Privacy Policy

1. Information We Collect

We collect information in three ways: (1) information you provide directly to us, (2) information collected automatically when you use the Services, and (3) information we obtain from third-party sources. The categories and specific types of information we collect are described below.

1.1 Information You Provide Directly

You provide information directly to us when you:

• Create or manage an account
• Place an order for products or services
• Upload or transmit a prescription
• Subscribe to newsletters, promotions, or marketing communications
• Participate in surveys, promotions, or contests
• Contact our customer support or clinical pharmacist team via phone, email, or live chat
• Submit reviews, testimonials, or other user content
• Apply for employment

The types of information you may provide include:

• Contact Information: Full name, email address, phone number, billing and shipping addresses
• Account Credentials: Username, password, and security questions
• Payment Information: Credit/debit card numbers, bank account details, PayPal account information, billing address (processed through PCI-DSS-compliant third-party processors; we do not store full payment card numbers)
• Prescription and Health Information: Prescription details, medication names and dosages, drug allergies, medical history relevant to dispensing, insurance information, patient ID numbers, and other health data necessary to verify and fill your prescription (see Section 8 for more detail)
• Demographic Information: Age, date of birth, gender
• Professional Information: Employment details, education history, professional credentials (when applying for employment)
• Communications: Records of your interactions with our support team, including call recordings (where permitted by law)

Some information is required in order for you to use certain features of the Services. If you do not provide required information, you may be unable to use those features. Required fields are identified by an asterisk (*).

1.2 Information Collected Automatically

When you access or use the Services, we and our third-party partners may automatically collect certain information using cookies, pixels, web beacons, log files, and similar technologies. This information includes:

• Device and Browser Information: IP address, browser type and version, operating system, device type, screen resolution, language preferences
• Usage Data: Pages visited, time spent on pages, links clicked, search queries, referring URL, date and time stamps
• Location Data: General location based on IP address; precise geolocation data (collected only with your explicit consent)
• Interaction Data: How you interact with our emails (opens, clicks), advertisements, and website features
• Session Data: Authentication tokens, session identifiers, shopping cart contents

1.3 Information from Third-Party Sources

We may obtain information about you from the following third-party sources:

• Healthcare Providers: Prescription information transmitted electronically via the Surescripts network or other electronic health record (EHR) systems
• Payment Processors: Payment confirmation and fraud screening results
• Marketing Partners: Demographic and interest data to help us better understand our audience
• Social Networks: Information you authorize us to access when you connect your social media account
• Public Databases: Information from government and regulatory databases for verification and compliance purposes
• Shipping Carriers: Delivery confirmation and tracking status

If you provide information about another individual (e.g., a gift recipient), you represent that you have obtained their consent to disclose their information to us for the purposes described in this Privacy Policy.

2. Categories of Personal Information We Collect

The following table describes the categories of personal information we may have collected about consumers in the preceding twelve (12) months, the sources from which we collected it, and the business or commercial purpose for collection.

3. How We Use Information

We use the information we collect for the following business and commercial purposes. Where required by applicable law, we have identified the legal basis for each purpose (see Section 4).

Provide and Operate Services

• Process and fulfill orders, subscriptions, and transactions
• Verify prescriptions and perform Medication Therapy Management (MTM) reviews
• Screen for Drug-Drug Interactions (DDIs) and contraindications
• Establish, administer, and maintain your account
• Authenticate access and provide customer and clinical support
• Communicate order status, shipping updates, and service-related messages

Business Management and Improvement

• Operate, maintain, and secure our systems and infrastructure
• Perform troubleshooting, data analysis, testing, and research
• Develop new products, services, and features
• Understand user interactions and generate analytics
• Conduct quality assurance and regulatory audits

Communication and Marketing

• Respond to your requests, questions, and concerns
• Send transaction-related communications, invoices, and receipts
• Provide administrative messages and policy updates
• Send promotional and marketing communications (with your consent where required by law)
• Deliver personalized content and product recommendations

Protection and Compliance

• Detect and prevent fraud, abuse, and security incidents
• Protect our rights, property, and safety and those of our users
• Comply with applicable laws, regulations, and legal processes, including pharmacy board regulations
• Report adverse drug reactions to FDA MedWatch and MHRA Yellow Card Scheme
• Respond to law enforcement requests and court orders
• Maintain prescription records as required by federal and state law

We and our partners may use cookies and similar technologies to support the above uses. Please consult our Cookie Policy for more details.

4. Legal Basis for Processing

If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data only when we have a valid legal basis as required by the General Data Protection Regulation (GDPR). Our legal bases for processing are as follows:

Where we process special categories of personal data (such as health information), we do so on the basis of your explicit consent, or where necessary for the provision of healthcare services, or where otherwise permitted by applicable law.

5. Disclosure of Information

We may disclose your personal information in the following circumstances, as permitted by applicable law. We require all recipients to maintain the confidentiality and security of your information and to use it only for the purposes for which it was disclosed.

Service Providers

We disclose information to third-party service providers who process data on our behalf. These providers are contractually bound by Data Processing Agreements (DPAs) and are required to implement appropriate technical and organizational measures to protect your data. Categories of service providers include:

• Order fulfillment and dispensing pharmacies
• Payment processing and billing providers
• Shipping and logistics carriers
• Hosting and cloud infrastructure providers
• Email and communications platforms
• Analytics and advertising partners
• Security and fraud prevention services
• Auditors, legal advisors, and compliance consultants

Healthcare Providers and Networks

We may share prescription and health information with your prescribing healthcare provider, the Surescripts network, and other authorized healthcare entities as necessary to verify, fill, and manage your prescriptions and to perform MTM reviews.

Affiliates

We may share information with our parent company and subsidiaries for internal management, business operations, and service improvement. Affiliates are bound by this Privacy Policy.

Publicly

If you submit content for potential publication (e.g., product reviews, comments, testimonials), we may publish your name, screen name, or other information you provide. We will obtain your consent where required by law.

Sale or Merger of Business

We may transfer personal information in connection with a merger, acquisition, sale of assets, bankruptcy, or reorganization. We will require the acquiring entity to honor the privacy protections in this Privacy Policy or provide you with notice and an opportunity to opt out.

Legal Authorities and Compliance

We disclose information in response to court orders, subpoenas, search warrants, or other lawful requests from public authorities, including to meet national security or law enforcement requirements. We also disclose information to protect our legal rights, enforce our Terms and Conditions, and prevent harm.

Marketing Partners

We may disclose limited information to marketing partners and external brands for marketing purposes, where permitted by law and consistent with your communication preferences and opt-out choices. We do not sell your health information or prescription data for marketing purposes.

6. International Data Transfers

Order-CS is based in the United States, with its headquarters and primary data processing operations in Dallas, Oregon. Your personal information may be transferred to, stored, and processed in the United States and other countries where we or our service providers operate. These countries may have data protection laws that differ from those in your country of residence.

Safeguards for International Transfers: Where we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been deemed adequate by the European Commission or relevant regulatory authority, we rely on one or more of the following lawful transfer mechanisms:

• Standard Contractual Clauses (SCCs): We use the Standard Contractual Clauses approved by the European Commission (EU SCCs) and the UK International Data Transfer Agreement or Addendum, as applicable, to provide appropriate safeguards for cross-border data transfers.
• Adequacy Decisions: Where the European Commission or UK Secretary of State has determined that a destination country provides adequate data protection, we transfer data on that basis.
• Consent: In limited circumstances, we may transfer data based on your explicit consent, after informing you of the potential risks.

If you have questions about the specific safeguards applied to your personal data, please contact our Data Protection Officer at Elaine-Waller@order-cs.com.

7. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, to comply with our legal and regulatory obligations, to resolve disputes, and to enforce our agreements. The specific retention periods are as follows:

• Account Information: Retained for the duration of your active account plus twelve (12) months after account closure or termination, unless a longer period is required by law.
• Prescription and Health Records: Retained in accordance with federal and state pharmacy record-keeping requirements (typically a minimum of two (2) years for non-controlled substances and five (5) years for controlled substances under U.S. law, and as required by applicable laws in other jurisdictions).
• Transaction Records: Retained for the duration required by tax and accounting regulations (typically seven (7) years).
• Usage and Analytics Data: Retained for a period of twenty-six (26) months from the date of collection.
• Communications (Support Tickets, Emails, Chat Transcripts): Retained for three (3) years from the date of the last interaction.
• Call Recordings: Retained in accordance with applicable law, typically six (6) months to three (3) years depending on jurisdiction.
• Marketing Preferences and Consent Records: Retained for the duration of your subscription plus two (2) years after you unsubscribe.

After the applicable retention period, we will securely delete or de-identify your personal information. Where deletion is not feasible (e.g., data stored in backup archives), we will securely isolate the data from further processing until deletion is possible.

8. Health Information and HIPAA Compliance

As a licensed pharmacy reference service and mail-order pharmacy dispensing platform, we collect, use, and disclose protected health information (PHI) as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations.

8.1 Types of Health Information We Collect

In connection with providing pharmacy services, we may collect the following health information:

• Prescription details (medication name, strength, dosage form, quantity, directions for use)
• Prescriber information (name, DEA number, NPI, contact information)
• Patient medical history relevant to dispensing (diagnoses, allergies, current medications)
• Drug-Drug Interaction (DDI) screening results
• Medication Therapy Management (MTM) review records
• Adverse Drug Reaction (ADR) reports
• Insurance and health plan information
• Laboratory values relevant to medication therapy (when provided by you or your prescriber)

8.2 How We Protect Health Information

We maintain administrative, physical, and technical safeguards that comply with HIPAA Security Rule requirements, including:

• Encryption of PHI in transit (TLS 1.3 with Perfect Forward Secrecy) and at rest (AES-256)
• Strict access controls based on the principle of least privilege
• Multi-factor authentication for all systems containing PHI
• Regular security risk assessments and penetration testing
• Audit logging of all access to PHI
• Business Associate Agreements (BAAs) with all service providers that handle PHI
• Workforce training on HIPAA privacy and security policies
• Incident response and breach notification procedures

8.3 Uses and Disclosures of Health Information

We use and disclose PHI for the following purposes:

• Treatment: To verify prescriptions, perform MTM reviews, screen for DDIs and contraindications, and coordinate with your healthcare providers.
• Payment: To process payments, bill insurance plans, and manage accounts.
• Healthcare Operations: To conduct quality improvement activities, audits, and regulatory compliance.
• As Required by Law: To report adverse events to FDA MedWatch, MHRA Yellow Card Scheme, and other regulatory authorities; to comply with pharmacy board requirements; to respond to lawful requests.

We do not use or disclose your health information for marketing purposes without your written authorization, except as permitted by HIPAA (e.g., refill reminders, treatment alternatives).

8.4 Individual Rights Under HIPAA

If you are a U.S. resident, you have the following rights regarding your health information under HIPAA:

• Right to Access: Request a copy of your protected health information.
• Right to Amend: Request correction of inaccurate or incomplete health information.
• Right to an Accounting of Disclosures: Request a list of disclosures made for purposes other than treatment, payment, or healthcare operations.
• Right to Request Restrictions: Request restrictions on how we use or disclose your health information.
• Right to Confidential Communications: Request that we communicate with you about your health information by alternative means or at alternative locations.
• Right to File a Complaint: File a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights if you believe your privacy rights have been violated.

View our complete HIPAA Notice of Privacy Practices →

9. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information. We will handle all requests in accordance with applicable law and will respond within the timeframes required by law (typically 30 to 45 days, with one extension where permitted).

9.1 Your Rights at a Glance

• Right to Know/Access: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purpose for collection, and the categories of third parties with whom we have shared your information.
• Right to Delete: Request deletion of personal information we have collected from you, subject to legal and operational exceptions (e.g., prescription record-keeping requirements).
• Right to Correct: Request correction of inaccurate personal information that we maintain about you.
• Right to Opt-Out: Direct us not to sell or share your personal information for cross-context behavioral advertising purposes.
• Right to Data Portability: Request a copy of your personal data in a structured, commonly used, machine-readable format and transfer it to another data controller.
• Right to Restrict Processing: Request restriction of processing of your personal data in certain circumstances.
• Right to Object: Object to processing of your personal data for direct marketing purposes or on grounds relating to your particular situation.
• Right to Non-Discrimination: You will not receive discriminatory treatment for exercising any of your privacy rights.
• Right to Appeal: If your request is denied in whole or in part, you may have the right to appeal that decision. Instructions for submitting an appeal will be provided in our response.

9.2 How to Exercise Your Rights

To exercise any of your privacy rights, please submit a request using one of the following methods:

• Email: privacy@order-cs.com
• Phone: +1-888-523-7141
• Web: Visit our Privacy Policy page and use the contact details in Section 17
• Mail: 625 SE Miller Ave, Dallas, OR 97338, U.S.A, Attn: Privacy Rights Request

We may need to verify your identity before processing your request. Verification may require you to provide personal identifiers that we compare against our records or submit your request through your authenticated account. We will use information collected during verification solely for that purpose.

You may also designate an authorized agent to make requests on your behalf. We will require the agent to provide proof of your written authorization and verify their identity.

If you believe that our processing of your personal data violates applicable law, you have the right to lodge a complaint with your local data protection authority. We encourage you to contact us first at privacy@order-cs.com so that we may attempt to resolve your concerns.

9.3 Additional Rights for EEA/UK Residents

If you are located in the EEA or the UK, you additionally have the right to lodge a complaint with your local supervisory authority under the GDPR (or UK GDPR). Contact details for EU/UK supervisory authorities are available at edpb.europa.eu (EEA) and ico.org.uk (UK).

10. Opt-Out and Preference Choices

We provide you with choices about how we use and share your personal information.

Marketing Communications

You may opt out of receiving promotional emails from us at any time by following the unsubscribe instructions in those emails or by contacting us directly. Even if you opt out of marketing communications, you will continue to receive transaction-related and service-related communications (e.g., order confirmations, shipping updates, policy changes).

Account and Payment Information

If you maintain an account with us, you may update, correct, or delete certain personal information (such as contact details, shipping addresses, and payment methods) by logging into your account settings.

Opt-Out of "Sale" or "Sharing" of Personal Information

Under the CPRA and certain other U.S. state laws, you have the right to opt out of the "sale" or "sharing" of your personal information for cross-context behavioral advertising. As defined by these laws, we may "sell" or "share" personal information when we allow certain advertising and analytics partners to collect information about your online activities via cookies and similar technologies. You may opt out by:

• Adjusting your cookie preferences on our website (Cookie Consent Manager)
• Enabling a browser-based Global Privacy Control (GPC) signal
• Contacting us directly at privacy@order-cs.com with your opt-out request

Cookies and Personalized Advertising

You may manage cookies through your browser settings or our Cookie Consent Manager. Blocking or deleting cookies may impact the functionality of the Services. You may also use industry tools such as the Network Advertising Initiative or the Digital Advertising Alliance to opt out of certain interest-based advertising.

11. Cookies and Similar Technologies

Our website uses cookies, pixels, web beacons, and similar tracking technologies to enhance your experience, analyze usage, and support our marketing efforts. We categorize cookies as follows:

Categories of Cookies We Use

Your Cookie Choices

When you first visit our website, you will be presented with a cookie consent banner that allows you to:

• Accept all cookies
• Reject all non-essential cookies
• Customize your cookie preferences by category

You can change your cookie preferences at any time by clicking the "Cookie Preferences" link in the website footer.

For a complete list of the specific cookies we use, their purposes, and their retention periods, please see our Cookie Policy.

12. Third-Party Websites and Services

Our Services may contain links to websites, applications, or services operated by third parties, including social media platforms, payment processors, and healthcare networks. We are not responsible for the privacy practices of such third parties, and the inclusion of a link does not imply our endorsement of the third party, its services, or its policies.

13. Security of Personal Information

We maintain a comprehensive security program that includes administrative, technical, and physical safeguards designed to protect your personal information against unauthorized access, disclosure, alteration, or destruction. Our security measures include:

• Encryption: All data transmitted between your browser and our systems is encrypted using TLS 1.3 with Perfect Forward Secrecy (PFS). Personal information at rest is encrypted using AES-256.
• Access Controls: Strict role-based access controls, multi-factor authentication, and the principle of least privilege govern access to personal information.
• Network Security: Firewalls, intrusion detection and prevention systems, and 24/7 network monitoring.
• Security Audits: Regular vulnerability assessments, penetration testing, and security risk assessments conducted by independent third parties.
• Incident Response: Documented incident response plan with breach notification procedures to comply with applicable law.
• Workforce Training: Annual privacy and security awareness training for all employees and contractors.
• Physical Security: Secure data centers with biometric access controls, video surveillance, and environmental controls.

14. Children's Privacy

Our Services are not directed to children under the age of 16, and we do not knowingly collect personal information from children under 16 without appropriate parental or guardian consent where required by law. The Services are intended for individuals who are at least 18 years of age or the age of majority in their jurisdiction.

If we learn that we have collected personal information from a child under 16 contrary to law, we will take reasonable steps to delete that information. Our Services are not intended for and do not knowingly collect information from children under 13, and we comply with the Children's Online Privacy Protection Act (COPPA) to the extent applicable.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or business operations. When we make changes, we will update the "Effective Date" at the top of this page and post the revised policy on the Services.

Material Changes: If we make a material change to this Privacy Policy, we will provide you with at least thirty (30) days' advance notice by email to the email address associated with your account and/or by posting a prominent notice on our website. Material changes include, but are not limited to, changes in the categories of personal information collected, changes in the purposes for which information is used, and changes in the parties with whom information is shared.

Where required by applicable law, we will obtain your consent before implementing material changes.

16. Your California Privacy Rights (CPRA)

This section applies to residents of California and supplements the information in this Privacy Policy. It is intended to comply with the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, "CPRA"). Any terms defined in the CPRA have the same meaning when used in this section.

Categories of Personal Information Collected and Disclosed

In the preceding twelve (12) months, we have collected the following categories of personal information from California residents:

• Identifiers: Name, contact information, account credentials, IP address, device ID
• Protected Health Information (PHI): Prescription records, medical history, medication information (see Section 8)
• Commercial Information: Order history, purchase records, customer service records
• Internet/Network Activity: Browsing history, search history, interaction with website
• Geolocation Data: IP-based location
• Audio/Visual: Call recordings, chat transcripts
• Professional Information: Employment and licensing data
• Inferences: Preferences, characteristics, behavior profiles

Sale or Sharing of Personal Information

We may "sell" or "share" personal information as those terms are defined under CPRA when we allow certain advertising or analytics partners to collect or receive information about you via cookies or similar technologies, or when we disclose certain identifiers or contact information to affiliated or third-party marketers, subject to your choices and applicable law. In the preceding twelve (12) months, we may have sold or shared the following categories of personal information for cross-context behavioral advertising:

• Identifiers: IP address, device ID, cookie ID
• Internet/Network Activity: Browsing history, interaction with website features
• Inferences: Preferences and interests

We do not sell or share the personal information of any individual we know to be under 16 years of age.

We do not sell Protected Health Information (PHI) or prescription data for marketing purposes.

Your California Rights

• Right to Know: You have the right to request that we disclose the specific pieces and categories of personal information we have collected about you, the sources from which it was collected, the business or commercial purpose for collection, and the categories of third parties with whom it was shared.
• Right to Delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (e.g., to complete a transaction, detect security incidents, or comply with legal obligations).
• Right to Correct: You have the right to request correction of inaccurate personal information that we maintain about you.
• Right to Opt-Out: You have the right to direct us not to sell or share your personal information for cross-context behavioral advertising. You may exercise this right by clicking "Do Not Sell or Share My Personal Information" on our website, enabling GPC, or contacting us.
• Right to Limit Use of Sensitive Personal Information: You have the right to limit the use of your sensitive personal information (including health information) to purposes necessary for providing the Services or as otherwise permitted by law.
• Right to Non-Discrimination: You will not receive discriminatory treatment for exercising any of your CPRA rights.

Exercising Your California Rights

To exercise your CPRA rights, you may contact us using the details below. Please specify that you are a California resident and the nature of your request.

We may require sufficient information to verify your identity before acting on your request. You may also designate an authorized agent to make requests on your behalf, subject to verification. We will respond to verified requests within 45 days (extended by an additional 45 days where reasonably necessary, with notice).

17. Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy, our data practices, or your privacy rights, please contact us using the details below. We will respond to your inquiry as promptly as possible, typically within 30 days.

18. Data Controller and Data Protection Officer

Data Controller

Data Protection Officer (DPO)