
Privacy Policy & Data Practices

How NoTimeRx collects, uses, protects, and shares your information — including the health data you share during a telehealth visit.

Effective date: April 20, 2026 · Applies to U.S. users only

On this page

  • 1. Scope
  • 2. What we collect
  • 3. Protected Health Info
  • 4. How we use it
  • 5. When we share
  • 6. Security
  • 7. Your data rights
  • 8. Retention
  • 9. Cookies & analytics
  • 10. Minors
  • 11. International users
  • 12. Changes
  • 13. Contact

We do not sell your health information. Ever. Your health data is handled under HIPAA and is never rented, licensed, sold, or shared with advertisers.

1. Scope

This Privacy Policy covers data collected by NoTimeRx, Inc. ("NoTimeRx," "we") when you use the Services. It works together with our HIPAA Notice of Privacy Practices, which governs how Protected Health Information (PHI) is handled by the independent medical practices and pharmacies that use our platform.

2. Information We Collect

Information you provide

  • Account data: name, email, phone, date of birth, U.S. shipping address, password (hashed).
  • Medical visit data: medical history, current medications, scalp/skin photos, symptoms.
  • Payment data: handled by our PCI-DSS-compliant payment processor — we store only last-4 digits and a token.
  • Communications: secure messages with your Provider and support team.

Information collected automatically

  • Device and browser metadata (IP address, user agent, OS).
  • Usage data (pages viewed, features used, referring URL).
  • Approximate location derived from IP — used for state eligibility and fraud prevention.

3. Protected Health Information (PHI)

Information you share during a telehealth visit is PHI and is covered by HIPAA. It is received, stored, and processed by our infrastructure as a business associate of the independent medical practices that provide your care. PHI is treated with strictly separated access controls from non-health data.

4. How We Use Your Information

  • Deliver and operate the Services, including secure messaging, visits, prescriptions, and shipping.
  • Verify your U.S. location and state of residence for licensing compliance.
  • Process payments and manage subscriptions and refunds.
  • Prevent fraud, abuse, diversion, and security incidents.
  • Comply with legal, regulatory, and pharmacy-board obligations.
  • Improve product quality using de-identified, aggregated data — never PHI that can be traced to you.

5. When We Share Information

We share information only with:

  • Your Provider and dispensing pharmacy — to deliver your care and medication.
  • Service providers (business associates) — e.g., encrypted cloud hosting, shipping carriers, secure payment processors — each bound by BAAs and confidentiality agreements.
  • Authorities — when legally required (subpoena, court order, public-health reporting) with the narrowest response permitted by law.
  • Successor entities — in a merger, acquisition, or asset sale, with continued protection under this Policy.

We do not sell PHI or personal data. We do not share PHI with advertising networks or data brokers.

6. Security

We use bank-grade and healthcare-grade safeguards, including TLS 1.2+ in transit, AES-256 at rest, least-privilege access controls, audit logging, mandatory 2FA for staff, quarterly penetration testing, and annual HIPAA risk assessments. No internet-based system is perfectly secure, but we work hard to keep yours safe.

7. Your Data Rights

U.S. residents may request:

  • Access — receive a copy of the personal data we hold about you.
  • Correction — fix inaccurate information.
  • Deletion — subject to our legal and medical recordkeeping obligations (prescriptions and PHI must be retained for state-specified minimums).
  • Portability — receive your data in a machine-readable format.
  • Opt-out of targeted advertising — we do not engage in cross-context targeted advertising of health data.

Email privacy@notimerx.com from the email on your account. We respond within 30 days. California, Colorado, Connecticut, Delaware, Iowa, Montana, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia residents have specific rights under state privacy laws; these are honored without discrimination.

8. Retention

Medical records are retained for the period required by the state where care was delivered (typically 7–10 years for adults, longer for minors). Marketing and analytics data are retained for up to 24 months. You may close your account at any time; we will retain what we must to comply with law and deidentify or delete the rest.

9. Cookies & Analytics

We use cookies and similar browser-storage technologies in three tiers, and we let you control the non-essential ones.

  • Essential (always on). Keeping you signed in (Firebase Auth session tokens), confirming you're 18+ (age-verify cookie), remembering where you left off in an intake questionnaire, storing your light/dark theme choice, and CSRF protection. Without these the site will not function and we can't turn them off.
  • Analytics (off by default). Aggregate, de-identified product-usage signals — which categories you visit, which features you use, which pages errored. Used only to improve the product. Never sold, never joined back to your identity, never active on patient-portal or PHI pages regardless of this setting.
  • Marketing / retargeting (off by default). We do not currently run ad retargeting. This category reserves your preference in case we ever add it — you will not be silently opted in.

You can change your cookie choices at any time by clicking "Manage cookie preferences", or via the "Cookie settings" link in every page footer. If your browser sends Do Not Track, we default analytics and marketing to off on first visit and surface that in the banner.

10. Minors

The Services are not intended for, and not offered to, individuals under 18. We do not knowingly collect data from minors.

11. International Users

NoTimeRx is offered only to U.S. patients, with data hosted in the United States. If you attempt to use the Services from outside the U.S., you acknowledge that the Services are not directed to you and that any information you submit will be processed in and subject to U.S. law.

12. Changes

We'll post the effective date of any update at the top of this page and notify you by email for material changes.

13. Contact

Email privacy@notimerx.com or mail to
NoTimeRx, Inc. · Attn: Privacy Officer · 1209 Orange Street, Wilmington, DE 19801.

© 2026 NoTimeRx, Inc. · U.S.-only telemedicine platform.