Data Rights

Scope and Applicability

This Data Protection Notice describes how CIPA Booking processes personal data in connection with our price-comparison and informational services offered in the United States. While our operations are U.S.-based, we align our practices with the principles of the EU/UK General Data Protection Regulation (GDPR) and comply with applicable U.S. privacy laws, including state privacy statutes such as the California Consumer Privacy Act as amended by the CPRA (collectively, “U.S. Privacy Laws”). Where laws differ, we apply the framework that best protects your privacy or is legally required for your jurisdiction.

We are not a pharmacy and do not dispense medications. We provide medication information and price-comparison resources and may refer you to reputable sources. This Notice covers personal data collected online and offline, including through our website, communications, and related services.

Identity of the Data Controller and Contact

The data controller and business contact for your personal data is:

CIPA Booking
Owner: Roger Baraldes
1221 Williamson St, Madison, WI 53703, United States

Email: [email protected]

If you have any questions or wish to exercise your rights, contact us using the details above.

Categories of Personal Data We Process

  • Identifiers and contact details: name, email address, postal address, telephone number, and identifiers you provide when contacting us.
  • Account and preference data: username, saved comparisons, subscription preferences, and communication settings.
  • Commercial and transactional data: product views, clicks, saved items, referrals you follow; we do not collect payment card numbers on our site.
  • Internet or device information: IP address, device and browser type, operating system, language, approximate geolocation (city/region), pages viewed, session duration, and interactions with features.
  • Cookies and similar technologies: unique IDs, session data, attribution and campaign parameters, and consent preferences.
  • Inferences and profile data: preferences for generics or brand medications, cost-sensitivity, and browsing-derived interests.
  • Health-related interest data (sensitive): self-reported medication interests or conditions you choose to search or save. We treat this as sensitive and handle it with heightened care. We do not request or store protected health information (PHI) under HIPAA and do not access your medical records.
  • Communications: messages, inquiries, survey responses, and support interactions.

Sources of Personal Data

  • Directly from you when you create an account, submit forms, save items, or contact us.
  • Automatically via cookies, SDKs, and server logs when you use our services.
  • From service providers and partners that support analytics, advertising, referrals, and measurement.
  • From publicly available sources necessary to confirm or enrich limited data (e.g., IP-to-region mapping).

Purposes of Processing and Legal Bases

  • Providing and improving services: to operate the site, enable comparisons, and deliver requested features (GDPR: contract; legitimate interests).
  • Account administration and support: to manage registrations, preferences, and support requests (GDPR: contract; legitimate interests).
  • Personalization and recommendations: to tailor content and rank options that may interest you (GDPR: consent where required; legitimate interests).
  • Marketing communications: to send updates and offers where permitted; you may opt out at any time (GDPR: consent or legitimate interests, depending on jurisdiction and channel).
  • Analytics and measurement: to understand usage, diagnose issues, and improve quality (GDPR: consent where required; legitimate interests).
  • Security and fraud prevention: to protect accounts, investigate misuse, and maintain integrity (GDPR: legitimate interests; legal obligation).
  • Legal compliance: to comply with laws, respond to lawful requests, and enforce terms (GDPR: legal obligation).
  • Business operations: corporate governance, audits, and potential mergers or acquisitions (GDPR: legitimate interests).

Cookies and Similar Technologies

We use cookies, pixels, and similar technologies to enable core functionality, remember preferences, analyze traffic, and support advertising measurement.

  • Essential: required for site functionality and security.
  • Functional: save settings and improve experience.
  • Analytics: measure usage and performance.
  • Advertising/measurement: support interest-based ads and campaign attribution; may constitute “sharing” under certain U.S. state laws.

You can manage cookies through your browser or device settings. Where required, we seek consent for non-essential cookies. You may opt out of analytics and advertising cookies by contacting us at [email protected] with the subject line “Privacy Request: Cookie Preferences.” We endeavor to honor applicable opt-out preference signals (such as Global Privacy Control) where technically feasible.

Disclosure of Personal Data

We disclose personal data for the purposes described above to the following categories of recipients:

  • Service providers and processors that host, maintain, analyze, and secure our services under contractual confidentiality and data protection obligations.
  • Analytics, measurement, and advertising partners to support performance metrics and interest-based advertising, subject to your choices.
  • Affiliates and referral partners involved in tracking outbound clicks and conversions.
  • Professional advisors (legal, accounting) under confidentiality.
  • Authorities and regulators when required by law or to protect rights, safety, and security.
  • Business transferees in connection with mergers, acquisitions, or asset sales, subject to continued protections.

We do not sell personal information for money. We may “share” personal information for cross-context behavioral advertising as defined by certain U.S. state laws; you can opt out as described in the “Your Privacy Rights” section.

Cross-Border Data Transfers

We primarily store and process personal data in the United States. If you are located in the EEA, UK, or Switzerland, we rely on appropriate safeguards such as Standard Contractual Clauses for transfers to the U.S., alongside supplementary measures as needed. You may contact us for more information about these safeguards.

Retention Periods

We retain personal data only as long as necessary for the purposes described, including to comply with legal, accounting, or reporting obligations.

  • Account data: retained for the life of the account and up to 24 months after inactivity or closure, unless longer retention is required by law.
  • Analytics and logs: typically 12–24 months, aggregated or de-identified thereafter.
  • Marketing records: maintained while you subscribe and up to 24 months after opt-out, to respect your preferences.
  • Dispute and compliance records: retained as needed for legal obligations and defense of claims.

Security Measures

We implement appropriate technical and organizational measures, including encryption in transit, access controls, role-based authorizations, logging, backups, and vendor due diligence. No system is entirely secure; we cannot guarantee absolute security. Please use unique, strong passwords and notify us promptly of any suspected compromise.

Children’s Privacy

Our services are not directed to children under 13, and we do not knowingly collect personal data from them. If we learn that a child under 13 has provided personal data, we will delete it. Where GDPR applies, minors under the applicable age of consent (up to 16) require consent from a holder of parental responsibility.

Your Privacy Rights

Rights for EEA/UK/Swiss Users

Subject to conditions and exceptions under GDPR, you may have the right to:

  • Access your personal data and obtain a copy.
  • Rectify inaccurate or incomplete data.
  • Request erasure of your data.
  • Restrict or object to processing, including profiling based on legitimate interests.
  • Obtain data portability for data you provided to us.
  • Withdraw consent at any time where processing is based on consent.

You may also lodge a complaint with your supervisory authority. To exercise rights, contact [email protected].

Rights for U.S. Residents

Depending on your state, you may have rights to:

  • Know/access the categories and specific pieces of personal information we collected about you.
  • Delete personal information, subject to lawful exceptions.
  • Correct inaccurate personal information.
  • Opt out of sale or sharing for cross-context behavioral advertising and targeted advertising.
  • Limit the use and disclosure of sensitive personal information (where applicable).
  • Receive data portability in a readily usable format.
  • Be free from discrimination for exercising privacy rights.
  • Appeal our decision if we deny a request.

To exercise your rights or to opt out of sale/sharing, email [email protected] with the subject line “Privacy Request,” describing your request. You may use an authorized agent consistent with state law; we may require verification of your identity (e.g., confirming control of your email address or other reasonably necessary information) and, where applicable, proof of agent authorization. We aim to respond within 45 days (or as permitted by law) and will explain any denial and how to appeal.

Preferences for Marketing and Analytics

You may unsubscribe from marketing emails using the instructions in the message or by contacting us. You can manage cookies via your browser/device. For analytics/advertising, you may request opt-out by emailing [email protected]. We endeavor to honor applicable opt-out preference signals where feasible.

Automated Decision-Making and Profiling

We do not engage in automated decision-making that produces legal or similarly significant effects about you. We may use limited profiling to personalize content or measure advertising effectiveness; you may object or withdraw consent where required by law.

Third-Party Links and Services

Our site may contain links to third-party websites or services. We are not responsible for their privacy practices. We encourage you to review their privacy notices when you visit those properties.

Changes to This Notice

We may update this Notice from time to time to reflect changes in our practices or legal requirements. Material changes will be indicated by updating the “Effective Date.” Your continued use of our services after updates constitutes acceptance of the revised Notice.

Effective Date: 2025-09-26

How to Contact Us

CIPA Booking
Owner: Roger Baraldes
1221 Williamson St, Madison, WI 53703, United States
Email: [email protected]

Definitions

  • Personal Data/Personal Information: Information that identifies, relates to, describes, or could reasonably be linked to an identified or identifiable individual or household.
  • Processing: Any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.
  • Sale/Share: As defined by applicable U.S. state laws; generally, selling is transferring personal information for monetary or other valuable consideration; sharing often refers to disclosure for cross-context behavioral advertising.
  • Sensitive Personal Information: Data requiring heightened protections, which may include precise geolocation, health-related interest data, and other categories defined by law.
