
Privacy Policy

Last updated: June 4, 2026

How Fizy Health collects, uses, shares, and protects information when you visit our website or use our clinic ordering platform.

This Privacy Policy describes our practices for business contacts, clinic administrators, authorized users, and visitors. It applies to information collected through fizy.health, app.fizy.health, and related support channels.

Fizy Health is a B2B software platform for licensed clinics. We are not a pharmacy, prescriber, or distributor. When you use the platform to order medications, pharmacy fulfillment partners — not Fizy — dispense and ship products.

Fizy LLC, DBA Fizy Health (“Fizy Health,” “Fizy,” “we,” “us,” or “our”) operates the Fizy Health marketing website and the clinic ordering platform at app.fizy.health. Questions: support@fizy.health.

1. Scope and roles

This policy covers personal information and business information we process in two contexts: (a) our public marketing website and lead forms, and (b) the Fizy Health ordering platform used by clinic organizations and their authorized staff.

When we create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered clinic, that processing is governed by our Business Associate Agreement (BAA) and HIPAA, which supplement this policy and, in case of conflict, control over it for PHI.

  • We act as a business associate when handling PHI submitted through the platform.
  • We act as a controller for account administration, billing, security, and marketing-site data unrelated to patient care.
  • Pharmacy partners act under their own privacy practices when fulfilling orders routed from the platform.

2. Information we collect

Account and organization data

When a clinic creates an organization, we collect business identity information such as legal entity name, clinic locations, billing contacts, tax identifiers where required, NPI and DEA numbers, prescriber credentials, user names, work email addresses, phone numbers, and role assignments.

Clinical and operational data

Through the platform you may submit patient identifiers, demographics, chart references, prescription details, ship-to addresses, and order history necessary to route fulfillment. You control what is submitted; we process it only to provide the services you request.

Payment information

Payment methods are tokenized through our payment processor integration. We do not store full card numbers or bank account numbers on Fizy servers. We retain tokens, billing addresses, charge metadata, invoices, and reconciliation records required for accounting and dispute resolution.

Platform usage and security data

We log authentication events, IP addresses, device and browser characteristics, API activity, error diagnostics, and audit records for sensitive reads and writes (including PHI-tagged access). This supports security monitoring, fraud prevention, and compliance obligations.

Marketing website and communications

If you submit a contact or demo request, we collect the fields you provide (name, work email, clinic name, role, message, and optional phone). We may also collect coarse analytics on page views and referral sources through standard web technologies.

3. How we use information

  • Provide, maintain, and improve the ordering platform, catalog, cart, checkout, autoship, notifications, and support.
  • Route orders and payment instructions to pharmacy fulfillment partners and payment processors.
  • Verify clinic, prescriber, and organization credentials (including NPI and DEA validation signals).
  • Process subscription fees, software facilitation fees, and disclosed processing fees.
  • Hold medication pass-through funds in segregated accounts and reconcile monthly transfers to our certified pharmacy network partner, as described in our platform terms.
  • Detect fraud, abuse, and security incidents; enforce our terms; and comply with law.
  • Send service, billing, and security notices to administrators and authorized users.
  • Respond to marketing inquiries and, with appropriate consent where required, send product updates to business contacts.

We do not use platform data to make clinical decisions, prescribe medications, or sell personal information. We do not use patient data for third-party advertising.

4. How we share information

We share information only as needed to operate the service, to comply with law, or at your direction:

  • Pharmacy fulfillment network (including our certified aggregator partner and dispensing pharmacies) — order details required to compound, dispense, and ship.
  • Payment processors — to tokenize, authorize, capture, and refund charges you approve.
  • Cloud infrastructure and database providers — hosting, backups, and encryption at rest under contract.
  • Email, SMS, and notification vendors — transactional messages you configure.
  • Professional advisors — lawyers, accountants, and auditors under confidentiality obligations.
  • Authorities — when required by valid legal process or to protect rights, safety, and security.

We require service providers that handle personal information or PHI to use it only for our instructions and to apply appropriate safeguards. We do not sell personal information and we do not share lead data with third parties for their independent marketing.

5. Payments and pass-through funds

Clinic payments for medication orders may flow through Fizy Health’s merchant account before medication costs are transferred to fulfillment partners. Medication amounts are pass-through — they are not Fizy revenue. We maintain separate accounting for software fees versus medication pass-through amounts.

Payment metadata (amounts, timestamps, tokens, and dispute records) is retained for billing integrity, chargeback response, and audit. Details appear on checkout receipts and organization billing exports.

6. Protected health information

PHI submitted through the platform is protected by administrative, technical, and physical safeguards, including tenant isolation (organization-scoped access controls), encryption in transit, structured audit logging on sensitive access, and role-based permissions.

  • An executed BAA is required before processing live PHI in production workflows.
  • Access to PHI is limited to authorized clinic users and Fizy personnel with a need to know for support, security, or legal compliance.
  • Breach notification and other HIPAA obligations are addressed in the BAA.

7. Data retention

We retain information for as long as your organization maintains an account and as required thereafter for legal, tax, audit, and dispute purposes. Audit and order records may be retained for multi-year periods consistent with healthcare and payment industry practice.

When you request account closure, we will deactivate access and apply retention or deletion schedules consistent with our BAA, applicable law, and legitimate business needs (such as completed order records and payment reconciliation).

8. Security

We implement industry-standard measures including TLS for data in transit, access controls, multi-factor authentication options, monitoring, and least-privilege internal access. No method of transmission or storage is completely secure; you are responsible for safeguarding credentials and promptly reporting suspected compromise to support@fizy.health.

9. Your choices and rights

Clinic administrators may update organization profile data, manage user access, and export certain operational records through the platform. Marketing contacts may opt out of non-essential email by following unsubscribe instructions or contacting us.

Depending on your jurisdiction, you or your patients may have rights to access, correct, delete, or restrict certain personal information. PHI rights requests involving patients should generally be directed through the clinic (as covered entity); we will assist our customers as required by the BAA and law.

10. Cookies and analytics

Our marketing site may use cookies and similar technologies for basic functionality, security, and aggregated analytics. The authenticated platform uses session and security cookies necessary to keep you signed in and protect accounts. You can control browser cookie settings; disabling certain cookies may limit site functionality.

11. Not for consumers or children

The platform is intended for licensed clinics and their authorized staff, not for patients or consumers acting on their own behalf. We do not knowingly collect personal information from children under 13 through the marketing site. If you believe we have received such information in error, contact us for deletion.

12. United States focus

Fizy Health is based in the United States and the platform is designed for U.S. clinic operations. If you access the service from other regions, you consent to processing in the United States subject to applicable transfer mechanisms where required.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised policy with a new “Last updated” date and, for material changes to platform processing, provide notice to organization administrators through email or in-product messages where appropriate.

14. Contact us

Privacy questions, requests, or security reports: support@fizy.health. For HIPAA-related inquiries, include your organization name and reference your executed BAA.

Mailing address

Fizy LLC, DBA Fizy Health
1309 Coffeen Ave, Suite 1200
Sheridan, WY 82801
United States