Privacy Policy
Effective Date: March 24, 2026
1. Notice at Collection
This Policy satisfies notice requirements under HIPAA, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), and the Texas Health Information Privacy Act (THIPA).
We collect:
- Identifiers: name, email, phone number.
- Professional/Health Information: NPI, PHI, P&L statements, and claims data.
- Technical Data: IP addresses, device identifiers, and usage data.
These are used to operate the platform, provide clinical decision support, and improve de-identified AI algorithms. We do not sell your personal information.
2. Data Retention
- PHI: Minimum 6 years per HIPAA.
- Account Data: Life of account plus 3 years.
- Technical Data: Up to 24 months.
3. 2026 SUD Protections
In compliance with the February 16, 2026 HIPAA/Part 2 Final Rule, Substance Use Disorder records will not be disclosed in legal proceedings without specific written consent or a specialized court order.
4. Security
We employ AES-256 encryption at rest and TLS 1.3 in transit. No security measure is perfect, and we cannot guarantee the security of unencrypted channels.
5. Your Rights
All users may exercise the following rights by emailing privacy@reachdr.com or using the in-app privacy portal. We will respond within 45 calendar days (extendable by 45 days with notice).
- Access & Portability: Request a copy of your personal data.
- Correction: Request correction of inaccurate data.
- Deletion: Request deletion, subject to HIPAA and legal retention obligations.
- Opt-Out of Sale/Sharing: We do not sell or share data for behavioral advertising.
- California Residents (CCPA/CPRA): You additionally have the right to limit use of sensitive personal information and to designate an authorized agent for requests.
- Non-Discrimination: We will not discriminate against you for exercising these rights.
6. Breach Notification
In the event of a breach involving PHI, reachDr will notify affected Covered Entities within 60 calendar days per the HIPAA Breach Notification Rule. For non-PHI breaches, we will notify affected individuals and applicable state authorities per applicable state law timelines. Notifications will describe the breach, affected data categories, and remediation steps.
7. Cookies, Tracking & Third-Party Sharing
We use strictly necessary, performance, and functional cookies. We do not use third-party advertising cookies. We honor Do Not Track (DNT) signals and Global Privacy Control (GPC) opt-outs as required under California law.
We do not sell your data. We share personal information only with:
- Service providers under written data-processing agreements;
- Covered Entities under executed BAAs; and
- Legal authorities with valid legal process.
A current subprocessor list is available by emailing privacy@reachdr.com.
Mobile information will not be shared with third parties/affiliates for marketing or promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
8. Policy Modifications
We will provide at least thirty (30) days' advance written notice of material changes by email or in-Service notification. Continued use after the effective date constitutes acceptance.
9. Contact Information
reachDr, Inc.
- Privacy Inquiries: privacy@reachdr.com
- Accessibility Support: accessibility@reachdr.com
- Legal / BAA Matters: legal@reachdr.com
reachDr, Inc. | Terms of Use & Privacy Policy | Effective March 24, 2026