Privacy & Ethics FAQ

We collect only what is necessary to operate the platform: your username, email address (optional), role, and account creation date. We do not collect personal health information (PHI), social security numbers, or payment card data directly — payments are processed by our PCI-compliant payment partner.

No. We do not sell, rent, or trade your personal information to any third party, ever. We use a small set of infrastructure providers (cloud hosting, database services) who process data strictly on our behalf under data processing agreements. None of them are permitted to use your data for their own purposes.

Session data (which resources you viewed, favorited, or accessed via a learning plan) is used solely to power platform features — such as your personal library, learning plan continuity, and resource recommendations. It is never used for advertising profiling or sold to data brokers.

Yes. Contact support to request full account deletion. Upon verification, we will permanently delete your account, preferences, session history, and any other personal data associated with your profile within 30 days, except where retention is required by applicable law.

We use strictly necessary session cookies to keep you logged in. We do not use third-party advertising cookies, tracking pixels, or behavioral profiling technologies. No cookie consent banner is needed because we only use essential cookies.

Agency administrators can see aggregate usage statistics (e.g., how many resources were accessed, plan activity) for members under their account. Administrators cannot see individual clinicians' peer review content or clinical notes. Each clinician's professional data remains their own.

Usage reports are visible only to designated agency administrators within that account. ResourceNexus platform administrators can access this data for support and billing purposes only. We never share agency-level usage data with other agencies or third parties.

All payment processing is handled by a PCI-DSS Level 1 compliant payment processor. ResourceNexus never stores raw card numbers, CVVs, or bank account information. We only store a tokenized reference and billing tier information necessary for account management.

Upon cancellation, member accounts are deactivated and access is revoked at the end of the billing period. All personal data associated with your agency account is retained for 90 days (to allow for reactivation) and then permanently deleted, unless a different retention period is required by law. You may request immediate deletion by contacting support.

Yes. Agencies that require a formal DPA — for example, to satisfy HIPAA business associate requirements or state privacy regulations — can request one by contacting our support team. Please note that ResourceNexus is an educational resource platform and does not store, process, or transmit Protected Health Information (PHI) as defined by HIPAA.

ResourceNexus runs on enterprise-grade cloud infrastructure with automatic encryption at rest for all database volumes. All network traffic is encrypted in transit. We use role-based access controls, ensuring that only the minimal set of services can access any given piece of data. Database access credentials are rotated regularly and stored in a secrets management system.

ResourceNexus uses AI-assisted semantic matching to help surface clinically relevant resources (using text embeddings, not personal data). This process operates on resource content — not on user identities or clinical records. No personal or identifiable information is used as input to any AI model.

All accounts require authenticated sessions with server-side session validation. Passwords are hashed using PBKDF2-HMAC-SHA256 with per-user salts. Administrative functions require separate role-based authorization. All sensitive API endpoints validate session identity on every request. We conduct regular dependency security reviews and apply patches promptly.

If you discover a potential security vulnerability or have a concern about how your data is being handled, please contact our support team immediately. We take all reports seriously and will respond within 48 hours.