser's localStorage to save preferences locally on your device.

We use PostHog for product analytics, which may set its own cookies. PostHog collects anonymized usage data to help us understand how the Service is used and improve the user experience.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes via email. Changes will be effective upon posting to the Service. We will update the “Last updated” date at the top of this page.

12. Contact

If you have questions or concerns about this Privacy Policy or our data practices: