Contents
1. Introduction 2. Platform Status 3. Information We Collect 4. How We Use Information 5. Cookies 6. Email Communications 7. Health Information / HIPAA 8. Genetic Information Privacy 9. How We Share Information 10. Data Retention and Deletion 11. Your Privacy Rights 12. Children's Privacy 13. Security 14. Third-Party Links 15. Changes to This Policy 16. Contact Us
Version History ← Back to Early Access ← myrxwallet.io
Section 1

Introduction

MyRxWallet North America Corporation (“MyRxWallet,” “we,” “us,” or “our”) is a Wyoming corporation designing the first healthcare platform built to compensate patients and providers for the health data the industry has been monetizing without them. We take your privacy seriously — not as a legal obligation, but as a founding principle.

This Privacy Policy describes what information we collect from visitors to myrxwallet.io (the “Website”) and individuals who join our early access list, how we use and protect that information, and what rights you have with respect to it. It applies to all information collected through our Website and related email communications.

This Privacy Policy governs the Website only. When the MyRxWallet platform launches and members enroll, member health data will be governed by a separate Notice of Privacy Practices issued under HIPAA, and by member-facing terms of service. See Section 7.

By using our Website or submitting your information, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use our Website or submit your information.

Section 2

Platform Status

The MyRxWallet Platform is live and accepting enrolled members. We collect, store, and process Protected Health Information (PHI) on behalf of enrolled patients and providers in accordance with HIPAA, HITECH, and the 21st Century Cures Act. This Privacy Policy governs both the public Website and all member health data processed through the Platform.

Personal information we collect includes:

  • Identity and account information (name, email, date of birth, phone number)
  • Protected Health Information (PHI): medical history, prescriptions, lab results, diagnoses, immunizations, and clinical encounters entered by or on behalf of enrolled members
  • Medicare claims data retrieved via the CMS Blue Button 2.0 API on behalf of enrolled Medicare beneficiaries who have authorized access
  • Insurance and payer data retrieved via FHIR-compliant payer APIs (UHC, Aetna, Cigna, Humana, Anthem) under member authorization
  • Blockchain wallet address (no PHI stored on-chain — only cryptographic hashes)
  • Standard technical information automatically collected when you visit the Website or use the Platform

Material updates to this Privacy Policy will be communicated to enrolled members via email at least 30 days before taking effect, unless changes are required sooner by law.

Section 3

Information We Collect

3.1 Information You Provide

Early Access List. If you submit our early access sign-up form, we collect your email address and ZIP code. Submission is entirely voluntary. You may decline to register and still visit the Website.

Communications. If you contact us by email or through any contact form, we collect the contents of your communication and any personal information you choose to include.

3.2 Information Collected Automatically

When you visit our Website, certain technical information is collected automatically through standard web server logs and, where enabled, analytics tools:

  • IP address — used to derive approximate geographic location for analytics and security
  • Browser type and version
  • Operating system
  • Referring URL — the page you visited before arriving at our Website
  • Pages visited and time spent on each page
  • Date and time of your visit
  • Device type (desktop, mobile, tablet)

This information is used in aggregate or pseudonymized form to understand how visitors use our Website and to improve the user experience. It is not used to identify you personally without your consent.

3.3 Cookies and Similar Technologies

See Section 5 for details on cookies and tracking technologies.

3.4 Information We Do Not Currently Collect

We do not currently collect: protected health information (PHI) of any kind; prescription records, medical history, or electronic health records; genetic or genomic data; financial account, payment card, or banking information; Social Security numbers or government-issued identification numbers; biometric data; or personal information from children under 13.

Section 4

How We Use Your Information

PurposeLegal Basis (GDPR)Data Used
Send launch updates to early access subscribersConsent (explicit at sign-up)Email address
Analyze Website traffic and improve user experienceLegitimate interestsIP address, page views, device/browser info
Detect and prevent fraud, spam, and abuseLegitimate interestsIP address, email address
Comply with legal obligationsLegal obligationAs required by applicable law
Notify you of material changes to this Privacy PolicyConsent / Legitimate interestsEmail address

We will never use your email address for any purpose other than launch communications and policy update notifications without your separate, explicit consent. We will never sell your email address or any other personal information to third parties.

Section 5

Cookies and Similar Technologies

5.1 What Are Cookies

Cookies are small text files placed on your device by websites you visit. They allow the website to remember information about your visit, improving both your experience and the site's functionality.

5.2 Types of Cookies We Use

CategoryDescriptionOpt-Out
Essential / Strictly NecessaryRequired for basic Website functionality (form submission, session security). Without these cookies, certain features cannot work.No — required
Analytics / PerformanceCollect anonymized or pseudonymized data about how visitors use the Website. Used to improve the Website, not to identify individuals.Yes
FunctionalRemember preferences you set (if any) to provide a more personalized experience.Yes

We do not use advertising, tracking, or cross-site behavioral advertising cookies. We do not use cookies that track you across third-party websites for commercial purposes.

5.3 Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to view, block, and delete cookies. Residents of the EU/EEA/UK and other jurisdictions with applicable cookie consent laws will be presented with a consent banner before non-essential cookies are placed on their device.

Section 6

Email Communications

6.1 What We Send

If you join the early access list, you will receive: MyRxWallet platform launch updates and milestone announcements; and advance notice of material changes to this Privacy Policy.

We will use your email address to send you launch updates and nothing else. You will not receive promotional emails from third-party advertisers, commercial offers unrelated to MyRxWallet, or communications sold to other companies. We mean this commitment absolutely.

6.2 Email Service Provider

We use SendGrid (a Twilio company) to deliver email communications to early access list subscribers. SendGrid processes email addresses as a data processor acting under our instructions. SendGrid does not have the right to use early access subscriber email addresses for its own purposes.

6.3 How to Unsubscribe

Every email we send includes an unsubscribe link. Click it to remove yourself from launch communications at any time. Removal from email communications will be processed within a commercially reasonable time (typically within 10 business days). You may also request deletion of your information entirely by contacting privacy@myrxwallet.io. See Section 10 for our data retention practices.

Section 7

Health Information and HIPAA

7.1 HIPAA Compliance — Active

MyRxWallet is an active HIPAA Business Associate and acts as a HIPAA-covered entity with respect to health data processed through the Platform. All PHI is encrypted at rest (AES-256-GCM) and in transit (TLS 1.3). Our blockchain stores only cryptographic hashes — zero plain-text PHI is stored on-chain.

We comply with the HIPAA Privacy Rule (45 C.F.R. Part 164), HIPAA Security Rule, HITECH Act, and the 21st Century Cures Act (information blocking prohibition, 45 C.F.R. Part 171). We execute Business Associate Agreements (BAAs) with all third-party service providers that process PHI on our behalf. Our HIPAA Notice of Privacy Practices is published at myrxwallet.io/legal/hipaa-notice.html.

7.2 CMS Blue Button 2.0 — Medicare Data

For enrolled members who are Medicare beneficiaries, MyRxWallet accesses Medicare claims data through the CMS Blue Button 2.0 API (FHIR R4, CARIN Consumer Directed Payer Data Exchange IG) solely on the member’s explicit authorization. The following applies to all Medicare data accessed via Blue Button:

  • Data collected: Medicare claims (ExplanationOfBenefit), coverage information, and patient demographics as provided by CMS
  • Purpose: Display your Medicare history in your sovereign health wallet; support care coordination with your authorized providers. Medicare data is never used for advertising, risk scoring, or sold to any third party
  • Authorization: You authorize MyRxWallet to access your Medicare data through the CMS Blue Button authorization flow. You may revoke this authorization at any time from your patient portal or by visiting medicare.gov/account/apps
  • Access duration: Authorization is valid for 13 months. You will be prompted to reauthorize after 13 months for continued access
  • Deletion: You may request permanent deletion of all Medicare data held by MyRxWallet by contacting privacy@myrxwallet.io. Deletion is processed within 30 days
  • Data labeling: Medicare data sourced via Blue Button is labeled “Medicare” within the Platform, consistent with CMS Blue Button branding guidelines

7.3 Payer & Health Information Exchange Data

With your authorization, we may also retrieve health records from private insurers (UnitedHealth, Aetna, Cigna, Humana, Anthem/BCBS) and TEFCA-connected networks using FHIR R4 and SMART on FHIR 2.0 (PKCE). All exchanges are governed by the CMS Interoperability and Patient Access Rule (42 C.F.R. §§ 422.119, 423.152) and logged in your consent history. You may revoke any payer connection at any time from your patient portal.

7.4 Your Rights Over Your Health Data

  • Access: View all health records in your patient portal at any time
  • Revocation: Revoke any payer or provider access from the Consents tab in your portal; revocation is effective immediately and anchored to the blockchain
  • Deletion: Request deletion of any or all of your health data by contacting privacy@myrxwallet.io
  • Portability: Export your complete health record in FHIR R4 format from your portal at any time under 45 C.F.R. § 164.524
  • Correction: Request correction of inaccurate health information under the HIPAA Right of Access

7.5 Health Information in Correspondence

If you contact us and voluntarily describe your health situation outside of the Platform (e.g., via email to support@myrxwallet.io), we will treat that information as confidential and will not use it for any commercial purpose.

7.6 VA Lighthouse APIs — Veteran Military & Health Data

For enrolled members who are United States military veterans, MyRxWallet accesses veteran data through the VA Lighthouse API platform solely on the veteran’s explicit authorization via the VA Authorization Code Grant (ACG) OAuth 2.0 consent flow. The following applies to all veteran data accessed via VA Lighthouse:

  • Data collected: Military service history (service periods, branch of service, discharge character); VA disability rating; VA healthcare enrollment status; VA FHIR R4 health records (diagnoses, medications, lab results, immunizations, allergies, and clinical notes); community care eligibility status by service type; VA benefits claims status, type, submission date, and tracked issues
  • Purpose: Display your VA service profile, health records, and benefits information in your sovereign health wallet; power the PACT Act Automatic Eligibility Screening engine; surface VA benefits you may be eligible for but not currently utilizing; support care coordination with providers you authorize. VA data is never used for advertising, risk scoring, employment screening, or sold to any third party
  • Authorization: You authorize MyRxWallet to access your VA data through the VA Lighthouse ACG OAuth consent flow. You may revoke this authorization at any time from your patient portal or by visiting va.gov and managing your connected applications
  • PACT Act eligibility screening: MyRxWallet’s PACT Act Automatic Eligibility Screening engine cross-references your confirmed service history against the statutory coverage criteria of the Sergeant First Class Heath Robinson PACT Act of 2022 (Public Law 117-168). Eligibility determinations are made by MyRxWallet’s internal rules engine — the VA is not responsible for and does not endorse these determinations. Eligibility screening is provided for informational purposes only and is not a substitute for an official VA eligibility determination or disability rating decision
  • Benefits claims: MyRxWallet displays your VA benefits claims status for informational purposes only. MyRxWallet is not a claims representative, accredited VA claims agent, or Veterans Service Organization (VSO). Filing, managing, and appealing VA claims remains solely the veteran’s responsibility
  • Access duration: VA ACG authorization tokens follow VA Lighthouse token expiration and refresh policies. You will be prompted to reauthorize when your token expires
  • Deletion: You may request permanent deletion of all VA data held by MyRxWallet by contacting privacy@myrxwallet.io. Deletion is processed within 30 days. Revoking VA authorization from your portal stops all future VA data access immediately
  • Data labeling: VA-sourced data is labeled “VA Health Record” or “VA Service History” within the Platform, consistent with VA Lighthouse branding requirements
  • Ethics Principles: MyRxWallet has attested to and operates in compliance with the VA’s Ethics Principles for Access to and Use of Veteran Data. Veteran data is used exclusively for the purposes stated in our VA Lighthouse application (Case #00015333) and this Privacy Policy. We do not use veteran data for any secondary commercial purpose
Section 8

Genetic Information Privacy

8.1 Current Status — No Genetic Data Collected

We do not collect any genetic or genomic data through this Website or the early access list. Genetic data integration is planned as an optional, opt-in feature for enrolled members after the platform launches, subject to HIPAA Expert Determination de-identification requirements and applicable state and federal genetic privacy laws.

8.2 Applicable Legal Framework

When genetic data collection begins (and only with explicit member opt-in consent), we are committed to compliance with the following:

Federal law: Genetic Information Nondiscrimination Act (GINA) (42 U.S.C. § 2000ff et seq.); HIPAA as applied to genetic information in covered entity operations.

State laws (representative; not exhaustive): California GIPA (Cal. Health & Safety Code §§ 24000–24010); Illinois GIPA (410 ILCS 513); Texas Genetic Privacy Act (Tex. Health & Safety Code § 58A); Washington My Health MY Data Act (SB 1155); Florida, Nevada, Colorado, Connecticut, Virginia, Oregon: comparable genetic and consumer health data protections under applicable state law.

We monitor state genetic privacy legislation and will comply with applicable law in every state where members reside.

8.3 Genetic Data Commitments

Regardless of applicable law minimums: Member genetic data will never be sold to third parties without explicit, separately executed written consent. Genetic data licensing for pharmaceutical research will be conducted only under HIPAA-compliant de-identification, individual member consent, and the platform's royalty structure (85% of licensing revenue to the member). Members will retain the right to revoke consent for genetic data use at any time.

Section 9

How We Share Your Information

9.1 We Do Not Sell Your Information

We do not sell your personal information. Period.

9.2 Current Sharing Practices

RecipientPurposeData Shared
SendGrid (Twilio)Email delivery — data processor under our instructionEmail address
Website hosting / analytics providersWebsite operations; performance and traffic analyticsIP address, device/browser info (aggregate or pseudonymized)
Legal and regulatory authoritiesResponse to valid legal process (court orders, subpoenas, regulatory requests)As required by applicable law

We do not share personal information with other third parties except as described above or with your explicit consent.

9.3 Future Platform Operations

When the platform launches, information sharing will expand to include licensed buyers of de-identified research data (pharmaceutical companies, research institutions, healthcare organizations) acting under member-by-member consent and the platform's royalty structure. That expanded sharing will be fully described in member-facing disclosures at launch.

9.4 Business Transfers

If MyRxWallet is involved in a merger, acquisition, restructuring, or sale of all or a portion of its assets, your personal information may be transferred to a successor entity. We will provide notice via email and/or prominent Website notice before your information becomes subject to a materially different privacy policy, and you will have the opportunity to delete your information prior to any such transfer.

Section 10

Data Retention and Deletion

Data CategoryRetention Period
Early access list (email + ZIP)Until you unsubscribe; or until platform launch and you complete enrollment or affirmatively decline; or upon verified deletion request
Website analytics / server log dataUp to 24 months in aggregated or pseudonymized form
Unsubscribe recordsRetained indefinitely to honor your preference and comply with CAN-SPAM and similar anti-spam obligations
Inquiry / correspondenceUp to 3 years, or as required by applicable law
Legal holdFor the duration required by applicable legal obligation, litigation hold, or regulatory investigation

10.1 Your Right to Request Deletion

You may request deletion of your personal information at any time by emailing privacy@myrxwallet.io with “Deletion Request” in the subject line. We will process your request within 30 days (or within the shorter period required by applicable law for California, EU/EEA/UK, and other residents). We will confirm deletion in writing.

Exceptions: We may retain certain information as required to comply with legal obligations, resolve disputes, enforce our agreements, or prevent fraud, even after a deletion request.

Section 11

Your Privacy Rights

11.1 California Residents — CCPA / CPRA

If you are a California resident, CCPA/CPRA grants you: Right to Know (categories and specific pieces of personal information collected); Right to Delete (subject to limited exceptions); Right to Correct inaccurate personal information; Right to Opt Out of Sale or Sharing (we do not sell — no action needed); Right to Limit Use of Sensitive Personal Information; Right to Non-Discrimination for exercising your rights.

To exercise California rights: Email privacy@myrxwallet.io with “California Privacy Request” in the subject line. We will respond within 45 calendar days, extendable by 45 days with notice if reasonably necessary.

11.2 European Union / EEA / UK Residents — GDPR / UK GDPR

If you are located in the EU, EEA, or UK, GDPR grants you: Right of Access; Right to Rectification; Right to Erasure; Right to Restriction of Processing; Right to Data Portability; Right to Object; Right to Withdraw Consent; Right to Lodge a Complaint with your local supervisory authority (edpb.europa.eu).

Lawful bases: Consent (email communications); Legitimate interests (analytics, security, anti-fraud). International data transfers: Standard Contractual Clauses (SCCs) where required. EU Representative: Will be designated per GDPR Article 27 before processing EU resident data at scale. Contact privacy@myrxwallet.io for current representative information.

To exercise GDPR rights: Email privacy@myrxwallet.io with “GDPR Request” in the subject line. We will respond within 30 days.

11.3 Other State Privacy Rights

Residents of Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Indiana (ICDPA), Iowa (ICDPA), Tennessee (TIPA), Nevada, Washington (My Health MY Data Act), and other states with enacted comprehensive privacy legislation have rights substantially equivalent to those described above. Email privacy@myrxwallet.io with “[State] Privacy Request” in the subject line.

11.4 Washington My Health MY Data Act — Additional Notice

Washington's My Health MY Data Act (SB 1155) provides specific protections for consumer health data, including geolocation data that could be used to infer health conditions and genetic data. We do not currently collect consumer health data as defined by this Act. When the platform launches and health data collection begins, Washington residents will receive specific disclosures required by this Act.

Section 12

Children's Privacy

12.1 Website and Early Access List — 18+ Only

Our Website and early access list are intended exclusively for individuals 18 years of age and older. We do not knowingly collect personal information from any person under the age of 13, and we do not knowingly collect personal information from individuals aged 13–17 without verifiable parental consent as required by applicable law.

If you believe we have inadvertently collected personal information from a child under 13, please contact us immediately at privacy@myrxwallet.io. We will promptly delete the information upon verification.

California residents under 16 have additional rights under CCPA § 1798.120 regarding sale of personal information. We do not sell personal information of anyone, including minors.

12.2 Pediatric Patient Enrollment — Future Platform Operations

The MyRxWallet platform is designed to include clinical research participation pathways for pediatric patients under guardian consent (Tier 5 — pediatric patients with qualifying diagnoses). When this feature launches, enrollment will require documented parental or legal guardian informed consent and HIPAA authorization; all pediatric data processing will comply with COPPA (15 U.S.C. § 6501 et seq.) and applicable FTC regulations; clinical trial participation will require IRB approval with independent ethics review for each study protocol.

Section 13

Security

We implement reasonable and appropriate technical, administrative, and physical safeguards to protect the personal information in our care. Current measures include:

  • Encryption in transit: All Website traffic is transmitted over HTTPS (TLS 1.2 or higher)
  • Access controls: Early access list data is accessible only to authorized personnel on a need-to-know basis
  • Email security: Industry-standard authentication (SPF, DKIM, DMARC) for all outbound email
  • Vendor security: SendGrid and other data processors are selected with security practices reviewed as part of vendor due diligence

No data transmission over the internet or electronic storage system is 100% secure. While we work diligently to protect your information, we cannot guarantee absolute security against all threats.

Breach notification: In the event of a personal data breach affecting your information, we will notify you as required by applicable federal and state breach notification laws (including GDPR Article 33/34 for EU residents) within the timeframes required by applicable law.

When the platform launches and PHI is processed, we will implement the full HIPAA Security Rule safeguard framework (45 C.F.R. §§ 164.302–164.318).

Section 14

Third-Party Links

Our Website may contain links to third-party websites, social media platforms, or services not operated by us. This Privacy Policy does not apply to those sites. We encourage you to review the privacy policies of any third-party website you visit before submitting personal information. We have no control over and assume no responsibility for the privacy practices of any third-party site or service.

Section 15

Changes to This Privacy Policy

We may update this Privacy Policy as our platform develops, legal requirements change, or we expand our data practices. When we do:

  • The updated Privacy Policy will be posted at myrxwallet.io/privacy with a new “Effective Date” and incremented version number
  • For material changes, we will send advance written notice to early access list subscribers at least 14 days before the change takes effect
  • Your continued use of the Website or continued subscription to early access communications after the effective date constitutes acceptance of the updated Privacy Policy

Prior versions of this Privacy Policy are available upon written request to privacy@myrxwallet.io.

Section 16

Contact Us

MyRxWallet North America Corporation
Attention: Privacy Officer
Email: privacy@myrxwallet.io

Subject line guidance: General inquiry: “Privacy Inquiry” • California request: “California Privacy Request” • GDPR request: “GDPR Request” • Deletion request: “Deletion Request” • Security concern: “Security Concern”

We will acknowledge all privacy-related inquiries within 5 business days and provide a substantive response within 30 days. For requests with extended statutory response periods (e.g., CCPA 45-day window), we will confirm receipt and timeline by the 5-business-day acknowledgment.

Version History

Version History

VersionEffective DateScopeSummary
1.0May 7, 2026Website and early access list onlyInitial publication
2.0June 12, 2026Full Platform — enrolled members, PHI, Medicare (CMS Blue Button 2.0), payer APIsPlatform live update: removed pre-launch language; added Sections 7.2 (CMS Blue Button / Medicare), 7.3 (payer data), 7.4 (patient rights), 7.5; updated Platform Status (Section 2) to reflect live enrollment
2.1June 24, 2026Full Platform + VA Lighthouse veteran dataAdded Section 7.6 — VA Lighthouse APIs covering veteran military service history, disability rating, VA FHIR health records, PACT Act eligibility screening, community care eligibility, and benefits claims data; updated meta description; added VA Ethics Principles attestation and VA Lighthouse Case #00015333 reference
2.2July 11, 2026CMS Blue Button 2.0 Production — Medicare claims consent model, revocation process; print CSS for regulatory submissions; Effective Date alignment with CMS Production Access applicationUpdated effective date and version; confirmed CMS Blue Button 2.0 consent model, revocation process, and data handling disclosures meet CMS API Management and Blue Button 2.0 Production Access requirements
PL
CO
NV
CM
PR
LG
MyRxWallet Demo