Privacy Policy

Effective Date: March 29, 2026 | Last Updated: March 29, 2026 | Operator: RxVortex LLC

1. Introduction

Welcome to verify.doctor (the "Platform"), operated by RxVortex LLC ("we," "us," or "our"). This Privacy Policy describes how we collect, use, disclose, and protect information when you use our prescriber onboarding verification, real-time license status monitoring, license tracking, and single sign-on (SSO) services.

By accessing or using verify.doctor, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Platform.

2. Scope

This Privacy Policy applies to all users of the Platform, including:

Providers (physicians, pharmacists, nurse practitioners, and other licensed prescribers) who create accounts and submit credentials for verification.
Pharmacy Organizations and other healthcare entities that use the Platform to verify and monitor prescriber credentials.
Visitors who browse our website or marketing pages.

3. Information We Collect

3.1 Information You Provide Directly

Identity Information: Full legal name, date of birth, Social Security Number (last four digits or full, as required for verification), NPI number, photographs or headshots.
Contact Information: Email address, phone number, mailing address.
Credential Information: Professional license numbers, DEA registration numbers, state license details, board certifications, education and training history, malpractice history, disciplinary actions.
Account Information: Username, password (hashed), multi-factor authentication settings, security questions.
Employer Information: Organization name, role, practice address, affiliated pharmacies or health systems.

3.2 Information Collected Automatically

Usage Data: Pages viewed, features used, timestamps, click patterns, search queries within the Platform.
Device and Browser Data: IP address, browser type and version, operating system, device identifiers, screen resolution.
Authentication Logs: Login timestamps, session duration, MFA method used, failed login attempts.

3.3 Information from Third Parties

State Licensing Boards: License status, expiration dates, disciplinary records, scope-of-practice details.
FSMB (Federation of State Medical Boards): Board action data, verification records.
NPPES (National Plan and Provider Enumeration System): NPI validation data, provider taxonomy information.
Connected EMR/EHR Systems: When you authorize SSO connections, we may receive provider identity and role information from connected electronic medical record systems.

4. How We Use Your Information

We use the information we collect for the following purposes:

Purpose	Legal Basis
Verify and validate prescriber credentials	Contractual necessity; Legitimate interest
Provide real-time license status monitoring	Contractual necessity
Facilitate single sign-on authentication	Contractual necessity; Consent
Maintain audit trails and compliance records	Legal obligation; Legitimate interest
Send account notifications and security alerts	Contractual necessity; Legitimate interest
Improve and develop the Platform	Legitimate interest
Comply with legal and regulatory requirements	Legal obligation

We do not sell your personal information. We do not use your information for advertising purposes.

5. How We Share Your Information

We may share your information only in the following circumstances:

5.1 With Your Consent or at Your Direction

When you authorize a pharmacy or healthcare organization to view your verification status, or when you use SSO to connect to a third-party application.

5.2 Service Providers

We work with trusted service providers who assist in operating the Platform (e.g., cloud hosting, email delivery, customer support). These providers are contractually obligated to protect your information and may only use it to perform services on our behalf.

5.3 Verification Sources

We exchange information with state licensing boards, FSMB, NPPES, and other verification databases as necessary to perform and maintain credential verification.

5.4 Legal Compliance

We may disclose information when required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

5.5 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.

6. Data Retention

We retain your information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law.

Data Type	Retention Period
Account and identity data	Duration of account plus 3 years after deletion
Credential and license data	Duration of account plus 7 years after deletion
Audit and authentication logs	7 years
Usage and analytics data	2 years (anonymized thereafter)
Marketing and communication preferences	Until withdrawn or account deletion

7. Security

We implement appropriate technical and organizational measures to protect your information, including:

Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
Access Controls: Role-based access controls, multi-factor authentication, and least-privilege principles govern access to systems and data.
Audit Logging: All access to sensitive data is logged and monitored. Audit logs are retained for compliance and security review.

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

8. HIPAA Compliance

8.1 Scope

verify.doctor is designed to support HIPAA compliance where applicable. The Platform processes credentialing and professional identity data, which may intersect with protected health information (PHI) in certain contexts.

8.2 Credentialing vs. PHI

The primary data processed by verify.doctor is provider credentialing information (license numbers, NPI, DEA registrations), which is generally not classified as PHI. However, when credentialing data is linked to patient care contexts through connected systems, HIPAA safeguards apply.

8.3 Business Associate Agreements

Where required, RxVortex LLC will enter into Business Associate Agreements (BAAs) with covered entities and their business associates. BAAs govern our obligations regarding the protection of PHI.

8.4 Breach Notification

In the event of a breach of unsecured PHI, we will notify affected individuals, the Department of Health and Human Services (HHS), and, where required, the media, in accordance with the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D).

8.5 United States Only

The Platform is intended for use within the United States. All data is stored and processed within the United States. We do not transfer personal data outside the United States.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

Access: Request a copy of the personal information we hold about you.
Correction: Request correction of inaccurate or incomplete information.
Deletion: Request deletion of your personal information, subject to legal retention requirements.
Restriction: Request restriction of processing in certain circumstances.
Portability: Request your data in a structured, commonly used, and machine-readable format.
Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at privacy@verify.doctor.

10. Cookies

verify.doctor uses essential cookies only. These cookies are strictly necessary for the operation of the Platform (e.g., session management, authentication, CSRF protection). We do not use advertising, analytics, or tracking cookies.

11. Children's Privacy

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 14 days' notice before the changes take effect, via email notification or a prominent notice on the Platform. Your continued use of the Platform after the effective date of the revised Privacy Policy constitutes your acceptance of the changes.

13. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

RxVortex LLC
5000 Plaza on the Lake, Suite 100 #2020
Austin, TX 78746
Email: privacy@verify.doctor