Privacy Policy

Introduction

PactRX, LLC ("PactRX," "we," "us," or "our") operates a specialty pharmacy service that provides medication management, multi-dose packaging, and home delivery for patients. This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information when you visit our website (pactrx.com), use our mobile application, log into a patient or care partner portal, or interact with our services in any other way.

Health information you share with PactRX as a patient is also governed by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA-protected uses and disclosures are described in our Notice of Privacy Practices, which controls over this policy for protected health information.

By using our services you agree to the collection and use of information as described in this policy. If you do not agree, please do not use our services.

Information we collect

• Information you give us — when you enroll, contact us, request a refill, or message your care team: name, date of birth, contact information, insurance details, prescriber information, medication list, allergies, caregiver designations, payment information.
• Information we receive from your healthcare network — prescriptions from prescribers, transferred records from your prior pharmacy, benefits verification responses from your insurer.
• Information we collect automatically — limited technical information such as IP address, browser type, device type, and pages visited. On marketing pages, with your opt-in consent, this can include analytics or advertising signals — see the "Cookies, analytics, and advertising" section below for the constraints we place on those.
• Communications — calls (recorded for quality and compliance), text messages, emails, and chat or voice agent conversations.

How we use information

We use personal information to:

• Provide pharmacy services and fulfill prescriptions.
• Coordinate with your prescribers, insurers, and care partners.
• Communicate with you about refills, shipments, payments, and service updates.
• Process payments and resolve billing questions.
• Meet legal, regulatory, and accreditation obligations (HIPAA, URAC, NABP, state pharmacy boards).
• Improve service quality and train staff (using de-identified data where possible).
• Detect and prevent fraud, abuse, or security threats.

We do not sell your personal information. We do not share it for cross-context behavioral advertising. We do not use it for any purpose that would require an authorization under HIPAA without obtaining that authorization first.

Cookies, analytics, and advertising

PactRX uses a small set of strictly necessary and preference cookies. With your opt-in consent, we may also use analytics and advertising tags on our marketing pages (homepage, About, How It Works, For Caregivers, blog, FAQ, legal pages). These tags help us understand how people learn about PactRX and which channels bring patients to us.

We run analytics and advertising through a single, system-enforced chokepoint:

• Marketing-only. Tags are server-side blocked from loading on enrollment, contact, upload, refill, and every authenticated portal page. This block cannot be overridden.
• Consent-gated. No analytics or advertising tag fires until you opt into the corresponding category in our cookie banner.
• Centrally registered. Every tag we deploy is registered inside PactRX with a written justification, the consent category it requires, and the pages it may load on. Only designated administrators can add or change a tag. We do not use Google Tag Manager or any other tool that would bypass this registry.
• Server-side conversion measurement. When we measure conversions for paid advertising, we use Conversions API integrations on the server so the URLs you visit (especially enrollment URLs) and anything you type are not transmitted to advertising platforms.
• Off the table. We do not use session-replay tools (FullStory, Hotjar, LogRocket, Microsoft Clarity), heatmap tools, third-party A/B testing platforms, or third-party chat widgets. Our voice and text chat is powered by ElevenLabs under a Business Associate Agreement.

Our consent banner uses an opt-in model regardless of where you are located. The current list of cookies and active tags, the consent category each one belongs to, the pages each one loads on, and how to withdraw consent are all published on our Cookie Policy page. We respect Global Privacy Control (GPC) signals where supported.

SMS and text messaging

We do not sell, rent, or share your phone number, SMS opt-in data, or mobile information with third parties for promotional or marketing purposes. Your consent to receive text messages is not a condition of purchasing any goods or services. Reply STOP to opt out at any time. Reply HELP for help. Full SMS terms are on our SMS Terms page.

Calls may be recorded

Inbound and outbound calls with PactRX, including conversations with our voice agent, may be recorded for quality, compliance, and training. We will tell you this at the start of every call. Recordings are stored under our HIPAA safeguards and accessed only by authorized staff.

Service providers

We use a small set of vetted service providers to run our pharmacy. Each one that touches protected health information has executed a Business Associate Agreement with PactRX. Categories include cloud infrastructure (Aptible), error monitoring (Sentry), telephony (Telnyx), voice AI (ElevenLabs), language models (Anthropic), payment processing (Stripe), shipping (ShipEngine, AfterShip), document storage (Box), and business productivity (Google Workspace). We do not share information with advertising networks, data brokers, or social media platforms.

Your privacy rights

Depending on where you live, you may have one or more of the following rights with respect to your personal information:

• Right to know — request a copy of the personal information we hold about you.
• Right to correct — request that we fix inaccurate information.
• Right to delete — request that we delete personal information, subject to retention requirements for pharmacy records under HIPAA and state pharmacy law.
• Right to opt out of sale or sharing for cross-context behavioral advertising — we do not sell or share for this purpose, so there is nothing to opt out of, and we will treat any request as a confirmation.
• Right to limit use of sensitive personal information — we only use sensitive information to provide the pharmacy services you requested and to meet legal obligations.
• Right to non-discrimination — exercising any of these rights will not affect your service.
• Right to lodge a complaint with your state attorney general or, for HIPAA matters, the U.S. Department of Health and Human Services Office for Civil Rights.

California residents have specific rights under the California Consumer Privacy Act and California Privacy Rights Act (collectively, the "CCPA"). EU, UK, and other international visitors have rights under the GDPR or local equivalents.

How to submit a request

To make a privacy request:

1. Email privacy@pactrx.com with the subject line "Privacy Request."
2. Tell us the type of request and which of our services it relates to.
3. We will confirm your identity using information we already hold (we will not ask for unnecessary documents).
4. We will respond substantively within 45 calendar days. If we need more time we will tell you within those 45 days and finish within an additional 45 days.

An authorized agent may submit a request on your behalf. We may ask for evidence of the authorization.

Data retention

We keep personal information for as long as we need it to provide services and to meet retention requirements under HIPAA, state pharmacy law, accreditation standards, and tax law. Pharmacy records are typically kept for at least the period required by the patient's state (commonly five to ten years following the last interaction). Marketing inquiries that do not become patients are kept for a shorter period.

Security

We protect personal information with administrative, technical, and physical safeguards designed to meet HIPAA Security Rule and accreditation requirements. That includes encryption in transit and at rest, role-based access control, audit logging, breach response procedures, and continuous monitoring. No system is perfectly secure, but we take this seriously.

Children

Our services are not directed to children under 13 and we do not knowingly collect personal information from children under 13 outside of a guardian-led pharmacy enrollment. If you believe a child has provided us with information without guardian consent, contact privacy@pactrx.com and we will delete it.

International visitors

PactRX operates in the United States and stores data in the United States. If you access our website from outside the United States, your information will be transferred to and processed in the United States under safeguards appropriate to your jurisdiction.

Changes to this policy

We will update this policy when our practices change. The "Last updated" date at the top reflects the most recent change. Material changes will be communicated in advance through the website and, where appropriate, by email.

Contact us