This privacy policy (“Privacy Policy”) governs how we, FlowRx Inc. (“FlowRx”, “we”, “our” or “us”) collect, use, disclose, and store Personal Data and electronic Protected Health Information (ePHI) when you use our website (https://FlowRx.AI/) and our pharmacy orchestration platform. Please read this Privacy Policy carefully to understand our practices. We may update this policy periodically to reflect changes in our practices or regulatory requirements.
1. What information we collect, why we collect it, and how it is used
In the context of patient data, FlowRx acts strictly as a "Business Associate" under HIPAA, while our pharmacy clients act as "Covered Entities." We adhere to the HIPAA "minimum necessary" standard, collecting only the essential account details, system metadata, and necessary ePHI required to orchestrate your pharmacy's workflow, synchronize your systems, provide technical support, and maintain secure audit trails. We use this information strictly to deliver our contracted services, and we never sell, rent, or monetize your patient data for marketing. In accordance with our Master Services Agreement, we may aggregate and de-identify data to strict HIPAA standards; once it can no longer be linked to any individual, we may use this anonymous data to improve our platform's functionality. Furthermore, because we operate as a Business Associate, we do not fulfill patient data requests directly; any patient requests for data access or deletion must be routed to the relevant pharmacy using the administrative tools within our platform.
2. Artificial Intelligence & Machine Learning
FlowRx utilizes enterprise-grade Artificial Intelligence to power data structuring and workflow automation, such as parsing unstructured text. Our AI is used strictly for operational and administrative purposes; it is not a clinical decision support system or medical device, and all AI-assisted extractions require "human-in-the-loop" verification by your licensed pharmacy staff. We operate under a strict zero-data-retention policy for AI model training, meaning your ePHI is never used to train or fine-tune public foundational AI models. AI prompts are processed ephemerally, and any system prompts retained for internal performance monitoring are subjected to automated data-masking protocols to strip and de-identify ePHI prior to retention.
3. How we protect, share, and retain your information
We do not share ePHI with third parties except as necessary to provide our services, utilizing secure enterprise-tier sub-processors who are legally bound by strict Business Associate Agreements. All primary live production data, backups, and AI processing infrastructure are hosted strictly within the United States. To protect your data, we have implemented rigorous safeguards aligned with SOC 2 standards, including AES-256 encryption at rest, TLS 1.2 or higher in transit, strict role-based access control with mandatory multi-factor authentication for administrative access, and continuous cloud security monitoring. We retain active workflow data for the duration of our contract, while system backups and audit logs are retained for up to six years to comply with standard HIPAA requirements, unless your Master Services Agreement specifies otherwise. Upon contract termination and following any agreed transition period, customer data is securely exported and subsequently permanently purged from our active databases and backups in accordance with NIST 800-88 media sanitization guidelines.
4. Contact Us
For questions regarding this Privacy Policy, our security practices, or to report a potential vulnerability, please contact our Privacy/Security Official:
FlowRx Security Team
Email: security@flowrx.ai
Address: 117 Kendrick Street, Suite 300, Needham, MA 02494, USA