Privacy Policy
Effective date: May 31, 2026
This Privacy Policy describes how Reoxis LLC (“Reoxis,” “we,” “us”) collects, uses, and protects information when you use the Reoxis platform. Reoxis is a Business Associate under HIPAA with respect to Protected Health Information (PHI) entered by our customers.
1. Information We Collect
Account information: Name, email address, job title, and credentials provided during account creation.
Protected Health Information (PHI): Patient records, insurance information, diagnosis codes, clinical documentation, delivery records, and billing data entered by customers. Reoxis processes this data solely to provide the Service under an executed Business Associate Agreement.
Usage data: Log data including IP addresses, browser type, pages visited, session timestamps, and feature usage. This data is pseudonymized and used only for security monitoring and product improvement.
2. How We Use Information
- To provide, operate, and maintain the Service;
- To enforce HIPAA Security Rule requirements (access logging, session management);
- To diagnose technical problems and improve platform reliability;
- To communicate service updates, maintenance notices, and billing information;
- To comply with legal obligations.
Reoxis does not sell customer data. Reoxis does not use PHI to train machine learning models. Reoxis does not use customer data for advertising.
3. HIPAA & Data Security
All PHI is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access to PHI is restricted to authenticated, authorized users within your organization via role-based access controls and row-level security enforced at the database layer.
Reoxis maintains a comprehensive HIPAA Security Rule program including risk assessments, workforce training, access management, audit controls, and incident response procedures. All PHI access is logged to an immutable audit trail.
In the event of a breach affecting PHI, Reoxis will notify the affected Customer within 60 days of discovery as required by the HIPAA Breach Notification Rule.
4. Subprocessors & Business Associates
Reoxis engages the following subprocessors that may process PHI, each of which has executed a HIPAA Business Associate Agreement:
- Amazon Web Services (AWS) — cloud infrastructure and storage
- Supabase — database and authentication (AWS-hosted)
- Phaxio — electronic fax transmission
- Twilio — SMS and voice communications
- SendGrid — transactional email
5. Data Retention
Customer data is retained for the duration of the subscription plus 90 days after termination to allow data export. After 90 days, all customer data including PHI is permanently deleted from Reoxis systems. Anonymized usage analytics may be retained indefinitely.
6. Your Rights
Customers may request a copy of their data, correction of inaccurate account information, or deletion of their account by contacting privacy@reoxis.com. Requests related to PHI (patient records) must be directed to the Covered Entity (the DME supplier) per HIPAA requirements, not to Reoxis.
7. Cookies
Reoxis uses session cookies strictly necessary for authentication. No third-party advertising or analytics cookies are used. Cookie consent banners are not displayed because no non-essential cookies are set.
8. Changes to This Policy
We will notify customers of material changes to this Privacy Policy via email and in-app notice at least 30 days before the effective date.
9. Contact
Privacy inquiries: privacy@reoxis.com
Reoxis LLC · Chicago, IL