Privacy Policy
Your privacy and data security are our top priorities. Learn how we protect your medical practice's information.
HIPAA Compliant
Enterprise-grade security with Business Associate Agreement available
No Data Selling
We never sell, rent, or share your practice data with third parties
Your Data, Your Control
Export or delete your data anytime with one-click controls
Information We Collect
When you create a Supplr account, we collect:
- Practice name and business information
- Your name, email address, and phone number
- Billing information (securely processed by Stripe)
- Practice type and location (for service optimization)
To provide inventory management services, we store:
- Product names, SKUs, and category information
- Expiration dates, quantities, and reorder thresholds
- Vendor information and purchase history
- Temperature monitoring data (if applicable)
Note: We do not collect patient information or medical records.
To improve our service, we automatically collect:
- Log data (IP addresses, browser type, pages visited)
- Feature usage patterns and preferences
- Device information and operating system
- Performance and error reporting data
How We Use Your Information
- Provide inventory tracking and alerts
- Generate reports and analytics
- Enable temperature monitoring
- Process payments and billing
- Send expiration and low-stock alerts
- Provide customer support
- Share product updates and features
- Send billing and account notifications
- Analyze usage patterns
- Develop new features
- Improve system performance
- Enhance security measures
- Comply with FDA regulations
- Maintain HIPAA compliance
- Respond to legal requests
- Protect against fraud
HIPAA Compliance
Supplr is HIPAA compliant and can serve as your Business Associate. We provide:
- Data Encryption: All data encrypted in transit and at rest using AES-256
- Access Controls: Role-based permissions and multi-factor authentication
- Audit Logs: Complete tracking of all data access and modifications
- BAA Available: Formal Business Associate Agreements for covered entities
- Staff Training: All employees trained on HIPAA requirements
Important Note:
While Supplr handles practice inventory data, we do not store Protected Health Information (PHI) such as patient records or medical history. Our focus is strictly on inventory management.
Data Sharing and Third Parties
We never sell, rent, or share your practice data with:
- Marketing companies or advertisers
- Data brokers or analytics firms
- Competitors or other medical software companies
- Social media platforms
Service Providers
Trusted vendors who help operate our service under strict contractual obligations:
- AWS (secure cloud hosting)
- Stripe (payment processing)
- Clerk (authentication services)
- SendGrid (transactional emails)
Legal Requirements
Only when required by law, court order, or regulatory investigation
Business Transfers
In the unlikely event of acquisition or merger (with 30-day advance notice)
Data Security Measures
- AES-256 encryption for all data
- TLS 1.3 for data transmission
- Multi-factor authentication
- Regular security audits
- Automated backup systems
- SOC 2 Type II certified data centers
- 24/7 physical security monitoring
- Biometric access controls
- Redundant power and cooling
- Fire suppression systems
- Background checks for all staff
- Regular security training
- Incident response procedures
- Access logging and monitoring
- Data retention policies
- SOC 2 Type II compliant
- HIPAA Business Associate
- FDA 21 CFR Part 11 ready
- ISO 27001 practices
- Annual penetration testing
Your Rights and Controls
- View all your stored data
- Download your data in CSV format
- Review access logs
- Update incorrect information
- Delete individual records
- Delete entire account
- Request permanent data purge
- 30-day retention for account recovery
- Customize alert preferences
- Opt out of marketing emails
- Choose notification methods
- Set quiet hours for alerts
- Manage user permissions
- Enable/disable integrations
- Export data before leaving
- Request data portability
Data Retention Policy
Active Accounts
Data retained as long as your account is active and for legitimate business purposes
Cancelled Accounts
Data retained for 30 days to allow account reactivation, then permanently deleted unless legally required to retain
Legal Requirements
Some data may be retained longer to comply with regulatory requirements (e.g., tax records for 7 years)
Backup Systems
Backup copies automatically purged within 90 days of data deletion
International Data Transfers
Supplr is based in the United States. If you are located outside the US, your information will be transferred to and processed in the United States where our servers are located.
Data Protection Measures
- Standard Contractual Clauses (SCCs) for EU data transfers
- Adequate protection measures as required by GDPR
- Regular assessment of data protection laws
- Encryption during all international transfers
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal and regulatory reasons.
Notification Process
- Email notification for significant changes
- In-app notifications for policy updates
- 30-day notice period for major changes
- Updated "Last Modified" date at top of policy
Your Options
- Review changes before they take effect
- Contact us with questions or concerns
- Cancel your account if you disagree with changes
- Request data export before cancellation