Privacy Policy

How We Collect, Use, and Protect Your Information
ASKARX LLC DBA RxGranted • Effective Date: April 16, 2026
This Privacy Policy describes how ASKARX LLC, doing business as RxGranted ("we," "our," or "us"), collects, uses, and protects information when you visit rxgranted.com or use our prior authorization support services. By using our website or services, you agree to the practices described in this policy.

1. Introduction

ASKARX LLC DBA RxGranted ("we," "our," "us") operates rxgranted.com and provides prior authorization letter preparation and submission services to independent medical practices. We are committed to protecting the privacy of both our business clients and the patients whose health information we handle on their behalf.

This policy applies to all information collected through our website, onboarding forms, client portal, and service delivery processes.

2. Information We Collect

Practice and Contact Information

When you sign up or contact us, we collect:

  • Practice name, specialty, and NPI number
  • Practice address, phone number, and email
  • Your name, title, and role at the practice
  • Payer relationships and estimated PA volume

Protected Health Information (PHI)

We receive PHI solely to perform prior authorization services. We act as a Business Associate under HIPAA, and a BAA is executed with every client before any PHI is shared.

PHI we may receive includes:

  • Patient demographics (name, date of birth, insurance ID)
  • Diagnoses, medication history, and clinical documentation
  • Insurance plan details and payer information
  • Clinical notes and supporting medical records

PHI is used exclusively to prepare and submit prior authorization requests on behalf of the treating provider. Where Protected Health Information is involved, RxGranted's handling of such information is governed primarily by HIPAA, the applicable Business Associate Agreement, and the instructions of the Client as Covered Entity.

Payment Information

Subscription payments are processed by Stripe, a PCI-DSS compliant payment processor. We do not store, process, or transmit full credit card numbers. We retain subscription status, plan tier, and billing history for account management purposes.

Website Usage

We do not use tracking cookies, third-party analytics, ad pixels, or individual-identifying usage data. Only functional session cookies required for authentication and form state are used.

3. How We Use Your Information

  • PA Services: Preparing, reviewing, and (for Full Service clients) submitting prior authorization letters and appeals to payers
  • Account Communication: Sending case updates, portal credentials, billing notices, and service-related emails
  • Payment Processing: Managing subscriptions, invoices, and additional PA case billing via Stripe
  • Service Improvement: Reviewing operational metrics (such as turnaround time and case volume) to improve service quality

4. HIPAA Compliance

RxGranted operates as a Business Associate as defined under the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act. We execute a Business Associate Agreement (BAA) with every client prior to handling any Protected Health Information.

  • We apply the minimum necessary standard — only the PHI required to perform the requested PA service is accessed or used
  • Security safeguards are implemented per 45 CFR §§ 164.308–164.312 (Administrative, Physical, and Technical safeguards)
  • We maintain a Breach Notification program in compliance with 45 CFR § 164.400 et seq.
  • Security Officer: Umair Ahmad, PharmD

Our BAA is incorporated by reference into every client agreement. View the full HIPAA BAA here.

5. Data Security

We implement industry-standard technical and organizational safeguards to protect your information:

  • Encryption at rest: AES-256 encryption for all stored data
  • Encryption in transit: TLS 1.2 or higher for all data transmission
  • Access controls: Role-based access control (RBAC) with least-privilege principles; unique user credentials required
  • Audit logging: Access to PHI is logged and retained for compliance purposes
  • Risk assessments: Regular security risk assessments conducted per HIPAA Security Rule requirements
  • Workforce training: All personnel with PHI access complete HIPAA training before access and annually thereafter
  • Device security: All devices used to access PHI are encrypted, password-protected, and subject to remote wipe capability

6. Data Sharing

We share information only as necessary to perform our services:

  • Payer portals (Full Service plan only): PA submissions are made to insurance payer portals with client authorization
  • Supabase: US-based, SOC 2 compliant cloud database used for client account and case management
  • Google Workspace: Used for internal communication and document handling; subject to our BAA
  • Stripe: Payment processing only; Stripe never receives PHI

7. Data Retention

  • PHI and clinical records: Retained for 6 years following the end of the client relationship, then securely destroyed per NIST SP 800-88 (electronic) or shredding (paper)
  • Financial and billing records: Retained for 7 years per applicable tax and accounting requirements
  • Account and contact data: Retained until you request deletion, subject to legal retention obligations
  • Website logs: Retained for 90 days, then purged

8. Your Rights

Where RxGranted acts as a Business Associate under HIPAA, your rights regarding Protected Health Information are exercised through your healthcare provider (the Covered Entity), not directly against RxGranted. RxGranted supports Covered Entities in responding to PHI-related requests consistent with HIPAA, the applicable Business Associate Agreement, and applicable law.

As a client or as an individual whose PHI we handle, you have the following rights:

  • Access: Request a copy of information we hold about you or your patients
  • Correction: Request correction of inaccurate information
  • Deletion: Request deletion of your account and associated data (subject to retention obligations)
  • PHI Disclosure Accounting: Request an accounting of disclosures of your patients' PHI, as required under HIPAA
  • HHS Complaint: File a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr if you believe your HIPAA rights have been violated
  • State Privacy Laws: Residents of certain states may have additional rights under applicable state privacy laws; contact us to inquire

To exercise any of these rights, contact us at [email protected].

9. Cookies and Tracking

We use only functional cookies necessary for session management and authentication. Specifically:

  • Session cookies to maintain your logged-in state in the client portal
  • Form state cookies to preserve onboarding progress

We do not use:

  • Advertising or behavioral tracking cookies
  • Third-party analytics pixels (e.g., Google Analytics, Facebook Pixel)
  • Individual-identifying usage tracking

10. Children's Privacy

Our services are designed for healthcare practices and their administrative staff — not for individuals under the age of 18. We do not knowingly collect personal information directly from children. If we become aware that we have inadvertently received personal information from a minor, we will delete it promptly.

PHI related to pediatric patients may be processed as part of PA services when submitted by a licensed healthcare provider — this is governed by HIPAA and our BAA, not this policy section.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we do:

  • The updated policy will be posted at rxgranted.com/privacy/ with a new effective date
  • Material changes will be communicated to active clients via email at least 14 days before taking effect
  • Continued use of our services after the effective date constitutes acceptance of the updated policy

12. Contact Us

For privacy-related questions, requests, or concerns:

  • Email: [email protected]
  • Phone: (856) 304-8679
  • Mail: ASKARX LLC DBA RxGranted • 100 Fellowship Road, Moorestown, NJ 08057
  • Privacy Officer: Umair Ahmad, PharmD