Privacy Policy

This Privacy Policy describes how RxRoute ("we", "us", or "our"), operated by Scalater LLC, collects, uses, and protects your personal information when you use our website at rxroute.io and our medication shipment tracking platform at app.rxroute.io (collectively, the "Service").

By using our Service, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

Account Information

When you create an account, we collect:

• Name and email address
• Company or organization name
• Billing information (processed securely by Stripe)
• Password (stored as a cryptographic hash, never in plain text)

Usage Data

We automatically collect information about how you interact with the Service:

• API request logs (endpoints called, timestamps, response codes)
• Tracking volume and usage metrics
• Browser type, IP address, and device information
• Pages visited and time spent on the Service

Tracking Data

When you submit shipment tracking numbers through our API, we store:

• Tracking numbers and carrier identifiers
• Shipment status updates and event history
• Metadata you associate with trackings (e.g., order IDs, store identifiers)

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Process your transactions and manage your subscription
• Monitor carrier shipment statuses and deliver webhook notifications
• Send transactional emails (account verification, billing, alerts)
• Maintain audit logs for security and compliance purposes
• Detect, prevent, and address fraud or technical issues
• Comply with legal obligations

3. Data Minimization

RxRoute is designed with data minimization as a core principle. We do not store Protected Health Information (PHI) as defined by HIPAA. Our platform handles tracking numbers and generic metadata only. The association between a tracking number and a patient is maintained exclusively in your system, not ours.

4. Data Sharing

We do not sell your personal information. We share data only with:

• Shipping carriers (USPS, UPS, FedEx, DHL, OnTrac) — to register and monitor trackings on your behalf
• Stripe — to process payments securely
• Infrastructure providers (Vercel, database hosting) — to operate the Service
• Law enforcement — only when required by law or valid legal process

5. Data Security

We implement industry-standard security measures including:

• Encryption in transit (TLS 1.2+) for all communications
• Encryption at rest (AES-256) for sensitive data
• Cryptographic hashing for API keys and passwords
• HMAC-SHA256 signatures for webhook payloads
• Role-based access controls
• Immutable audit logging of all system actions

6. Data Retention

We retain your account data for as long as your account is active. Tracking data is retained for the duration of your subscription plus 90 days. Audit logs are retained for a minimum of 6 years in accordance with healthcare compliance standards. You may request deletion of your account and associated data at any time by contacting us.

7. Cookies

We use essential cookies to operate the Service (e.g., session management, authentication). We may also use analytics cookies to understand how the Service is used. For more details, see our Cookie Policy.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Object to or restrict processing of your data
• Data portability (receive your data in a structured format)
• Withdraw consent at any time

To exercise any of these rights, contact us at privacy@rxroute.com.

9. California Privacy Rights (CCPA)

If you are a California resident, you have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information. To make a request, contact privacy@rxroute.com.

10. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children.

11. International Data Transfers

Your data may be processed in the United States. By using the Service, you consent to the transfer of your information to the United States, which may have different data protection laws than your jurisdiction.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy, contact us at:

• Email: privacy@rxroute.com
• Company: Scalater LLC