Privacy Policy

Effective date: June 1, 2026.

The short version. Redactly de-identifies clinical text inside your browser. Your clinical text is never sent to us, never stored anywhere, and never seen by anyone. If you subscribe to Pro, Stripe processes the payment and we receive only what's needed to manage your subscription — your name, email, and a license key. We don't use analytics, cookies, or third-party trackers.

1. Who runs Redactly

Redactly is operated by Douglas Fullington, MD ("we," "us," "Redactly"). For privacy questions, contact Doug@redactly.pro.

2. What Redactly does not collect

3. What Redactly does collect, and from whom

3a. If you subscribe to Pro

Stripe, our payment processor, handles checkout. Stripe collects from you:

Stripe shares with us only what's needed to issue your license key and manage your subscription: your name, email, country, subscription status, and a Stripe-assigned customer identifier. We receive notifications when your subscription is created, paid, canceled, or refunded. See Stripe's privacy practices at stripe.com/privacy.

3b. When you activate a license key

Pasting a key into the license bar sends one HTTPS request to our verification function containing only the key text. The function returns a yes/no answer. This request never carries your clinical text. Once a key is verified, it is cached in your browser's local storage and the tool can be used offline indefinitely.

3c. Standard server logs

Our host, Netlify, automatically records technical request data such as IP address, user agent, timestamp, and the URL or function path requested. This is used only for security, abuse prevention, and operating the site, and is retained for a short period per Netlify's standard practices. See netlify.com/privacy.

4. How we use what we collect

We do not use your information for advertising, profiling, or sale to third parties, and we do not perform automated decision-making with legal effects on you.

5. Who we share data with

These are the only two processors that handle data on our behalf. We do not sell, rent, or trade your information.

6. Where data is stored and for how long

7. Your rights

Depending on where you live, you may have rights to access, correct, delete, export, or restrict processing of your personal information, and to object to certain uses. These include rights under the EU GDPR, UK GDPR, and the California Consumer Privacy Act (CCPA) among others. To exercise any of these rights, email Doug@redactly.pro. We'll respond within the time required by applicable law.

You can also:

8. Legal basis for processing (EU/UK users)

Where the GDPR applies, our legal basis for processing the limited data described above is performance of a contract (delivering the Pro subscription you purchased) and our legitimate interests in operating the service securely and preventing abuse.

9. International transfers

Stripe and Netlify operate globally and may process data in the United States. Both rely on standard contractual clauses and other recognized safeguards for international transfers as described in their privacy notices.

10. Children

Redactly is intended for use by licensed healthcare professionals and is not directed to children under 16. We do not knowingly collect personal information from children.

11. Security

Redactly is delivered over HTTPS with HSTS. The site loads no third-party scripts at runtime and enforces a strict Content Security Policy (see netlify.toml in our public repository). Payments are handled by Stripe, a PCI Level 1 certified processor. No system is perfectly secure — if you believe you've found a vulnerability, please email Doug@redactly.pro.

12. Changes to this policy

If we make material changes, we'll update the effective date above and, for active subscribers, send a notice by email. Continued use after an update means you accept the revised policy.

13. Important non-legal note

This policy describes what happens to your personal data. Redactly is not a HIPAA Business Associate, and using it does not by itself make your prompts to a non-BAA large language model HIPAA-compliant. You remain responsible for verifying that the de-identified output is acceptable before pasting it into any third-party tool.