← Back

Privacy Policy

Version 1.0.0 · Effective 2026-05-30

Contents

  1. Scope of this policy
  2. What information we collect
  3. How we use it
  4. Who we share it with
  5. How we protect it
  6. How long we keep it
  7. Your rights (CCPA / GDPR-style)
  8. How to exercise your rights
  9. Children
  10. Changes to this policy
  11. Contact us
Quick read. This privacy policy explains how Apple Specialty Pharmacy LLC ("ASP," "we") handles personal information collected by the ASP POT clinical platform. Patient health information (PHI) collected by Apple Specialty Pharmacy is handled under HIPAA and is described in our separate Notice of Privacy Practices.

1. Scope of this policy

This Privacy Policy describes how Apple Specialty Pharmacy LLC ("ASP," "we," "us," "our") collects, uses, shares, and protects personal information about three groups of people:

  • Staff users — nurses, pharmacists, administrators, and other authorized personnel who log into the ASP POT platform to perform their job duties.
  • Visitors — anyone who visits this website without logging in (e.g., the login page, this policy page, the data-rights request form).
  • Patients — individuals whose health information is recorded in the platform by ASP clinical staff. Patient health information is governed by HIPAA and described separately in our Notice of Privacy Practices. This Privacy Policy supplements, but does not replace, those HIPAA protections.

2. What information we collect

From staff users (with consent at first login)

CategoryExamplesPurpose
Account infoUsername, name, role, password hash, email if providedAuthenticate; authorize actions per role
Session metadataJWT session cookie, CSRF token cookie, last login time, IP address, browser user-agentMaintain login; security audit
Work productPlans of Treatment (POT) drafts and submissions you authored, signature image you uploaded for clinical documentationDeliver the service; clinical record-keeping
Audit logTime-stamped records of every privileged action you take (sign-in, role grant, signature send, data export)HIPAA Security Rule § 164.312(b); breach investigation
AI usageIf you use the AI assistant: tokenized prompts (PHI stripped before forwarding), response, token counts, costQuality assurance; cost-cap enforcement
FeedbackBug reports, feature requests, and other submissions you make through the feedback widgetImprove the service

From visitors (no login required)

  • HTTP request metadata logged by Azure App Service: IP address, user-agent, requested URL, timestamp.
  • If you submit a Data Subject Request form: your name, contact information, identifying details to verify your identity, and the contents of your request.
  • Cookies — see our Cookie Notice.

From patients

We do not collect personal information directly from patients through this website. Patient health information (PHI) is recorded by ASP clinical staff during the course of treatment and is covered exclusively by our Notice of Privacy Practices. Patients exercise their rights under HIPAA, which we honor in full.

3. How we use it

We use the information described above only for the purposes listed alongside it. We do not:

  • Sell or rent personal information to third parties.
  • Share data with advertising networks or behavioral-targeting platforms.
  • Use staff information to make automated decisions that produce legal effects.
  • Train external AI models on patient data. The AI assistant tokenizes potential PHI server-side before any request leaves our infrastructure, and our AI provider (Anthropic) operates under a signed Business Associate Agreement and zero-retention API tier.

4. Who we share it with

We share personal information only with:

  • Microsoft (Azure) — our hosting provider. Covered by Microsoft's enterprise BAA.
  • Anthropic — our AI provider. Covered by a signed BAA; receives only PHI-tokenized text.
  • DocuSign — for physician electronic signatures. (Currently disabled pending BAA finalization.) Only the assessment data needed to render the signing document is shared at the moment of envelope creation.
  • Law enforcement or regulators — only when required by law (e.g., court order, HHS OCR investigation).
  • Successor entity — in the event of a merger, acquisition, or sale of ASP's assets, with notice to affected individuals.

A current registry of business associates and sub-processors is maintained internally and is available on request.

5. How we protect it

  • Transport encryption. All connections to the platform require HTTPS (TLS 1.2 or higher). HTTP traffic is rejected.
  • At-rest encryption. Data stored in Azure is encrypted at rest using Microsoft-managed keys; sensitive secrets are stored in Azure Key Vault and accessed via managed identity.
  • Access control. Role-based permissions (currently {{ROLE_COUNT}} roles, {{PERMISSION_COUNT}} permission keys) restrict each user to only the data needed for their job. Authentication uses bcrypt password hashing and short-lived session tokens.
  • Audit logging. Every privileged action is recorded in an append-only security log with timestamp, user, action, resource ID, IP address, and outcome. The audit log itself is guarded against PHI leakage by automated pattern checks.
  • Rate limiting. Login, signature-send, and feedback endpoints are rate-limited per IP to deter abuse.
  • Threat modeling. High-value endpoints are STRIDE-reviewed; the threat model is refreshed annually and after any major architectural change.
  • PHI redaction. The AI assistant tokenizes potential PHI in messages server-side (SSN, DOB, MRN, phone, email, ZIP, address patterns) before forwarding to the AI provider.
  • Incident response. We maintain a written vulnerability response process. Confirmed breaches of unsecured PHI trigger HIPAA breach notification within 60 days as required by 45 CFR § 164.404.

6. How long we keep it

Data typeRetention
Clinical records (POTs, Care Plans, signed PDFs)7 years from completion, per California pharmacy regulation (Cal. Code Regs. tit. 22) and HIPAA's minimum 6-year retention requirement
Audit log (security events, consent records)6 years minimum, per HIPAA Security Rule § 164.530(j)
Staff account infoActive while employed; deactivated within 24 hours of termination; identifying fields tombstoned after 90 days
Session cookiesCleared on logout or after 8 hours of inactivity
HTTP request logs (Azure App Service)30–90 days
Feedback submissionsIndefinite, unless deletion requested. Deleted on request unless tied to an active roadmap item.
Data Subject Requests3 years, to demonstrate compliance with the request

7. Your rights

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you the rights below. We extend the same rights to anyone, regardless of residency, as a matter of good practice. Patients additionally have HIPAA rights — see the Notice of Privacy Practices.

Right to know

You may request the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties we have shared it with.

Right to delete

You may request deletion of your personal information. We will honor your request except where retention is required by law (e.g., HIPAA audit retention) or necessary to complete a transaction you initiated, detect security incidents, or comply with a legal obligation. Where we cannot delete, we will explain the reason. Where appropriate, we offer "tombstoning" — replacing identifying fields with redacted placeholders while preserving the legally required audit skeleton.

Right to correct

You may request correction of inaccurate personal information.

Right to opt out of "sale" or "sharing"

We do not sell or share personal information for cross-context behavioral advertising. No opt-out is needed because the activity does not occur. We will update this section if that ever changes.

Right to limit use of sensitive personal information

You may request that we limit the use of your sensitive personal information to what is reasonably necessary to perform the services we provide. We already operate on this principle as a HIPAA-regulated entity, but a formal request will be confirmed in writing.

Right to non-discrimination

We will not deny you services, charge you a different price, or provide a different level of quality because you exercised any of these rights.

GDPR-style rights (extended as best practice)

If you are an EU/EEA/UK resident and we hold personal data about you, you additionally have rights of access, rectification, erasure, restriction, portability, and objection under GDPR. Apple Specialty Pharmacy operates primarily in California and does not intentionally collect data from EU residents; please contact us if you believe we hold your data.

8. How to exercise your rights

Submit a Data Subject Request through our Data Rights portal. You may also email privacy@applespecialtypharmacy.com or write to us at the address below.

We will:

  • Acknowledge your request within 10 business days.
  • Verify your identity before disclosing or deleting personal information.
  • Respond within 45 calendar days (CCPA standard), with a one-time 45-day extension if reasonably necessary.
  • Provide our response in writing, by email or postal mail, in a portable format where applicable.

You may also designate an authorized agent to make a request on your behalf. We may ask for written authorization signed by you.

Patient records note. If you are a patient seeking your health records, follow the HIPAA process described in our Notice of Privacy Practices. CCPA does not apply to medical information governed by HIPAA (Cal. Civ. Code § 1798.145(c)).

9. Children

The ASP POT platform is not directed to children under 13 and we do not knowingly collect personal information from children in the course of operating this website. Pediatric patients may, however, be the subject of clinical records created by ASP staff in the course of treatment, and such records are governed by HIPAA and California minor-consent laws.

10. Changes to this policy

We may update this policy. When we make a material change, we will:

  • Increment the version shown at the top of this page.
  • Update the effective date.
  • Re-prompt staff users to acknowledge the new version on their next login.
  • For changes affecting patient PHI handling, follow the HIPAA notice-distribution requirements separately.

11. Contact us

For privacy questions, complaints, or to exercise your rights:

  • Privacy Officer, Apple Specialty Pharmacy LLC
  • Email: privacy@applespecialtypharmacy.com
  • Postal: Apple Specialty Pharmacy LLC, Santa Ana, CA
  • Phone: {{PHONE_TO_BE_PROVIDED}}

If you believe our handling of your information has violated HIPAA, you may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights (hhs.gov/hipaa/filing-a-complaint). California residents may file a complaint with the California Attorney General's office (oag.ca.gov/privacy/ccpa).

Privacy· Terms· Cookies· HIPAA Notice· Data Rights
© Apple Specialty Pharmacy LLC. All rights reserved.