Last updated: April 2026
We collect account information (name, email, credentials), facility operational data (controlled substance entries, temperature logs, cart checks), and case numbers and medical record numbers (MRNs). We process Protected Health Information (PHI), including patient MRNs and names, in controlled substance logs.
We use information to provide the service, generate reports, calculate compliance scores, and support anonymized benchmarking when consent is provided.
We do not collect diagnoses, treatment details, insurance information, or social security numbers.
We use the following third-party sub-processors to deliver our services: Supabase (database & authentication), Vercel (hosting), Stripe (payment processing), Sentry (error monitoring), Google Analytics (website analytics), Formspree (contact forms), and MailerLite (email communications).
Data is stored in Supabase (PostgreSQL), encrypted at rest and in transit, and hosted in the United States.
We do not sell your data. We do not sell individual facility data. Anonymized aggregate data may be used for industry research with consent.
Data is retained for 10 years after account closure to support regulatory and compliance obligations. You may export your data at any time.
A HIPAA Business Associate Agreement (BAA) is active with our infrastructure provider. All subscribers are required to execute a BAA. PHI including patient MRN and names in controlled substance logs is processed in accordance with HIPAA requirements.
Security controls include role-based access, PIN authentication, entry immutability, geolocation verification, and rate limiting.
You may access your data, export your data at any time, delete your account, and opt out of data sharing.
For privacy questions, contact jon@tompharmacy.com.