RxCaller - Solve Medication Shortage

Introduction

RxCaller, Inc. ("RxCaller," "we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal and health information. This Privacy Policy explains what information we collect, how we use it, with whom we share it, how long we retain it, and the rights you have over it when you use our website (rxcaller.com) and mobile application (the "Service").

As a service that handles protected health information (PHI), we are committed to complying with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the California Consumer Privacy Act (CCPA/CPRA), the General Data Protection Regulation (GDPR) where applicable, and all other applicable privacy laws.

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service.

1. Information We Collect

We collect the following categories of information from users of our Service:

Account Information: Name, email address, phone number, and account password (stored as a hashed value, never in plain text).
Health Information (PHI): Medication names, dosages, prescription metadata (date of last refill, prescriber name where you provide it), preferred refill timing, and pharmacy preferences.
Location Information: Your address or approximate location, used to identify pharmacies near you. You may provide this manually or grant location permission via the operating system.
Pharmacy Call History: Records of automated calls placed on your behalf, including the pharmacy contacted, the result of the call (e.g., medication in stock or out of stock), and call timestamps.
Device and Usage Information: Device type, operating system version, application version, IP address, an anonymous device identifier generated by our analytics SDK, and product interaction events (e.g., screens viewed, features used) used for service operation, debugging, and to understand how the app is used.
Subscription and Purchase Information: Subscription status, renewal dates, and anonymous purchase identifiers received from Apple or Google. We do not receive or store your full payment card information.

2. How We Use Your Information

We use the information we collect to:

Provide the core Service: place automated AI calls to pharmacies on your behalf to identify which have your medication in stock
Schedule recurring refill checks based on your last refill date and preferred timing
Notify you when a pharmacy is found to have your medication available
Authenticate your account and process subscription payments
Communicate with you about service updates, security alerts, and customer support
Understand which app features are used and where users encounter problems, so we can improve the Service
Detect, prevent, and respond to fraud, abuse, security incidents, or violations of our Terms
Comply with legal obligations and respond to lawful requests from public authorities

We do not use your data for advertising, do not sell or rent your personal information, and do not share your data with data brokers. We do not include any third-party advertising SDKs in the app.

3. Third-Party Service Providers and Data Sharing

To provide the Service, RxCaller shares specific, minimum-necessary data with the following named third-party providers. Each provider is contractually required to protect your data with safeguards equivalent to those described in this Privacy Policy.

3.1 VAPI (Vapi Inc.)

Role: Voice AI infrastructure provider used to place automated calls to pharmacies on your behalf.
Data shared: Medication name and dosage, prescription metadata (last refill date, prescriber name where applicable), and the destination pharmacy's phone number. Personal identifiers (your name, email, account credentials, address) are not shared with VAPI.
Purpose: Solely to enable the AI agent to place a phone call to the pharmacy and ask about your medication's availability.
Restrictions: VAPI is contractually prohibited from using your data for advertising, profiling, model training, or any purpose other than completing the pharmacy call. VAPI maintains HIPAA-compliant infrastructure with appropriate technical and organizational safeguards equivalent to those described in this policy.
Provider's privacy practices: https://vapi.ai/privacy

3.2 Supabase (Supabase Inc.)

Role: Backend database, authentication, and serverless function hosting.
Data shared: All Account Information, Health Information, Location Information, and Pharmacy Call History described above. Supabase hosts the database in which this data resides.
Purpose: To store your account and prescription information so the Service can authenticate you, schedule refill calls, and display your pharmacy results.
Restrictions: Supabase acts as a HIPAA-compliant infrastructure provider. Data is encrypted at rest and in transit. Supabase is contractually prohibited from accessing or using your data for any purpose other than providing the database service to RxCaller.
Provider's privacy practices: https://supabase.com/privacy

3.3 RevenueCat (RevenueCat, Inc.)

Role: Subscription and in-app purchase management.
Data shared: Anonymous app-generated user identifier, subscription status, and purchase events received from Apple App Store or Google Play. No health information, name, email, or address is shared with RevenueCat.
Purpose: To manage your subscription state and grant access to paid features after a successful purchase.
Provider's privacy practices: https://www.revenuecat.com/privacy

3.4 Pharmacies

To check whether your medication is in stock, our AI agent may state your medication name and the prescription details necessary to make the inquiry to a pharmacy employee. The AI agent does not share your name, contact information, or insurance details with the pharmacy unless you have explicitly enabled features (such as prescription transfer) that require it.

3.5 Apple and Google

Subscription billing is handled exclusively by the Apple App Store (iOS) or Google Play (Android). Apple and Google receive your payment information directly and provide RxCaller (via RevenueCat) only with anonymous purchase confirmation. RxCaller never sees or stores your full payment card details.

3.6 PostHog (PostHog Inc.)

Role: Product analytics provider used to help us understand which features of the app are working well and which need improvement.
Data shared: An anonymous device identifier generated by the PostHog SDK, product interaction events (screens viewed, buttons tapped, feature usage), device type, operating system version, app version, and basic crash/performance diagnostics.
Data NOT shared: Your name, email address, phone number, home address, date of birth, insurance details, medication names, prescription details, or any other protected health information. We do not share the Apple Identifier for Advertisers (IDFA) or any cross-app advertising identifier with PostHog.
Purpose: Solely to analyze product usage and improve the Service. PostHog data is not used for advertising, not used for cross-app tracking, and not shared with advertisers or data brokers.
Restrictions: PostHog acts as a data processor and is contractually prohibited from using your data for any purpose other than providing analytics services to RxCaller.
Provider's privacy practices: https://posthog.com/privacy

4. In-App Consent for Data Sharing

Before any of your prescription or pharmacy data is sent to VAPI to place a pharmacy call, you are presented with an in-app disclosure and consent screen during onboarding. That screen identifies VAPI by name, lists exactly what data is shared, and explains that data is used solely to place pharmacy calls on your behalf. The same disclosure also names PostHog and describes the anonymous product analytics it receives. You must explicitly consent before the Service will share data with these providers. You may withdraw consent at any time by deleting your account, which will halt all future pharmacy call dispatches and analytics collection.

5. App Tracking Transparency

RxCaller does not engage in tracking as defined by Apple's App Tracking Transparency framework. We do not link user or device data collected by our app with third-party data for targeted advertising, do not share device data with data brokers, and do not include any third-party advertising SDKs in the app. The anonymous device identifier used by our analytics provider (PostHog) is not the Apple Identifier for Advertisers (IDFA), is not used for advertising, and is not linked with data from other apps or websites.

6. HIPAA Compliance

RxCaller is designed as a HIPAA-compliant Service. We implement physical, technical, and administrative safeguards to protect protected health information (PHI) as required by HIPAA. Specifically:

We maintain a comprehensive security program designed to protect PHI
We conduct regular risk assessments and security evaluations
We implement role-based access controls limiting who can view PHI
We encrypt PHI at rest and in transit using industry-standard encryption (TLS 1.2+ in transit; AES-256 at rest where applicable)
We maintain audit logs of all access to PHI
We have written breach notification procedures and will notify affected users within 60 days of discovery in the event of a reportable breach, as required by HIPAA
We require all third-party providers handling PHI on our behalf to maintain HIPAA-compliant infrastructure with safeguards equivalent to ours. Providers that do not handle PHI (such as PostHog, which receives only anonymous product analytics) are subject to standard data processing agreements rather than HIPAA Business Associate Agreements.

7. Data Retention

We retain your information only for as long as necessary to provide the Service and meet legal obligations:

Account and prescription data: Retained for the life of your account. Deleted within 30 days of account deletion.
Pharmacy call history: Retained for 12 months for service reliability and audit purposes, then automatically deleted.
Subscription records: Retained for 7 years to comply with tax and accounting requirements.
Server logs containing IP addresses and device identifiers: Retained for 90 days for security and debugging purposes, then deleted.
PostHog analytics events: Retained for 12 months on PostHog's infrastructure for product analysis, then automatically deleted.

8. Your Rights

You have the following rights with respect to your personal information:

Access: Request a copy of the personal information we hold about you.
Correction: Request correction of inaccurate or incomplete information.
Deletion: Request deletion of your personal information. See Section 9 for the in-app and web deletion process.
Portability: Request a portable copy of your data in a common machine-readable format.
Restriction or objection: Restrict or object to certain types of processing.
Withdrawal of consent: Withdraw any consent previously given.

To exercise these rights, contact us at privacy@rxcaller.com. We will respond within 30 days. We will not discriminate against you for exercising any of these rights.

9. Account and Data Deletion

You can delete your account and all associated personal information at any time:

From the app: Open the app, go to the Account tab, tap "Privacy & Data," and select "Delete Account."
From the web: Email privacy@rxcaller.com from your registered email address with the subject line "Delete My Account."

Account deletion permanently removes your account, prescription information, pharmacy call history, and any associated data from our active systems within 30 days. Some records may be retained longer where required by law (e.g., financial records for tax purposes).

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) provides you with the following additional rights:

The right to know what personal information is collected, used, shared, or sold
The right to delete personal information held by us
The right to correct inaccurate personal information
The right to opt out of the sale or sharing of personal information
The right to limit use and disclosure of sensitive personal information
The right to non-discrimination for exercising your CCPA rights

RxCaller does not sell or share personal information for cross-context behavioral advertising as defined by the CCPA. To exercise your California rights, contact us at privacy@rxcaller.com.

11. International Users and Data Transfers

RxCaller is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States. By using the Service, you consent to this transfer. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) to protect international data transfers.

If you are in the European Economic Area (EEA) or United Kingdom, you have rights under the GDPR including the right to lodge a complaint with your local data protection authority.

12. Children's Privacy

RxCaller is not directed to, and we do not knowingly collect personal information from, children under the age of 13 (or the equivalent minimum age in the relevant jurisdiction). If you believe a child has provided us with personal information, please contact us at privacy@rxcaller.com and we will promptly delete it.

13. Data Security

We implement appropriate technical and organizational security measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction. These measures include:

Encryption of sensitive data in transit (TLS 1.2+) and at rest
Secure, HIPAA-compliant infrastructure providers (Supabase, VAPI)
Role-based access controls and least-privilege principles
Regular security assessments and software updates
Mandatory authentication for all administrative access
Audit logging of access to PHI

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially reasonable means to protect your personal information, we cannot guarantee its absolute security.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page and, where the changes are material, we will provide additional notice (such as an in-app notification or email). Continued use of the Service after the updated Privacy Policy takes effect constitutes acceptance of the updated terms.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us:

RxCaller, Inc.
Email: privacy@rxcaller.com
General support: support@rxcaller.com

Introduction

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service.

1. Information We Collect

We collect the following categories of information from users of our Service:

Account Information: Name, email address, phone number, and account password (stored as a hashed value, never in plain text).
Health Information (PHI): Medication names, dosages, prescription metadata (date of last refill, prescriber name where you provide it), preferred refill timing, and pharmacy preferences.
Location Information: Your address or approximate location, used to identify pharmacies near you. You may provide this manually or grant location permission via the operating system.
Pharmacy Call History: Records of automated calls placed on your behalf, including the pharmacy contacted, the result of the call (e.g., medication in stock or out of stock), and call timestamps.
Device and Usage Information: Device type, operating system version, application version, IP address, an anonymous device identifier generated by our analytics SDK, and product interaction events (e.g., screens viewed, features used) used for service operation, debugging, and to understand how the app is used.
Subscription and Purchase Information: Subscription status, renewal dates, and anonymous purchase identifiers received from Apple or Google. We do not receive or store your full payment card information.

2. How We Use Your Information

We use the information we collect to:

Provide the core Service: place automated AI calls to pharmacies on your behalf to identify which have your medication in stock
Schedule recurring refill checks based on your last refill date and preferred timing
Notify you when a pharmacy is found to have your medication available
Authenticate your account and process subscription payments
Communicate with you about service updates, security alerts, and customer support
Understand which app features are used and where users encounter problems, so we can improve the Service
Detect, prevent, and respond to fraud, abuse, security incidents, or violations of our Terms
Comply with legal obligations and respond to lawful requests from public authorities

3. Third-Party Service Providers and Data Sharing

3.1 VAPI (Vapi Inc.)

Role: Voice AI infrastructure provider used to place automated calls to pharmacies on your behalf.
Data shared: Medication name and dosage, prescription metadata (last refill date, prescriber name where applicable), and the destination pharmacy's phone number. Personal identifiers (your name, email, account credentials, address) are not shared with VAPI.
Purpose: Solely to enable the AI agent to place a phone call to the pharmacy and ask about your medication's availability.
Restrictions: VAPI is contractually prohibited from using your data for advertising, profiling, model training, or any purpose other than completing the pharmacy call. VAPI maintains HIPAA-compliant infrastructure with appropriate technical and organizational safeguards equivalent to those described in this policy.
Provider's privacy practices: https://vapi.ai/privacy

3.2 Supabase (Supabase Inc.)

Role: Backend database, authentication, and serverless function hosting.
Data shared: All Account Information, Health Information, Location Information, and Pharmacy Call History described above. Supabase hosts the database in which this data resides.
Purpose: To store your account and prescription information so the Service can authenticate you, schedule refill calls, and display your pharmacy results.
Restrictions: Supabase acts as a HIPAA-compliant infrastructure provider. Data is encrypted at rest and in transit. Supabase is contractually prohibited from accessing or using your data for any purpose other than providing the database service to RxCaller.
Provider's privacy practices: https://supabase.com/privacy

3.3 RevenueCat (RevenueCat, Inc.)

Role: Subscription and in-app purchase management.
Data shared: Anonymous app-generated user identifier, subscription status, and purchase events received from Apple App Store or Google Play. No health information, name, email, or address is shared with RevenueCat.
Purpose: To manage your subscription state and grant access to paid features after a successful purchase.
Provider's privacy practices: https://www.revenuecat.com/privacy

3.4 Pharmacies

To check whether your medication is in stock, our AI agent may state your medication name and the prescription details necessary to make the inquiry to a pharmacy employee. The AI agent does not share your name, contact information, or insurance details with the pharmacy unless you have explicitly enabled features (such as prescription transfer) that require it.

3.5 Apple and Google

Subscription billing is handled exclusively by the Apple App Store (iOS) or Google Play (Android). Apple and Google receive your payment information directly and provide RxCaller (via RevenueCat) only with anonymous purchase confirmation. RxCaller never sees or stores your full payment card details.

3.6 PostHog (PostHog Inc.)

Role: Product analytics provider used to help us understand which features of the app are working well and which need improvement.
Data shared: An anonymous device identifier generated by the PostHog SDK, product interaction events (screens viewed, buttons tapped, feature usage), device type, operating system version, app version, and basic crash/performance diagnostics.
Data NOT shared: Your name, email address, phone number, home address, date of birth, insurance details, medication names, prescription details, or any other protected health information. We do not share the Apple Identifier for Advertisers (IDFA) or any cross-app advertising identifier with PostHog.
Purpose: Solely to analyze product usage and improve the Service. PostHog data is not used for advertising, not used for cross-app tracking, and not shared with advertisers or data brokers.
Restrictions: PostHog acts as a data processor and is contractually prohibited from using your data for any purpose other than providing analytics services to RxCaller.
Provider's privacy practices: https://posthog.com/privacy

4. In-App Consent for Data Sharing

5. App Tracking Transparency

6. HIPAA Compliance

RxCaller is designed as a HIPAA-compliant Service. We implement physical, technical, and administrative safeguards to protect protected health information (PHI) as required by HIPAA. Specifically:

We maintain a comprehensive security program designed to protect PHI
We conduct regular risk assessments and security evaluations
We implement role-based access controls limiting who can view PHI
We encrypt PHI at rest and in transit using industry-standard encryption (TLS 1.2+ in transit; AES-256 at rest where applicable)
We maintain audit logs of all access to PHI
We have written breach notification procedures and will notify affected users within 60 days of discovery in the event of a reportable breach, as required by HIPAA
We require all third-party providers handling PHI on our behalf to maintain HIPAA-compliant infrastructure with safeguards equivalent to ours. Providers that do not handle PHI (such as PostHog, which receives only anonymous product analytics) are subject to standard data processing agreements rather than HIPAA Business Associate Agreements.

7. Data Retention

We retain your information only for as long as necessary to provide the Service and meet legal obligations:

Account and prescription data: Retained for the life of your account. Deleted within 30 days of account deletion.
Pharmacy call history: Retained for 12 months for service reliability and audit purposes, then automatically deleted.
Subscription records: Retained for 7 years to comply with tax and accounting requirements.
Server logs containing IP addresses and device identifiers: Retained for 90 days for security and debugging purposes, then deleted.
PostHog analytics events: Retained for 12 months on PostHog's infrastructure for product analysis, then automatically deleted.

8. Your Rights

You have the following rights with respect to your personal information:

Access: Request a copy of the personal information we hold about you.
Correction: Request correction of inaccurate or incomplete information.
Deletion: Request deletion of your personal information. See Section 9 for the in-app and web deletion process.
Portability: Request a portable copy of your data in a common machine-readable format.
Restriction or objection: Restrict or object to certain types of processing.
Withdrawal of consent: Withdraw any consent previously given.

To exercise these rights, contact us at privacy@rxcaller.com. We will respond within 30 days. We will not discriminate against you for exercising any of these rights.

9. Account and Data Deletion

You can delete your account and all associated personal information at any time:

From the app: Open the app, go to the Account tab, tap "Privacy & Data," and select "Delete Account."
From the web: Email privacy@rxcaller.com from your registered email address with the subject line "Delete My Account."

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) provides you with the following additional rights:

The right to know what personal information is collected, used, shared, or sold
The right to delete personal information held by us
The right to correct inaccurate personal information
The right to opt out of the sale or sharing of personal information
The right to limit use and disclosure of sensitive personal information
The right to non-discrimination for exercising your CCPA rights

RxCaller does not sell or share personal information for cross-context behavioral advertising as defined by the CCPA. To exercise your California rights, contact us at privacy@rxcaller.com.

11. International Users and Data Transfers

If you are in the European Economic Area (EEA) or United Kingdom, you have rights under the GDPR including the right to lodge a complaint with your local data protection authority.

12. Children's Privacy

13. Data Security

We implement appropriate technical and organizational security measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction. These measures include:

Encryption of sensitive data in transit (TLS 1.2+) and at rest
Secure, HIPAA-compliant infrastructure providers (Supabase, VAPI)
Role-based access controls and least-privilege principles
Regular security assessments and software updates
Mandatory authentication for all administrative access
Audit logging of access to PHI

14. Changes to This Privacy Policy

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us:

RxCaller, Inc.
Email: privacy@rxcaller.com
General support: support@rxcaller.com

HIPAA & Privacy Policy

Introduction

1. Information We Collect

2. How We Use Your Information

3. Third-Party Service Providers and Data Sharing

3.1 VAPI (Vapi Inc.)

3.2 Supabase (Supabase Inc.)

3.3 RevenueCat (RevenueCat, Inc.)

3.4 Pharmacies

3.5 Apple and Google

3.6 PostHog (PostHog Inc.)

4. In-App Consent for Data Sharing

5. App Tracking Transparency

6. HIPAA Compliance

7. Data Retention

8. Your Rights

9. Account and Data Deletion

10. California Privacy Rights (CCPA/CPRA)

11. International Users and Data Transfers

12. Children's Privacy

13. Data Security

14. Changes to This Privacy Policy

15. Contact Us

HIPAA & Privacy Policy

Introduction

1. Information We Collect

2. How We Use Your Information

3. Third-Party Service Providers and Data Sharing

3.1 VAPI (Vapi Inc.)

3.2 Supabase (Supabase Inc.)

3.3 RevenueCat (RevenueCat, Inc.)

3.4 Pharmacies

3.5 Apple and Google

3.6 PostHog (PostHog Inc.)

4. In-App Consent for Data Sharing

5. App Tracking Transparency

6. HIPAA Compliance

7. Data Retention

8. Your Rights

9. Account and Data Deletion

10. California Privacy Rights (CCPA/CPRA)

11. International Users and Data Transfers

12. Children's Privacy

13. Data Security

14. Changes to This Privacy Policy

15. Contact Us