    Privacy Policy

    How QR Rx collects, uses, and safeguards your information, and the rights you have around it.

    Last updated · May 5, 2026

    Your privacy matters to us. This Privacy Policy explains how QR Rx ("we," "us," or "our") collects, uses, protects, and shares your information when you use our digital aftercare management platform. We are committed to safeguarding your health information and maintaining compliance with applicable privacy laws, including the Health Insurance Portability and Accountability Act (HIPAA).

    §1

    Definitions

    Protected Health Information (PHI) refers to individually identifiable health information that is created, received, maintained, or transmitted by QR Rx on behalf of a healthcare provider. This includes your name, date of birth, procedure details, medications, symptom logs, recovery progress, and any other information linked to your care.

    Covered Entity refers to the healthcare provider (hospital, clinic, dental practice, pharmacy, or therapy practice) that uses QR Rx to manage your aftercare.

    Business Associate refers to QR Rx when we handle PHI on behalf of a Covered Entity under a Business Associate Agreement (BAA).

    §2

    Information we collect

    Patient health information:

    • Name, date of birth, phone number, and email address
    • Procedure and encounter details (type, date, provider notes)
    • Medication names, dosages, schedules, and adherence records
    • Symptom logs, severity ratings, and recovery milestones
    • Messages between you and your care team
    • Survey responses and feedback

    Provider account information:

    • Practice name, address, phone number, and website
    • Team member names, email addresses, and roles
    • Account credentials (passwords are hashed and never stored in plain text)
    • Google account information if you sign in with Google (email address, name, and profile picture)
    • Practice branding (logo, colors, custom messages)

    Usage and device information:

    • Device type, browser, and operating system
    • Pages visited and features used
    • QR code scan events and verification attempts
    • IP address (used for security and audit logging only)

    §3

    How we use your information

    • Treatment: Delivering personalized care plans, medication reminders, and recovery milestone tracking to support your aftercare.
    • Healthcare operations: Enabling providers to monitor patient progress, generate outcome analytics, and coordinate care among authorized team members.
    • Communication: Sending appointment reminders, medication alerts, and care-related messages by email and SMS.
    • Service improvement: Analyzing de-identified, aggregate data to improve QR Rx features and patient outcomes (no individual can be identified from this data).
    • Security: Logging access attempts, verifying identity through access PINs, and detecting unauthorized use.
    • AI-assisted features: Providing language translation of care plans, automated brand color extraction, and the optional Cura care plan assistant described in Section 13. AI-generated content is not used for clinical decision-making.

    §4

    How we protect your information

    We take the security of your data seriously. Our safeguards include:

    • Encryption: All data is encrypted in transit using TLS 1.2+ and encrypted at rest.
    • Access controls: Role-based access ensures only authorized team members can view patient data. Providers manage their own team permissions.
    • Access PINs: Patient care plans are protected by unique access PINs that must be verified before any health information is displayed.
    • Session security: Patient sessions are protected by secure tokens that expire at the end of the recovery window (typically the procedure date plus the recovery period plus seven days). Session data is stored locally on your device and is not accessible to other users.
    • Remember this device (optional): When you check the "Remember this device for 30 days" box on the care plan sign-in form, your session token is saved to this device's local storage so you can reopen the care plan without re-entering your date of birth and access PIN. The remembered session is capped at 30 days regardless of recovery length, is scoped to the specific device you opted in on, and can be cleared at any time by tapping "Sign out of this device" on your care plan. This option is off by default and should not be enabled on a shared or public device.
    • Audit logging: We maintain detailed logs of data access and modifications for security monitoring and compliance.
    • Minimum necessary standard: We limit access to PHI to the minimum amount needed to accomplish the intended purpose.

    §5

    HIPAA compliance

    QR Rx is designed to support HIPAA compliance for healthcare providers (Covered Entities). When we handle PHI on behalf of a provider, we act as a Business Associate under HIPAA.

    • Business Associate Agreements: All provider accounts are required to accept our Business Associate Agreement (BAA) during registration before accessing the platform.
    • Administrative safeguards: Staff training, access management policies, and incident response procedures.
    • Physical safeguards: Data hosted on infrastructure covered by a SOC 2 Type II attestation report, with physical access controls and environmental protections.
    • Technical safeguards: Encryption, access controls, audit trails, and automatic session termination.
    • Notice of Privacy Practices: This Privacy Policy serves as our notice of how we, as a Business Associate, use and disclose PHI. Your healthcare provider, as the Covered Entity, issues its own Notice of Privacy Practices, which also applies to your care.

    §6

    How we share your information

    We share your information only in the following circumstances:

    • With your healthcare provider: Your care plan data is accessible to the provider who created it and their authorized team members.
    • Service providers: We use trusted third-party services for hosting, file storage, email delivery, SMS delivery, translation, and AI-assisted features. Current service providers are Render, Inc. (compute hosting and Postgres database), Amazon Web Services, Inc. (file storage on S3, encryption keys in AWS KMS), Paubox, Inc. (HIPAA-compliant transactional email delivery), Telnyx LLC (SMS delivery), Google LLC (Cloud Translation API for procedure-level care plan translation; no patient identifiers are transmitted), and Anthropic, PBC (the Cura AI care plan assistant described in Section 13). Every provider that handles Protected Health Information has a signed Business Associate Agreement with QR Rx. Anthropic does not handle PHI: we de-identify every payload before it leaves our infrastructure. All service providers are additionally bound by confidentiality agreements. The current subprocessor list, including each provider's role, region, data accessed, and BAA status, is at qrrx.io/subprocessors.
    • As required by law: We may disclose PHI when required by law, including in response to court orders, subpoenas, or government investigations. We may also disclose information for public health activities, to report abuse or neglect, or to avert a serious threat to health or safety.
    • De-identified data: We may use and share data that has been de-identified in accordance with the HIPAA de-identification standard (45 CFR 164.514, either by Safe Harbor removal of the listed identifiers or by expert determination). De-identified data is not individually identifiable and is not PHI.

    §7

    We never sell your data

    QR Rx does not sell, rent, or trade your personal health information. Period. We do not use your data for advertising purposes. We do not share your information with data brokers or marketing companies.

    §8

    Cookies and local storage

    QR Rx does not use advertising cookies or third-party tracking pixels. We use your browser's local storage to maintain patient session tokens (which remain valid for the duration of your recovery window, typically the procedure date plus the recovery period plus seven days) and to remember your language and display preferences. When you opt into "Remember this device for 30 days" on the care plan sign-in form, your session token is also persisted to this device with a 30-day maximum lifetime, scoped to the specific device you opted in on. You can clear the remembered session at any time using the "Sign out of this device" link on your care plan. No health information is stored in cookies.

    §9

    Data retention and deletion

    • Care plan data: Retained for the duration of the provider's active subscription. Upon account termination, providers have 30 days to export their data, after which care plan data is permanently deleted; audit logs are retained separately as described below.
    • Patient sessions: Session tokens remain valid for the duration of the recovery window (typically the procedure date plus the recovery period plus seven days) and are automatically removed once expired.
    • Audit logs: Retained for a minimum of six years as required for HIPAA compliance.
    • Provider accounts: Retained while the account is active. Providers may request deletion by contacting support.
    • Patient data deletion: Patients may request deletion of their data at any time by contacting their provider or by reaching out to us directly. We will process deletion requests within 30 days, subject to legal retention requirements.

    §10

    Children's privacy

    QR Rx may be used by healthcare providers who treat minors, including pediatric practices. Care plans for patients under 13 are created and managed by the treating provider. We do not knowingly collect personal information directly from children under 13 without a provider or parent/guardian acting on their behalf. If you believe a child's information has been collected improperly, please contact us immediately.

    §11

    Your rights

    You have the right to:

    • Access: Request a copy of the personal and health information we hold about you.
    • Correction: Request correction of inaccurate or incomplete information.
    • Deletion: Request deletion of your data, subject to legal retention requirements.
    • Restriction: Request that we limit certain uses of your information.
    • Portability: Receive a copy of your data in a commonly used, machine-readable format.
    • Complaint: File a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights if you believe your privacy rights have been violated. We will never retaliate against you for filing a complaint.

    To exercise any of these rights, contact us at privacy@qrrx.io.

    §12

    Breach notification

    In the unlikely event of a breach involving your unsecured PHI, we will notify the affected healthcare provider (the Covered Entity) and, in coordination with them, affected individuals within 30 days of discovering the breach, which is sooner than the 60-day outer limit set by the HIPAA Breach Notification Rule. We will also notify the U.S. Department of Health and Human Services and, where required, prominent media outlets, or support the provider in doing so where that obligation rests with them. Breach notifications will describe the nature of the breach, the types of information involved, steps you can take to protect yourself, and what we are doing to investigate and mitigate the breach.

    §13

    Cura AI care plan assistant and the verified knowledge base

    Our platform includes an optional AI care plan assistant called Cura that helps patients find information within their own provider's care plan. Cura is enabled or disabled by your healthcare provider at their discretion.

    When a patient submits a question, Cura answers from these sources in order: (1) the provider's own verified FAQ library for that procedure; (2) the cross-clinic verified knowledge base described below; (3) a short-term cache of recent answers; and only as a last resort (4) a third-party large language model operated by Anthropic, PBC. Before any payload reaches Anthropic, all personally identifiable information, including patient names, dates of birth, email addresses, and phone numbers, is removed from the question. Only care plan content (instructions, medication names, dosages, and milestone descriptions) created by your healthcare provider is sent alongside the scrubbed question. No protected health information (PHI) is transmitted to the AI service. Questions and responses are not used by Anthropic for model training and are not retained beyond the immediate response, under the zero-data-retention terms that govern our API traffic with Anthropic.

    Cross-clinic verified knowledge base. Over time, when multiple independent clinical teams verify the same procedure-specific aftercare answer (for example, "is bruising at week two normal after this procedure"), that answer pattern may be promoted into a shared, non-PHI library called the Cura Knowledge Base. Patients see entries from this library labeled with a "Verified by N clinical teams" trust signal. The Knowledge Base is keyed by procedure type, recovery-day window, and answer category, never by clinic identity, never by patient identity, and never by the original asking patient's question text. We do not republish your question to other clinics or patients. We do not display which clinic contributed which answer. We do not sell, license, or share the Knowledge Base with third parties for any commercial purpose, and we do not use it for advertising.

    Why this exists. A single clinic answers a few thousand questions a year. A verified, clinician-reviewed library across thousands of clinics answers many more, with consistency that no single clinic can match alone. Our long-term intent is to build a trustworthy, clinician-verified layer of aftercare information that patients across the platform can rely on, without ever exposing any individual clinic's patient population or proprietary protocols. Healthcare providers may request, at any time, that their contributions be removed from the Knowledge Base by emailing privacy@qrrx.io. See the BAA at qrrx.io/baa for the provider-side mechanics.
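    The ordered lookup and the de-identification gate described in this section, and the identity-free keying of the Knowledge Base, modelled as an added example in Python. This is illustrative code written for this page, not QR Rx's implementation: the FAQ and knowledge-base entries are constructed sample data, the identifier patterns are a minimal assumption (a production scrubber would cover the full HIPAA Safe Harbor identifier list), and stub_llm stands in for the third-party API call. What it adds to the prose is the fail-closed check: if anything identifiable survives scrubbing, the model is never called.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PatientContext:
    """Identifiers that must never leave the platform, plus routing fields."""
    name: str
    dob: str            # "YYYY-MM-DD"
    email: str
    phone: str
    provider_id: str
    procedure: str
    recovery_day: int   # days since the procedure


# Tier 1: the provider's own verified FAQ library (constructed sample data).
PROVIDER_FAQ = {
    ("clinic-a", "knee_arthroscopy"): {
        "bruising": "Bruising around the knee is expected for up to two weeks; "
                    "call us if it spreads down the calf.",
    },
}

# Tier 2: shared knowledge base keyed by procedure, recovery-day window and
# answer category only; no clinic or patient identity appears in the key.
KNOWLEDGE_BASE = {
    ("knee_arthroscopy", (1, 14), "swelling"): (
        "Mild swelling in the first two weeks is normal; elevate the leg and "
        "ice for 20 minutes at a time.", 4),   # (answer, verifying teams)
}

# Tier 3: short-term cache of recent answers, keyed without patient identity.
_answer_cache = {}

CATEGORY_KEYWORDS = {"bruis": "bruising", "swell": "swelling", "fever": "fever"}

# Generic identifier patterns (assumed minimal set) applied after the known-field scrub.
_PATTERNS = [
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),                                      # e-mail
    re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),  # US phone
    re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),              # dates
]


def categorize(question):
    """Map a free-text question to an answer category (toy keyword match)."""
    q = question.lower()
    for stem, cat in CATEGORY_KEYWORDS.items():
        if stem in q:
            return cat
    return None


def _identifier_regexes(ctx):
    """Exact known values, each name token as a whole word, then generic patterns."""
    exact = [re.compile(re.escape(v), re.IGNORECASE)
             for v in (ctx.name, ctx.dob, ctx.email, ctx.phone)]
    tokens = [re.compile(r"\b" + re.escape(t) + r"\b", re.IGNORECASE)
              for t in ctx.name.split()]
    return exact + tokens + _PATTERNS


def deidentify(question, ctx):
    """Replace the patient's known identifiers and generic identifier patterns."""
    text = question
    for pat in _identifier_regexes(ctx):
        text = pat.sub("[REDACTED]", text)
    return text


def assert_no_identifiers(text, ctx):
    """Fail closed: refuse to send anything that still carries an identifier."""
    for pat in _identifier_regexes(ctx):
        if pat.search(text):
            raise ValueError("identifier survived de-identification; not calling the LLM")


def stub_llm(payload):
    """Stand-in for the third-party model call (assumed to be an HTTP API in practice)."""
    return "General guidance: follow your care plan and contact your care team if unsure."


def answer(question, ctx, care_plan, llm=stub_llm):
    """Return (answer, tier) following the ordered lookup; the LLM is the last resort."""
    category = categorize(question)
    faq = PROVIDER_FAQ.get((ctx.provider_id, ctx.procedure), {})
    if category in faq:                                                   # tier 1
        return faq[category], 1
    for (proc, (lo, hi), cat), (text, n_teams) in KNOWLEDGE_BASE.items():
        if proc == ctx.procedure and cat == category and lo <= ctx.recovery_day <= hi:
            return f"{text} (Verified by {n_teams} clinical teams)", 2    # tier 2
    cache_key = (ctx.procedure, ctx.recovery_day, category)
    if cache_key in _answer_cache:                                         # tier 3
        return _answer_cache[cache_key], 3
    clean = deidentify(question, ctx)
    assert_no_identifiers(clean, ctx)        # gate: nothing identifiable leaves
    payload = {"procedure": ctx.procedure, "recovery_day": ctx.recovery_day,
               "care_plan": care_plan, "question": clean}   # provider content only
    result = llm(payload)                                                  # tier 4
    _answer_cache[cache_key] = result
    return result, 4
```

    Two design points worth noting: the knowledge-base and cache keys carry procedure, recovery-day window and category but never a clinic or patient identifier, matching the keying rule stated above, and the gate re-scans the scrubbed text with the same patterns rather than trusting that substitution succeeded, so a scrubber bug stops the outbound call instead of leaking.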

    §14

    California privacy rights (CCPA / CPRA)

    If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). These rights apply to information that QR Rx collects in our role as a service provider to your healthcare provider, and they sit on top of (not in place of) the HIPAA rights described elsewhere in this policy.

    We do not sell or share personal information. QR Rx does not sell personal information for monetary or other valuable consideration, and does not share personal information for cross-context behavioral advertising. We have not done either of these things in the past twelve months and we have no intention of doing them in the future.

    Categories of personal information we collect. Identifiers (name, email, phone, account credentials), protected health information (procedure type, medications, recovery and symptom logs, messages with your care team), commercial information (subscription and billing records, on the provider side), internet or other electronic network activity (pages visited, scan and verification events), geolocation data (only to the extent your IP address resolves to a coarse region), professional information (provider role, practice affiliation), and inferences drawn from the above to operate the platform. We do not collect biometric information, sensory data, or precise geolocation.

    Sources, purposes, retention, and disclosures. The sources, purposes for collection, retention periods, and categories of recipients for each of the above are described in Sections 2, 3, 6, and 9 of this policy. We disclose personal information only as described in Section 6 (with your healthcare provider, with HIPAA-aligned service providers under signed BAAs, as required by law, or in de-identified form). We do not disclose personal information for any other business purpose.

    Your California rights. You may request to (i) know what personal information we hold about you, (ii) access a copy of that information in a portable format, (iii) correct inaccurate information, (iv) delete your information (subject to legal retention requirements such as the six-year HIPAA audit trail), and (v) limit the use and disclosure of sensitive personal information to what is necessary to deliver the service. We will never discriminate against you for exercising any of these rights, including by denying service, charging a different price, or providing a different level of service.

    How to exercise these rights. Email privacy@qrrx.io with the subject line "California Privacy Request" and a description of which right you are exercising. We will verify your identity using information already on file and respond within 45 days, with one possible 45-day extension if more time is needed (we will notify you in advance). You may also designate an authorized agent in writing to make a request on your behalf; we will require proof of authorization.

    PHI carve-out. Some of the information we hold is Protected Health Information under HIPAA. For PHI, your HIPAA rights described in Section 11 take precedence over the CCPA rights above. If a request would conflict with HIPAA (for example, requesting deletion of a record we are required to retain for the HIPAA audit trail), we will explain the conflict in our response.

    §15

    Changes to this policy

    We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting a prominent notice within the application or by sending you a notification. We encourage you to review this policy periodically. Your continued use of QR Rx after changes are posted constitutes your acceptance of the updated policy.

    §16

    Contact us

    For privacy-related questions, concerns, or to exercise your rights, please reach out to us:

    Email: privacy@qrrx.io
    Subject line: Privacy Inquiry

    We aim to respond to all privacy inquiries within 10 business days.