This Privacy Policy ("Policy") applies to MyRxWallet North America Corporation ("MyRxWallet," "Company," "we," "us," "our"), a Wyoming corporation operating the MyRxWallet health information technology platform accessible at https://myrxwallet.io and related subdomains, APIs, and mobile applications (collectively, the "Platform").

This Policy describes how we collect, use, disclose, and protect personal information — including Protected Health Information (PHI) — when you use our Platform. For information specific to HIPAA-governed health data, please also review our HIPAA Notice of Privacy Practices.

By accessing or using the Platform, you acknowledge that you have read and understand this Privacy Policy. If you do not agree with this Policy, do not use the Platform.

Account & Identity Information

When you create an account, we collect:

• →
  Name, email address, phone number, date of birth
• →
  Government-issued ID information (for identity verification, if provided)
• →
  Authentication credentials (password hash — we never store plain-text passwords)
• →
  Multi-factor authentication identifiers (phone number for SMS OTP, device tokens)
• →
  MyRx-ID (blockchain-based patient identifier, assigned upon enrollment)
• →
  National Provider Identifier (NPI) for healthcare providers signing up as providers

Protected Health Information (PHI)

If you are a patient using the Platform, we collect, store, and process PHI including:

• →
  Medical history, diagnoses, conditions (ICD-10), procedures (CPT)
• →
  Medications and prescriptions (RxNorm-coded)
• →
  Laboratory results (LOINC-coded), vital signs, immunizations
• →
  Imaging reports, diagnostic reports, clinical notes
• →
  Insurance and coverage information
• →
  Consent authorizations and revocations
• →
  Substance use disorder (SUD) records (governed by 42 CFR Part 2 with heightened protections)

All PHI is encrypted at rest using AES-256-GCM with HKDF-SHA256 key derivation and encrypted in transit using TLS 1.3. Our blockchain stores only cryptographic hashes — zero plain-text PHI is on-chain.

Usage & Technical Data

We automatically collect certain technical information when you use the Platform:

Data Type	Purpose	Retention
IP Address	Security, fraud prevention, geo-compliance	90 days
Browser / Device Type	Platform optimization, security audit	90 days
Session Tokens	Authentication (JWT, 15-min access / 7-day refresh)	Token lifetime
API Access Logs	HIPAA audit trail (45 CFR §164.312(b))	6 years
Consent Event Logs	Blockchain audit trail (on-chain hashes only)	Permanent on-chain
Security Incident Logs	HIPAA security compliance	6 years

Purpose	Legal Basis	Data Used
Providing health portal services	Contract · HIPAA Treatment	PHI, Account Info
Identity verification & MFA	Security requirement · Contract	Phone, Email, Device
Processing payment claims	HIPAA Payment	PHI, Insurance Info
Blockchain consent audit trail	HIPAA Operations · 21CC Act	Consent hashes (no PHI)
Security monitoring (Sentinel)	HIPAA Security Rule · DoD STIG	Session data, access logs
Platform analytics	Legitimate interest (de-identified only)	Aggregated usage data
Legal compliance & reporting	Legal obligation (HIPAA, ONC, CMS)	As required by law
Communicating with you	Contract · Consent	Email, Phone
Research (with IRB approval)	HIPAA Research · Your authorization	De-identified or authorized PHI

With Your Consent

We share your information with third parties only with your explicit authorization, except as required by law. All consent grants are recorded on our blockchain audit trail and can be revoked through the Patient Portal at any time.

Business Associates

We share PHI with service providers under written Business Associate Agreements (BAAs) as required by HIPAA. These providers may only use PHI for the purposes specified in the BAA.

Legal Requirements

We may disclose information when required by law, court order, or governmental authority. We will notify you of such disclosure to the extent legally permitted.

Health Information Exchange (TEFCA/QHIN)

With your authorization, we may exchange your health records with other providers and payers through TEFCA-connected networks and payer APIs (CMS Blue Button, BCBS, UHC, Aetna, Cigna, Humana, Anthem). All exchanges are logged in your consent history.

We Do Not Sell Your Data

MyRxWallet does not sell personal information as defined under the California Consumer Privacy Act (CCPA) or any other applicable law.

Security Control	Standard	Status
Encryption at Rest	AES-256-GCM · HKDF-SHA256	ACTIVE
Encryption in Transit	TLS 1.3	ACTIVE
Access Control	JWT · OAuth 2.0 + PKCE · RBAC	ACTIVE
Audit Logging	HIPAA 45 CFR §164.312(b)	ACTIVE
Blockchain Audit	Hyperledger Fabric 2.5	ACTIVE
Multi-Factor Authentication	TOTP · SMS OTP · Device Shake	ACTIVE
Security Monitoring	MyRx-Sentinel · DoD STIG-aligned	ACTIVE
Penetration Testing	Annual (planned)	PLANNED
SOC 2 Type II	Schellman & Company (engagement pending)	IN PROGRESS

No system is 100% secure. While we implement industry-leading security measures, we cannot guarantee absolute security of your data. In the event of a breach, we will notify you as required by HIPAA within 60 days of discovery.

We retain your information for the periods required by applicable law and our legitimate business purposes:

Data Category	Retention Period	Authority
PHI / Medical Records	6 years from date of creation or last effective date	45 CFR §164.530(j)
HIPAA Audit Logs	6 years	45 CFR §164.312(b)
Consent Records	Permanent (blockchain anchored)	HITECH · 21CC Act
Prescriptions (EPCS)	2 years (Schedule II–V)	21 CFR Part 1311
SUD Records (42 CFR Part 2)	Per applicable state law + patient request	42 CFR Part 2
Account Data	Duration of account + 3 years post-deletion	Legitimate interest
Security Logs	6 years	HIPAA Security Rule

Upon account deletion, we will de-identify or delete your personal information to the extent permitted by law. Some information may be retained in anonymized form for aggregate analytics or as required by our legal obligations.

We use minimal, essential cookies and local storage on the Platform:

• ✓
  Authentication tokens (JWT): Stored in localStorage to maintain your logged-in session. 15-minute access token lifespan; 7-day refresh token.
• ✓
  Theme preference: Light/dark mode preference stored in localStorage. No personal data.
• ✓
  Push notification subscription: VAPID WebPush subscription stored in IndexedDB for real-time health alerts.
• ✗
  No advertising cookies. We do not use advertising networks, ad pixels, or behavioral tracking cookies.
• ✗
  No third-party analytics trackers. We do not use Google Analytics, Facebook Pixel, or similar third-party tracking services.

Depending on your location, you may have the following rights:

Right	How to Exercise	Response Time
Access your data	Patient Portal → Medical Records	Immediate (digital) / 30 days (formal)
Correct inaccurate data	Patient Portal → Profile or written request	60 days
Delete your data	Written request to Privacy Officer	30 days (subject to legal retention requirements)
Restrict processing	Patient Portal → Consents → Restrictions	10 business days
Data portability	FHIR R4 API · Patient Portal → Export	Immediate (FHIR) / 30 days (formal)
Opt out of data sale	N/A — we do not sell data	N/A
Withdraw consent	Patient Portal → Consents → Revoke	Immediate
File a complaint	info@myrxwallet.io or HHS OCR	10 business days acknowledgment

California Residents (CCPA/CPRA): You have additional rights including the right to know, delete, correct, and opt-out of sale/sharing. We honor all CCPA/CPRA requests. To submit a verifiable consumer request, contact info@myrxwallet.io or 702.546.8686.

The MyRxWallet Platform is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13 without verifiable parental consent as required by the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506.

For minors aged 13–17, a parent or legal guardian must authorize account creation and maintain oversight of the account. Certain sensitive health records (e.g., SUD treatment, reproductive health, family planning) may be maintained confidential from parents as permitted by applicable state law.

If you believe we have inadvertently collected information from a child under 13, please contact us immediately at info@myrxwallet.io and we will delete such information promptly.

We reserve the right to update this Privacy Policy at any time. When we make material changes, we will:

• →
  Update the "Effective Date" at the top of this Policy.
• →
  Notify you through the Patient Portal with a prominent notice.
• →
  Send an email notification to your registered address for material changes.
• →
  Provide a 30-day notice period before material changes take effect for existing users.

Your continued use of the Platform after the effective date of the updated Policy constitutes your acceptance of the changes.