MedXFill

Privacy Policy

How MedXFill collects, uses, shares, stores, and protects personal information and protected health information.

Last Updated: April 6, 2026
Effective Date: April 6, 2026

At a glance

  • Information categories MedXFill may collect
  • How data is used, shared, retained, and protected
  • Where to send privacy, HIPAA, and rights requests


Overview

Privacy, stated more simply.

This page explains the personal, health, usage, and communication data MedXFill handles, why it is used, who may receive it, and the rights available to patients, customers, and providers.

What we collect

MedXFill may collect account details, health information, communication records, payment data, usage data, and cookie-based analytics.

How it is used

Information is used to deliver services, support orders and consultations, protect security, improve the platform, and meet legal obligations.

Your rights

The policy outlines HIPAA rights, privacy requests, deletion limits, marketing opt-outs, and where to direct privacy complaints.

This summary highlights the main points only. The full Privacy Policy and HIPAA notice below remain the controlling language.

Introduction

Welcome to MedXFill ("we," "us," "our," "Platform"). We are committed to protecting your privacy and securing your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Platform.

By using the Platform, you consent to the practices described in this Privacy Policy.

1. Information We Collect

1.1 Personal Information

Information you provide directly:
- Account Information: Name, email address, phone number, date of birth, mailing address
- Profile Information: Username, password, profile photo, preferences
- Identity Verification: Government-issued ID, Social Security Number (for healthcare providers)
- Payment Information: Credit card number, billing address, bank account details

1.2 Protected Health Information (PHI)

For patients and healthcare recipients:
- Medical history and current conditions
- Symptoms and health concerns
- Medications and allergies
- Lab results and diagnostic reports
- Treatment plans and prescriptions
- Appointment notes and consultation records
- Health tracking data (weight, blood pressure, etc.)

For healthcare providers:
- Professional licenses and DEA registration
- Malpractice insurance information
- Board certifications and credentials

1.3 Usage Data

Automatically collected when you use the Platform:
- IP address, browser type, device information
- Operating system, mobile carrier
- Pages visited, time spent on pages
- Referring/exit pages, clickstream data
- Geolocation data (with permission)
- App usage analytics (for mobile app)

1.4 Communication Data

  • Customer service inquiries and responses
  • Email correspondence
  • SMS/text messages
  • Chat conversations with support or providers
  • Phone call recordings (with notice and consent)

1.5 Social Media

If you connect social media accounts:
- Profile information from social networks
- Friends/contacts list (with permission)
- Social media activity related to our Platform

1.6 Cookies & Similar Technologies

  • Session cookies (temporary, deleted when browser closes)
  • Persistent cookies (remain until deleted or expired)
  • Web beacons, pixels, and tags
  • Local storage and cache

2. How We Use Your Information

2.1 To Provide Services

  • Account Management: Create and maintain your account
  • Healthcare Services: Connect you with providers, process consultations
  • E-commerce: Process orders, fulfill prescriptions, ship products
  • Payment Processing: Charge your payment method, issue refunds
  • Customer Support: Respond to inquiries, resolve issues

2.2 To Improve the Platform

  • Analytics: Understand how users interact with the Platform
  • Research & Development: Develop new features and services
  • Quality Assurance: Test and optimize performance
  • A/B Testing: Compare different versions of features

2.3 To Communicate with You

  • Transactional Emails: Order confirmations, shipping updates, appointment reminders
  • Service Notifications: Password resets, security alerts, policy changes
  • Marketing: Promotions, newsletters, product recommendations (with your consent)
  • Surveys: Feedback requests, satisfaction surveys

2.4 To Ensure Safety & Compliance

  • Fraud Prevention: Detect and prevent fraudulent transactions
  • Security: Protect against unauthorized access, cyberattacks
  • Legal Compliance: Comply with laws, regulations, court orders
  • Risk Management: Assess creditworthiness, verify identities
  • Healthcare Compliance: Meet HIPAA, FDA, DEA, and state medical board requirements

2.5 For Marketing & Advertising

  • Personalization: Show relevant products and content
  • Retargeting: Display ads on other websites
  • Lookalike Audiences: Reach similar potential customers
  • Attribution: Measure effectiveness of marketing campaigns

You can opt out of marketing at any time (see Your Privacy Rights).


3. How We Share Your Information

3.1 With Healthcare Providers

When you book a consultation or purchase prescription products:
- We share your PHI with licensed providers for treatment purposes
- Providers may share information with pharmacies for prescription fulfillment
- Providers may consult with specialists (with your consent)

Legal Basis: HIPAA Treatment, Payment, and Healthcare Operations (TPO)

3.2 With Service Providers

Third parties who provide services on our behalf:
- Payment Processors: Stripe, Square (credit card processing)
- Shipping Carriers: USPS, UPS, FedEx (order fulfillment)
- Email Services: SendGrid (transactional emails)
- SMS Services: Twilio (text message notifications)
- Cloud Hosting: AWS, Google Cloud (data storage)
- Analytics: Google Analytics, Mixpanel (usage tracking)
- Customer Support: Zendesk, Intercom (help desk)

All service providers sign Business Associate Agreements (BAAs) as required by HIPAA.

3.3 With Vendors & Pharmacies

  • Product vendors and wholesalers (for order fulfillment)
  • Pharmacies (for prescription dispensing)
  • Labs (for diagnostic testing)

3.4 For Legal & Compliance Reasons

We may disclose information when required by law:
- Court Orders: Subpoenas, warrants, legal process
- Government Agencies: FDA, DEA, state medical boards, law enforcement
- Emergency Situations: To prevent imminent harm to you or others
- Public Health: Disease outbreaks, adverse drug reactions
- Legal Claims: To defend against lawsuits, enforce our Terms

3.5 Business Transfers

If we are involved in a merger, acquisition, bankruptcy, or sale of assets:
- Your information may be transferred to the successor entity
- You will be notified by email and/or prominent notice on the Platform
- The successor must honor this Privacy Policy

3.6 With Your Consent

We will not share your information for purposes other than those described above without your explicit consent.

3.7 Aggregated & De-Identified Data

We may share anonymized, de-identified data that cannot reasonably be used to identify you:
- Research institutions (medical research, public health studies)
- Business partners (market trends, analytics)
- Public reports (aggregate statistics)

This data is NOT considered PHI under HIPAA.


4. HIPAA Compliance

4.1 HIPAA Covered Entity

MedXFill acts as a "Covered Entity" under HIPAA when:
- Providing healthcare services (telemedicine consultations)
- Processing healthcare payments
- Transmitting PHI electronically

4.2 HIPAA Business Associate

MedXFill also acts as a "Business Associate" when:
- Healthcare providers (tenants) use our Platform to manage patient records
- We process PHI on behalf of covered entities

Business Associate Agreements (BAAs) are executed with all healthcare providers using the Platform.

4.3 HIPAA Privacy Rule

We comply with HIPAA Privacy Rule requirements:
- Minimum Necessary: We only use/disclose the minimum PHI needed
- Notice of Privacy Practices: Provided to all patients (see below)
- Patient Rights: You have rights to access, amend, and restrict PHI
- Accounting of Disclosures: We track PHI disclosures for 6 years

4.4 HIPAA Security Rule

We implement HIPAA Security Rule safeguards:
- Administrative: Security policies, workforce training, risk assessments
- Physical: Secure data centers, access controls, workstation security
- Technical: Encryption, access controls, audit logs, automatic logoff

4.5 HIPAA Breach Notification

In the event of a PHI breach:
- We will notify affected individuals within 60 days
- We will notify the U.S. Department of Health & Human Services (HHS)
- We will notify media (if breach affects 500+ individuals in a state)

4.6 Your HIPAA Rights

Under HIPAA, you have the right to:
- Access: Obtain a copy of your PHI (within 30 days)
- Amend: Request corrections to inaccurate PHI
- Restrict: Request restrictions on certain uses/disclosures
- Accounting: Receive list of PHI disclosures (past 6 years)
- Confidential Communication: Request PHI be sent to alternate address
- Complaint: File complaint with us or HHS Office for Civil Rights

To exercise HIPAA rights: Email hipaa@medxfill.com


5. Data Security

5.1 Security Measures

We implement industry-standard security measures:

Encryption:
- In Transit: TLS 1.3 encryption for all data transmission
- At Rest: AES-256 encryption for stored data
- Database: Encrypted database fields for sensitive data (SSN, payment info)

Access Controls:
- Multi-factor authentication (MFA) for staff accounts
- Role-based access control (RBAC) - minimum necessary access
- Automatic logoff after 15 minutes of inactivity
- Password requirements: 12+ characters, complexity rules

Network Security:
- Firewalls and intrusion detection systems (IDS)
- DDoS protection and rate limiting
- Vulnerability scanning (quarterly)
- Penetration testing (annually)

Physical Security:
- Data centers with 24/7 monitoring, biometric access
- Redundant power and climate control
- Geographic redundancy and disaster recovery

Monitoring & Auditing:
- Real-time security monitoring and alerts
- Audit logs of all PHI access (retained 6 years)
- Security incident response plan

5.2 PCI DSS Compliance

For payment card data:
- We are PCI DSS Level 1 compliant
- We never store full card numbers or CVV codes
- We use tokenization (Stripe, Square) to minimize PCI scope

5.3 Employee Training

  • All employees undergo annual HIPAA and security training
  • Background checks for employees with PHI access
  • Confidentiality agreements signed by all staff

5.4 Third-Party Security

  • All vendors undergo security assessments
  • Business Associate Agreements (BAAs) required
  • Service-level agreements (SLAs) include security standards

5.5 Your Responsibility

You are responsible for:
- Keeping your password secure and confidential
- Not sharing your account with others
- Using secure internet connections (avoid public Wi-Fi for PHI)
- Logging out after each session on shared devices
- Updating your software and antivirus regularly

If you suspect unauthorized access, change your password immediately and contact us.


6. Data Retention

6.1 Retention Periods

We retain your information as follows:

Data Type                Retention Period               Legal Basis
-----------------------  -----------------------------  -----------------------------
PHI (Medical Records)    6 years from last visit        HIPAA, state law
Prescription Records     7 years                        DEA, FDA, state pharmacy law
Financial Records        7 years                        IRS, tax law
Account Information      Duration of account + 1 year   Contract, legitimate interest
Marketing Data           Until opt-out or 3 years       Consent
Audit Logs               6 years                        HIPAA, security
Cookies                  See Cookies (Section 8)        Varies

6.2 Account Deletion

To delete your account:
- Email: support@medxfill.com
- Subject: "Account Deletion Request"
- Include: Full name, email, account ID

Upon deletion:
- We will delete your personal information within 30 days
- Exception: PHI and prescription records retained per legal requirements (6-7 years)
- De-identified data may be retained indefinitely for research/analytics

6.3 Data Minimization

We only retain data as long as necessary for the purposes described in this Policy or as required by law.


7. Your Privacy Rights

7.1 Access & Correction

Right to Access: Request a copy of your personal information
Right to Correction: Request corrections to inaccurate information

To exercise: Email privacy@medxfill.com with "Access Request" or "Correction Request"

Response Time: Within 30 days (may extend 30 days with notice)

7.2 Deletion

Right to Delete: Request deletion of your personal information (subject to legal retention requirements)

Exceptions (we may not delete if needed for):
- Legal compliance (HIPAA, DEA, tax law)
- Completing transactions or providing services
- Detecting security incidents or fraud
- Defending legal claims

To exercise: Email privacy@medxfill.com with "Deletion Request"

7.3 Opt-Out of Marketing

Right to Opt-Out: Stop receiving marketing emails or SMS

How to Opt-Out:
- Click "Unsubscribe" link in marketing emails
- Reply "STOP" to marketing text messages
- Email: marketing-opt-out@medxfill.com
- Account Settings → Notifications → Uncheck marketing preferences

Note: You will still receive transactional emails (order confirmations, appointment reminders, security alerts).

7.4 Do Not Sell My Information

We do NOT sell your personal information.

If you are a California resident, you have the right to opt out of sales. Since we don't sell data, this right does not apply, but you can verify by contacting us.

7.5 Data Portability

Right to Data Portability: Receive your data in a structured, machine-readable format (e.g., CSV, JSON)

To exercise: Email privacy@medxfill.com with "Data Portability Request"

7.6 Restrict Processing

Right to Restrict: Request we limit how we use your information

Example: You may restrict marketing uses while still receiving healthcare services.

To exercise: Email privacy@medxfill.com with "Restriction Request"

7.7 Object to Processing

Right to Object: Object to processing based on legitimate interests (e.g., analytics, marketing)

To exercise: Email privacy@medxfill.com with "Objection"

7.8 Withdraw Consent

If we process data based on your consent (e.g., marketing), you can withdraw consent at any time.

Withdrawal does not affect lawfulness of processing before withdrawal.


8. Cookies & Tracking Technologies

8.1 What Are Cookies?

Cookies are small text files stored on your device when you visit websites. They help us:
- Remember your preferences and login status
- Understand how you use the Platform
- Personalize content and ads
- Analyze performance and traffic

8.2 Types of Cookies We Use

Essential Cookies (Required for Platform to function):
- Session management (login, shopping cart)
- Security (fraud detection, authentication)
- Load balancing

Functional Cookies (Enhance user experience):
- Remember language preference
- Remember shipping address
- Save form data

Analytics Cookies (Help us improve):
- Google Analytics (page views, bounce rate)
- Heatmaps (Hotjar) - understand user behavior
- A/B testing (Optimizely)

Marketing Cookies (Personalized advertising):
- Facebook Pixel (retargeting ads)
- Google Ads (search ads, display ads)
- AdRoll (display ads across websites)

8.3 Cookie Lifespan

Cookie Type           Duration
--------------------  -----------------------------------------
Session Cookies       Deleted when browser closes
Persistent Cookies    1 day to 2 years (varies by purpose)
Third-Party Cookies   Set by the third party (e.g., Google)

8.4 Managing Cookies

Browser Settings: You can block or delete cookies in your browser settings:
- Chrome: Settings → Privacy → Cookies
- Firefox: Options → Privacy → Cookies
- Safari: Preferences → Privacy → Cookies
- Edge: Settings → Privacy → Cookies

Cookie Consent Banner: When you first visit, you can accept or reject non-essential cookies.

Opt-Out Tools:
- Google Analytics Opt-Out: https://tools.google.com/dlpage/gaoptout
- NAI Opt-Out: https://www.networkadvertising.org/choices/
- DAA Opt-Out: https://www.aboutads.info/choices/

Note: Blocking cookies may affect Platform functionality (e.g., cannot stay logged in).

8.5 Do Not Track (DNT)

Some browsers have "Do Not Track" (DNT) signals. We currently do not respond to DNT signals, as there is no industry standard for DNT.


9. Third-Party Services

9.1 Third-Party Links

Our Platform may contain links to third-party websites (e.g., pharmacies, labs, news articles).

We are not responsible for third-party privacy practices. Please review their privacy policies before providing information.

9.2 Third-Party Integrations

If you connect third-party services (e.g., Apple Health, Fitbit):
- You authorize us to access data from that service
- The third party's privacy policy also applies
- You can disconnect at any time in Account Settings

9.3 Social Media Plugins

Social media buttons (Facebook, Twitter, LinkedIn) may allow those platforms to track your visit, even if you don't click the button.

To prevent tracking: Use browser extensions like Privacy Badger or disconnect from social media before visiting.


10. Children's Privacy

10.1 Age Restriction

The Platform is NOT intended for children under 13.

We do not knowingly collect personal information from children under 13. If you are under 13, do not use the Platform or provide any information.

10.2 Parental Consent

For minors aged 13-17:
- Parental or guardian consent is required
- Parent/guardian must create account and manage minor's profile
- Parent/guardian must consent to consultations and treatments

10.3 If We Learn of Child Data

If we discover we have collected information from a child under 13 without parental consent:
- We will delete the information as soon as possible
- We will terminate the account

If you believe we have information about a child under 13, contact us immediately: privacy@medxfill.com


11. State-Specific Rights

11.1 California Residents (CCPA/CPRA)

California Consumer Privacy Act (CCPA) grants California residents additional rights:

Right to Know: Request details about personal information collected, used, and shared (past 12 months)

Right to Delete: Request deletion of personal information (subject to exceptions)

Right to Opt-Out of Sale: Opt out of sale of personal information (we don't sell data)

Right to Non-Discrimination: We will not discriminate for exercising CCPA rights

Shine the Light Law: Request list of personal information shared with third parties for marketing (past year)

To Exercise CCPA Rights:
- Email: california-privacy@medxfill.com
- Website: www.medxfill.com
- Online: [Privacy Request Form]

Verification: We will verify your identity before fulfilling requests (to prevent fraud).

Response Time: Within 45 days (may extend 45 days with notice)

11.2 Virginia Residents (CDPA)

Virginia Consumer Data Protection Act grants similar rights to CCPA:
- Right to access, correct, delete, and data portability
- Right to opt out of targeted advertising and profiling

To Exercise: Email virginia-privacy@medxfill.com

11.3 Colorado Residents (CPA)

Colorado Privacy Act grants:
- Right to access, correct, delete, and data portability
- Right to opt out of targeted advertising, sale, and profiling

To Exercise: Email colorado-privacy@medxfill.com

11.4 Connecticut Residents (CTDPA)

Connecticut Data Privacy Act grants similar rights to CCPA.

To Exercise: Email connecticut-privacy@medxfill.com

11.5 Utah Residents (UCPA)

Utah Consumer Privacy Act grants:
- Right to access, delete, and data portability
- Right to opt out of sale and targeted advertising

To Exercise: Email utah-privacy@medxfill.com

11.6 Nevada Residents

Nevada SB 220 grants right to opt out of sale of personal information.

To Exercise: Email nevada-privacy@medxfill.com


12. International Users

12.1 U.S.-Based Service

MedXFill is based in the United States and primarily serves U.S. customers.

If you access the Platform from outside the U.S.:
- Your information will be transferred to and processed in the U.S.
- U.S. privacy laws may differ from your country's laws
- By using the Platform, you consent to transfer to the U.S.

12.2 European Union (GDPR)

If you are in the EU/EEA:
- You have rights under the General Data Protection Regulation (GDPR)
- Right to access, rectification, erasure, restriction, portability, object
- Right to lodge complaint with supervisory authority

Legal Basis for Processing:
- Consent: For marketing, cookies, optional features
- Contract: To provide services you requested
- Legal Obligation: To comply with laws (HIPAA, tax law)
- Legitimate Interest: For analytics, fraud prevention, improving services

Data Controller: MedXFill is the data controller for personal information collected via the Platform.

Data Protection Officer: Email dpo@medxfill.com

To Exercise GDPR Rights: Email gdpr@medxfill.com

12.3 International Data Transfers

If we transfer data outside the U.S.:
- We use Standard Contractual Clauses (SCCs) approved by the EU Commission
- We ensure adequate safeguards are in place


13. Changes to This Policy

13.1 Updates

We may update this Privacy Policy from time to time to reflect:
- Changes in our practices
- Changes in laws or regulations
- New features or services

13.2 Notification

For material changes:
- We will notify you by email (to address on your account)
- We will post prominent notice on the Platform
- We will update "Last Updated" date at top of Policy

13.3 Review

We encourage you to review this Policy periodically.

Continued use after changes constitutes acceptance of the updated Policy.


14. Contact Us

14.1 Privacy Inquiries

General Privacy Questions:
Email: privacy@medxfill.com
Website: www.medxfill.com

HIPAA-Specific Questions:
Email: hipaa@medxfill.com

Data Protection Officer (GDPR):
Email: dpo@medxfill.com

California Privacy Requests:
Email: california-privacy@medxfill.com

14.2 Mailing Address

MedXFill
Attn: Privacy Officer
8 The Green, Suite B
Dover, DE 19901

14.3 HIPAA Complaints

If you believe your privacy rights have been violated:

File complaint with us:
- Email: hipaa@medxfill.com
- Mail: Address above, Attn: HIPAA Compliance Officer

File complaint with HHS:
- U.S. Department of Health & Human Services
- Office for Civil Rights
- Online: https://www.hhs.gov/hipaa/filing-a-complaint/index.html
- Phone: 1-800-368-1019

You will not be retaliated against for filing a complaint.


Notice of Privacy Practices (HIPAA)

This Notice describes how medical information about you may be used and disclosed and how you can get access to this information.

Uses & Disclosures

We may use and disclose your PHI for:
- Treatment: Provide, coordinate, or manage healthcare services
- Payment: Obtain payment for services, verify insurance coverage
- Healthcare Operations: Quality improvement, training, business planning

Other uses require your written authorization, except:
- As required by law (court orders, public health, law enforcement)
- To prevent serious threat to health or safety
- For workers' compensation claims
- For coroners, medical examiners, funeral directors

Your Rights

You have the right to:
- Inspect and copy your medical records
- Request amendments to your medical records
- Receive accounting of disclosures (past 6 years)
- Request restrictions on certain uses/disclosures
- Request confidential communications (alternate contact method)
- Receive paper copy of this Notice

Our Responsibilities

We are required to:
- Maintain privacy of your PHI
- Provide this Notice of privacy practices
- Follow terms of current Notice
- Notify you if we are unable to agree to requested restriction

Changes to This Notice

We reserve the right to change this Notice and make new provisions effective for all PHI we maintain.

Complaints

You may file a complaint if you believe your privacy rights have been violated:
- With us: hipaa@medxfill.com
- With HHS Office for Civil Rights: https://www.hhs.gov/hipaa/filing-a-complaint/index.html

You will not be penalized for filing a complaint.


Acknowledgment

By using the Platform, you acknowledge that you have read and understood this Privacy Policy, including the Notice of Privacy Practices.

If you do not agree with this Policy, please do not use the Platform.


Last Updated: April 6, 2026
Version: 1.0
Document ID: PP-20260406-v1
Effective: Immediately upon acceptance

