Privacy & Ethics FAQ

We collect only what is necessary to operate the platform: your username, email address (optional), role, and account creation date. We do not collect personal health information (PHI), social security numbers, or payment card data directly — payments are processed by our PCI-compliant payment partner.

No. We do not sell, rent, or trade your personal information to any third party, ever. We use a small set of infrastructure providers (cloud hosting, database services) who process data strictly on our behalf under data processing agreements. None of them are permitted to use your data for their own purposes.

Session data (which resources you viewed, favorited, or accessed via a learning plan) is used solely to power platform features — such as your personal library, learning plan continuity, and resource recommendations. It is never used for advertising profiling or sold to data brokers.

Yes. Contact support to request full account deletion. Upon verification, we will permanently delete your account, preferences, session history, and any other personal data associated with your profile within 30 days, except where retention is required by applicable law.

We use strictly necessary session cookies to keep you logged in. We do not use third-party advertising cookies, tracking pixels, or behavioral profiling technologies. No cookie consent banner is needed because we only use essential cookies.

Your National Provider Identifier (NPI) is used exclusively to cross-reference the NPPES National Plan and Provider Enumeration System registry to confirm your license type and active status. It is never used for marketing, never shared with third parties, and never used to track your clinical activity outside of ResourceNexus.

Yes. NPI data is encrypted at rest using AES-256 encryption and is transmitted exclusively over TLS 1.2+ encrypted connections. Only the verification service and authorized platform administrators can access it, and all access is logged. Your NPI is used solely for registry cross-referencing — it is not stored in any public-facing database field.

Verification status (a 'Verified Clinician' badge) may be visible to platform administrators and, if you opt in to the Clinical Honor Roll, to other users. The NPI number itself is never displayed publicly. Your taxonomy code (specialty type, e.g., LCSW, PhD) may be used to populate your Honor Roll profile if you opt in.

Your peer review submissions — including rubric scores, clinical notes, and COI attestation records — are stored securely and are accessible only to platform administrators for editorial oversight. Aggregate, de-identified contribution statistics (review count, XP) may appear on your profile or the Honor Roll if you have opted in.

When you submit a peer review, you attest that you have no conflict of interest with the resource creator. This attestation (including the timestamp) is stored alongside your review record. It is used by platform administrators to ensure editorial integrity and is a prerequisite for Honor Roll eligibility. It is never shared externally.

The Honor Roll is a strictly opt-in public recognition feature. You must: (1) be NPI-verified, (2) have submitted at least one peer review with a COI attestation, and (3) explicitly enable the toggle in your Account Settings → Public Recognition. You can opt out at any time and will be removed from the public roll immediately. Administrators have the ability to hide any entry from the roll for platform integrity reasons.

Agency administrators can see aggregate usage statistics (e.g., how many resources were accessed, plan activity) for members under their account. Administrators cannot see individual clinicians' peer review content, clinical notes, or NPI data. Each clinician's professional data remains their own.

Usage reports are visible only to designated agency administrators within that account. ResourceNexus platform administrators can access this data for support and billing purposes only. We never share agency-level usage data with other agencies or third parties.

All payment processing is handled by a PCI-DSS Level 1 compliant payment processor. ResourceNexus never stores raw card numbers, CVVs, or bank account information. We only store a tokenized reference and billing tier information necessary for account management.

Upon cancellation, member accounts are deactivated and access is revoked at the end of the billing period. All personal data associated with your agency account is retained for 90 days (to allow for reactivation) and then permanently deleted, unless a different retention period is required by law. You may request immediate deletion by contacting support.

Yes. Agencies that require a formal DPA — for example, to satisfy HIPAA business associate requirements or state privacy regulations — can request one by contacting our support team. Please note that ResourceNexus is an educational resource platform and does not store, process, or transmit Protected Health Information (PHI) as defined by HIPAA.

NPI numbers are encrypted at rest using AES-256 encryption within our database infrastructure. They are transmitted exclusively over TLS 1.2+ encrypted connections. The NPI verification process performs a one-time cross-reference against the publicly available NPPES registry to confirm license type and status — after which only the verification result (verified/unverified), your NPI taxonomy code, and your NPI-registered name are retained in your profile. The raw NPI number is stored in an access-controlled field visible only to authorized administrators.

ResourceNexus runs on enterprise-grade cloud infrastructure with automatic encryption at rest for all database volumes. All network traffic is encrypted in transit. We use role-based access controls, ensuring that only the minimal set of services can access any given piece of data. Database access credentials are rotated regularly and stored in a secrets management system.

ResourceNexus uses AI-assisted semantic matching to help surface clinically relevant resources (using text embeddings, not personal data). This process operates on resource content — not on user identities or clinical records. No personal or identifiable information is used as input to any AI model.

All accounts require authenticated sessions with server-side session validation. Passwords are hashed using PBKDF2-HMAC-SHA256 with per-user salts. Administrative functions require separate role-based authorization. All sensitive API endpoints validate session identity on every request. We conduct regular dependency security reviews and apply patches promptly.

If you discover a potential security vulnerability or have a concern about how your data is being handled, please contact our support team immediately. We take all reports seriously and will respond within 48 hours.