Privacy Policy
Effective Date: May 2026 · Last Updated: May 19, 2026
Introduction
RXNexusFlow ("Company," "we," "us," "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services, including our website and platform.
1. Information We Collect
We collect information you voluntarily provide (pharmacy name, email, phone, business information) and information automatically generated during your use (IP address, browser type, pages viewed, referral source).
Health Information: When you use RXNexusFlow to manage pharmacy deliveries, we process Protected Health Information (PHI) as defined under HIPAA (US) and personal health information under PIPEDA and Quebec Law 25 (Canada). We treat all health data as highly sensitive and apply stringent controls. Patient data (address, delivery notes) is treated with the same rigor as prescription data.
2. Legal Basis for Processing
United States: We process PHI as a HIPAA Business Associate under covered entity and pharmacy contracts. Processing is authorized by treatment, payment, and healthcare operations.
Canada (Federal PIPEDA): Processing is authorized by consent and legitimate business interest (pharmacy delivery operations). You retain the right to withdraw consent at any time.
Quebec (Law 25): We comply with Quebec's heightened privacy standards. Processing is authorized by explicit consent for PHI and legitimate organizational interests for non-health data. You have the right to access, correct, and delete your data within applicable legal timeframes.
3. How We Use Your Information
- Delivery Operations: To process pharmacy delivery orders, assign drivers, coordinate logistics, and provide tracking to patients.
- Pharmacy Management: To authenticate pharmacy staff, manage tenant subscriptions, and maintain account security.
- Compliance: To maintain audit logs, satisfy regulatory requirements, and defend against fraud.
- Analytics: To improve service quality and measure platform performance (using de-identified data only).
- Driver Background Checks: We share name and contact info with Certn (Canada) and Sterling (USA) for background verification required by insurance.
4. Data Retention
We retain delivery and patient data in accordance with regulatory requirements:
- US (HIPAA): Minimum 6 years from date of service
- Canada (PIPEDA/Law 25): Minimum 7 years from date of service
- Audit Logs: 10 years (both jurisdictions)
Account data is retained for the duration of your subscription and 1 year thereafter for dispute resolution.
5. Data Security
We employ industry-leading controls to protect your data:
- Encryption: TLS 1.3 in transit, AES-256 at rest
- Jurisdictional Isolation: US patient data remains in us-east-1; Canadian data in ca-central-1
- Access Controls: Role-based access, principle of least privilege (drivers never see drug names or dosages)
- Logging: Comprehensive audit trail; tamper-evident (hash-chained) for compliance verification
- Business Associate Agreements: All subprocessors sign BAAs per HIPAA
6. Sharing and Disclosure
We do not sell your data. We share information only when necessary to deliver the service:
- Drivers: We share patient address and delivery instructions with assigned drivers (not drug names or dosages)
- Patients: We provide tracking and status updates directly to end patients
- Background Check Providers: Name and contact info for driver verification (Certn, Sterling)
- Customs Brokers: For cross-border deliveries, we share address and destination pharmacy with customs brokers
- Legal Compliance: We disclose data when required by law (court order, subpoena) after notification where legally permissible
- Business Transfers: In the event of an acquisition, data transfers apply; you will be notified
7. Your Rights
HIPAA (US Patients): Right to access, amend, receive an accounting of disclosures, and request restrictions.
PIPEDA (Canadian Individuals): Right to know about and challenge collection, use, and disclosure. Right to access and correct personal information.
Quebec Law 25: Enhanced rights including access, correction, deletion, and data portability. Requests processed within 30 days of receipt.
To exercise your rights, contact us at privacy@rxnexusflow.com.
8. Cookies and Tracking
We use essential cookies for authentication and session management. Non-essential cookies are used only with your consent. You may disable non-essential cookies in your browser settings at any time.
9. Third-Party Links
Our site contains links to third-party services (Auth0, Stripe, etc.). We are not responsible for their privacy practices. We recommend reviewing their privacy policies before sharing your data.
10. Children's Privacy
RXNexusFlow is not directed at individuals under 18. We do not knowingly collect information from minors. If we become aware of such collection, we will delete the data immediately.
11. Policy Updates
We may update this policy periodically. Material changes will be communicated via email. Your continued use of RXNexusFlow constitutes acceptance of the updated policy.
12. Contact Us
For privacy questions or to exercise your rights, contact our Privacy Officer:
Email: privacy@rxnexusflow.com
Mail: RXNexusFlow, Toronto, Ontario, Canada