Privacy Policy.

§ 01 · Information we collect

What we actually ask for.

Three categories cover almost everything: contact details for the practitioner reaching out, clinic verification data we are obligated to collect before we can ship a clinical product, and technical signals from your browser that any modern website produces.

We do not collect data we cannot defend. If a field is not on the form below, we have not asked you for it, and we do not have it.

• Contact form submissions. Name, clinic or practice name, professional email, phone number, and the body of the message you send us.
• Clinic verification. Professional license number, NPI (National Provider Identifier) where applicable, business address, and supporting documentation requested at account-opening.
• Order data. Items ordered, quantities, ship-to address, billing address, and the masked payment reference our processor returns to us (we never see the full card number).
• Support tickets. Anything you write to us about a product, an order, or a clinical question, plus the metadata of the conversation (timestamps, agent assigned).
• Newsletter opt-ins. Only if you affirmatively check the box. Email address, the date of opt-in, and the source page.
• Server logs. IP address, user-agent string, request timestamps, and the URL path requested. Held for the period stated in § 06.

§ 02 · How we use information

Use is tied to a purpose.

Every category of data above has a defined use. We do not repurpose data later for something you did not consent to at collection.

• Fulfill orders. Verify clinic eligibility, prepare the shipment, hand it to a carrier, and confirm delivery.
• Eligibility verification. Match license numbers against the issuing board's public registry before any clinical product leaves the facility.
• Respond to inquiries. Reply to practitioner questions about products, protocols, sourcing, and clinical literature.
• Transactional email. Order confirmations, shipping notifications, and account security notices, sent through Resend infrastructure.
• Clinical updates. Sent only to recipients who have actively opted in. Unsubscribe link in every send. No silent re-additions to the list.
• Site and service quality. Aggregate server log analysis to monitor uptime, error rates, and abuse patterns. Not joined to identifiable accounts.
• Legal obligations. Tax records, controlled-product distribution records, and lawful response to subpoenas, warrants, or court orders.

§ 03 · Sharing & disclosure

We never sell. We share narrowly.

Exocellure does not sell personal data. We do not rent, trade, or barter it. We do not feed it into advertising audiences, lookalike models, or marketing intelligence platforms.

The only parties who see your data are vendors we contractually need to run the business, plus a small set of unavoidable legal recipients.

• Payment processor. Stripe handles card data. We receive only the masked reference, not the full card number.
• Shipping carriers. FedEx and UPS receive ship-to address, phone number, and parcel metadata to deliver your order.
• Email infrastructure. Resend transmits transactional and opt-in clinical emails on our behalf under a data processing agreement.
• Cleanroom and QC partners. Operate under signed NDAs. They handle lot data, never customer identity.
• Legal recipients. Courts, regulators, and law-enforcement agencies, only when legally compelled, and only to the scope the order requires.

Not shared with: advertisers, data brokers, marketing platforms, social networks, or any party seeking data for resale.

§ 04 · Cookies & analytics

Minimal by design.

This site runs on the smallest cookie footprint that still works. There are no third-party tracking pixels, no advertising trackers, and no browser fingerprinting scripts loaded from any page.

• Session cookie. A first-party cookie that keeps your cart and login session alive while you browse. Expires when the session ends.
• Preferences cookie. A single localStorage entry named exo_theme that stores your chosen site palette (Obsidian or Royal Navy). Removable from your browser at any time.
• No third-party scripts. No Google Analytics, no Meta Pixel, no LinkedIn Insight Tag, no Hotjar, no FullStory, no advertising remarketing tags.
• No fingerprinting. We do not load any library whose purpose is to identify a returning visitor across sessions without their consent.

If we ever add a first-party analytics tool, it will be self-hosted, IP-anonymized, and disclosed here before launch.

§ 05 · Patient data & HIPAA

Patient data stays with the clinic.

Exocellure does not collect, store, or process patient health information. We never see who you treated, what you treated them for, or what their outcome was. That information resides with the treating practitioner inside their clinical system, and we do not request access to it.

If a clinic chooses to share de-identified outcome data with us for research, formulation development, or a published case series, that exchange is governed by a separate research agreement. All such data is held to the HIPAA Safe Harbor de-identification standard before it reaches our systems.

We are not a HIPAA Covered Entity for the purpose of patient records. Where any incidental Business Associate relationship is created (rare, project-specific), we sign a BAA before any data transfer.

§ 06 · Data retention

We keep what we must, and we set clocks.

Every record class has a defined retention window. When the window closes, the record is purged, archived to immutable cold storage, or de-identified, depending on the regulatory requirement that governs it.

• Contact inquiries. 24 months from last reply, then purged.
• Clinic accounts. Duration of the partnership, plus 7 years after closure for accounting and tax compliance.
• Order records. 10 years per US tax and controlled-product distribution regulations.
• Server logs. 90 days, then aggregated to anonymous counters and the raw records deleted.
• Newsletter list. Held until unsubscribe, at which point the address is removed from the active list and recorded only as a suppression hash.
• Support tickets. 36 months from last activity, then archived without identifiers.

§ 07 · Security

Defense in layers.

We treat security as a clinical-grade discipline because the people we serve operate at clinical-grade standards themselves. The same engineering teams who build product also harden infrastructure.

• Encryption in transit. TLS 1.3 across the public site, the ordering portal, and all internal API surfaces.
• Encryption at rest. AES-256 for sensitive operational records, customer profiles, and document attachments.
• Role-based access. Least-privilege defaults. Production data is read-only outside a defined break-glass workflow.
• Multi-factor authentication. Required for every staff account, every vendor portal, and every administrative interface.
• Access reviews. Quarterly. Every active credential is reviewed against current role; stale credentials are revoked the same day.
• Vendor audits. We require SOC 2 Type II reports or equivalent from any vendor that processes customer or order data on our behalf.
• Breach notification. If we confirm a breach affecting identifiable data, we notify affected parties and applicable regulators within 72 hours of confirmation.

§ 08 · Your rights · US, GDPR, CCPA

You can ask. We have to answer.

Regardless of the regulation that gives you the right, we treat all of the following requests the same way: receive, verify, fulfill, and confirm within 30 days. If a request needs longer, we tell you why and give you an updated date.

• Access. Request a copy of the personal data we hold about you.
• Correction. Update any record that is inaccurate or out of date.
• Deletion. Request removal of your data, subject only to records we are legally required to retain (tax, controlled-product distribution).
• Portability. Receive your data in a machine-readable format you can move to another provider.
• Opt-out of marketing. Withdraw consent from clinical updates or any other opt-in communication at any time.
• Object to processing. Where we rely on legitimate interests, you can object and we will reassess.

Submit any of the above to privacy@exocellure.com. We respond within 30 days. California residents have additional rights under the CCPA, including the right to know what categories we have collected, sold, or disclosed in the preceding 12 months. We do not sell data, so that disclosure is short: nothing.

§ 09 · International transfers

Where the data sits.

Primary data residency is the United States. Our production databases, document storage, and operational infrastructure are hosted in US regions.

A small number of vendors process data in their own regional jurisdictions as part of how they operate: Stripe (payment data, US and EU), Resend (email delivery, US), and shipping carriers (parcel data, route-dependent).

For EU and EEA visitors whose data is transferred to the US in the course of using this site, transfers are conducted under the European Commission's Standard Contractual Clauses, with supplementary measures where required. A copy of the applicable SCCs is available on request to privacy@exocellure.com.

§ 10 · Children

Not for minors.

This site and its products are not directed at children under 16. We do not knowingly collect data from anyone under that age. If we learn that data from a minor has reached our systems, we delete it.

Our products are clinic-only. They are administered by licensed practitioners as part of an adult treatment plan. They are not sold direct-to-consumer, and they are not appropriate for pediatric use.