FujiRX

The general privacy policy for peptide telehealth users at Fuji

This policy explains what Fuji collects on the marketing website and across the platform, how that information is used, who it is shared with, and the rights you can exercise under California, European, and other applicable privacy laws. Health-information specifics live in a separate notice linked throughout.

Effective: 23 May 2026 · Last updated: 23 May 2026 · Entity: Fuji RX LLC · State of incorporation: Delaware

On this page

  1. About this policy
  2. Information we collect
  3. How we use information
  4. Who we share with
  5. Cookies and tracking
  6. Your rights
  7. Data security
  8. Data retention
  9. International transfers
  10. Children's privacy
  11. California residents
  12. European residents
  13. Do Not Track
  14. Changes to this policy
  15. Contact us
  16. Effective date

About this policy

Fuji is a telehealth peptide protocol platform. We connect adults in the United States with independently licensed clinicians who, after reviewing a patient's intake, may issue a prescription that a partner 503A compounding pharmacy fulfils and ships. The platform is operated by Fuji RX LLC, a company organised under the laws of Delaware, trading as "Fuji".

This is the general privacy notice. It covers data collected on the marketing site, during quiz completion, at checkout, and through product analytics. Health information from a clinical relationship is governed by the separate HIPAA Privacy Notice; text-message notifications are described in SMS Privacy and Consent. Where information falls under both, the more specific notice controls. We have written this against the CCPA as amended by the CPRA, the EU and UK GDPR, the FTC Act, and the state laws that took effect in 2024 and 2025. Where the law in your jurisdiction grants a stronger right, that stronger right wins.

One thing up front. Fuji does not sell personal information for money, and does not exchange it with third parties for cross-context behavioural advertising as the CCPA classifies a "sale" or "share". Where marketing-site cookies overlap, we honour opt-out signals and provide a clear toggle in the consent banner.

Information we collect

We collect only what is needed to run the service and answer the questions a clinician would ask before prescribing.

Identifiers, contact, and payment

Legal name, account email, password (salted hash only), Fuji user ID, shipping and billing addresses, and a phone number. Where state law requires identity verification, a government-issued ID and selfie are processed by our identity partner. The phone number supports delivery coordination and, if you opt in to SMS, reminders covered by the SMS Privacy notice. Card data is tokenised by Stripe (or a failover such as Paragon) and never reaches our servers raw; we store the token reference, last four, card brand, expiry, and the amount and date of charge. The full card number is held by the processor under PCI DSS.

Commercial and device activity

Order history, prescription fulfilment status, protocol selected, refill cadence, shipping events, return requests, and correspondence needed to keep your order on track. Internet and device data: pages viewed, time on page, referrer, user agent, screen resolution, approximate location from IP (city level), and quiz interactions. Analytics events store against the Fuji user ID, not a stable advertising identifier.

Inferences, cohort signals, and sources

From quiz answers and limited site behaviour, our adaptive classifier infers a likely age bracket, a likely goal (weight, recovery, performance, longevity), and an interest cluster (GLP-1 curious, recovery-focused, hormone-curious). Inferences personalise the post-quiz landing page and are not written back into your clinical record. Most data comes from you. A second source category covers operational tools: Stripe (tokenised confirmations, decline reasons), Cloudflare (edge security signals, approximate location), the analytics provider (aggregate behaviour). A third, narrow by design, comes from the partner pharmacy and clinician network when they update an order or coordinate care.

How we use information

Regulators want us to be explicit about each purpose and, where GDPR applies, the lawful basis. The list below covers both.

Delivering and communicating

Account data, quiz responses, shipping details, and order history run the intake, route the clinical record to a prescriber, and arrange shipment. Service emails (account confirmation, order updates, refill reminders), care-team responses, and, where opted in, marketing material follow from the same record. Lawful basis: contract performance for service delivery and transactional messages; explicit consent for sensitive health information and for marketing.

Compliance, improvement, and safety

Recordkeeping required by federal and state law, tax filings, AML/KYC, public-health reporting for adverse events, and compliance with valid court orders rest on legal obligation. Aggregate quiz analytics, A/B results, usability research, error logs with no health information, and the bandit algorithm that selects the post-quiz landing page rest on legitimate interest. The same basis covers risk scoring at checkout, device fingerprinting limited to fraud signals, abuse detection, rate-limiting, and protection against scripted attacks. Public reports, investor metrics, and partner dashboards always use aggregated or de-identified data, which we do not re-identify. If we ever want to use your information for a purpose materially different from these, we will tell you first and, where consent is the right basis, ask for it.

Who we share with

The list of organisations that touch your information is short by design.

Clinicians, pharmacy, processors, service providers

Your assigned licensed clinician sees the intake, message history, uploads, and prescription record; a supervising clinician may review certain decisions. Network clinicians act as independent practices and as separate controllers of the clinical record under HIPAA, governed by the HIPAA Privacy Notice and each clinician's own notice. The partner 503A compounding pharmacy, also a HIPAA covered entity, receives your name, shipping address, contact details, and the prescription under written agreement. Stripe handles card payments; a pharma-friendly failover such as Paragon uses the same flow, receiving amount, currency, descriptor, order reference, and card data. Quiz answers, clinical notes, and browsing data are not shared with processors. Service providers cover cloud hosting, encrypted backup, email delivery, error-tracking, customer support, identity verification, and analytics; each is contracted to use personal information only for the service we hired, and PHI-touching vendors sign a HIPAA Business Associate Agreement first.

Legal, safety, corporate transactions

We may disclose information when a law, valid court order, or properly served subpoena requires it; to public-health authorities for adverse drug-event reports under federal MedWatch rules; to defend legal claims; to protect users or the public; and to investigate fraud. Where we can challenge an overbroad request, we will. If Fuji is acquired, merges, or sells a business unit, information may transfer; the acquirer must honour these commitments, and we would notify you before any material change in use.

What we do not do

We do not sell personal information for money, rent contact lists, or share with third-party advertisers for cross-context behavioural targeting as the CCPA defines those terms. Quiz answers, prescription data, and biomarker values never enter advertising pixels; marketing tracking blocks such fields at source.

Cookies and tracking

A cookie is a small file a site places on your device to recognise a return visit, remember a preference, measure performance, or run a feature that depends on a stored token. Fuji uses cookies sparingly. On your first visit a consent banner lets you accept all categories, accept only essential, or open a panel to choose category by category.

Essential cookies

Required to make the site work. They hold your session, remember quiz completion, store the HMAC-signed brand identifier that routes you to the right multi-brand landing page, and protect against cross-site request forgery. The brand identifier cookie is signed with a server-held secret and verified on every request, so a value altered in the browser fails verification. These cookies are set without a consent prompt because the site cannot function without them.

Functional, analytics, marketing

Functional cookies remember language, accessibility settings, and saved quiz answers; set only with consent. Analytics cookies power our self-hosted platform with data stored against a rotating internal identifier and truncated IPs; off by default. Marketing cookies measure paid-campaign performance and suppress ads for converted users; off by default. When accepted, pixel partners receive only a hashed identifier, a campaign reference, and an event name. Peptide names, dose values, and biomarker readings never enter these pixels.

Managing your choices

Change preferences through the "Cookie Settings" link in the footer, or clear cookies in your browser (this signs you out and resets saved quiz progress); the banner reappears afterwards.

Your rights

Some rights flow from contract law, others from the privacy statute that applies where you live. The grid covers rights available to most users; the California and European sections add law-specific detail.

Right to access

Ask for a copy of the personal information we hold, in a portable, machine-readable format where possible.

Right to deletion

Ask us to delete information we are not legally required to keep. For medical and tax records, we will explain when deletion becomes possible.

Right to correction

Ask us to correct inaccurate or incomplete information. We will correct it or give a written explanation you may dispute.

Right to portability

Receive your personal information in a common, structured format so you can transmit it elsewhere.

Right to opt out of sale

Fuji does not sell personal information. The opt-out is presented anyway because the CCPA requires it.

Right to non-discrimination

Exercising any privacy right will not affect price, quality of care, or speed of service.

To exercise a right, email [email protected] from the address on your account or write to the Contact address. We verify identity proportionate to sensitivity, respond within 30 to 45 days depending on jurisdiction, and tell you in advance if we need an extension.

Data security

Security at Fuji is a layered programme. The layers are named below so the commitment is something you can hold us to.

Encryption and access

Traffic moves over TLS 1.3 with modern cipher suites; obsolete protocols and weak ciphers are disabled. Sensitive fields at rest are encrypted with AES-256 using per-tenant envelope keys managed by a FIPS 140-2 validated KMS. Backups are encrypted before leaving the primary region. Internal access follows least privilege; production access requires documented justification and a second-engineer approval; MFA is mandatory on every administrative and clinical login; sessions are logged and bulk exports trigger an automated alert.

Audits, vendors, and training

Every read, write, or export of a personal-information record is logged with actor, timestamp, source IP, and operation type, retained at least six years, and reviewed regularly. An external assessor tests the controls each year. Before a vendor joins, we review SOC 2 Type II reports, breach history, sub-processor lists, and willingness to sign our terms; vendors that decline do not receive personal information. Every employee with access completes security and privacy training at onboarding and annually after.

What we will not pretend. No platform can guarantee information will never be exposed. What we can commit to is treating your information as our own, testing our defences honestly, telling you quickly when something goes wrong, and improving the programme when we learn something new.

Data retention

We keep personal information only as long as needed for the purpose collected, or as long as the law requires. Medical records documenting a prescribing relationship are retained at least seven years from the last clinical encounter, the floor most state medical-board rules require; where a state requires longer, the longer period wins, with full detail in the HIPAA Privacy Notice. Account data without a clinical interaction: three years after last activity, then deleted or de-identified. Payment records: per tax and accounting law (typically seven years). Cookie-derived analytics: 14 months. Email lists: inactive subscribers pruned on a rolling 18-month cycle. Encrypted backups: 90-day rollover. Security logs: at least six years. If you ask us to delete information we are not legally required to keep, we will; if we must retain it, we will tell you why, identify the rule, and explain when deletion becomes possible.

International data transfers

Fuji is operated from the United States, with primary data hosting in the US. If you access the service from outside the country, your information will be processed in a jurisdiction whose privacy laws may differ from those in your home country. For users in the EEA, UK, and Switzerland, we transfer personal data to the US under the Standard Contractual Clauses approved by the European Commission, supplemented by the safeguards the EDPB recommends in light of Schrems II. Where we participate in the EU-US Data Privacy Framework, the certification details are listed in our trust centre. If a transfer mechanism is invalidated or a new one becomes available, we will update this policy and, where the change materially affects your rights, contact you through the channel on file.

Children's privacy

Fuji is a service for adults. The intake will not accept a date of birth indicating the user is under 18, and we do not knowingly collect personal information from anyone under 13. COPPA prohibits collection from children under 13 without verifiable parental consent, and we comply by keeping the platform off-limits to that age group. If we learn we have inadvertently collected information from a child under 13, we delete it promptly; a parent or guardian who suspects this should contact [email protected]. California's Eraser Law provides additional removal rights to minors under 18, which we honour where applicable.

California residents

If you live in California, the CCPA as amended by the CPRA adds a specific set of rights on top of the general rights above. This section covers the disclosures the law requires.

Categories collected in the past 12 months

| Category | Examples | Sources | Disclosed for business purpose? |
|---|---|---|---|
| Identifiers | Name, email, account ID, IP, government ID where required. | You; identity partner. | Yes, to service providers. |
| Contact | Shipping, billing, phone. | You. | Yes, to pharmacy and carrier. |
| Payment | Token reference, last four, expiry, amount, date. | You; Stripe. | Yes, to processor. |
| Commercial | Order history, fulfilment status, refill cadence. | You; pharmacy; clinicians. | Yes, to fulfil orders. |
| Internet activity | Pages viewed, time on page, user agent, approximate location. | Self-hosted analytics; Cloudflare. | Yes, to analytics provider. |
| Inferences | Cohort classification (age, goal, interest cluster). | Derived internally. | No external disclosure. |
| Sensitive info | Government ID (where required), health information (HIPAA-governed). | You; clinician. | Yes, for verification and care; never for advertising. |

Sale, sharing, rights, and state-specific laws

Fuji does not sell personal information, and does not "share" it for cross-context behavioural advertising as the CCPA defines those terms; the opt-out is presented through the cookie banner because the law requires visibility. You may exercise the rights to know, delete, correct, port, opt out of sale or share, limit use of sensitive personal information, and non-discrimination. Submit to [email protected] or the Contact address; identity is verified against information on file, and an authorised agent may submit with written permission. California's Shine the Light law lets residents request a list of third parties to which we disclosed personal information for direct marketing in the prior year; we do not disclose for third-party direct marketing, so the answer is "none", with a 30-day response. The Eraser Law gives users under 18 a right to remove content they have posted, although Fuji does not accept user-posted content. Our Cal-OPPA response to "Do Not Track" is covered in the next section.

European residents

If you are located in the EEA, UK, or Switzerland, GDPR applies. Fuji acts as controller of the personal data described here, except where it acts as processor on behalf of a clinician or the partner pharmacy for health information; the HIPAA Privacy Notice and the data-processing agreement govern that processor role.

Lawful bases for processing

  • Contract performance: provide the service, deliver orders, send transactional updates.
  • Consent: marketing email and SMS, non-essential cookies, special-category data outside clinical work.
  • Legitimate interests: fraud prevention, product improvement with non-sensitive data, security monitoring.
  • Legal obligation: recordkeeping, tax filings, court orders.
  • Vital interests: narrow emergencies such as a serious adverse drug event report.

Rights, DPO, transfers, automated decisions

You have the right to access, correct, delete, restrict, object to, or port your personal data, and, where processing is based on consent, withdraw consent at any time without affecting lawfulness of prior processing. You may lodge a complaint with the supervisory authority in your country of residence; in the UK this is the ICO. Although not strictly required to appoint a DPO under Article 37, we have designated a privacy contact at [email protected] (subject "EU/UK privacy request"). Transfer mechanisms for EEA, UK, or Swiss data flows to the US are in International Data Transfers. The adaptive cohort classifier produces non-binding inferences for personalisation; it does not make decisions producing legal or similarly significant effects within the meaning of Article 22. Clinical decisions are made by licensed clinicians, not by an algorithm.

Do Not Track

Some browsers send a "Do Not Track" header. The industry has not converged on a response standard, so most platforms ignore it. Fuji takes a stricter line: where DNT is set, we treat it as an opt-out from analytics and marketing cookies for that session, on top of any choice in the cookie banner. Global Privacy Control (GPC) is a newer signal supported by several browsers and extensions; we honour GPC as a valid CCPA opt-out regardless of California residency, because honouring it universally is simpler than asking users to assert location.

Changes to this policy

Privacy law and product scope both evolve, so this policy will too. Revisions apply to information already held and to information received after the effective date. Material changes (anything affecting how we use or share personal information meaningfully) trigger a direct notice through the contact channel on file, and the cookie banner reappears if a category has been redefined. Archived versions are kept and provided on request. We do not silently change material terms.

Contact us

For any privacy question, including requests to exercise the rights above, write to:

Privacy Office
Fuji RX LLC
PO Box [number pending]
Wilmington, DE 19801
Email: [email protected]
General: [email protected]

Related policies:

  • HIPAA Privacy Notice — controls for protected health information.
  • SMS Privacy and Consent — text-message notifications and opt-out.
  • Terms of Service — agreement between you and Fuji.
  • Shipping and Returns — how compounded medications reach you.
  • Safety information — clinical safety guidance.

Effective date

This privacy policy takes effect on 23 May 2026 and was last updated on 23 May 2026. It supersedes any prior privacy policy for the marketing site and platform. If you began using the service earlier, the prior policy governed up to that point; this policy governs from the effective date forward.


Fuji is operated by Fuji RX LLC, a company organised under the laws of Delaware. Fuji is not a medical practice and does not itself provide medical services. Licensed clinicians make all clinical decisions, and compounded medications are dispensed by a partner 503A compounding pharmacy. The content on this page is informational and is not a substitute for individualised medical advice. Read the safety information before beginning any protocol. © 2026 Fuji RX LLC. All rights reserved.