This Privacy Policy describes how Apple Specialty Pharmacy LLC ("ASP," "we," "us," "our") collects, uses, shares, and protects personal information about three groups of people:
| Category | Examples | Purpose |
|---|---|---|
| Account info | Username, name, role, password hash, email if provided | Authenticate; authorize actions per role |
| Session metadata | JWT session cookie, CSRF token cookie, last login time, IP address, browser user-agent | Maintain login; security audit |
| Work product | Plans of Treatment (POT) drafts and submissions you authored, signature image you uploaded for clinical documentation | Deliver the service; clinical record-keeping |
| Audit log | Time-stamped records of every privileged action you take (sign-in, role grant, signature send, data export) | HIPAA Security Rule § 164.312(b); breach investigation |
| AI usage | If you use the AI assistant: tokenized prompts (PHI stripped before forwarding), response, token counts, cost | Quality assurance; cost-cap enforcement |
| Feedback | Bug reports, feature requests, and other submissions you make through the feedback widget | Improve the service |
We do not collect personal information directly from patients through this website. Patient health information (PHI) is recorded by ASP clinical staff during the course of treatment and is covered exclusively by our Notice of Privacy Practices. Patients exercise their rights under HIPAA, which we honor in full.
We use the information described above only for the purposes listed alongside it. We do not:
We share personal information only with:
A current registry of business associates and sub-processors is maintained internally and is available on request.
| Data type | Retention |
|---|---|
| Clinical records (POTs, Care Plans, signed PDFs) | 7 years from completion, per California pharmacy regulation (Cal. Code Regs. tit. 22) and HIPAA's minimum 6-year retention requirement |
| Audit log (security events, consent records) | 6 years minimum, per HIPAA Security Rule § 164.530(j) |
| Staff account info | Active while employed; deactivated within 24 hours of termination; identifying fields tombstoned after 90 days |
| Session cookies | Cleared on logout or after 8 hours of inactivity |
| HTTP request logs (Azure App Service) | 30–90 days |
| Feedback submissions | Indefinite, unless deletion requested. Deleted on request unless tied to an active roadmap item. |
| Data Subject Requests | 3 years, to demonstrate compliance with the request |
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you the rights below. We extend the same rights to anyone, regardless of residency, as a matter of good practice. Patients additionally have HIPAA rights — see the Notice of Privacy Practices.
You may request the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties we have shared it with.
You may request deletion of your personal information. We will honor your request except where retention is required by law (e.g., HIPAA audit retention) or necessary to complete a transaction you initiated, detect security incidents, or comply with a legal obligation. Where we cannot delete, we will explain the reason. Where appropriate, we offer "tombstoning" — replacing identifying fields with redacted placeholders while preserving the legally required audit skeleton.
You may request correction of inaccurate personal information.
We do not sell or share personal information for cross-context behavioral advertising. No opt-out is needed because the activity does not occur. We will update this section if that ever changes.
You may request that we limit the use of your sensitive personal information to what is reasonably necessary to perform the services we provide. We already operate on this principle as a HIPAA-regulated entity, but a formal request will be confirmed in writing.
We will not deny you services, charge you a different price, or provide a different level of quality because you exercised any of these rights.
If you are an EU/EEA/UK resident and we hold personal data about you, you additionally have rights of access, rectification, erasure, restriction, portability, and objection under GDPR. Apple Specialty Pharmacy operates primarily in California and does not intentionally collect data from EU residents; please contact us if you believe we hold your data.
Submit a Data Subject Request through our Data Rights portal. You may also email privacy@applespecialtypharmacy.com or write to us at the address below.
We will:
You may also designate an authorized agent to make a request on your behalf. We may ask for written authorization signed by you.
The ASP POT platform is not directed to children under 13 and we do not knowingly collect personal information from children in the course of operating this website. Pediatric patients may, however, be the subject of clinical records created by ASP staff in the course of treatment, and such records are governed by HIPAA and California minor-consent laws.
We may update this policy. When we make a material change, we will:
For privacy questions, complaints, or to exercise your rights:
If you believe our handling of your information has violated HIPAA, you may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights (hhs.gov/hipaa/filing-a-complaint). California residents may file a complaint with the California Attorney General's office (oag.ca.gov/privacy/ccpa).