Privacy Policy

How RxFortis collects, uses, stores, and protects your information — in plain language.

📅 Effective Date: March 12, 2026
🔄 Last Updated: March 12, 2026
📄 Version: 1.0
⚖️ Jurisdiction: United States

✅ Uploaded pharmacy data is automatically deleted after 7 days.
✅ We do not sell your data — ever.
✅ We use your data only to operate the Service you subscribed to.
✅ You can request deletion of your account information at any time.

Contents

  1. Introduction & Scope
  2. Information We Collect
  3. How We Use Your Information
  4. 7-Day Data Deletion Policy
  5. How We Share Your Information
  6. Data Retention Schedule
  7. Data Security
  8. HIPAA & Healthcare Data
  9. Cookies & Tracking
  10. Your Privacy Rights
  11. Children's Privacy
  12. Third-Party Links
  13. CCPA / CPRA Notice
  14. International Users
  15. Updates to This Policy
  16. Contact Us
Plain-Language Summary: RxFortis is a pharmacy data and compliance platform. We collect account and pharmacy data solely to deliver our services. We do not sell your data. All uploaded pharmacy data is automatically deleted after 7 days. We follow HIPAA where applicable and you have full rights over your data.

01 Introduction & Scope

RxFortis.com ("RxFortis," "we," "us," or "our") is committed to protecting the privacy and security of your information. This Privacy Policy describes how we collect, use, store, protect, and handle information obtained from or about you when you access or use the RxFortis.com platform, website, and all related services (collectively, the "Service").

This Policy applies to all users of the Service, including pharmacy owners, operators, staff, and any other individuals or entities who access the Service in any capacity ("you" or "User"). This Policy is incorporated into and governed by our Terms of Service.

By using the Service, you acknowledge that you have read and understood this Privacy Policy and consent to the practices described herein. If you do not agree with this Policy, you must not use the Service.

02 Information We Collect

We collect only the information necessary to provide you with the Service.

2.1 Information You Provide to Us

| Category | Examples |
|---|---|
| Account Registration | Name, business name, pharmacy name, email address, phone number, billing address, and password. |
| Payment Information | Billing details and credit/debit card numbers processed by our third-party payment processor. Payment card data is not stored on RxFortis servers. |
| Business Profile | Pharmacy license numbers, DEA registration numbers, NPI numbers, and other professional identifiers. |
| Uploaded Pharmacy Data | Claims data, NDC records, supplier purchase records, PBM remittance data, and other files uploaded for analysis. Automatically deleted after 7 days. |
| Fortis Vault Documents | Licenses, certifications, insurance certificates, PBM contracts, and other documents stored in the Fortis Vault feature. |
| Support & Communications | Messages, emails, and correspondence you send to us, including support tickets and feedback. |

2.2 Information Collected Automatically

  • Log Data: IP address, browser type and version, operating system, referring URLs, pages viewed, and timestamps of access.
  • Device Information: Device type, screen resolution, and unique device identifiers.
  • Usage Data: Features accessed, frequency and duration of use, actions taken within the Service, and error reports.
  • Cookies and Similar Technologies: As described in Section 9 of this Policy.

2.3 Information We Do NOT Collect

Minimum Data Principle: RxFortis is designed to operate with the minimum information necessary. We do not intentionally collect Protected Health Information (PHI) without a BAA, patient-identifiable records, Social Security numbers, government-issued ID numbers, biometric data, or any sensitive personal information not required to operate the Service.

03 How We Use Your Information

RxFortis uses your information solely for the purposes described below. We do not use your information for any purpose that is incompatible with these stated purposes without your explicit consent.

3.1 To Operate and Deliver the Service

  • Process and analyze Uploaded Pharmacy Data to generate NDC discrepancy reports and audit risk assessments.
  • Operate and maintain the Fortis Vault document storage and renewal reminder features.
  • Authenticate your identity and maintain your account.
  • Process payments and manage your subscription.
  • Enforce our Terms of Service and this Privacy Policy.

3.2 To Communicate With You

  • Send transactional communications, including account confirmations, invoices, renewal notices, and security alerts.
  • Respond to your support requests, questions, and feedback.
  • Send Fortis Vault document expiration and renewal reminders.
  • Notify you of updates to our Terms of Service or this Privacy Policy.
  • Send product and service-related announcements that you may opt out of at any time.

3.3 To Improve and Secure the Service

  • Monitor and analyze usage patterns to improve Service functionality and user experience.
  • Detect, prevent, and respond to fraud, security incidents, and technical issues.
  • Conduct internal research and development using aggregated, de-identified data only.
  • Troubleshoot errors and diagnose technical problems.

3.4 To Comply With Legal Obligations

  • Comply with applicable laws, regulations, and lawful governmental requests.
  • Respond to valid legal process, including court orders, subpoenas, and warrants.
  • Establish, exercise, or defend legal claims.

04 The 7-Day Uploaded Data Deletion Policy

Core Architectural Commitment: All pharmacy data you upload to RxFortis — including claims data, NDC records, supplier purchase data, and PBM remittance information — is automatically and permanently deleted from our systems within seven (7) calendar days of upload. This is a core architectural commitment, not merely a policy preference.

4.1 What This Covers

The 7-day deletion policy applies to all Uploaded Pharmacy Data you submit to the Service, including:

  • Prescription claims files and PBM submission records;
  • NDC billing and purchase reconciliation data;
  • Supplier purchase invoices and records;
  • DIR fee reports and PBM remittance data;
  • Any other pharmacy operational data files you upload for analysis.

4.2 What This Does NOT Cover

The following categories of data are governed by their own retention terms and are not subject to the 7-day deletion policy:

  • Account registration and profile information (retained for the duration of your account plus a reasonable wind-down period);
  • Billing and payment records (retained for seven years for tax and accounting compliance);
  • Fortis Vault documents (retained until you delete them or your account is terminated);
  • System logs, audit trails, and security records (retained as necessary for security and legal compliance);
  • Aggregated, de-identified data derived from your usage (contains no personally identifiable or pharmacy-identifiable information).

4.3 Deletion Is Irreversible

Important: Once your Uploaded Pharmacy Data is deleted, it cannot be recovered by you, by RxFortis, or by any third party. You are solely responsible for exporting all reports and outputs you need before the 7-day window expires, maintaining permanent copies outside the Service, and ensuring your own compliance with applicable data retention obligations.

4.4 Why We Have This Policy

The 7-day deletion policy reflects our commitment to minimizing the exposure and risk associated with holding sensitive pharmacy data. By not retaining your uploaded data beyond what is necessary for analysis, we protect your competitive intelligence and limit the potential impact of any security incident.

05 How We Share Your Information

RxFortis does not sell, rent, lease, trade, or otherwise commercially disclose your personal information or Uploaded Pharmacy Data to any third party, under any circumstances.

5.1 We Do Not Share With the Following

RxFortis will NEVER voluntarily share your data with:

  • Pharmacy Benefit Managers (PBMs) or their affiliates;
  • Insurance companies, health plans, or their agents;
  • Government agencies (including CMS, DEA, or state pharmacy boards), except as compelled by valid legal process;
  • Competitor pharmacy analytics or audit platforms;
  • Advertisers, marketing companies, or data brokers;
  • Other pharmacies or pharmacy networks;
  • Any third party for commercial purposes of any kind.

5.2 Legally Compelled Disclosure

We may disclose your information to a third party only when legally required. When this occurs, RxFortis will:

  • Provide you with prompt prior written notice of the request, to the extent permitted by law;
  • Cooperate with your reasonable efforts to contest or limit the scope of disclosure;
  • Disclose only the minimum information required by the legal process;
  • Maintain a record of all legally compelled disclosures.

5.3 Aggregated, De-Identified Data

RxFortis may use and share aggregated, de-identified, and anonymized data derived from user activity for internal research, product improvement, and business analytics. This data is processed in a manner that removes all personally identifiable and pharmacy-identifiable information, and cannot reasonably be used to identify any individual user, patient, or pharmacy.

5.4 Service Providers — Internal Operations Only

RxFortis engages a limited number of carefully vetted third-party service providers solely to support internal operations (cloud infrastructure, payment processing, email delivery). These providers are contractually prohibited from using your data for any other purpose and must implement security standards no less protective than those described in this Policy. You may request a list of current sub-processors at privacy@rxFortis.com.

5.5 Business Transfers

In the event of a merger, acquisition, or sale of substantially all assets, your information may be transferred to the successor entity. You will be notified prior to any transfer, the successor entity will be required to honor this Privacy Policy, and you will have the opportunity to delete your account before any transfer occurs.

06 Data Retention Schedule

We retain different categories of information for different periods, based on the purpose of collection and applicable legal requirements.

| Data Category | Retention Period | Status |
|---|---|---|
| Uploaded Pharmacy Data (claims, NDC, PBM, supplier data) | 7 calendar days from upload | Auto-Deleted |
| Account & Profile Information | Duration of account + 90 days after closure | Active Account |
| Fortis Vault Documents | Until deleted by you, or 30 days after account closure | User Controlled |
| Billing & Payment Records | 7 years from transaction date (tax & legal compliance) | Legal Hold |
| Communication Records (support tickets, emails) | 3 years from last interaction | Retained |
| System & Security Logs | 12 months | Retained |
| Usage & Analytics Data (de-identified) | Up to 36 months from collection | Retained |
| Legal Hold Data | Duration of legal proceedings + applicable statute of limitations | Legal Hold |

When retention periods expire, data is permanently deleted or irreversibly de-identified. We do not archive data beyond the periods listed above.

07 Data Security

RxFortis implements and maintains a comprehensive set of technical, administrative, and physical safeguards designed to protect your data from unauthorized access, disclosure, alteration, or destruction.

7.1 Technical Safeguards

  • Encryption of data in transit using TLS 1.2 or higher for all communications;
  • Encryption of data at rest using AES-256 encryption for stored files and databases;
  • Role-based access controls limiting employee access to those with a demonstrated business need;
  • Multi-factor authentication requirements for all RxFortis employee access to production systems;
  • Regular vulnerability scanning, penetration testing, and security assessments;
  • Network segmentation, firewalls, and intrusion detection systems;
  • Automated monitoring and alerting for anomalous access patterns.

7.2 Administrative Safeguards

  • Background checks and privacy training for all employees with access to user data;
  • Binding confidentiality agreements with all employees and contractors;
  • Documented incident response and data breach notification procedures;
  • Regular security policy review and updates;
  • Vendor due diligence and security assessments for all third-party sub-processors.

7.3 Breach Notification

No method of internet transmission or electronic storage is completely secure. In the event of a confirmed data breach affecting your personal information or Uploaded Pharmacy Data, we will notify you without undue delay as required by applicable law, and in no event later than seventy-two (72) hours after we become aware of the breach.

7.4 Your Role in Security

You are responsible for maintaining the security of your account credentials. We strongly recommend that you use a strong, unique password, enable multi-factor authentication, and notify us immediately at security@rxFortis.com if you suspect unauthorized access to your account.

08 HIPAA, Healthcare Data & Business Associate Agreements

HIPAA Commitment: RxFortis is committed to operating in compliance with the Health Insurance Portability and Accountability Act (HIPAA) to the extent applicable. A Business Associate Agreement (BAA) is required before uploading any Protected Health Information.

8.1 BAA Requirement

If your use of the Service involves or may involve the transmission or processing of Protected Health Information (PHI) as defined under HIPAA (45 C.F.R. § 160.103), you must execute a Business Associate Agreement (BAA) with RxFortis before uploading any such data. To request a BAA, contact privacy@rxFortis.com. We will not process PHI without an executed BAA in place.

8.2 De-Identification Obligation

If you upload pharmacy data that may contain PHI and have not executed a BAA, you must de-identify all such data prior to upload in accordance with the Safe Harbor or Expert Determination methods set forth in 45 C.F.R. § 164.514(b). Uploading PHI without a BAA constitutes a breach of our Terms of Service and may expose you to HIPAA liability.

8.3 Minimum Necessary Standard

RxFortis applies the HIPAA Minimum Necessary standard to all handling of PHI under an executed BAA. This means we access, use, and disclose PHI only to the extent minimally necessary to perform our obligations under the BAA and deliver the Service.

09 Cookies & Tracking Technologies

9.1 What We Use

  • Strictly Necessary Cookies: Required for the Service to function, including authentication tokens and session management. These cannot be disabled.
  • Functional Cookies: Remember your preferences such as language settings and UI configurations.
  • Analytics Cookies: Help us understand how users interact with the Service so we can improve it. We use privacy-preserving analytics tools that do not fingerprint individual users. You may opt out of these.

9.2 What We Do NOT Use

RxFortis does NOT use advertising or behavioral tracking cookies, third-party social media tracking pixels, cross-site tracking technologies, or any cookies or technologies designed to track you outside of the RxFortis platform.

9.3 Managing Cookies

You can control and manage cookies through your browser settings. However, disabling strictly necessary cookies may prevent you from using the Service. To opt out of analytics cookies, contact privacy@rxFortis.com or adjust your browser settings.

10 Your Privacy Rights

Depending on your location and applicable law, you may have some or all of the following rights with respect to your personal information.

👁 Right to Access

Request a copy of the personal information we hold about you. We respond within 30 days of a verified request.

✏️ Right to Correction

Request correction of inaccurate or incomplete information. Most account info can be corrected directly in your account settings.

🗑 Right to Deletion

Request deletion of your account and personal information within 30 days, subject to legal retention requirements.

📦 Right to Portability

Receive a copy of your account information in a structured, machine-readable format.

🚫 Right to Restrict Processing

Request that we restrict processing of your information in certain circumstances.

⚖️ Right to Object

Object to our processing or opt out of marketing communications at any time.

How to Exercise Your Rights: Email privacy@rxFortis.com with subject line "Privacy Rights Request — [Your Name / Pharmacy Name]." We will verify your identity and respond within thirty (30) days. If we cannot fulfill your request, we will explain why.

11 Children's Privacy

The Service is designed for use by businesses and licensed pharmacy professionals and is not intended for individuals under the age of eighteen (18). We do not knowingly collect personal information from minors. If you believe we have inadvertently collected information from a minor, please contact us immediately at privacy@rxFortis.com and we will delete such information promptly.

12 Third-Party Links & Integrations

The Service may contain links to third-party websites, services, or integrations, including pharmacy management systems, clearinghouses, or supplier platforms. RxFortis is not responsible for the privacy practices or content of any third-party service. We encourage you to review the privacy policies of any third party before submitting information to them. The presence of a third-party link or integration does not constitute RxFortis's endorsement of that third party's privacy practices.

13 Do Not Sell or Share — CCPA / CPRA Notice

For users in California, this section applies in addition to the rest of this Policy.

RxFortis does not sell personal information as defined under the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), and has not done so in the preceding twelve (12) months. RxFortis does not share personal information for cross-context behavioral advertising.

California residents have the right to:

  • Know what categories of personal information we collect and why;
  • Access the specific pieces of personal information we hold about them;
  • Request deletion of their personal information;
  • Correct inaccurate personal information;
  • Opt out of the sale or sharing of personal information (though we do not engage in such practices);
  • Non-discrimination for exercising their privacy rights.

To submit a CCPA rights request, contact privacy@rxFortis.com with the subject line "CCPA Request." We will respond within forty-five (45) days as required by law.

14 International Users

RxFortis is operated in the United States and is intended primarily for US-based pharmacy businesses. If you access the Service from outside the United States, you acknowledge that your information may be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.

By using the Service, you consent to such transfer and processing. Where required by applicable law, we will implement appropriate safeguards for international data transfers, such as Standard Contractual Clauses or similar mechanisms.

15 Updates to This Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time. When we make material changes, we will:

  • Post the updated Policy at rxFortis.com/privacy with a revised "Last Updated" date;
  • Notify you by email at the address associated with your account;
  • Provide a prominent in-app notification for material changes;
  • Where required by law, obtain your consent before changes take effect.

Your continued use of the Service after the effective date of any updated Policy constitutes your acceptance of the changes. If you do not agree with an updated Policy, you must stop using the Service and may request deletion of your account.

16 Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

RxFortis.com — Privacy Office

We acknowledge all inquiries within 5 business days and respond substantively within 30 days.

privacy@rxFortis.com security@rxFortis.com

Website: www.rxFortis.com/privacy

Legal Disclaimer: This Privacy Policy has been prepared as a comprehensive framework. RxFortis recommends that this document be reviewed and approved by a licensed attorney in your jurisdiction before it is published or made effective. This document does not constitute legal advice.

Effective Date: March 12, 2026  |  Version 1.0  |  © RxFortis.com. All rights reserved.
