Privacy Policy
1. Who we are
PharmaScript ("PharmaScript", "we", "us", "our") provides software used by independent pharmacy delivery drivers and pharmacy operators to scan manifests, build routes, capture proof of delivery, generate reports, and invoice pharmacies.
This Privacy Policy explains what personal information we collect, how we use it, and the choices you have. It applies to pharmascript.app, app.pharmascript.app, and any related services we provide.
For privacy questions, write to support@pharmascript.app.
2. What we collect, and why
Account data
When you sign up we collect your email address, name, and (if you use email/password) a password hash. If you sign in with Google, we collect your Google account email and profile name. We use this data to authenticate you and to send you product communications.
Subscription and billing data
If you subscribe, our payment processor (Stripe) collects and stores your payment method. We receive metadata about your subscription (status, plan, period end) but never your full payment card number.
Delivery operational data
While you use PharmaScript, we collect:
- Photographs of pharmacy delivery manifests (which contain patient names, addresses, and prescription counts)
- The structured data we extract from those manifests via optical character recognition
- GPS coordinates of your device during active routes
- Time-stamped photographs and signatures captured at delivery
- Mileage and time data computed from your GPS trace
Communications
If you email us, we keep that correspondence to respond and improve our service.
Diagnostic data
We log application errors (without personal data) to Sentry so we can fix bugs. We use Cloudflare to log request metadata (IP, user agent, response code) for security and performance.
3. Protected Health Information (PHI)
Pharmacy manifests typically contain Protected Health Information as defined under the Health Insurance Portability and Accountability Act (HIPAA). When PharmaScript processes manifests on behalf of a pharmacy that has signed a Business Associate Agreement (BAA) with us, we act as a Business Associate.
We apply the HIPAA Minimum Necessary rule throughout the product. Drivers see only the patient and delivery information needed to complete the route; aggregated reports are limited to the pharmacies authorized to receive them.
If you operate a pharmacy and need a BAA before sending PHI through PharmaScript, our template BAA is available for your counsel to review. Email sales@pharmascript.app to execute.
4. How we use the information
- To provide, maintain, and improve PharmaScript
- To authenticate you and prevent unauthorized access
- To process subscriptions and prevent fraud
- To send transactional emails (welcome, trial reminders, receipts) and product updates
- To generate delivery reports, invoices, and audit logs you and your contracted pharmacies are entitled to receive
- To debug, investigate security incidents, and comply with legal obligations
5. Who we share it with
We do not sell your personal data. We share data only with sub-processors that help us run the service, and only the data they need to do their job. Current sub-processors:
| Sub-processor | Purpose | Data shared |
|---|---|---|
| Clerk | Authentication | Email, name, password hash, sign-in events |
| Stripe | Payment processing | Email, payment method, subscription metadata |
| Cloudflare | Edge hosting, DNS, email routing | All API request traffic, encrypted in transit |
| Anthropic | Manifest optical character recognition | Manifest image (transient — not stored long-term) |
| Resend | Transactional email delivery | Email address, message contents |
| Sentry | Application error tracking | Error stack traces with personal data scrubbed |
| Optional OAuth sign-in | Email, name (only if you choose Google sign-in) |
We may disclose information if compelled by valid legal process or to protect the rights, property, or safety of PharmaScript, our users, or the public.
6. How long we keep it
- Account data: for as long as your account is active, plus 30 days after deletion.
- Subscription records: 7 years, to comply with US tax and accounting requirements.
- Delivery audit logs (PHI-adjacent): 6 years, to comply with HIPAA documentation requirements.
- Manifest images: 30 days (configurable for pharmacy customers with custom BAAs).
- Application logs: 30 days.
7. Your rights and choices
You can:
- Access the personal data we hold about you
- Correct inaccurate data through your account settings
- Delete your account and personal data (we will honor deletion of PHI subject to legally required retention)
- Export your delivery history, mileage log, and invoices in CSV format
- Unsubscribe from marketing emails via the link in every message; transactional emails (receipts, password resets) continue regardless
To exercise these rights, email support@pharmascript.app.
8. Cookies and tracking
PharmaScript uses cookies only as necessary to keep you signed in (a session cookie set by Clerk). The marketing site does not use third-party advertising or tracking cookies.
9. Security
All traffic to PharmaScript is encrypted in transit with TLS 1.2 or higher. API credentials are stored in Cloudflare Worker secrets, not in browser-accessible code. Database backups are encrypted at rest. Access to production systems is limited to authorized personnel and logged.
No system is 100% secure. If you suspect a vulnerability, please report it to support@pharmascript.app.
10. Children
PharmaScript is intended for use by professional delivery drivers and pharmacy operators. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us personal information, contact us and we will delete it.
11. International users
PharmaScript is operated from the United States. Our sub-processors operate primarily in the United States and may transfer data to other regions in accordance with their own published policies. If you access PharmaScript from outside the US, you consent to the transfer of your information to the US.
12. Changes
We will post any changes to this Privacy Policy on this page and update the "Last updated" date. If changes are material, we will email all active users at least 30 days before the changes take effect.
13. Contact
Questions, requests, or concerns:
Email: support@pharmascript.app
Domain: pharmascript.app