RUDY — Privacy Policy

Effective Date: June 2026 · Operated by 420 Xchange, Inc ("RUDY," "we," "us," or "our")

Draft for attorney review — not legal advice. This is an original starting draft tailored to RUDY's business model. Privacy law for a patient-financing platform is especially complex and high-stakes — it may touch HIPAA, the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), state privacy laws (e.g., the Florida Digital Bill of Rights, CCPA/CPRA for California residents), and breach-notification rules, all of which vary by state and by your exact data practices. Have qualified counsel review and finalize this before you publish or rely on it. Sections flagged [counsel] are higher-risk and should not be finalized without legal advice.

1. Overview

RUDY operates a free, healthcare-focused platform that helps participating practices connect their patients to third-party financing through a single application. This Privacy Policy explains what information we collect, how we use it, and with whom we share it. It applies to your use of the RUDY website and platform (the "Service") and works alongside our Terms of Use.

2. Information We Collect

Practice account information. When a practice creates an account, we collect information such as the practice name, location, the name and contact details of authorized users, and login credentials.

Patient applicant information. When a practice or patient submits a financing application, we collect information needed to route it to lenders — such as the patient's name and contact information, the requested financing amount, a description of the treatment or procedure, and information relevant to the financing request. We do not collect full Social Security numbers or full payment-card numbers through the Service.

Usage and device information. We may automatically collect technical information such as IP address, browser type, device identifiers, and how you interact with the Service.

Information from lenders. We may receive status and decision information from third-party lenders in connection with applications routed through the Service.

[counsel: confirm the exact data inventory matches the production system, and whether any element constitutes PHI under HIPAA or "nonpublic personal information" under GLBA.]

3. How We Use Information

We use the information we collect to: operate and provide the Service; route financing applications to third-party lenders; communicate with practices and patients about applications and the Service; maintain security and prevent fraud; improve the Service; and comply with legal obligations.

4. How We Share Information

With third-party lenders. The core function of the Service is to route a patient's application to one or more independent lenders so the patient can seek financing. By submitting an application, the practice and patient authorize this sharing.

With service providers. We may share information with vendors who help us operate the Service (such as hosting and infrastructure providers), bound by confidentiality obligations.

For legal and safety reasons. We may disclose information if required by law, to enforce our Terms, or to protect the rights, safety, or property of RUDY, our users, or others.

In a business transfer. If RUDY is involved in a merger, acquisition, or sale of assets, information may be transferred as part of that transaction.

We do not sell your personal information.

5. Third-Party Lenders' Privacy Practices

Once information is shared with a third-party lender, the lender's own privacy policy and practices govern its handling of that information. RUDY is not responsible for the privacy practices of independent lenders. We encourage patients to review each lender's privacy policy before accepting financing.

6. Sensitive Health and Financial Information

Some information submitted through the Service may relate to a patient's medical treatment or financial situation. Practices are responsible for obtaining all required patient consents before submitting such information, and for ensuring submission complies with applicable healthcare and privacy laws. We handle this information consistent with this Policy and applicable law. [counsel: determine HIPAA covered-entity / business-associate status and whether a Business Associate Agreement framework is required; confirm GLBA and FCRA obligations.]

7. Data Retention

We retain information for as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements, after which we delete or de-identify it. [counsel: set specific retention periods.]

8. Security

We use reasonable administrative, technical, and physical safeguards designed to protect information. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. [counsel: confirm safeguards meet applicable standards before production launch, including server-enforced access controls and breach-notification procedures.]

9. Your Choices and Rights

You may access or update your account information through the Service or by contacting us. Depending on your state of residence, you may have rights to access, correct, delete, or restrict the use of your personal information, and to appeal a decision about a request. To exercise any right, contact us using the information below. [counsel: insert state-specific rights and response procedures, including for Florida and California residents.]

10. Children's Privacy

The Service is intended for use by practices and adult patients. It is not directed to children, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us information, contact us and we will take appropriate steps to delete it.

11. Cookies and Tracking

We may use cookies and similar technologies to operate the Service, remember preferences, and understand usage. You can control cookies through your browser settings, though some features may not function without them. [counsel: confirm cookie-consent requirements for applicable jurisdictions.]

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted with an updated Effective Date. Your continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

13. Contact Us

For questions about this Privacy Policy or to exercise your privacy rights, contact:

420 Xchange, Inc
6586 Hypoluxo Rd, Suite 319
Lake Worth, FL 33467
Email: info@nexgenerationpayments.com

Original draft prepared for 420 Xchange, Inc. Confidential.