Privacy Policy

Effective Date: March 18, 2026 · Version 1.0

This Privacy Policy describes how Ferrum Consulting, LLC (“Ferrum Consulting,” “we,” “us,” or “our”) collects, uses, stores, and discloses information in connection with the Rdn.FacLT platform (“Platform”), including its web application, mobile applications, and associated APIs and services. This policy applies to all users of the Platform, including facility administrators, staff members, and patients who interact with the Platform through scheduling links, mobile applications, or notification services.

Rdn.FacLT is a multi-tenant facility operations and scheduling platform designed for infusion centers, clinics, and medical spas. The Platform is operated in conjunction with the Rdn Identity authentication service (“RdnId”), which manages user authentication and authorization separately from facility operational data.

1. Information We Collect

1.1 Account and Authentication Data

User authentication is managed through the RdnId identity service. When you create an account or sign in, RdnId collects your name, email address, and credentials. The Platform receives an authenticated identity token from RdnId but does not store your password. Role assignments, permissions, and tenant associations are managed within the Platform based on your authenticated identity.

1.2 Facility and Organizational Data

Facility administrators provide information about their organizations, including facility names, addresses, phone numbers, email addresses, hours of operation, and operational settings such as booking lead times and scheduling preferences. This data is provided directly by the organization and is necessary for the Platform to function.

1.3 Staff Data

Information about staff members is entered by facility administrators and may include names, contact information, hire dates, hourly rates, role assignments, availability windows, and schedule records. Staff data is scoped to the tenant and facility that created it.

1.4 Patient Data

Patient information is entered by facility administrators and staff, and may include names, dates of birth, gender, contact information (addresses, phone numbers, email addresses), facility enrollment records, booking history, and notes associated with appointments. Patients who interact with the Platform through self-scheduling links or mobile applications may have their scheduling selections and confirmation records stored.

1.5 Booking and Scheduling Data

The Platform records appointment details including the facility, patient, staff member, station, service, date, time, duration, estimated and actual costs, supply usage, patient instructions, and status changes. Each booking generates an audit log that captures a snapshot of the booking state at the time of each status change.

1.6 Supply Chain Data

The Platform tracks supplies, suppliers, inventory levels, pricing, lead times, and associations between services and required supplies. This data is entered by facility administrators.

1.7 Notification and Consent Data

When notifications are sent (via email, SMS, or push notification), the Platform logs the recipient address, notification type, channel, delivery status, and timestamp. Notification content is generated from configurable templates using booking and patient data.

The Platform collects and stores messaging consent records, including: the channel consented to (email, SMS, or push), the method of consent (web form, SMS keyword, or API), the date and time consent was granted, IP address and browser information at the time of consent, and a versioned hash of the consent text that was presented. If consent is revoked (for example, by replying STOP to an SMS message), the revocation date and method are recorded. Consent records are retained for compliance and audit purposes even after revocation.

1.8 Device and Technical Data

When you use the Platform’s mobile applications, device registration information (device tokens for push notifications) is stored to enable notification delivery. Standard web server logs may record IP addresses, browser types, and access timestamps for security and operational purposes.

1.9 AI Agent Interactions

The Platform includes an AI-powered agent chat feature that allows staff to query facility data using natural language. Chat messages and responses are processed in real-time and are not stored permanently by the Platform. The agent accesses only the data that the authenticated user is authorized to view based on their tenant and role.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Operating the Platform and providing its core functionality, including scheduling, booking management, staff and station assignment, and supply tracking.
  • Authenticating users and enforcing role-based access controls through integration with RdnId.
  • Sending transactional notifications related to bookings, including confirmations, reminders, cancellations, and scheduling invitations, via the communication channels you have consented to (email, SMS, or push notifications).
  • Generating audit logs for booking status changes and operational accountability.
  • Evaluating booking constraints through the booking engine, including facility hours, staff availability, station conflicts, supply lead times, and role qualifications.
  • Providing customer support and responding to inquiries.
  • Maintaining the security, integrity, and availability of the Platform.

We do not use patient data for marketing purposes. We do not sell, rent, or lease personal information to third parties.

3. Data Storage and Security

3.1 Infrastructure

The Platform is hosted on Microsoft Azure. Data is stored in Microsoft SQL Server databases. All data is encrypted at rest using Azure’s storage encryption and in transit using TLS 1.2 or higher. Authentication tokens are issued as signed JWTs and sensitive values such as booking confirmation tokens and scheduling invite tokens are encrypted using ASP.NET Data Protection.

3.2 Multi-Tenant Isolation

The Platform operates on a multi-tenant architecture. Each organization’s data is logically isolated within the database using tenant-scoped queries. Users can only access data belonging to the tenant(s) they are authorized to view. Cross-tenant data access is not permitted through the application layer.

3.3 Access Controls

Access to the Platform is controlled through role-based permissions managed via RdnId. API endpoints require authenticated requests with valid JWT tokens. Administrative operations require specific permissions that are granted based on the user’s role within their organization.

3.4 Audit Logging

The Platform maintains audit trails for bookings, schedules, shifts, and notification deliveries. Audit records include timestamps, the identity of the user who performed the action, and a snapshot of the affected data at the time of the change. Audit records are append-only and are not modified after creation.

4. Data Sharing and Disclosure

We may share information in the following circumstances:

  • Within the tenant organization: Staff members within the same organization can view patient, booking, and facility data according to their assigned roles and permissions.
  • Notification delivery providers: When sending SMS, email, WhatsApp, or push notifications, message content and recipient contact information are transmitted to the applicable delivery service provider (e.g., Twilio or Microsoft Azure Communication Services for SMS, Twilio for WhatsApp, SMTP providers for email, Azure Notification Hubs with Apple/Google push notification services for mobile).
  • Legal requirements: We may disclose information when required by law, subpoena, court order, or governmental regulation, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred to the acquiring entity.

We do not sell personal information. We do not share patient data with third parties for their marketing or advertising purposes.

5. Patient Self-Scheduling and Magic Links

The Platform offers a patient self-scheduling feature where patients receive a link (via SMS, email, WhatsApp, or push notification) to select an available appointment slot. These scheduling links contain an encrypted token that identifies the patient, facility, and service. The token is time-limited and single-use. When a patient opens a scheduling link:

  • The token is validated server-side. No patient credentials are required.
  • The patient sees only available time slots that meet the booking criteria pre-configured by staff.
  • No patient health records, diagnoses, or treatment details are displayed on the scheduling page.
  • Upon selecting a slot, the appointment is created and the patient receives a confirmation.

6. Data Retention

We retain data for as long as the customer’s subscription is active and as necessary to fulfill our obligations under this policy and applicable law. The Platform uses soft-delete for most records, meaning deleted data is marked as inactive but retained in the database for audit and recovery purposes. Upon termination of a subscription, we will delete or anonymize customer data within a reasonable period, subject to any legal retention requirements.

7. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, delete, or export your personal information. To exercise these rights, contact us at the address below. We will respond to requests within a reasonable timeframe and in accordance with applicable law.

Facility administrators can access, modify, and delete staff, patient, and booking records through the Platform’s administrative interface. Patients may request access to or deletion of their data by contacting their healthcare facility or by contacting us directly.

You may revoke your consent to receive SMS communications at any time by replying STOP to any SMS message received from the Platform. You may manage your notification preferences, including which types of notifications you receive and on which channels, through the Platform’s mobile application settings. Revoking communication consent does not affect your ability to use the Platform.

8. Children

The Platform is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. Patient records for minors are created and managed by authorized facility staff, not by the minors themselves.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. We will notify active subscribers of material changes via email or through the Platform. Your continued use of the Platform after changes are posted constitutes your acceptance of the updated policy.

10. Contact Information

For questions, concerns, or requests regarding this Privacy Policy or your personal data, contact:

Ferrum Consulting, LLC
Email: support@ferrumconsulting.com
Web: https://www.ferrumconsulting.com

© 2026 Ferrum Consulting, LLC · FacLT.com

Terms·Privacy·License