Legal

Privacy Notice

Effective 2026-05-08 · Last reviewed 2026-05-13

Pharity is a HIPAA Business Associate, not a covered entity

Protected Health Information (PHI) handled by Pharity is governed by the executed Business Associate Agreement (BAA) with your clinic or pharmacy. This Privacy Notice covers non-PHI account data and platform behavior.

What we collect

  • Account data: name, work email, work phone, timezone, hashed password, MFA enrollment state
  • Organization data: clinic/pharmacy entity info, NPI, licenses, FDA registration, insurance
  • Operational data: prescriptions you create, orders, audit log of every state-changing action
  • Patient data (PHI): demographics + Rx history, handled per BAA, never used for marketing or analytics
  • Payment data: payment card saved with Stripe; Pharity never stores full card numbers and keeps only the card brand and last four digits for display

How we use it

  • Operate the marketplace platform per your executed agreements
  • Verify credentials of clinics, pharmacies, and prescribers
  • Route prescriptions and process payments via the card on file (Stripe)
  • Maintain HIPAA-required audit logs (7-year retention)
  • Send transactional notifications you've enabled in /clinic/notifications
  • Provide quarterly Service Delivery Reports to pharmacy counterparties

What we don't do

  • Sell PHI or account data, ever
  • Use PHI for advertising, lookalike audiences, or analytics
  • Share PHI with non-BAA-covered subcontractors
  • Bill Medicare, Medicaid, Tricare, or VA

Subprocessors with BAAs

  • DigitalOcean (Postgres + hosting)
  • AWS SES (email)
  • Twilio (SMS)
  • BoldSign (e-signature)
  • Sentry (error monitoring)
  • Persona (ID verification)
  • Middesk (KYB)

Stripe (card payments and pharmacy payouts) is a payment processor, not a BAA subprocessor: it operates under the HIPAA payment-processing exemption.

Your rights under HIPAA

Patient PHI rights (access, amendment, accounting of disclosures) flow through the covered entity (your clinic or pharmacy). Pharity supports clinic/pharmacy responses to patient requests within the timelines required by HIPAA and applicable state law.

Breach notification

If Pharity discovers a breach of unsecured PHI, we notify the affected covered entity as 45 CFR §164.410 requires of a business associate: without unreasonable delay and no later than 60 calendar days after discovery, and in practice typically much sooner. Applicable state-law timelines are also met. For example, California's CMIA (Health & Safety Code §1280.15) requires licensed clinics and health facilities to report within 15 business days, and California's general breach-notification statute (Civil Code §1798.82) sets no fixed day count but requires notice in the most expedient time possible and without unreasonable delay, plus notice to the California Attorney General when more than 500 California residents are affected.

Contact

HIPAA Privacy Officer / Security Officer: see your executed BAA for the current named officer. General privacy questions: [email protected].