Privacy Policy

1. Scope

This Privacy Policy applies to personal information collected through the Services and the Website. It does not apply to third-party websites, applications, or services that may be linked from the Services.

The Services are designed exclusively for 503A compounding pharmacies operating under state Board of Pharmacy oversight. The Services are not designed for, and should not be used by, 503B outsourcing facilities or any entity subject to a different regulatory framework.

2. Information We Collect

2.1 Information You Provide

Account and Pharmacy Profile Information. When you register for the Services and complete the onboarding wizard, you provide pharmacy name, address, state, phone number, compounding types (sterile, non-sterile, or both), and DEA number. You also create login credentials (email address and password) and may set an administrator PIN.

Staff Information. You may enter staff member names, roles, license numbers, certification dates (garbing/fingertip testing, media fill, annual training, competency evaluation dates), and contact information.

Equipment and Operational Data. You may enter equipment types, model numbers, serial numbers, certification dates, and recertification frequencies. During daily operations, you may record checklist completions (with staff attribution), quantitative readings (temperature, humidity, differential pressure), cleaning documentation (agent, lot number, contact time), and environmental monitoring results.

AI Interaction Data. When you use the Ask AI feature, we collect the questions you submit, the AI-generated responses, associated citations, and confidence scores. Chat transcripts are stored in your account.

Documents. You may generate compliance documents using the AI document generation feature and register existing standard operating procedures (SOPs) and compliance documents in the document registry, including review dates and frequencies.

Training and Competency Data. We collect competency evaluation records for staff members across USP skill areas, including evaluator identity, evaluation dates, and proficiency ratings.

Support Communications. When you contact us for support, we collect the information you provide in your communications, including your name, email address, and the content of your request.

2.2 Information Collected Automatically

Usage Data. We collect information about how you interact with the Services, including login activity, features accessed, and general usage patterns. This data is used to maintain and improve the Services.

Technical Data. We collect device and browser information, IP addresses (for security and authentication purposes), and basic server log data necessary to deliver the Services.

Observability Data. We use an AI observability platform to monitor AI response quality. Each AI query generates a trace that includes the question, response, retrieval scores, and deterministic quality metrics. These traces are associated with your user ID for quality assurance and debugging purposes.

2.3 Information We Do Not Collect

No Cookies or Tracking. The Services do not use cookies, advertising trackers, or third-party analytics tools. Authentication is handled through standard browser mechanisms, not cookies. Local browser data is used exclusively for functional purposes: session authentication, in-progress checklist state preservation, and dashboard display preferences. No data stored locally is transmitted to third parties.

No Protected Health Information. The Services are not designed to collect, store, or process Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act ("HIPAA"). You must not upload, enter, or transmit PHI into the Services. PharmComplyAI is not a HIPAA Business Associate and does not execute Business Associate Agreements. For additional detail, see Section 10.3 of our Terms of Service.

3. How We Use Your Information

We use your information for the following purposes:

To Provide the Services. We process your information to operate the platform, including generating AI-powered compliance guidance, tracking deadlines and checklists, producing compliance documents, managing staff and equipment records, calculating compliance scores, and generating PDF exports.

To Maintain and Improve the Services. We use usage data, technical data, and AI observability traces to monitor system performance, identify and fix errors, and improve the accuracy and reliability of AI responses.

To Communicate with You. We use your contact information to send transactional communications (account notifications, subscription confirmations, renewal reminders, security alerts), respond to support requests, and, with your separate opt-in consent, send marketing communications such as product updates, compliance tips, and educational content.

To Protect Our Services and Users. We use technical data and login activity to detect unauthorized access, prevent fraud, and maintain the security and integrity of the Services.

To Comply with Legal Obligations. We process your information as necessary to comply with applicable laws, regulations, and legal processes.

To Generate Aggregated Insights. As described in Section 8.3 of our Terms of Service, we may use anonymized and aggregated data derived from your use of the Services for product improvement, analytics, research, and development. Such data is de-identified so that it cannot reasonably be used to identify you, any Authorized User, or any individual.

4. How We Share Your Information

We do not sell, rent, or trade your personal information. PharmComplyAI does not sell personal data as defined under any applicable state privacy law, including the Texas Data Privacy and Security Act and the California Consumer Privacy Act. We share your information only in the following circumstances:

Service Providers (Sub-Processors). We use third-party service providers to operate and deliver the Services. These providers process your data solely on our behalf, are contractually obligated to protect your data, and are prohibited from using your data for their own purposes. See Section 5 for a complete list of sub-processors.

Legal Requirements. We may disclose your information if required to do so by law, regulation, legal process, or enforceable governmental request, or to protect the rights, property, or safety of PharmComplyAI, our customers, or others.

Business Transfers. In the event of a merger, acquisition, bankruptcy, reorganization, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice within the Services before your information becomes subject to a different privacy policy.

With Your Consent. We may share your information with third parties when you have given us your explicit consent to do so.

Aggregated or De-Identified Data. We may share aggregated or de-identified data that cannot reasonably be used to identify you for any legitimate business purpose, including product improvement, research, and industry benchmarking.

5. Sub-Processors and AI Data Processing

5.1 Categories of Service Providers

We use third-party service providers in the following categories to operate and deliver the Services. All service providers store and process data within the United States.

• Cloud hosting and application infrastructure. We use cloud hosting providers to run the Services, serve the application, and maintain server logs necessary for operation and security.
• Database and authentication. We use a cloud database provider for persistent storage of Customer Data (profiles, staff records, equipment, checklists, chat transcripts, documents) and for user authentication.
• AI model providers. We use AI language model providers to generate compliance guidance in response to your questions. See Section 5.2 for specific AI data practices.
• Search and retrieval infrastructure. We use embedding, vector database, and reranking providers to power the semantic search that retrieves relevant regulatory content for AI responses. These providers process your query text transiently and do not retain your data beyond the duration of the API request.
• AI quality monitoring. We use an observability platform to monitor AI response quality, including traces of questions, responses, and deterministic quality scores associated with your user ID.
• Error monitoring. We use an error monitoring service to identify and resolve technical issues. This service is configured to exclude personally identifiable information from error reports.

A current list of specific sub-processors is available upon request by contacting support@pharmcomplyai.com.

5.2 AI-Specific Data Practices

PharmComplyAI uses a commercial AI API to power its AI features. Under our AI provider's commercial terms of service:

• Customer inputs (your questions) and outputs (AI-generated responses) are not used to train the provider's AI models.
• Our AI provider may retain inputs and outputs for up to thirty (30) days solely for abuse monitoring and safety purposes, after which they are deleted.
• All processing occurs on US-based infrastructure.

Your questions are combined with retrieved regulatory content from our knowledge base to generate responses. The regulatory knowledge base contains publicly sourced interpretive guides, enforcement data, and compliance operations content authored by PharmComplyAI. It does not contain Customer Data.

Additional AI service providers process your query text transiently to perform semantic search and result reranking. These providers do not retain your data beyond the duration of the API request.

6. Data Storage and Security

6.1 Data Location

All Customer Data is stored and processed within the United States. We do not transfer Customer Data outside of the United States.

6.2 Security Measures

PharmComplyAI implements commercially reasonable administrative, technical, and physical safeguards to protect your information, including:

• Encryption in transit (TLS/HTTPS for all data transmission)
• Database-level security isolating each customer's data
• Role-based access controls
• Cryptographically hashed administrator PINs with rate-limited verification
• Error monitoring configured to exclude personally identifiable information
• Server-side beta access code validation
• Immutable audit trail design for compliance-critical records (checklist completions, competency evaluations, monitoring results, document reviews)

While we use reasonable measures to protect your data, no method of electronic storage or transmission is completely secure. We cannot guarantee absolute security.

6.3 Breach Notification

In the event of a data breach affecting your personal information, we will notify you in the most expedient time possible and without unreasonable delay, but no later than forty-five (45) days from the discovery of the breach, in accordance with the Tennessee Identity Theft Deterrence Act (T.C.A. Section 47-18-2107) and any other applicable breach notification laws. If the breach affects more than one thousand (1,000) individuals, we will also notify applicable consumer reporting agencies as required by law.

7. Data Retention and Deletion

7.1 During Active Subscription

Your Customer Data is retained and available through the Services for the duration of your subscription.

7.2 Selective Deletion During Active Subscription

You may request deletion of specific Customer Data (such as chat transcripts, departed staff records, or historical operational data) at any time by contacting support@pharmcomplyai.com. We will process deletion requests within thirty (30) days. Certain data necessary to maintain your account and provide the Services (such as your pharmacy profile and active subscription information) will be retained until account termination.

7.3 Post-Termination

Upon termination or expiration of your subscription, you have thirty (30) days to export your data using the available PDF export features. After the thirty-day export window, we will delete your Customer Data within sixty (60) calendar days, including from backup systems.

7.4 Exceptions

We may retain limited data beyond the periods described above as required by applicable law or to resolve disputes. We may also retain anonymized and aggregated data as described in Section 8.3 of our Terms of Service, which survives termination.

8. Your Rights

Depending on your jurisdiction, you may have specific rights regarding your personal information. PharmComplyAI supports the following rights for all customers, regardless of location:

Access. You may request confirmation of whether we process your personal information and obtain a copy of that information.

Correction. You may request correction of inaccurate or incomplete personal information. Many corrections can be made directly through the Services (for example, updating staff records or pharmacy profile information in Settings).

Deletion. You may request deletion of your personal information, subject to the retention requirements described in Section 7.

Data Portability. You may export your data using the PDF export features available within the Services, which cover checklist logs, staff records, audit trails, readings logs, training reports, monitoring logs, and generated documents.

Opt-Out of Marketing. You may opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email or by contacting support@pharmcomplyai.com. Opt-out requests will be honored within ten (10) business days. Opting out does not affect transactional communications.

To exercise any of these rights, contact us at support@pharmcomplyai.com. We will respond to verified requests within forty-five (45) days. If we need additional time, we will notify you of the extension and the reason.

9. California Privacy Rights

This section applies to California residents and supplements the information in this Privacy Policy.

9.1 Categories of Personal Information

In the preceding twelve (12) months, PharmComplyAI has collected the following categories of personal information as defined by the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"):

• Identifiers: Name, email address, phone number, IP address
• Professional or Employment-Related Information: Job title, role, license numbers, certification dates, competency evaluation records
• Internet or Other Electronic Network Activity: Login activity, feature usage patterns, device and browser information
• Geolocation Data: Approximate location derived from IP address (state-level, used for regulatory content personalization)

9.2 Use and Disclosure

We collect this information for the business purposes described in Section 3. We do not sell or share (as defined by the CCPA) your personal information for monetary consideration or for cross-context behavioral advertising. We do not use sensitive personal information for purposes beyond those permitted by the CCPA.

9.3 Your CCPA Rights

California residents have the right to know what personal information we collect, the right to request deletion, the right to correct inaccurate information, and the right to not be discriminated against for exercising these rights. To exercise your rights, contact us at support@pharmcomplyai.com.

10. Children's Privacy

The Services are designed for pharmacy professionals and are not directed at individuals under eighteen (18) years of age. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected personal information from an individual under 18, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a minor, please contact us at support@pharmcomplyai.com.

11. Third-Party Links

The Services may contain links to third-party websites or resources that are not operated by PharmComplyAI. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party websites you visit.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. Material changes will be communicated via email or through the Services at least thirty (30) days before taking effect. Non-material changes (such as clarifications or formatting updates) may be made without prior notice. The "Effective Date" at the top of this policy indicates when it was last revised.

If you disagree with any changes, you should discontinue use of the Services before the changes take effect. Continued use after the effective date of any modifications constitutes acceptance of the updated Privacy Policy.

13. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the State of Tennessee, without regard to its conflict of laws principles, consistent with the Terms of Service.

14. Contact Us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about how your information is handled, please contact us:

Email: support@pharmcomplyai.com

We will respond to privacy inquiries within forty-five (45) days.