Privacy Policy
Last updated: March 2026
Rapport7 (“we,” “us,” or “our”) operates the website rapport7.com. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our services.
Information We Collect
Information You Provide
When you create an account or subscribe to our membership, we collect:
- Name — used to personalize your experience and for printed directives
- Email address — used for account authentication, transactional emails (welcome, password reset, case submission confirmations), and a one-time automated onboarding email sequence
- Password — stored in hashed form; we never store or have access to your plain-text password
- Clinic/organization name and address — optionally provided by you for use with the Directive Printer tool
- Logo — optionally uploaded by you for use with the Directive Printer tool
Information Collected Automatically
- Browsing history — we record the last 50 articles you view within Rapport7 to provide a “Recent History” feature in your account. This data is stored in your user profile and is not shared.
- Favorites — articles and tools you choose to save are stored in your user profile.
- Cookies — we use a session cookie (with the HttpOnly and Secure attributes set) to keep you logged in. We also use a cookie consent preference cookie to remember your consent choice. We do not use third-party advertising cookies.
- Analytics — we use Cloudflare’s built-in analytics (privacy-focused, no personal data collected) and Google Tag Manager for basic site usage data. No third-party advertising trackers are used.
Case Submissions
If you submit a case through our Case of the Week feature, we collect the anonymized case information you provide. By design, cases must not contain identifying information about real individuals. Submissions are reviewed by the site owner and may be selected for publication in anonymized form.
How We Use Your Information
We use the information we collect to:
- Provide and maintain your account and membership
- Authenticate your identity and manage access to gated content
- Process subscription payments through Freemius (our payment processor)
- Send transactional emails (account confirmation, password resets, case submission status updates)
- Send a one-time automated onboarding email sequence (4 emails over 14 days) when you create a free account
- Provide personalized features (favorites, history, directive printing with your details)
- Respond to case submissions through the Case of the Week feature
- Improve and maintain the website
We do not:
- Sell your personal information to third parties
- Send marketing emails beyond the one-time onboarding sequence
- Use your data for advertising purposes
- Share your browsing history or favorites with anyone
- Use automated decision-making or profiling
Third-Party Services
We use the following third-party services:
- Cloudflare (Pages, Workers, R2) — hosts our website and stores user data. Cloudflare’s privacy policy applies to infrastructure-level data processing. Data is stored in Cloudflare’s global network.
- Freemius — processes membership payments. When you subscribe, your payment information is handled entirely by Freemius. We do not store credit card numbers or payment details. Freemius’s privacy policy governs payment data.
- Resend — delivers transactional emails on our behalf. Email addresses are shared with Resend solely for email delivery.
- Google Tag Manager — used for basic analytics. Subject to Google’s privacy policy.
Data Storage and Security
- Your account data (profile, favorites, history) is stored in Cloudflare R2 object storage
- Passwords are cryptographically hashed before storage
- Authentication uses signed JSON Web Tokens (JWTs) stored in HttpOnly, Secure cookies
- All data transmission uses HTTPS encryption
- We do not store credit card or payment information
Data Retention
- Active accounts: Your data is retained for as long as your account is active
- Deleted accounts: If you request account deletion, we will remove your personal data within 30 days
- Case submissions: Published cases (anonymized) remain on the site indefinitely. Unpublished submissions are retained for up to 12 months and then deleted
Your Rights
Depending on your jurisdiction, you may have the right to:
- Access your personal data — available through your account profile page
- Correct inaccurate data — editable through your account profile
- Delete your account and associated data — contact us at the email below
- Export your data — contact us at the email below
- Withdraw consent — you may close your account at any time
- Object to processing — contact us at the email below
For EU/EEA Residents (GDPR)
If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR):
- Legal basis for processing: We process your data based on (a) your consent when you create an account, (b) contractual necessity to provide the services you’ve subscribed to, and (c) our legitimate interest in improving and securing our services
- Data transfers: Your data may be processed outside the EU/EEA by our service providers (Cloudflare, Freemius, Resend). These transfers are protected by appropriate safeguards
- Right to lodge a complaint: You have the right to lodge a complaint with your local data protection authority
- Data Protection Officer: For GDPR-related inquiries, contact us at the email below
For California Residents (CCPA)
Under the California Consumer Privacy Act, you have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information.
Children’s Privacy
Rapport7 is designed for professional practitioners and is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The “Last updated” date at the top of this page indicates when the policy was last revised.
Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
Email: [email protected]