Rx Vendor Portal
Draft document — version 2026-05-18-DRAFT. Pending legal review.

Privacy Policy

Version: 2026-05-18-DRAFT Last updated: 2026-05-18

DRAFT — pending legal review. This document is a shape-correct template authored as a placeholder for the RX Platform vendor portal Stage 0 signup flow. It does NOT constitute legal advice. The binding version will replace this document after counsel review and re-acknowledgment will be required.

1. Introduction

This Privacy Policy describes how [PLACEHOLDER: Legal Entity Name] (the "Company", "we", "us") collects, uses, and discloses information when you use the RX Platform (the "Platform"), including the vendor portal and the public storefronts deployed through it.

This policy applies to:

  • Vendors (healthcare practices using the Platform to operate

    • storefronts).

  • End users (patients) interacting with vendor storefronts.
  • Visitors to the Company's marketing pages.

2. Information We Collect

2.1 Information You Provide

  • Account information — Email, password (hashed), practice

    • display name, phone number.

  • Practice profile — Legal entity name, EIN, address, hours of

    • operation, regulatory IDs (DEA, NPI, state licenses).

  • Storefront content — Business description, logo, product

    • selections, retail pricing.

  • Payment information — Credit card details (handled by our

    • PCI-DSS-compliant payment processor; we do not store full card numbers).

  • Legal acceptances — Timestamps and IP addresses for ToS / BAA

    • / Privacy acceptance.

2.2 Information Collected Automatically

  • Usage data — Pages visited, actions taken, AI prompts and

    • generation outcomes.

  • Device data — IP address, browser type, operating system.
  • Cookies — Session cookies for authentication; preference

    • cookies for UI state.

2.3 Protected Health Information (PHI)

For vendor accounts, the Platform handles PHI under the terms of the Business Associate Agreement (BAA) executed at signup. PHI handling is governed by the BAA, not by this Privacy Policy.

3. How We Use Information

We use collected information to:

  • Provide, maintain, and improve the Platform.
  • Process payments and manage billing.
  • Generate AI-driven storefront content based on the vendor's

    • business description and product selections.

  • Detect, prevent, and address fraud, security, and technical issues.
  • Comply with legal obligations (DSCSA, HIPAA, tax reporting).
  • Communicate with vendors about service updates, billing, and

    • support.

4. How We Share Information

We do NOT sell your personal information. We share information only:

  • With service providers — Cloud hosting (OVH), CDN (Cloudflare),

    • authentication, AI inference (Anthropic), payment processing (Tycoon), each under contractual confidentiality and data-handling obligations.

  • With pharmacy/3PL fulfillment partners — As necessary to

    • fulfill patient prescriptions ordered through your storefront.

  • For legal reasons — In response to subpoenas, court orders,

    • or other legal processes; to protect rights, property, or safety.

  • In business transfers — In the event of a merger, acquisition,

    • or sale of assets, with notice to affected parties.

5. Data Retention

We retain account information for the duration of your relationship with the Platform plus [PLACEHOLDER: retention period, e.g., 7 years] for regulatory audit purposes (DSCSA, HIPAA Right of Access).

Storefront content is retained while the storefront is active and for [PLACEHOLDER: wind-down period, e.g., 30 days] after termination.

PHI retention follows the BAA and applicable record-retention laws.

6. Security

We implement industry-standard security measures including:

  • TLS 1.2+ encryption in transit.
  • AES-256 encryption at rest.
  • Role-based access controls (RBAC).
  • Audit logging of sensitive operations.
  • Regular security reviews and penetration testing.

No security measure is perfect; in the event of a breach affecting your data, we will notify you in accordance with applicable law and the BAA.

7. Your Rights

Depending on your jurisdiction, you may have rights including:

  • Access — Request a copy of the personal information we hold

    • about you.

  • Correction — Request that we correct inaccurate information.
  • Deletion — Request deletion of your account and associated

    • data, subject to legal retention requirements.

  • Portability — Request a copy of your data in a structured,

    • machine-readable format.

  • Objection — Object to processing of your personal information

    • for certain purposes.

To exercise these rights, contact us at [PLACEHOLDER: [email protected]].

8. Children's Privacy

The Platform is intended for use by licensed healthcare practices and their adult patients. We do not knowingly collect information from children under 13. Patient minors' data on vendor storefronts is handled under the vendor's responsibility and the BAA.

9. International Transfers

The Platform's infrastructure is hosted in the United States. If you access the Platform from outside the U.S., your information may be transferred to and processed in the U.S.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email and an in-app banner at least [PLACEHOLDER: 30 days] before the effective date.

11. Contact

For privacy questions or to exercise your rights: [PLACEHOLDER: [email protected]]

This document is a placeholder pending legal review.

RX Platform· developer-dev