Privacy Policy
Effective Date: May 2026 · Last Updated: May 19, 2026
Introduction
PharmaLink MD ("Company," "we," "us," "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services, including our website and platform.
1. Information We Collect
We collect information you voluntarily provide (name, email, phone, healthcare credentials) and information automatically generated during your use (IP address, browser type, pages viewed, referral source).
Health Information: When you use PharmaLink MD to route prescriptions, we process Protected Health Information (PHI) as defined under HIPAA (US) and personal health information under PIPEDA and Quebec Law 25 (Canada). We treat all health data as highly sensitive and apply stringent controls.
2. Legal Basis for Processing
United States: We process PHI as a HIPAA Business Associate under covered entity contracts. Processing is authorized by treatment, payment, and healthcare operations.
Canada (Federal PIPEDA): Processing is authorized by consent and legitimate business interest (prescription routing). You retain the right to withdraw consent at any time.
Quebec (Law 25): We comply with Quebec's heightened privacy standards. Processing is authorized by explicit consent for PHI and legitimate organizational interests for non-health data. You have the right to access, correct, and delete your data within applicable legal timeframes.
3. How We Use Your Information
- Prescription Routing: To process cross-border prescriptions, verify prescriber credentials, and coordinate with pharmacies.
- Service Operations: To authenticate users, maintain account security, and provide customer support.
- Compliance: To maintain audit logs, satisfy regulatory requirements, and defend against fraud.
- Analytics: To improve service quality and measure platform performance (using de-identified data only).
4. Data Retention
We retain prescription data in accordance with regulatory requirements:
- US (HIPAA): Minimum 6 years from date of service
- Canada (PIPEDA/Law 25): Minimum 7 years from date of service
- Audit Logs: 10 years (both jurisdictions)
Account data is retained for the duration of your subscription and 1 year thereafter for dispute resolution.
5. Data Security
We employ industry-leading controls to protect your data:
- Encryption: TLS 1.3 in transit, AES-256 at rest
- Jurisdictional Isolation: US patient data remains in us-east-1; Canadian data in ca-central-1
- Access Controls: Role-based access, principle of least privilege
- Logging: Comprehensive audit trail; tamper-evident (hash-chained) for compliance verification
- Business Associate Agreements: All subprocessors sign BAAs per HIPAA
6. Sharing and Disclosure
We do not sell your data. We share information only when necessary to deliver the service:
- Pharmacy Partners: We share prescription details to coordinate dispensing (with your consent embedded in the prescription flow)
- Delivery Partners: We share patient address and delivery instructions with RXNexusFlow (our owned delivery service) only when you request delivery
- Legal Compliance: We disclose data when required by law (court order, subpoena) after notification where legally permissible
- Business Transfers: In the event of an acquisition, data transfers apply; you will be notified
7. Your Rights
HIPAA (US Patients): Right to access, amend, receive accounting of disclosures, and request restrictions.
PIPEDA (Canadian Individuals): Right to know about and challenge collection, use, and disclosure. Right to access and correct personal information.
Quebec Law 25: Enhanced rights including access, correction, deletion, and data portability. Requests processed within 30 days of receipt.
To exercise your rights, contact us at privacy@medescript.com.
8. Cookies and Tracking
We use essential cookies for authentication and session management. Non-essential cookies are used only with your consent. You may disable non-essential cookies in your browser settings at any time.
9. Third-Party Links
Our site contains links to third-party services (Auth0, Stripe, etc.). We are not responsible for their privacy practices. We recommend reviewing their privacy policies before sharing your data.
10. Children's Privacy
PharmaLink MD is not directed at individuals under 18. We do not knowingly collect information from minors. If we become aware of such collection, we will delete the data immediately.
11. Policy Updates
We may update this policy periodically. Material changes will be communicated via email. Your continued use of PharmaLink MD constitutes acceptance of the updated policy.
12. Contact Us
For privacy questions or to exercise your rights, contact our Privacy Officer:
Email: privacy@medescript.com
Mail: MedEScript Inc., Toronto, Ontario, Canada