Privacy Policy

Effective date: September 2, 2025

At RxReg, we respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use RxReg.

Controller: RxReg – Ottosen ApS (CVR DK39620847), Denmark. Contact: contact@rxreg.com

1) Scope & Who This Applies To

This Policy applies to visitors and registered users of RxReg. RxReg is a tool for pharmacovigilance literature review and reporting. It is not intended to receive or process patient-identifiable information. Please avoid uploading any personal or special category data (e.g., health data about identifiable individuals) to the platform.

2) Data We Collect

Account Data (you provide): name, email, password hash, and preferences.
Auth & Security: 2FA codes and verification events (time-limited), login/log-out timestamps, IP (in security logs).
Product Usage: actions such as searches run, compound entries, exports; device/browser metadata (for troubleshooting and security).
Payments: processed by Stripe. We receive transaction records (amount, status, last 4 digits/brand via Stripe tokens). We do not store full card numbers or CVV.
Analytics: page views and events via Google Analytics 4 (GA4). See “Cookies & Analytics” below.

3) Purposes & Legal Bases (GDPR)

Purpose	Examples	Legal Basis
Provide the service	Account management, running searches, generating reports	Performance of a contract (Art. 6(1)(b))
Security & fraud prevention	2FA, rate limiting, audit & access logs	Legitimate interests (Art. 6(1)(f)) and/or legal obligations (Art. 6(1)(c))
Payments & billing	Process payments, receipts, invoices	Performance of a contract (Art. 6(1)(b)) and legal obligations (Art. 6(1)(c))
Product improvement	Diagnostics, error tracking, usage patterns	Legitimate interests (Art. 6(1)(f))
Analytics (optional where consented)	GA4 pageviews & events	Consent (Art. 6(1)(a)), where required
Communications	Service notifications, 2FA, critical updates	Performance of a contract (Art. 6(1)(b)) / Legitimate interests (Art. 6(1)(f))

4) Cookies & Analytics

RxReg uses Google Analytics 4 to understand aggregate usage and improve the product. GA4 may set cookies or use similar technologies. You can control cookies in your browser and opt out of Google Analytics via the GA opt-out add-on.

If your jurisdiction requires consent for analytics cookies, we will rely on your consent and only run analytics after you consent (via our banner or settings, where applicable).

5) Payment Processing

Payments are processed securely by Stripe. RxReg never sees or stores your full card number or security code. For details on Stripe’s processing, see Stripe’s Privacy Policy.

6) Sharing & Disclosures

We do not sell or rent personal data. We share data only with:

Payment processor: Stripe (billing and payments).
Analytics provider: Google (GA4) for product analytics (subject to consent where required).
Email/communications providers: to send 2FA codes and service emails.
Infrastructure & security: hosting and security service providers to operate the service.
Legal / compliance: if required by law, to protect rights, or in connection with a merger or acquisition.

We use appropriate Data Processing Agreements and, where relevant, Standard Contractual Clauses (SCCs) for international transfers.

7) International Transfers

We primarily process data in the EU/EEA where feasible. If personal data is transferred outside the EU/EEA, we rely on lawful transfer mechanisms (e.g., SCCs) and implement additional safeguards where appropriate.

8) Retention

Account data: kept while you maintain an account and for a reasonable period after closure for compliance, fraud prevention, and record-keeping.
2FA codes: short-lived (minutes) and stored only as needed for verification and audit.
Payment records: kept as required by financial and tax laws.
Logs: retained for security and operational diagnostics for limited periods.

9) Your Rights (GDPR)

If you are in the EU/EEA or a similar jurisdiction, you may have rights to: access, rectification, erasure, restriction, portability, and to object to processing (including objecting to processing based on legitimate interests), and to withdraw consent at any time (where processing is based on consent). You also have the right to lodge a complaint with your local authority (e.g., in Denmark: Datatilsynet).

To exercise rights, contact us at contact@rxreg.com. We may need to verify your identity and confirm account ownership.

10) Security

We implement industry-standard measures (encryption in transit, access controls, least-privilege, auditing). No online system is 100% secure; please use a strong, unique password and enable 2FA.

11) Children

RxReg is not directed to children under 16 and should not be used by them.

12) Changes to This Policy

We may update this Policy from time to time. Material changes will be indicated by updating the “Effective date” above. Continued use of RxReg after changes means you accept the updated Policy.

13) Contact

Questions or requests: contact@rxreg.com.