Privacy Policy
Effective Date: March 1, 2026
Rxperts Pharmacy Compliance ("Rxperts," "we," "us," or "our") is committed to protecting the privacy and security of your information, including Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This Privacy Policy describes how we collect, use, store, and protect your information when you use our platform.
1. Information We Collect
Account Information: Name, email address, phone number, and role when you create an account.
Pharmacy Information: Pharmacy name, NPI number, DEA number, state license number, address, and contact details.
Protected Health Information (PHI): In the course of providing compliance services, we may process PHI including but not limited to:
- Employee names, credentials, and license information
- OIG exclusion screening results
- Compliance assessment data
- Training completion records
- Documents uploaded to the Document Vault
Usage Data: IP address, browser type, pages visited, and timestamps for audit logging and security purposes.
Payment Information: Billing details processed securely through Stripe. We do not store credit card numbers on our servers.
2. How We Use Your Information
We use your information to:
- Provide pharmacy compliance consulting and mock inspection services
- Generate compliance checklists, reports, and certificates
- Conduct OIG exclusion screenings and credential verification
- Send expiration alerts, compliance notifications, and training reminders
- Process payments and manage subscriptions
- Maintain audit logs as required by HIPAA
- Improve platform functionality and user experience
3. PHI Handling and Safeguards
As a Business Associate under HIPAA, we implement the following safeguards:
Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HSTS (HTTP Strict Transport Security) on all connections.
Encryption at Rest: All data stored in our database is encrypted using AES-256 encryption at the infrastructure level.
Access Controls: We enforce role-based access control (RBAC) with four distinct permission levels. Row-level security policies isolate pharmacy data so that each organization can only access its own records.
Audit Logging: All access to PHI is logged in an immutable, tamper-evident audit trail using cryptographic chain hashing (SHA-256). Audit logs cannot be modified or deleted.
Minimum Necessary Standard: Our platform is designed to limit PHI access to the minimum amount necessary for each user to perform their role.
Session Security: Authenticated sessions automatically expire after 30 minutes of inactivity. Users receive a warning before automatic sign-out.
Backup and Recovery: Database backups are performed daily, encrypted with AES-256-GCM, and retained for 30 days.
4. Third-Party Services
We use the following third-party services to operate our platform. Where these services process PHI, we maintain Business Associate Agreements (BAAs) as required by HIPAA:
- Clerk - Authentication and user management
- Supabase - Database hosting and file storage
- Stripe - Payment processing (PCI-DSS Level 1 compliant)
- Resend - Transactional email delivery
- Vercel - Application hosting and deployment
We do not sell, rent, or share your information with third parties for marketing purposes.
5. Data Retention
We retain your information for as long as your account is active or as needed to provide services. Specific retention periods include:
- Account data: Retained while the account is active; deleted within 30 days of account closure upon request
- Audit logs: Retained for a minimum of 6 years as required by HIPAA
- Compliance records: Retained for the duration of the business relationship plus 6 years
- Payment records: Retained as required by tax and financial regulations
You may request deletion of your data at any time by contacting us. We will comply within 30 days, except where retention is required by law.
6. Your Rights
Under HIPAA and applicable state laws, you have the right to:
- Access: Request a copy of your PHI that we maintain
- Amendment: Request corrections to inaccurate PHI
- Accounting of Disclosures: Request a record of when and to whom your PHI has been disclosed
- Restriction: Request restrictions on certain uses or disclosures of your PHI
- Confidential Communications: Request that we communicate with you through a specific channel or at a specific location
To exercise any of these rights, contact us at compliance@rx-perts.com.
7. Security Measures
In addition to the PHI safeguards described above, we implement:
- Content Security Policy (CSP) headers to prevent cross-site scripting
- Rate limiting on all API endpoints to prevent abuse
- Webhook signature verification for all third-party integrations
- Input validation and parameterized queries to prevent injection attacks
- File upload restrictions with MIME type validation and size limits
- Signed URLs with time-limited access for document downloads
8. Breach Notification
In the event of a breach of unsecured PHI, we will notify affected individuals and the U.S. Department of Health and Human Services (HHS) in accordance with the HIPAA Breach Notification Rule. Notification will be provided without unreasonable delay and no later than 60 days following discovery of the breach.
Breach notifications will include a description of the breach, the types of information involved, recommended steps for affected individuals, a description of our investigation and mitigation actions, and contact information for further inquiries.
9. Contact Information
For privacy inquiries, data requests, or to report a concern:
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a notice on our platform at least 30 days before the changes take effect. Your continued use of the platform after changes become effective constitutes acceptance of the revised policy.