MedRock Pharmacy Extension Privacy Policy

Last Updated: October 31st, 2025

1. Introduction

MedRock Pharmacy operates the MedRock Pharmacy Extension, a Chrome browser extension designed exclusively for internal use by MedRock Pharmacy employees to automate workflow tasks in the LifeFile pharmacy management system.

Key Privacy Protections:
  • Internal Use Only: This Extension requires a validation key and is accessible only to authorized MedRock Pharmacy employees.
  • No Patient Names: The Extension does NOT collect or process patient names, dates of birth, addresses, or Social Security numbers. It processes only prescription data (medication names, quantities, directions) and order identifiers.
  • HIPAA Compliant: All PHI processing complies with HIPAA regulations. We maintain Business Associate Agreements with Supabase and OpenAI.

2. What Data We Collect

2.1 Local Data (Never Leaves Your Browser)

  • User Settings: Role selection, feature toggles, validation key, UI preferences
  • Username: LifeFile username for auto-fill
  • Cached Data: Temporary shipping rates, compound form data

This data never leaves your device unless you actively use features that transmit it.

2.2 Protected Health Information (PHI)

When you actively use specific features, the Extension processes:

  • Prescription Details: Medication names, strengths, forms, quantities, directions
  • Order Information: Order IDs, prescription numbers, compound formulations
  • Shipping Information: ZIP codes for delivery estimates

Important: NO patient names, dates of birth, addresses, or Social Security numbers are collected.

2.3 Data Transmission by Service

Service | Data Transmitted | Purpose
Supabase Database | Prescription data, compound orders, queue queries, validation checks | Store pharmacy operational data, validate extension access
MedRock Backend API | ZIP codes, coupon codes, prescription numbers | Calculate shipping costs, redeem coupons
OpenAI API | Medication names, directions, notes, quantities | AI-powered prescription parsing

3. Service Details

Supabase Database

HIPAA BAA: Yes - Business Associate Agreement in place

  • Prescription Reconciliation: Stores order ID, medication details, parsed directions, compound flags
  • Compound Orders: Stores compound formulations, ingredients, username, order/product IDs
  • Queue Monitor: Reads queue status every 10.5 minutes for real-time updates
  • Validation: Validates access keys and checks version

MedRock Backend API

  • Shipping: Sends ZIP code, receives shipping rates and delivery estimates
  • Coupons: Sends coupon code, prescription number for redemption

OpenAI

HIPAA BAA: Yes - Zero data retention, not used for training

AI lookup makes 3 parallel calls to fine-tuned GPT-4 models for:

  • Drug/Strength/Form detection
  • Directions/Days supply parsing
  • Quantity parsing

Data sent: Medication name, directions, notes, quantities
Data NOT sent: Patient names, DOB, addresses, or other direct identifiers

4. Security

  • Access Control: Validation key required, domain restrictions (lifefile.net, medrockpharmacy.com only)
  • Encryption: All external API calls use HTTPS/TLS 1.2+
  • Local Processing: Many features process data entirely within your browser
  • No Remote Code: All code locally bundled and reviewed

5. Third-Party Service Providers

No Data Sale: We do NOT sell, rent, or trade any information. Data is used exclusively for internal pharmacy operations within the MedRock ecosystem.

6. HIPAA Compliance

MedRock Pharmacy maintains HIPAA-compliant Business Associate Agreements with Supabase and OpenAI.

Employee Responsibilities:

  • Use Extension only on authorized, secure devices
  • Do not share validation keys
  • Lock workstation when away
  • Access only PHI necessary for your job duties
  • Report suspected security breaches immediately

Breach Notification: In the event of a PHI breach, MedRock will investigate, notify affected individuals per HIPAA requirements, report to HHS if applicable, and take corrective action.

7. Your Rights and Data Retention

Access and Control:

  • View/Modify Settings: Open Extension popup to change role, features, preferences
  • Clear Local Data: Chrome Settings → Privacy and security → Clear browsing data
  • Disable Features: Toggle off any feature to prevent data transmission
  • Uninstall: Right-click Extension icon → Remove from Chrome

HIPAA Rights:

You have the right to access, amend, or request an accounting of PHI. Contact MedRock's Privacy Officer at [email protected].

Data Retention:

  • Local Data: Persists until Extension uninstalled or browser data cleared
  • Supabase: Prescription data retained 6+ years per pharmacy regulations; compound orders retained indefinitely for compliance
  • OpenAI: Not retained beyond processing period under BAA
  • MedRock Backend: Shipping logs retained 30-90 days; coupon redemptions per financial record retention policy

8. International Data Transfers

The Extension operates in the United States. Supabase and OpenAI services are U.S.-hosted. If you use the Extension outside the U.S., your data will be transferred to and processed in the United States.

9. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last Updated" date will be revised. Material changes will be communicated via email or internal notice. Continued use after changes constitutes acceptance.

10. Contact Information

Questions about this Privacy Policy, HIPAA rights, or data practices?

MedRock Pharmacy - Privacy Officer
Email: [email protected]
Website: medrockpharmacy.com

11. Consent

By installing and using the MedRock Pharmacy Extension, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, processing, and disclosure of your information as described herein. As a MedRock Pharmacy employee, you also acknowledge your responsibilities under HIPAA and MedRock's privacy and security policies when using this Extension.