How we handle your data.
TheRxOS is a pharmacy analytics platform. We work with Protected Health Information under HIPAA and only on the terms in our Business Associate Agreement. This page tells you exactly what that means in plain English.
Last updated: 2026-05-09
01 What we collect
Once you sign a Business Associate Agreement (BAA) with us, your pharmacy hands us claims data. That includes:
- Pharmacy dispensing data — fills, refills, drug NDCs, days' supply, dispense dates, your NPI/NCPDP, your pharmacy's identifiers.
- Patient identifiers — names, dates of birth, addresses, plan IDs. This is PHI. It comes in because we need it to find opportunities tied to specific patients (a missed refill, an interaction, a switch that pays better).
- Prescriber information — names, NPIs, contact info from the claims.
- Payer data — BIN/PCN/group, plan name, paid amounts, copays, ingredient costs, dispensing fees, DIR fees if they're in the claim.
- Account info — your name, email, phone, pharmacy name, login credentials. This is the only thing you type in directly.
The scope is whatever your BAA says. If your BAA limits us to a subset, that's the subset we get.
02 What we do with it
Three things, all on behalf of your pharmacy:
- Analytics — calculating your real economics, claim by claim. Margin, DIR exposure, payer mix, prescriber concentration, the actual unit economics most pharmacies have never seen on their own data.
- Opportunity identification — finding the dollars hiding in your file. Therapeutic switches that pay better, MTM cases, vaccines you're qualified to bill, refill gaps, billing errors, contract terms PBMs aren't honoring.
- Audit and compliance support — when a PBM audits you, your data is already structured to defend yourself. We don't represent you in an audit, but the analytics make the response faster.
That's it. We don't use your data to train models for sale, build industry benchmarks we sell back to PBMs, or run market research for pharma manufacturers. The BAA forbids most of that anyway, and even where it wouldn't, we won't.
03 Who we share it with
No one. We don't sell data. We don't share it with third parties for their purposes. Period.
The only exceptions are:
- Subprocessors that run the platform — Supabase (database and auth), our cloud infrastructure provider, our email vendor for transactional notifications. These are bound by their own BAAs with us. They process data so the product works, not for their own use.
- You — we send you your own data, your own reports, and your own opportunity lists. Obviously.
- Legal compulsion — if a court orders it, we comply, and we'll tell you unless we're legally barred from doing so.
We're forming as a Public Benefit Corporation specifically so that "we don't sell pharmacy data" can't be quietly changed by a future board.
04 Where it lives
- Storage — Supabase, on US-based infrastructure. We do not replicate or store data outside the United States.
- Encryption at rest — AES-256 at the database layer.
- Encryption in transit — TLS 1.2+ on every connection.
- Access controls — role-based, least-privilege. Stanley is the only person with production database access today; that expands only with documented training and access review.
- Audit logging — every access to PHI is logged. Logs are kept for six years per HIPAA.
05 HIPAA compliance
TheRxOS operates as a Business Associate under HIPAA. Concretely that means:
- We sign a BAA with every pharmacy before any PHI moves. Not optional, not negotiable away.
- We follow the HIPAA Security Rule: administrative, physical, and technical safeguards documented and reviewed.
- We follow the Privacy Rule: PHI is used only for the purposes in the BAA.
- We follow the Breach Notification Rule: if there's a breach, you hear from us within 60 days, with the facts.
- Our subprocessors sign BAAs with us where they touch PHI. We don't move PHI to a vendor without one.
If you want a copy of our security documentation or our subprocessor list, email us. We send it.
06 How long we keep it
- While you're a customer — for as long as you use the platform.
- After you cancel — within 30 days of cancellation, you choose: we delete your data, or we return it to you in a portable format and then delete it. Default is delete.
- Audit logs — kept for six years per HIPAA, even after the underlying PHI is deleted. The logs themselves don't contain the patient data, just the access record.
- Account info (your name, email) — kept while we have a business relationship; deleted on request after that.
07 Your rights
You can ask us to:
- Show you what data we hold.
- Correct anything that's wrong.
- Export your data.
- Delete your data (subject to the HIPAA-required retention windows above).
Email Stanley directly. We turn these around in days, not months.
08 Changes to this policy
If we change anything material — what we collect, who we share it with, where it lives — we'll email every active customer before the change takes effect, and update the date at the top of this page. We don't quietly broaden things.
09 Contact
Privacy questions, breach reports, BAA requests, audit follow-ups — all go to Stanley directly. There is no privacy-team inbox; there is one person, and it's him.