RxTro Privacy Policy
How We Collect, Use, and Protect Your Information
Effective Date
1st February 2025
Introduction
Your privacy is important to us. We value the trust you place in RxTro when you share your personal data with us. We are dedicated to protecting your information and handling it responsibly in accordance with all applicable privacy laws and regulations around the world.
This Privacy Policy applies to all individuals who interact with RxTro, including:
- Patients: Individuals whose personal data is shared through the RxTro platform for healthcare purposes.
- Website Visitors: Individuals who visit our website or use our online services. This includes those who browse our website, create an account, make a purchase, or interact with our online content.
- Customers: Individuals who purchase our products or services, either online or offline. This includes those who provide us with their personal information for the purpose of fulfilling their orders.
- Employees: Individuals who are employed by RxTro, including current and former employees, as well as job applicants.
We are committed to transparency and will always inform you about why we are collecting your personal data and how we will use it at or before the time of collection. This information will be provided through clear and accessible privacy notices or other appropriate means.
Collection of Solicited Personal Information
At the time of collection, we will inform you about the specific types of personal data we are collecting, which may include but are not limited to:
- Contact Information: Name, email address, phone number, mailing address.
- Account Information: Username, password, security questions and answers.
- Financial Information: Credit card details, billing address.
- Demographic Information: Age, gender, location.
- Employment Information: Job title, work history, references.
- Health Information: This may include information about your health conditions, medications, treatments, allergies, and other relevant health-related data.
- Technical Information: IP address, browser type, device information, cookies.
- Usage Data: Information about how you use our website or services, such as pages visited, time spent on each page, and clicks.
We collect this information through various means, including:
- Directly from you: When you create an account, make a purchase, fill out a form on our website, email us, or speak with us by telephone.
- Automatically: Through cookies and other tracking technologies when you visit our website.
- From third parties:
  - Publicly available sources.
  - Our business partners.
  - Referring partners: This may include healthcare providers or other entities who refer patients to other users of our platform. We rely on our referring partners' authority to disclose relevant patient information to us for treatment or coordination of care purposes.
We are committed to data minimisation and only collect the information necessary to provide and improve our services, personalise your experience, and comply with applicable laws and regulations.
RxTro's services rely on establishing trusted connections between healthcare practitioners and people from the broader healthcare industry. To facilitate this, we require users to provide verifiable contact details. While we respect the desire for privacy, we do not currently offer the option to interact anonymously or using a pseudonym.
Use of Government-Issued Identifiers
To verify the registration status of healthcare professionals, facilitate patient referrals, and ensure compliance with relevant regulations, we may collect government-issued identifiers from healthcare professionals. These may include:
- Registration or license numbers.
- In Australia, Healthcare Provider Identifier - Individual (HPI-I) and Healthcare Provider Identifier - Place (HPI-O), but only where you have specifically opted in to provide these.
We use registration or license numbers solely for the purpose of validating professional registration and granting access to specific sections of the RxTro platform that contain information related to regulated products or services.
We use HPI-Is to enable seamless communication between different practice management systems/EMRs and with individual patients' eHealth records, facilitating efficient patient referrals. HPI-Os are used to facilitate patient referrals and ensure smooth communication between different practice management systems and with patients' eHealth records.
We do not use or disclose these identifiers for any other purpose without explicit consent. These identifiers are used only in the backend of our system and are not displayed to or shared with end-users.
HIPAA Compliance
RxTro recognises the importance of protecting the privacy and security of protected health information (PHI). We comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, which establish national standards for the protection of PHI.
Unsolicited Personal Information
- Assessment: When RxTro receives unsolicited personal information, it will assess whether it could have lawfully collected that information. This means determining if the information is reasonably necessary for its functions or activities and if it has a lawful basis for collection (like consent).
- Action: If RxTro determines it could not have collected the information, we will take reasonable steps to destroy the information or ensure it is de-identified as soon as practicable.
- Exceptions: In certain limited circumstances, we may be permitted or required by law to retain unsolicited personal information that we could not have otherwise collected. These circumstances may include:
  - Where the information is necessary to prevent or investigate a serious threat to the life, health or safety of any individual, or to public health or safety.
  - Where the information is required or authorised by law or a court/tribunal order.
  - Where the information is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue.
- Proportionality: Even in cases where we are permitted or required to retain unsolicited personal information, we will only do so for the period necessary to fulfil the specific purpose for which it was retained. Once that purpose is no longer relevant, the information will be promptly deleted or de-identified.
- Security: Any unsolicited personal information that we retain in accordance with applicable laws will be subject to the same strict security measures and safeguards that we apply to all other personal data we collect and process.
Purposes of Data Collection and Use
At the time of collection, we will inform you about the specific purposes for which we are collecting your personal data, which may include:
- Facilitating interactions: Your information, such as practice details, contact information, and preferred interaction times, is shared with other users on the platform to help them plan and schedule appointments at your practice.
- Showcasing representatives: If you are a representative, your name, image, contact details, and information about the products or services you offer are shared with other users to facilitate their interaction with you.
- Providing and improving our services: To personalise your experience, process your orders, and communicate with you about our products and services.
- Marketing and advertising: To send you promotional materials and targeted advertising.
  - You have the right to opt out of receiving direct marketing communications from us at any time. You can do this by:
    - Clicking the "unsubscribe" link at the bottom of any marketing email or SMS message.
    - Contacting us via the contact details on the site.
    - Updating your communication preferences in your account settings (if applicable).
  - We will honour your request promptly and will no longer send you marketing communications unless you give us your consent again.
- Analytics: To understand how our website and services are used and to improve their performance.
- Legal compliance: To comply with applicable laws and regulations.
Legal Basis for Processing
We process your personally identifiable information based on your explicit consent. By using our platform, you agree to have your information shared as described above.
- Consent: We process your personally identifiable information based on your explicit consent, which you provide each time you submit data or complete a form on our platform. This consent allows us to share your information as described in this Privacy Policy and as outlined when you complete the form. In some cases, we may seek your additional, explicit consent for specific purposes, such as sending you marketing communications or using your data for research. You have the right to withdraw your consent for any of these purposes at any time.
- Contract: We may process your personal data when it is necessary to fulfil a contract we have with you, such as processing your payment for a purchase or providing you with the services you requested.
  - Customer support: Using your email address or phone number to respond to your inquiries or resolve issues with your account.
  - Account management: Storing your billing information for recurring payments or subscription services.
  - Contractual communication: Sending you emails or notifications related to your contract, such as renewal reminders or updates to terms and conditions.
- Legitimate Interests: We may process your personal data when it is necessary for our legitimate interests, such as improving our products and services, preventing fraud, or ensuring the security of our network and systems. We always balance our legitimate interests against your privacy rights.
- Legal Obligations: We may process your personal data to comply with applicable laws and regulations, such as responding to a court order or fulfilling tax obligations.
Protecting Your Information
We take your privacy seriously and will make every effort to prevent your information from being shared with competitors or any users you do not wish to share it with.
Sharing Your Personal Data
We may share your personal data with the following categories of third parties:
- Service Providers: We engage trusted service providers to perform various functions on our behalf, such as payment processing, data hosting, marketing and advertising, and customer service. These providers have access to personal data only to the extent necessary to perform their functions and are contractually obligated to maintain its confidentiality and security.
- Business Partners: We may share your personal data with our business partners, such as affiliates, joint venture partners, or co-branded partners, to provide you with products or services that you have requested or to jointly offer products or services that we believe may be of interest to you.
- Government Agencies or Law Enforcement: We may disclose your personal data to government agencies or law enforcement authorities if required by law, court order, or other legal process.
Your Rights to Access and Correct Your Personal Information
You have the right to request access to and correction of your personal information held by RxTro.
- To request access or correction: Please submit a written request to our Privacy Officer at support@rxtro.com.
- Our response: We will respond to your request within 30 days and may ask you to verify your identity beforehand.
- Format and cost: The requested information will typically be provided electronically in an easily understandable format. In some cases, we may provide it in hard copy or other formats depending on your needs. While access is generally free, we may charge a reasonable fee for excessive or repetitive requests to cover administrative costs. We will inform you in advance if a fee applies and explain how it's calculated.
If you believe your information is inaccurate, incomplete, or out-of-date, please let us know. We will take reasonable steps to verify and correct any inaccuracies. If we cannot make the correction, we will explain why and inform you of your right to complain to the relevant authority.
Our Commitment to Data Protection
As the data controller, we adhere to the following principles in handling your personal data:
- Lawfulness, fairness, and transparency: We process your data lawfully, fairly, and transparently.
- Purpose limitation: We collect your data only for specific, explicit, and legitimate purposes.
- Accuracy: We ensure your data is accurate and kept up to date.
- Storage limitation: We retain your data only for as long as necessary for the purposes for which it was collected.
- Integrity and confidentiality: We implement appropriate technical and organisational measures to protect your data.
- Accountability: We are accountable for demonstrating compliance with these data protection principles.
Data Security
We take the security of your personal data seriously and are committed to protecting it from unauthorised access, disclosure, alteration, or destruction. We have implemented a range of technical and organisational measures to safeguard your information, including:
- Encryption: We use industry-standard encryption technologies to protect your data in transit and at rest.
- Access Controls: We restrict access to your personal data to authorised personnel only, who are bound by confidentiality obligations.
- Firewalls and Intrusion Detection Systems: We employ firewalls and intrusion detection systems to monitor and prevent unauthorised access to our systems.
- Regular Security Assessments: We conduct regular security assessments and vulnerability scans to identify and address potential risks.
- Employee Training: We provide regular training to our employees on data security best practices.
- Incident Response Plan: We have a robust incident response plan in place to deal with any security breaches or incidents promptly and effectively.
While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security. No method of transmission over the Internet or electronic storage is completely secure. Therefore, we encourage you to take precautions to protect your personal information, such as choosing a strong password and keeping it confidential.
Data Breach Response
At RxTro, we take data security seriously. In the unlikely event of a data breach that compromises the security of your personal data, we have established procedures to respond promptly and effectively.
Notification Procedures
If we determine that a data breach has occurred and poses a risk of harm to individuals, we will notify affected individuals and relevant regulatory authorities as required by applicable law. This notification will typically include information about the nature of the breach, the types of personal data affected, and the steps we are taking to mitigate the impact of the breach.
Remedial Actions
In the event of a data breach, we will take immediate steps to:
- Contain the Breach: We will work to isolate the affected systems and contain the breach to prevent further unauthorised access.
- Investigate: We will conduct a thorough investigation to determine the cause and extent of the breach, identify any vulnerabilities, and assess the potential impact on individuals.
- Remediate: We will take appropriate remedial actions to address any vulnerabilities and mitigate the risk of harm to individuals. This may include implementing additional security measures, notifying affected individuals, and offering credit monitoring or identity theft protection services (where appropriate).
- Communicate: We will communicate with affected individuals and relevant authorities transparently and promptly throughout the incident response process.
- Learn and Improve: We will review the incident and our response to identify lessons learned and improve our data security practices to help prevent future breaches.
We are committed to continuously improving our security measures and incident response procedures to safeguard your personal data.
Data Retention
- Retention Period: RxTro retains personally identifiable information for a period of seven years from the date of last activity or interaction, after which it is automatically deleted from our systems. This includes information such as your name, contact details, practice information, and other relevant data collected during your use of our services.
- User-Requested Deletion: If you wish to have your information removed from our systems before the seven-year retention period expires, you may request deletion by contacting us through the designated channels provided in the "Contact Us" section of this policy. Upon receipt of your deletion request, we will promptly delete your personally identifiable information, unless retention is necessary for legal compliance, dispute resolution, or other legitimate purposes.
- Interactions with Other Users: Information that relates to your interactions with other users of the platform, such as communication history or shared content, may be retained until both parties involved in the interaction have requested the data's removal from our systems. This ensures consistency and fairness in managing data related to shared interactions and collaborations on the platform.
- Exceptions to Deletion: In some cases, we may be required to retain certain information for legal or regulatory purposes, such as tax records, compliance with court orders, or ongoing investigations. However, such retained information will be securely stored and access restricted to authorised personnel only.
- De-identified and Aggregated Data: We may retain and use de-identified or aggregated data derived from personally identifiable information for statistical analysis, research, product improvement, and business intelligence purposes. This data does not contain identifiable information and is not subject to deletion requests.
- Updates to Retention and Deletion Practices: We may periodically review and update our data retention and deletion practices to ensure compliance with legal requirements, industry standards, and best practices. Any significant changes to these practices will be communicated to you through updates to this privacy policy or other appropriate means.
Failure to provide information
The accuracy of the personal information you provide is important to us. If the personal information you provide is incomplete or inaccurate, we may not be able to provide you, or someone else you know, with the services you, or they, are seeking. It is your responsibility to inform us of any changes to your personal information to ensure it is up to date.
International Data Transfers
We may transfer your personal data to countries outside of your home country. These countries may have different data protection laws than your own.
When we transfer your personal data to another country, we implement appropriate safeguards to ensure that your data is protected in accordance with applicable data protection laws. These safeguards may include:
- Standard Contractual Clauses (SCCs): We may use SCCs approved by the European Commission or other relevant data protection authorities, which provide contractual obligations for the recipient of the data to protect your personal data.
- Adequacy Decisions: We may transfer your personal data to countries that have been deemed to have adequate data protection laws by the relevant regulatory bodies.
We will only transfer your personal data to third parties who have implemented appropriate safeguards to protect your information. You can obtain more information about the specific safeguards we have in place by contacting our Data Protection Officer at the contact details listed below.
Children's Privacy
RxTro does not knowingly collect personal data from children under the age of 13. If we become aware that we have inadvertently collected personal data from a child under 13 without parental consent, we will take steps to delete the information as soon as possible.
While we strive to maintain a platform that is not attractive to children and do not anticipate them using our services, we cannot guarantee that children under 13 will not attempt to access our platform. We encourage parents and guardians to monitor their children's online activity and to contact us if they believe their child has provided us with personal data without their consent.
Changes to the Policy
RxTro reserves the right to update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or industry standards. We will post the updated Privacy Policy on our website and indicate the date of the latest revision.
Notification of Significant Changes
If we make material changes to this Privacy Policy, we will notify you by email (if you have provided us with your email address) or through a prominent notice on our website before the changes become effective. Material changes might include, but are not limited to, changes to how we collect or use your personal data, changes to the types of third parties with whom we share your data, or changes to your rights under this policy.
Your Continued Use
Your continued use of the RxTro website, services, or products after the posting of any updated Privacy Policy, or after receiving notice of material changes, constitutes your acceptance of the revised terms. If you do not agree with any changes or updates to the Privacy Policy, you may discontinue using our services and request deletion of your personal information as outlined in this policy.
Contact Information
Email: support@rxtro.com
Australia
Address
Suite 601, 122 Arthur Street
North Sydney, NSW, 2060
Australia
Phone: +61 (2) 9954 4578
Fax: +61 (2) 9054 0189
Canada
Address
Suite 1400, 14th Floor
90 Burnhamthorpe Road West
Mississauga, ON L5B 3C3
Phone: +1 (647) 258 6360
Fax: +1 (437) 886 2675