FujiRX
Legal · HIPAA Privacy Notice

How Fuji protects the health information behind your peptide protocol

This notice describes how protected health information about you may be used and disclosed, and how you can get access to that information. Read it carefully. If anything is unclear after the first pass, that is on us, and our privacy team is happy to walk you through it.

Effective: 23 May 2026
Last reviewed: 23 May 2026
Entity: Fuji RX LLC
State of incorporation: Delaware

On this page

  1. About this notice
  2. Who and what it covers
  3. Information we collect
  4. How your information is used
  5. Who we share it with
  6. Your rights under HIPAA
  7. How we safeguard it
  8. Retention of records
  9. Breach notification
  10. State-law considerations
  11. Changes to this notice
  12. Contacting us

About this notice

Fuji is a telehealth platform. We connect adults seeking peptide protocols with independently licensed clinicians, and we coordinate fulfilment of medically appropriate prescriptions through a partner 503A compounding pharmacy. Because that workflow involves protected health information, or PHI, federal law requires us to give you a clear written summary of how your information moves through the system. This document is that summary.

We have written it in plain language and kept the regulatory citations to the minimum needed. Where a sentence sounds clinical, the underlying obligation is genuinely clinical, and softening the language would obscure your rights rather than help them. The full statutory framework is the Health Insurance Portability and Accountability Act of 1996, the HITECH Act of 2009, and the implementing rules at 45 CFR Parts 160 and 164.

One honest caveat. Fuji is operating as HIPAA-aligned from day one. That phrase matters. We follow the technical, administrative, and physical safeguards that the rule requires of a covered entity and its business associates, and we have executed business associate agreements with the vendors that touch PHI on our behalf. Where a vendor has not yet completed a BAA, no PHI flows to that vendor. We will mark this notice as HIPAA Compliant only once an independent assessor has signed off on the full programme.

Who and what this notice covers

It applies to information you give us, or that a clinician generates on your behalf, when you do any of the following on Fuji or through our partner pharmacy:

  • complete an intake questionnaire or a follow-up health survey;
  • speak with, message, or upload documents to a licensed clinician retained through our platform;
  • receive a prescription, a refill, or a clinician-issued protocol adjustment;
  • have a compounded medication shipped to you by the partner 503A pharmacy;
  • contact our care team about a clinical question, an adverse event, or a return.

The notice does not cover information you give to third-party services we do not control, even where you reach them through a link on our site. Lab vendors and payment processors, for example, each maintain their own privacy practices, and we link to them where relevant. Vendors that handle PHI on our behalf, such as our identity-verification partner, are a different case: they work under a business associate agreement and this notice applies to what they do with your information.

Fuji is structured as a hybrid covered entity for HIPAA purposes. The clinical components are health-care components subject to the Privacy Rule. Marketing and product analytics are operated separately and never receive identifiable health information. Where we act as a business associate to the clinicians and the pharmacy, the same protections apply, and the disclosures we are permitted to make are narrower, not broader.

The information we collect, and why

We collect only the information a clinician needs to evaluate you safely and to issue, fulfil, and follow up on a prescription. The categories below describe what may end up in your clinical record at Fuji.

Identifiers and contact details

Legal name, date of birth, residential address, shipping address (when different), email address, and at least one telephone number. If a state requires us to verify identity before a clinician can prescribe, we may collect a government identification document and a selfie, which our identity-verification partner processes under its own BAA and deletes once verification is complete.

Health history relevant to peptide care

Current and past medications, known allergies, prior or active diagnoses, surgical history where relevant, family history flagged by the intake form, lifestyle inputs such as alcohol and tobacco use, pregnancy status where applicable, and the goal you describe for your protocol (weight, recovery, performance, longevity, and so on). If you upload lab results or imaging, those become part of the record as well.

Treatment information

The prescription a clinician writes for you, dose, route, frequency, refill schedule, pharmacy notes, dispensing dates, shipping events, and any clinical correspondence between you and your clinician. We also retain a record of declined prescriptions and the reason a clinician chose not to prescribe.

Operational and payment information

The fact that you paid, the amount, the date, and the last four digits of the card. Full card data is handled by our payment processor under PCI DSS, never stored on Fuji servers. If you use insurance benefits to cover any portion of a visit, plan and member identifiers are collected for that limited purpose.

What we do not collect through the website

Continuous biometric streams, daily symptom journals, sleep traces, and other long-form self-tracking data are reserved for the Fuji mobile companion app, which is governed by its own privacy notice and a separate, more restrictive data architecture. The marketing website does not gather that material.

How your information is used

HIPAA allows a covered entity to use and disclose PHI for three core purposes without separately asking your permission each time: treatment, payment, and health-care operations. Those terms have specific meanings.

Treatment

A clinician on our platform reviews what you submit, decides whether a peptide protocol is medically appropriate, writes a prescription if so, monitors your response, and adjusts the plan over time. To do that, the clinician needs your full clinical picture, and they may consult with another licensed provider on our network when a second opinion improves your care.

Payment

We charge for visits, for the medication dispensed by the pharmacy, and for shipping. The amount, date, and minimum identifying information move to our payment processor and, where applicable, to your insurer. We do not sell payment data.

Health-care operations

This covers the work of keeping the platform running safely: quality assurance, adverse-event review, clinician credentialling, supervised peer review, training, audits, compliance work, and the legal and accounting tasks that any health-care organisation has to perform. Internal analytics that use PHI are limited to the minimum necessary and run inside our protected environment, not in third-party marketing tools.

Things we will not do without your written authorisation

  • Sell your PHI.
  • Use your PHI for marketing, beyond the narrow exceptions the Privacy Rule allows without authorisation, and never for marketing paid for by a third party.
  • Disclose psychotherapy notes, where such notes exist.
  • Use your PHI for fundraising in a way that prevents you from opting out.

You may revoke an authorisation in writing at any time. Revocation applies to future uses, not to disclosures we have already made in reliance on it.

Who your information is shared with

Sharing is narrower than most people expect, and we have tried to keep this list short by design.

Your clinician and their care team

The licensed prescriber assigned to you sees the full intake, the message history, your uploads, and the prescription record. A clinical pharmacist, a medical assistant, or a supervising physician may review the record where their role calls for it.

The 503A compounding pharmacy

To dispense and ship your medication, the pharmacy receives your name, shipping address, contact information, and the prescription itself. The pharmacy is a separate covered entity bound by HIPAA in its own right, and we exchange information with it under a written agreement.

Business associates

Vendors that perform functions on our behalf and need PHI to do so are required to sign a business associate agreement before any PHI reaches them. The categories include our electronic-health-record platform, our identity-verification partner, our HIPAA-aligned email and SMS transports, our hosting and storage provider, our encrypted backup vendor, and our quality-assurance auditor. We maintain a current list and will provide it on written request.

Public-health and legal obligations

We may disclose information without your authorisation when the law requires it: to public-health authorities for reporting an adverse drug event, to the Food and Drug Administration if a medication issue triggers a MedWatch report, to law-enforcement in narrowly defined circumstances, in response to a valid court order or subpoena, to coroners and medical examiners, to organ-procurement organisations, and to workers' compensation programmes when state law allows. Where we are permitted to challenge a request, and the request looks improper, we will challenge it.

People you ask us to talk to

If you direct us in writing to share information with a family member, a caregiver, or another clinician outside our network, we will. You can scope that permission narrowly. You can withdraw it.

Your rights under HIPAA

The rights below belong to you, full stop. Exercising them does not affect the care you receive from your clinician, and no employee at Fuji will treat you any differently for using one.

Right to access

Ask for a copy of the PHI we hold about you, in the format you prefer where we can readily produce it. We respond within 30 days. The rule allows one 30-day extension, and if we need it we will tell you in writing, before the first 30 days run out, why the delay is necessary and when you can expect the copy.

Right to amend

If something in your record is incorrect, request a correction in writing. We will amend it or, if we disagree, give you a written explanation that you may dispute.

Right to an accounting

Request a list of certain disclosures we made of your PHI in the prior six years, excluding disclosures for treatment, payment, and operations or those you authorised.

Right to request restrictions

Ask us not to use or share specific information for treatment, payment, or operations. We are not always required to agree, but if we do, we will honour it. If you pay in full out of pocket for a visit, you may restrict disclosure of that visit to a health plan.

Right to confidential communications

Tell us how and where to reach you. You can ask for messages only at a particular phone number, or only by email, or only by post. We will accommodate reasonable requests.

Right to a paper copy

You may request a printed copy of this notice at any time, even if you have already received it electronically. Email [email protected] and we will send one.

Right to be notified of a breach

If a breach affects your unsecured PHI, we will notify you in writing, in plain language, within the timeframes federal and state law require.

Right to complain

File a complaint with our privacy officer, or directly with the U.S. Department of Health and Human Services Office for Civil Rights. We will not retaliate.

A patient portal is on our roadmap and will let you exercise most of these rights with a few clicks. Until it ships, the email and postal channels below are the supported routes, and we treat both with the same urgency.

How we safeguard your information

Security is not a single switch. It is a layered programme, and we will name the layers so the commitment is auditable rather than rhetorical.

Encryption

All PHI is encrypted at rest using AES-256 with per-tenant envelope keys managed by a FIPS 140-2 validated key-management service. Traffic between your browser, our servers, our clinician console, and the pharmacy moves over TLS 1.3 with modern cipher suites. Backups are encrypted before they leave the primary region.
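Envelope encryption of the kind this paragraph describes, shown as an added example rather than Fuji's own code. An in-memory stand-in for the key-management service (an assumption for the example; a real deployment calls the KMS API) wraps a per-tenant data key under a master key that never leaves it, the record is sealed with AES-256-GCM under that data key, and the tenant and record identifiers are bound into the authenticated data so a ciphertext cannot be opened under another tenant's key or re-labelled as a different record. Package, type and function names are illustrative.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KMS is an in-memory stand-in for a managed key service (an assumption for
// this example). It holds the master key and only ever wraps or unwraps data
// keys; the master key itself is never handed to callers.
type KMS struct{ master []byte }

func NewKMS() (*KMS, error) {
	k, err := randomBytes(32) // 256-bit master key
	if err != nil {
		return nil, err
	}
	return &KMS{master: k}, nil
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM and prefixes the random nonce. aad is
// authenticated but not encrypted, so the tag check fails if the blob is
// presented under a different tenant or record than it was sealed for.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(g.NonceSize())
	if err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, blob, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// TenantKey is a per-tenant data key wrapped under the master key. Only the
// wrapped form is stored; the plaintext key exists just long enough to use it.
type TenantKey struct {
	Tenant  string
	Wrapped []byte
}

func (k *KMS) NewTenantKey(tenant string) (TenantKey, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return TenantKey{}, err
	}
	wrapped, err := seal(k.master, dek, []byte("tenant:"+tenant))
	if err != nil {
		return TenantKey{}, err
	}
	return TenantKey{Tenant: tenant, Wrapped: wrapped}, nil
}

func (k *KMS) unwrap(tk TenantKey) ([]byte, error) {
	return open(k.master, tk.Wrapped, []byte("tenant:"+tk.Tenant))
}

// EncryptRecord protects one PHI record under its tenant's data key and binds
// the ciphertext to the record ID through the AAD.
func EncryptRecord(k *KMS, tk TenantKey, recordID string, phi []byte) ([]byte, error) {
	dek, err := k.unwrap(tk)
	if err != nil {
		return nil, fmt.Errorf("unwrap tenant key: %w", err)
	}
	return seal(dek, phi, []byte(tk.Tenant+"/"+recordID))
}

func DecryptRecord(k *KMS, tk TenantKey, recordID string, blob []byte) ([]byte, error) {
	dek, err := k.unwrap(tk)
	if err != nil {
		return nil, fmt.Errorf("unwrap tenant key: %w", err)
	}
	return open(dek, blob, []byte(tk.Tenant+"/"+recordID))
}

func main() {
	kms, _ := NewKMS()
	a, _ := kms.NewTenantKey("clinic-a")
	b, _ := kms.NewTenantKey("clinic-b")
	blob, _ := EncryptRecord(kms, a, "pt-0412", []byte("allergies: penicillin"))
	if _, err := DecryptRecord(kms, b, "pt-0412", blob); err != nil {
		fmt.Println("cross-tenant decrypt refused:", err)
	}
	pt, _ := DecryptRecord(kms, a, "pt-0412", blob)
	fmt.Println(string(pt))
}
```

The point of the wrapped key travelling with the data, rather than the plaintext key, is that rotating or revoking a tenant is a KMS operation on one small blob, and a copy of the database on its own is useless without the master key the KMS holds.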

Access controls

Only personnel whose job requires PHI access have it, and access is granted under the principle of least privilege. Multi-factor authentication is required for every administrative and clinical login. Each session is logged. Production access requires a documented justification and an approval from a second engineer.

Audit logs

Every read, write, or export of a PHI record is recorded with the actor, timestamp, source IP, and operation type. Logs are retained for a minimum of six years and reviewed on a regular cadence by our compliance lead. Anomalies trigger an incident-response workflow.
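A small detection pass over audit entries of the shape this paragraph lists (actor, timestamp, source IP, operation, record), added here as an example and not Fuji's own tooling. The log lines and their key=value layout are constructed for the example, and the two rules it applies (an actor touching many distinct records inside a short window, and an export from a source IP that actor has not used before in the log) are assumed heuristics of the kind a reviewer would run, not Fuji's actual anomaly rules.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one audit-log entry: who did what to which record, from where, when.
type Event struct {
	At     time.Time
	Actor  string
	IP     string
	Op     string
	Record string
}

// sampleLog is constructed for this example; the key=value layout is an
// assumption, not Fuji's real log schema.
const sampleLog = `
2026-05-23T09:00:00Z actor=dr.lee ip=10.1.4.7 op=read record=pt-0412
2026-05-23T09:03:10Z actor=dr.lee ip=10.1.4.7 op=write record=pt-0412
2026-05-23T09:15:42Z actor=dr.lee ip=10.1.4.7 op=read record=pt-0877
2026-05-23T09:20:00Z actor=ops.kim ip=10.1.9.2 op=read record=pt-0101
2026-05-23T09:21:00Z actor=ops.kim ip=10.1.9.2 op=export record=pt-0101
2026-05-23T09:30:00Z actor=ops.kim ip=203.0.113.55 op=export record=pt-0102
2026-05-23T09:40:00Z actor=svc-report ip=10.1.20.3 op=read record=pt-0201
2026-05-23T09:40:30Z actor=svc-report ip=10.1.20.3 op=read record=pt-0202
2026-05-23T09:41:00Z actor=svc-report ip=10.1.20.3 op=read record=pt-0203
2026-05-23T09:41:30Z actor=svc-report ip=10.1.20.3 op=read record=pt-0204
2026-05-23T09:42:00Z actor=svc-report ip=10.1.20.3 op=read record=pt-0205
2026-05-23T09:42:30Z actor=svc-report ip=10.1.20.3 op=read record=pt-0206
`

// ParseLine parses "<RFC3339 time> actor=.. ip=.. op=.. record=..".
func ParseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 5 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, err
	}
	e := Event{At: at}
	for _, f := range fields[1:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			return Event{}, fmt.Errorf("bad field %q in %q", f, line)
		}
		switch k {
		case "actor":
			e.Actor = v
		case "ip":
			e.IP = v
		case "op":
			e.Op = v
		case "record":
			e.Record = v
		}
	}
	if e.Actor == "" || e.Op == "" || e.Record == "" {
		return Event{}, fmt.Errorf("missing fields: %q", line)
	}
	return e, nil
}

type Alert struct{ Rule, Actor, Detail string }

// Detect walks events in time order and raises:
//   - export-from-new-ip: an export from an IP the actor has not used earlier in the log
//   - bulk-access: an actor touching >= maxDistinct distinct records within window (raised once per actor)
func Detect(events []Event, window time.Duration, maxDistinct int) []Alert {
	var alerts []Alert
	recent := map[string][]Event{}          // per actor, events still inside the window
	seenIP := map[string]map[string]bool{}  // per actor, IPs observed so far
	flagged := map[string]bool{}            // actors already reported for bulk access
	for _, e := range events {
		if seenIP[e.Actor] == nil {
			seenIP[e.Actor] = map[string]bool{}
		}
		if e.Op == "export" && !seenIP[e.Actor][e.IP] {
			alerts = append(alerts, Alert{"export-from-new-ip", e.Actor, e.IP + " " + e.Record})
		}
		seenIP[e.Actor][e.IP] = true

		w := append(recent[e.Actor], e)
		cut := 0
		for cut < len(w) && e.At.Sub(w[cut].At) > window { // drop entries older than the window
			cut++
		}
		w = w[cut:]
		recent[e.Actor] = w
		distinct := map[string]bool{}
		for _, x := range w {
			distinct[x.Record] = true
		}
		if len(distinct) >= maxDistinct && !flagged[e.Actor] {
			flagged[e.Actor] = true
			alerts = append(alerts, Alert{"bulk-access", e.Actor,
				fmt.Sprintf("%d distinct records within %s", len(distinct), window)})
		}
	}
	return alerts
}

// Run parses a whole log and applies Detect to it.
func Run(log string, window time.Duration, maxDistinct int) ([]Alert, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		e, err := ParseLine(strings.TrimSpace(line))
		if err != nil {
			return nil, err
		}
		events = append(events, e)
	}
	return Detect(events, window, maxDistinct), nil
}

func main() {
	alerts, err := Run(sampleLog, 10*time.Minute, 5)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-20s %-11s %s\n", a.Rule, a.Actor, a.Detail)
	}
}
```

On the sample, dr.lee's ordinary clinical pattern raises nothing, ops.kim's export from an unfamiliar address and svc-report's sweep across six records in under three minutes each produce one alert. The thresholds are deliberately parameters: a clinic with a busy supervising physician would set a higher distinct-record count than the one used here.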

Separation of data systems

PHI is kept in a dedicated environment that is logically separated from marketing analytics and product telemetry. Our analytics tools never receive identifiers that can be linked back to an individual, and our marketing pixels do not transmit peptide names, dosing information, or biomarker values under any circumstance.

Vendor due-diligence

Before a vendor is added to the stack, we review its SOC 2 Type II report, its breach history, its sub-processor list, and its willingness to sign our BAA without watered-down terms. Vendors that decline our terms do not receive PHI, regardless of how convenient their product would be.

People and training

Every workforce member who can reach PHI completes HIPAA training at onboarding and annually thereafter. Failures to follow policy are addressed through a documented sanctions framework. We expect a culture in which it is normal to escalate a concern and abnormal to stay quiet.

Honest about limits. No system can promise that information will never be exposed. What we can promise is that we treat your information as if it were our own clinical record, that we test our defences, that we tell you quickly when something goes wrong, and that we improve the programme when we learn something new.

How long records are kept

Medical records associated with a prescribing relationship are retained for at least seven years from the date of the last clinical encounter, which is the floor set by most state medical-board rules. Where a state requires a longer retention period, the longer period applies. Records related to minors, where applicable, are retained until the patient reaches age 21 or for the standard seven-year window, whichever is longer.

Operational records, such as audit logs and billing data, follow their own retention schedules and may be held for shorter or longer periods depending on the legal and accounting obligations attached to them. When the retention window for a record closes, we destroy or de-identify the record using methods consistent with NIST guidance.

If you ask us to delete information we are not legally required to keep, we will. If we are required to keep it, we will tell you why, identify the rule, and explain the next available point at which deletion will be possible.

What happens if there is a breach

Federal law requires us to notify affected individuals without unreasonable delay, and in no case later than 60 calendar days after we discover a breach of unsecured PHI. Several states require shorter timelines. Our internal target is faster than either, because the operational value of an early heads-up is greater than the legal value of a deadline.

A notification, where required, will include a brief description of what happened, the date of the breach and the date of discovery if known, the categories of information involved, the steps you can take to protect yourself, what we are doing to investigate and contain the incident, and how to contact us with follow-up questions. Where a breach affects 500 or more individuals, we notify the U.S. Department of Health and Human Services at the same time we notify you; where it affects more than 500 residents of a single state or jurisdiction, we also notify prominent media outlets serving that state, as the rule requires.

Breaches affecting fewer than 500 individuals are logged when they occur and reported to HHS within 60 days after the end of the calendar year in which they were discovered. We do not minimise small incidents internally on the assumption that they will stay small.

State-law considerations

HIPAA is a floor, not a ceiling. Several states impose stricter rules on telehealth, on the handling of mental-health information, on substance-use records, on minors' health information, and on breach notification timelines. Where a state rule is more protective than HIPAA, the state rule controls.

A few examples worth flagging. California residents have rights under the California Consumer Privacy Act and the Confidentiality of Medical Information Act in addition to HIPAA. Texas extends covered-entity duties to a broader range of businesses under the Texas Medical Records Privacy Act. New York's SHIELD Act adds breach-notification triggers. Washington's My Health My Data Act creates separate consent and authorisation duties for consumer-health information that overlaps with PHI.

If you are unsure how your state's rules interact with this notice, write to [email protected]. We will not give you legal advice, but we will tell you which state rules we apply to your record and where the additional protections kick in.

Changes to this notice

We may revise this notice from time to time, and the revised notice will apply to all information already held by Fuji and to information we receive after the effective date. When a material change happens, we will post the revised version here, update the Last reviewed date at the top of the page, and, where the change affects how we use or disclose your information in a meaningful way, send you a direct notice through the contact channel you have on file.

Past versions are archived and available on request. We do not silently change material terms.

How to reach us

For anything privacy-related, including requests to exercise your rights, questions about a vendor on our BAA list, or a complaint, write to the privacy office:

Privacy Officer
Fuji RX LLC
PO Box [number pending]
Wilmington, DE 19801
Email: [email protected]
General: [email protected]

For complaints to the federal government, the U.S. Department of Health and Human Services Office for Civil Rights accepts filings online at hhs.gov/ocr, by mail, and by telephone. There is no fee, and we will not retaliate against you for filing one.

For other policies that govern your relationship with us, see:

  • General privacy policy — covers the marketing site, cookies, and non-PHI data.
  • SMS privacy and consent — text-message notifications and opt-out.
  • Terms of service — the agreement between you and Fuji.
  • Shipping and returns — how compounded medications reach you.
  • Safety information — important clinical safety guidance for peptide protocols.
  • Frequently asked questions — common patient questions answered in plain language.

Fuji is operated by Fuji RX LLC, a company organised under the laws of Delaware. Fuji is not a medical practice and does not itself provide medical services. Licensed clinicians make all clinical decisions, and compounded medications are dispensed by a partner 503A compounding pharmacy. The content on this page is informational and is not a substitute for individualised medical advice. Read the safety information before beginning any protocol. © 2026 Fuji RX LLC. All rights reserved.