Effective Date: July 7th, 2026
Prior version effective: August 5, 2025
VITLrx, Inc. (“VITL,” “we,” “us,” or “our”), 305 Jefferson Street STE 125, Nashville, TN 37201, provides a technology platform and marketplace that connects clinics and other health care providers (“Providers”), compounding pharmacies, and their patients (“Patients”) to support e-prescribing, pharmacy management, and virtual care (the “Services”). VITL is a technology company: it is not a pharmacy, does not dispense or provide medications, and does not provide medical care. Health care services are provided by the Providers and pharmacies that use our platform. Patients and Providers may be referred to as “you” or “your” in this Privacy Policy.
This Privacy Policy is published at https://vitlrx.com/privacy/ and is linked as “Privacy Policy” in the footer of every page of our websites. Our Services are offered to users located in the United States only.
This Privacy Policy describes the types of Personal Data VITL collects and how VITL collects, uses, shares, and protects that Personal Data. This Privacy Policy describes our current privacy practices.
“Personal Data” means and includes Personal Information, Sensitive Personal Information, and Protected Health Information (“PHI”), each as described in Section 2. We may collect Personal Data through our websites and web applications, including https://www.vitlrx.com/ and our patient portal at [PATIENT PORTAL URL] (collectively, the “Sites”), through our mobile applications (“Apps”), and from Patients and Providers who register as End Users to receive Services.
To receive our Services, you must register as an “End User,” create an “End User Account,” and enter into our End User License Agreement (“EULA”), providing Personal Information such as your name, email address, username, mailing address, and phone number, and creating a login and password. The EULA governs your use of the Services; this Privacy Policy describes how we handle Personal Data and the privacy rights available to you.
In this Privacy Policy, “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended, including by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and its implementing regulations at 45 C.F.R. Parts 160 and 164, including the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
VITL handles health information in two ways, with different legal protections:
This Privacy Policy is not a HIPAA Notice of Privacy Practices. Your Provider’s own Notice of Privacy Practices describes how the Provider uses and discloses your PHI and explains your HIPAA rights. Patients with questions or requests about their PHI should contact their Provider first; we will support the Provider as required by HIPAA and our BAAs.
We collect the following categories of Personal Data. The sources are described in Section 3, the purposes in Section 4, the categories of recipients in Section 6, and the retention criteria in Section 11. For California residents, this section, together with Sections 3, 4, 6, 7, 8, 9, and 11, provides the disclosures required by the California Consumer Privacy Act; the disclosures cover the 12 months preceding the Effective Date.
We collect Personal Data in the following ways:
Where applicable law requires consent, we request your affirmative, opt-in consent at the point of collection before collecting or processing Sensitive Personal Information, except where the processing is necessary to provide Services you have requested or the information is governed by HIPAA through your Provider. We collect Sensitive Personal Information only as reasonably necessary to provide the Services, and you may withdraw consent at any time by contacting us (Section 17). We do not sell Sensitive Personal Information or use or disclose it for purposes other than those permitted by applicable law. Where HIPAA requires an individual authorization, we or your Provider will obtain a written authorization meeting 45 C.F.R. § 164.508 before the use or disclosure occurs.
We use Personal Data to operate our platform, to connect clinics, pharmacies, and End Users to us and to each other, and to provide our Services to all of our End Users, including to:
We use and disclose PHI only as permitted or required by our BAAs and HIPAA. This includes supporting our Provider customers’ treatment of their Patients, payment for health care, and health care operations; disclosures required by law; and our proper management and administration where the applicable BAA permits. We apply HIPAA’s minimum necessary standard, limiting requests, uses, and disclosures of PHI to the minimum necessary for the intended purpose, including through role-based access controls.
We do not sell PHI or use or disclose PHI for marketing or our own market research, except with a valid written authorization meeting 45 C.F.R. § 164.508 or as otherwise expressly permitted by HIPAA and our BAAs. Where our BAAs permit de-identification, we de-identify PHI only under the HIPAA de-identification standard at 45 C.F.R. § 164.514(b); information de-identified to that standard is no longer PHI. We do not attempt to re-identify de-identified or aggregated data, and we require recipients of de-identified data to agree not to attempt to re-identify it.
This section describes how VITL ensures that its operations comply with applicable laws and regulations regarding privacy and protected health information.
VITL complies with the HIPAA requirements applicable to business associates, including the applicable provisions of the HIPAA Privacy Rule (45 C.F.R. Parts 160 and 164, Subparts A and E), the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C), and the HIPAA Breach Notification Rule (45 C.F.R. Part 164, Subpart D). Specifically:
VITL complies with applicable state privacy, consumer health data, and data breach notification laws in the states where its Services are offered. We provide the privacy rights described in Section 9 as required by the law of your state of residence, and where feasible we voluntarily extend those request processes to residents of other states. Where a state privacy law (including laws in California, Colorado, Connecticut, Virginia, Texas, Washington, Nevada, Oregon, Tennessee, and other states) grants additional rights, we honor them as required by that law.
For health information not governed by HIPAA (for example, health information you submit to us directly outside a Provider relationship), we comply with applicable state consumer health data laws. In particular:
We maintain administrative, physical, and technical safeguards designed to protect Personal Data, including the safeguards required for electronic PHI by the HIPAA Security Rule. These safeguards include:
VITL maintains a designated Privacy Officer function responsible for this Privacy Policy, our privacy and security compliance program, and responses to privacy questions, requests, and complaints. You may reach the Privacy Officer function by emailing support@vitlrx.com with “Attn: Privacy Officer” in the subject line, by calling 903-884-8579, or by mail to VITLrx, Inc., Attn: Privacy Officer, 305 Jefferson Street STE 125, Nashville, TN 37201.
If you believe your privacy rights have been violated, you may file a complaint with us, with your Provider, or with the U.S. Department of Health and Human Services, Office for Civil Rights. We will not retaliate against you for exercising your privacy rights or filing a complaint.
We disclose Personal Data only as described in this Privacy Policy and as permitted or required by applicable law; we disclose PHI only as permitted by our BAAs and HIPAA. We disclose Personal Data to these categories of recipients:
Our contracts with third parties, service providers, and contractors specify the purposes for which Personal Data may be processed and require comparable levels of privacy protection. These contracts stipulate that:
Where a vendor, service provider, or subcontractor creates, receives, maintains, or transmits PHI on our behalf, we enter into a written business associate agreement requiring it to comply with the same HIPAA obligations that apply to VITL.
Automated data is data collected through technologies such as cookies, web beacons (also known as pixels), and log files when you use our Sites, our Apps, or other online services. It may include your IP address, the pages of our Sites you visit, the time and date of your visit, time spent on certain pages, and other usage statistics.
“Cookies” are small files that a website stores on your computer or device. We use “session” cookies, which are deleted automatically when you close your browser and are used to optimize performance, such as maintaining your logged-in status and remembering information you enter. We may also use “persistent” cookies, which remain on your device unless deleted by you or your browser settings, for purposes such as statistical analysis of the performance and quality of our Services. Most browsers accept cookies automatically, but you may set your browser to block certain cookies. As required by applicable law, we will obtain any consent necessary before using cookies or similar tracking technologies.
You may opt in or opt out of the placement of optional technologies going forward, at any time, through our Cookie Preferences center at https://vitlrx.com/cookies/.
Our Sites use Google Analytics on public, unauthenticated marketing pages to collect usage statistics (such as device identifiers, IP address, and pages visited), which we review in aggregate form, and only as permitted by applicable law, including consumer health data laws. We do not deploy third-party analytics, advertising, or tracking technologies on authenticated pages of the Sites or Apps where PHI is created, received, maintained, or transmitted, and we do not disclose health information to advertising or analytics providers without your affirmative express consent or a HIPAA-compliant authorization. You can learn more about Google Analytics’ privacy practices and opt-out tools on Google’s website.
In the preceding 12 months, we disclosed identifiers and internet or network activity information to our analytics provider (Google). To the extent your state’s law treats this as a “sale,” “sharing,” or “targeted advertising,” you may opt out through our Cookie Preferences center at https://vitlrx.com/cookies/ or through a Global Privacy Control signal.
We treat Global Privacy Control (GPC) and other legally recognized universal opt-out preference signals sent by your browser as a valid request to opt out of the sale or sharing of personal information, and of targeted advertising, for that browser.
Depending on the state in which you reside, you may have some or all of the following rights, subject to applicable law and certain exceptions (for example, information we must retain to comply with legal obligations). We will honor your request as required by the law that applies to you, and where feasible we voluntarily extend these request processes to residents of other states:
For PHI we maintain on behalf of your Provider, direct requests to access, amend, or receive an accounting of disclosures to your Provider (Sections 1 and 5.1); we will support your Provider in fulfilling them. State privacy rights such as deletion do not apply to PHI we maintain on behalf of a Provider; that PHI is governed by HIPAA, the applicable BAA, and your Provider’s retention obligations.
Submit requests by emailing support@vitlrx.com with “Privacy Request” and “Attn: Privacy Officer” in the subject line, by calling 903-884-8579, or by mail to the address in Section 17. You may also manage cookie-based sharing at https://vitlrx.com/cookies/. Requests are free of charge. If requests are manifestly unfounded, excessive, or repetitive, we may charge a reasonable fee or decline to act, as applicable law permits, and we will explain our decision. You do not need to create an account to exercise your rights, although existing account holders may be asked to log in for verification.
We verify your identity using your account login credentials or by matching two or more data points you provide against information we already hold, and we may request additional information solely for verification. For requests to access the specific pieces of Personal Data we hold about you, we apply a higher verification standard, which may include matching at least three data points and obtaining a signed declaration that you are the person whose data is requested. An authorized agent may submit a request on your behalf with your signed written permission; we may still verify your identity directly with you.
We will respond to rights requests within the time required by applicable law (in most states, within 45 days of receipt, with one 45-day extension where reasonably necessary; if we extend, we will notify you of the extension and the reason). Some consumer health data laws require faster responses (for example, Nevada requires a response within 30 days of authenticating a consumer health data request); where a shorter deadline applies, we will meet it.
We will not discriminate or retaliate against you for exercising any privacy right, including by denying Services, charging different prices, or providing a different level of quality. Certain Services require specific Personal Data to function; if you ask us to delete data necessary to provide a Service, we may be unable to provide that Service, and we will explain this at the time of your request.
If we decline to act on your request, you may appeal by emailing support@vitlrx.com with “Privacy Appeal” and “Attn: Privacy Officer” in the subject line, or by phone or mail (Section 17). We will respond in writing within the time required by applicable law (in most states, within 45 to 60 days), explaining any action taken or the reasons for our decision. If your appeal is denied, we will provide instructions for contacting your state Attorney General to submit a complaint.
While your End User Account is active, you may access, update, and correct the Personal Data in your account profile page, or contact us (Section 17) to request a correction form or have us make the correction. Some data may be unavailable after account closure, where we are legally required to retain it in its existing form, or where we have already deleted it; if we deny an access or correction request, we will explain why. Removing, or declining to provide, Personal Data necessary for certain Services may affect your ability to order and use those Services (Section 9.5).
For PHI we maintain on behalf of a Provider, please direct requests to access, amend, or receive an accounting of disclosures of that PHI to the Provider; we will support the Provider as required by HIPAA and the applicable BAA.
We retain Personal Data for as long as necessary for the purposes described in this Privacy Policy. In general, Personal Data is retained for the duration of your End User relationship with us and as needed to provide the Services, and thereafter as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. Retention periods for each category of Personal Data are determined by the nature of the Services, the duration of your relationship with us, legal and regulatory requirements, and applicable limitations periods. When Personal Data is no longer needed for these purposes, we delete or de-identify it.
PHI we maintain on behalf of a Provider is retained for the period required by the applicable BAA and applicable law. Upon termination of the applicable agreement, we return or destroy that PHI where feasible; where return or destruction is not feasible, we extend the protections of this Privacy Policy and the BAA to the retained PHI and limit further use and disclosure to the purposes that make return or destruction infeasible.
Unique Identifiers are retained by our third-party payment and service providers for as long as necessary to complete transactions and comply with the laws applicable to them. Information that has been de-identified or aggregated in accordance with applicable legal standards (for PHI, only as described in Section 4.1) is no longer Personal Data and may be retained for a longer period as permitted by law; we do not attempt to re-identify such data, and we contractually prohibit recipients from attempting to do so.
You agree not to provide us with any information of any kind about any other person unless you have that person’s consent or other legal authority to do so.
We use your contact information for transactional and service communications, such as registration confirmations, order and prescription status updates, support responses, and security notices. We place marketing calls and send marketing text messages only with your prior express written consent, obtained when you opt in. Consent to receive marketing calls or texts is not a condition of purchasing any good or service, and you may revoke your consent at any time.
Your telephone communications with us may be recorded or monitored for quality assurance, training, and compliance purposes. Where required by law, you will be notified at the beginning of the call, and by continuing the call after that notice you consent to the recording and monitoring. Where recorded calls contain health information we handle on behalf of a Provider, the recordings are treated as PHI and protected in accordance with HIPAA, the applicable BAA, and the safeguards described in this Privacy Policy.
You may opt out of marketing emails using the “reply” or “unsubscribe” options included in every marketing email. We honor opt-out requests within 10 business days; no fee, login, or information beyond your email address is required. Opting out does not stop transactional or service emails, such as receipts, order and prescription status notices, and account and security notices.
Opt-in. You may opt in to receive SMS text messages from us online by submitting an online form, or in writing by filling out a paper form. For informational and transactional messages, you may also opt in verbally. Marketing text messages are sent only with the prior express written consent described in Section 12.1.
Message content and frequency. If you have provided consent to receive text messages from us, you may receive messages related to Services you have ordered, our Sites, and other relevant communications. Message frequency may vary based on the type of communication. Standard message and data rates may apply, depending on your carrier’s pricing plan, including potential variations for domestic or international messages.
Collection and use of SMS data. When you opt in to our text messaging service, we collect your mobile phone number and any other information you provide during the sign-up process. We may also collect data regarding your interaction with our messages, such as confirmation of receipt. This information is used to send you the text messages you have consented to receive, according to your preferences and behaviors. It is shared only with service providers that deliver those messages on our behalf, and as required by law. We do not share your mobile phone number or your SMS consent with third parties for their own use or for their marketing purposes.
We do not sell your SMS data. We do not sell any Personal Information collected through our SMS services, including phone numbers and SMS consents; it is used solely for the purposes you consented to when providing it.
Opt-out. You may opt out of receiving text messages at any time by replying with the word “STOP” to any message you receive from us. After you reply STOP, you may receive a single message confirming that you have been unsubscribed; we will then promptly discontinue sending you text messages. You may also have your name removed from our registration list, or stop marketing communications, by using the opt-out option in any marketing email or by contacting us (Section 17). We will respond to your request within the timeline required by law.
Help. Reply “HELP” to any message for assistance, or contact us at support@vitlrx.com or 903-884-8579.
If we make changes to our communications practices, we will update this Privacy Policy and notify you as required by law or by our contractual obligations.
We maintain reasonable and appropriate administrative, physical, and technical safeguards to protect Personal Data, as described in Section 5.4, including SSL/TLS encryption of Personal Data in transit (including all transaction, customer, patient, and medical information) and at rest, role-based access controls, access logging, periodic security risk assessments, and workforce training. We do not give third parties access to Personal Data except as described in this Privacy Policy or as permitted or required by applicable law.
No method of internet transmission or electronic storage is completely secure, and we cannot guarantee that communications between us will be free from unauthorized access by third parties. You can help protect your information by logging out of your End User Account when you are not using it, securing your computer, phone, and other devices against unauthorized access, and keeping your username, login, and password confidential. Individuals with access to your devices may be able to access the Services and your Personal Data, including your PHI.
If you believe your Personal Data has been compromised, or you become aware of a potential security vulnerability in our Services, please contact us (Section 17). Your report helps us respond quickly; it does not replace our own breach notification obligations described in Section 5.5.
Our Services are offered in the United States only. Our servers are hosted in the United States, and the Services are intended only for users located in the United States.
Our Sites, Apps, and Services are not directed to children under 13, and End User Accounts may be created only by adults 18 years of age or older. We do not knowingly collect Personal Data directly from children under 13; if we learn that we have done so without verifiable parental consent, we will delete it promptly. Parents or guardians who believe a child has provided us Personal Data should contact us (Section 17).
Providers may use the Services in connection with the care of minor patients. Any minor’s PHI we handle on a Provider’s behalf is received at the direction of the Provider and is protected in accordance with HIPAA, the applicable BAA, and this Privacy Policy, with parents or legal guardians acting as personal representatives where applicable law provides. We do not sell or share the personal information of consumers we know to be under 16 without legally required opt-in consent, and we do not use the personal data of known minors for targeted advertising or profiling.
This Privacy Policy may change from time to time. The Effective Date above shows when the current version took effect and was last updated; the prior version’s effective date is also shown. If we make material changes, we will notify you by email or by prominent notice on our Sites before the changes take effect, and we will post the revised version with an updated Effective Date. We encourage you to review this page regularly.
VITLrx, Inc.
Attn: Privacy Officer
305 Jefferson Street STE 125
Nashville, TN 37201
Email: support@vitlrx.com (for privacy matters, please include “Attn: Privacy Officer” in the subject line)
Telephone Number: 903-884-8579
Privacy questions, privacy rights requests, appeals, and consumer health data requests may all be submitted through these channels. Patients with questions about their PHI or HIPAA rights should also review their Provider’s Notice of Privacy Practices and contact their Provider. You may file a privacy complaint with us, with your Provider, or with the U.S. Department of Health and Human Services, Office for Civil Rights; we will not retaliate against you for exercising your privacy rights or filing a complaint.
Join thousands of healthcare providers who’ve simplified their workflow with VITL’s e-prescribing platform.