
Controller and Scope

This General Data Protection Regulation (GDPR) Notice explains how YamRight (yamright.com) processes personal data in accordance with applicable data protection laws, including the GDPR where it applies and relevant United States privacy laws. YamRight is owned and operated by Ariana Vasquez, 3500 S Rural Rd, Tempe, AZ 85282, United States. For the purposes of the GDPR, YamRight is the data controller for the processing activities described herein.

YamRight provides tools to compare medications, generics, prices, and therapeutic alternatives. YamRight does not dispense or sell prescription drugs and is not a covered entity or business associate under HIPAA. Information you provide about medications or health interests may still be considered sensitive personal information and is handled with heightened care.

Effective Date

Effective and Last Updated: 26 September 2025

Categories of Personal Data

  • Identifiers and contact details: name, email address, account credentials, and user IDs.
  • Commercial and service data: saved medications, price alerts, comparison history, click-throughs to partner or pharmacy sites, and preferences.
  • Device and technical data: IP address, device identifiers, browser type, operating system, language, time zone, cookie IDs, and approximate location derived from IP.
  • Usage and interaction data: pages viewed, searches, filters, time on page, scrolls, referral URLs, and campaign attribution.
  • Geolocation data: approximate location (derived from IP); precise location only if you grant explicit permission.
  • Inferences and personalization data: segments or interests derived from your activity (e.g., interest in a drug class or savings options).
  • Communications: messages sent to us, support inquiries, and feedback.
  • Sensitive personal information (where voluntarily provided): health-related interests such as conditions, medications you research, or dosage preferences. We do not collect genetic or biometric identifiers.

Purposes and Legal Bases for Processing

Service Delivery and Account Management

To provide comparison tools, save preferences, set alerts, and respond to inquiries. Legal bases: performance of a contract or pre-contractual steps (GDPR Art. 6(1)(b)); legitimate interests in operating a useful and secure service (Art. 6(1)(f)).

Personalization and Analytics

To tailor content, measure engagement, and improve functionality. Legal bases: consent where required for cookies or similar technologies (Art. 6(1)(a)); legitimate interests in optimizing our services (Art. 6(1)(f)).

Marketing and Communications

To send optional updates or newsletters where you opt in, and to provide price alerts you request. Legal bases: consent (Art. 6(1)(a)); legitimate interests for service-related communications (Art. 6(1)(f)).

Security, Fraud Prevention, and Compliance

To detect, prevent, and investigate security incidents or abuse, and to meet legal obligations. Legal bases: legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)).

Sensitive Information

Where we process health-related interests that you voluntarily provide, we rely on your explicit consent where required (Art. 9(2)(a)) or process only in de-identified/aggregated form.

Sources of Personal Data

  • Directly from you: when you create an account, set alerts, or contact us.
  • Automatically: via cookies, SDKs, and similar technologies when you use our website.
  • From service providers and partners: analytics providers, hosting platforms, and, where applicable, affiliates that help measure referrals and pricing performance.

Children’s Data

YamRight is intended for individuals 16 years of age and older. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data, please contact us to request deletion.

Cookies and Similar Technologies

We use cookies, web beacons, and similar technologies to operate the site, remember preferences, perform analytics, and, where applicable, support advertising or cross-context measurement. Where required by law, we request your consent before placing non-essential cookies. You may manage cookie preferences using your browser settings and any on-site controls. Blocking certain cookies may affect functionality.

Disclosures and Recipients

We disclose personal data to the following categories of recipients for the purposes described above:

  • Hosting, infrastructure, and security providers.
  • Analytics, measurement, and performance monitoring providers.
  • Email, communications, and customer support service providers.
  • Referral, attribution, and, where applicable, affiliate partners to track outbound clicks and performance metrics.
  • Professional advisors (legal, compliance, accounting) under confidentiality duties.
  • Authorities, regulators, and courts where required by law or to protect rights, safety, or security.
  • Successors in interest in connection with mergers, acquisitions, or reorganization, subject to this Notice’s protections.

We do not disclose personal data to third parties for their own independent marketing without your consent.

International Data Transfers

We are based in the United States and process data on servers located in the U.S. Where GDPR applies and data are transferred from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on appropriate safeguards such as EU Standard Contractual Clauses and implement supplementary measures where appropriate. You may contact us for more information on these safeguards.

Retention

  • Account information: retained for the duration of your account and up to 24 months after closure (or earlier upon verified deletion request), unless a longer period is required by law or for dispute resolution.
  • Price alerts and saved items: retained while active and up to 12 months after last activity.
  • Logs and analytics data: typically 12–24 months, depending on system needs and aggregation.
  • Cookies: retained in accordance with their set lifetimes or until you clear them.
  • Aggregated or de-identified data: retained without time limit where permitted, without re-identification.

Security

We employ administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit, access controls, and risk-based monitoring. No method of transmission or storage is fully secure; we maintain and periodically review our controls to mitigate risks appropriately.

Your Rights Under the GDPR

Where the GDPR applies, you have the following rights, subject to conditions and exceptions:

  • Right of access to your personal data and to receive a copy.
  • Right to rectification of inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”).
  • Right to restriction of processing.
  • Right to data portability.
  • Right to object to processing based on legitimate interests, including profiling; and to object to direct marketing at any time.
  • Right to withdraw consent at any time where processing is based on consent, without affecting lawfulness of processing before withdrawal.
  • Right to lodge a complaint with a supervisory authority in your habitual residence, place of work, or place of alleged infringement.

To exercise your rights, please contact us using the details in the Contact section. We may need to verify your identity and may request additional information to process your request. We will respond within the timeframes required by law.

U.S. State Privacy Disclosures

Residents of certain U.S. states (including California, Colorado, Connecticut, Utah, and Virginia) may have rights such as: access, correction, deletion, portability, and the right to opt out of (i) sales of personal data, (ii) targeted advertising (cross-context behavioral advertising), and (iii) certain profiling. We will not discriminate against you for exercising your rights.

How to exercise U.S. rights: submit a request using the Contact section. If we deny your request (e.g., we cannot verify your identity), you may appeal by replying to our decision with the word “Appeal” in the subject line. If applicable law recognizes a global opt-out preference signal (such as a browser-based global privacy control), we will treat it as a valid request to opt out of sales or sharing for the browser or device that sends the signal, to the extent required by law.

Sale or Sharing of Personal Data and Targeted Advertising

We do not sell personal data for monetary consideration. We may engage in limited “sharing” or “targeted advertising” as defined by certain state laws through cookies or similar technologies for measurement and relevance. Where required, we obtain consent and/or provide an option to opt out. You can adjust your cookie preferences through your browser or any on-site controls and may also contact us to register an opt-out across your account, where applicable.

Automated Decision-Making and Profiling

We do not use automated decision-making that produces legal or similarly significant effects about you. We may use profiling for personalization and analytics to improve content relevance; you can object or opt out where required by law.

Third-Party Websites and Services

Our tools may link to pharmacies, manufacturers, or other third-party sites. Your interactions with those sites are governed by their own policies. We are not responsible for third-party practices; please review their notices before providing data.

Changes to This Notice

We may update this Notice to reflect changes in our practices or legal requirements. Material changes will be indicated by updating the Effective Date and, where appropriate, by providing additional notice. Your continued use of the services after an update signifies acceptance of the revised Notice.

Contact

For questions, to exercise your rights, or to make a request, please contact the controller:

YamRight (Controller): Ariana Vasquez
3500 S Rural Rd, Tempe, AZ 85282, United States
Email: [email protected]
