Cash-Pay Health Has a $100 Billion Infrastructure Problem. We Just Raised $7.5M to Fix It.

VITLrx, Inc. Privacy Policy

Effective Date: July 7th, 2026

Prior version effective: August 5, 2025

VITLrx, Inc. (“VITL,” “we,” “us,” or “our”), 305 Jefferson Street STE 125, Nashville, TN 37201, provides a technology platform and marketplace that connects clinics and other health care providers (“Providers”), compounding pharmacies, and their patients (“Patients”) to support e-prescribing, pharmacy management, and virtual care (the “Services”). VITL is a technology company: it is not a pharmacy, does not dispense or provide medications, and does not provide medical care. Health care services are provided by the Providers and pharmacies that use our platform. Patients and Providers may be referred to as “you” or “your” in this Privacy Policy.

This Privacy Policy is published at https://vitlrx.com/privacy/ and is linked as “Privacy Policy” in the footer of every page of our websites. Our Services are offered to users located in the United States only.

Table of Contents

1. Scope of This Privacy Policy

This Privacy Policy describes the types of Personal Data VITL collects and how VITL collects, uses, shares, and protects that Personal Data. This Privacy Policy describes our current privacy practices.

“Personal Data” means and includes Personal Information, Sensitive Personal Information, and Protected Health Information (“PHI”), each as described in Section 2. We may collect Personal Data through our websites and web applications, including https://www.vitlrx.com/ and our patient portal at [PATIENT PORTAL URL] (collectively, the “Sites”), through our mobile applications (“Apps”), and from Patients and Providers who register as End Users to receive Services.

To receive our Services, you must register as an “End User,” create an “End User Account,” and enter into our End User License Agreement (“EULA”), providing Personal Information such as your name, email address, username, mailing address, and phone number, and creating a login and password. The EULA governs your use of the Services; this Privacy Policy describes how we handle Personal Data and the privacy rights available to you.

In this Privacy Policy, “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended, including by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and its implementing regulations at 45 C.F.R. Parts 160 and 164, including the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

VITL handles health information in two ways, with different legal protections:

  • On behalf of your Provider. Where VITL creates, receives, maintains, or transmits PHI on behalf of Provider customers that are HIPAA covered entities, VITL acts as a HIPAA business associate and handles that PHI under written business associate agreements (“BAAs”) with those Providers and under HIPAA. VITL is not a covered entity; it is directly subject to the HIPAA provisions that apply to business associates.
  • Directly from you. Health information you submit to VITL outside a Provider relationship (for example, through patient-facing pages of the Sites or Apps) may not be covered by HIPAA, but it is protected as described in this Privacy Policy and by applicable federal and state consumer health data laws.


This Privacy Policy is not a HIPAA Notice of Privacy Practices. Your Provider’s own Notice of Privacy Practices describes how the Provider uses and discloses your PHI and explains your HIPAA rights. Patients with questions or requests about their PHI should contact their Provider first; we will support the Provider as required by HIPAA and our BAAs.

2. Types of Personal Data We Collect

We collect the following categories of Personal Data. The sources are described in Section 3, the purposes in Section 4, the categories of recipients in Section 6, and the retention criteria in Section 11. For California residents, this section, together with Sections 3, 4, 6, 7, 8, 9, and 11, provides the disclosures required by the California Consumer Privacy Act; the disclosures cover the 12 months preceding the Effective Date.

  • Personal Information (contact information and identifiers): name, email address, screen name, mailing address, and phone number.
  • Professional and Unique Identifiers: driver’s license number or identification card number; National Provider Identifier (NPI); professional license number (for example, MD or NP); and Drug Enforcement Administration (DEA) registration number.
  • Photographs: profile pictures or other photographs you choose to provide.
  • Sensitive Personal Information: ethnicity, gender, marital status, and date of birth; government-issued identification numbers; health information; and Financial Account Information.
  • Health Information, including PHI: past, present, or future physical or mental health conditions and current health status, including allergies, weight, height, medication history, surgical history, social history, exercise, activity, sleep, diet, and information about payment for the provision of health care. “PHI” is individually identifiable health information created or received by or on behalf of a HIPAA covered entity (such as your Provider) that relates to a person’s health condition, care, or payment for care. Health information is PHI when we handle it on behalf of a Provider that is a HIPAA covered entity; other health information, including information you submit to us directly, may not be PHI but remains protected under this Privacy Policy and applicable consumer health data laws.
  • Financial Account Information: credit card or debit card number and bank account and routing numbers, collected and processed through our payment service providers.
  • Location Information: the mailing address and ZIP code you provide, used to connect you with Providers and pharmacies. Our Apps request precise device location, if at all, only through your device’s permission prompt, which you can withdraw in your device settings.
  • Communications Content: the contents of emails, text messages, and in-platform messages, such as chats between Patients and their Providers, and recordings of telephone support calls as described in Section 12.
  • Internet and Network Activity: automated data described in Section 8, such as IP address, pages visited, and usage statistics.

3. How We Collect Personal Data

We collect Personal Data in the following ways:

  • Directly from you: when you submit registration forms to activate your End User Account, order Services through our Sites or Apps, communicate with us by email or text message, or call our telephone support number.
  • From Providers: when Providers use the platform in connection with the care of their Patients. Where the Provider is a HIPAA covered entity, health information received this way is handled as PHI under our BAAs and HIPAA; otherwise it is protected as described in this Privacy Policy and applicable consumer health data laws.
  • Automatically: through cookies, web beacons (pixels), and log files when you use the Sites or Apps, as described in Section 8.
3.1 Sensitive Personal Information and Consent

Where applicable law requires consent, we request your affirmative, opt-in consent at the point of collection before collecting or processing Sensitive Personal Information, except where the processing is necessary to provide Services you have requested or the information is governed by HIPAA through your Provider. We collect Sensitive Personal Information only as reasonably necessary to provide the Services, and you may withdraw consent at any time by contacting us (Section 17). We do not sell Sensitive Personal Information or use or disclose it for purposes other than those permitted by applicable law. Where HIPAA requires an individual authorization, we or your Provider will obtain a written authorization meeting 45 C.F.R. § 164.508 before the use or disclosure occurs.

4. How We Use Personal Data

We use Personal Data to operate our platform, to connect clinics, pharmacies, and End Users to us and to each other, and to provide our Services to all of our End Users, including to:

  • Communicate with Providers and Patients;
  • Facilitate communications and services between Provider and Patient End Users, including Providers’ clinical evaluations and Patient-Provider chat;
  • Use the address and ZIP code you provide to identify your locale and connect Patients, Providers, and pharmacies;
  • Enable prescribers to browse pharmacy offerings and write prescriptions for their Patients;
  • Enable End Users to pay for Services, and Patients to pay for programs offered by their Providers and view Provider instructions;
  • Administer our business and provide, update, improve, and develop the Services;
  • Enhance security and prevent fraud or illegal activity;
  • Perform our contractual duties under separate contracts with our End Users;
  • Comply with legal obligations, including under HIPAA, DEA controlled substance documentation requirements, and credentialing Providers to use our platform;
  • Provide user support and customer service; and
  • Perform market research and analytics, using only data that is not PHI or that has been de-identified in accordance with HIPAA (Section 4.1).
4.1 How We Use and Disclose PHI

We use and disclose PHI only as permitted or required by our BAAs and HIPAA. This includes supporting our Provider customers’ treatment of their Patients, payment for health care, and health care operations; disclosures required by law; and our proper management and administration where the applicable BAA permits. We apply HIPAA’s minimum necessary standard, limiting requests, uses, and disclosures of PHI to the minimum necessary for the intended purpose, including through role-based access controls.

We do not sell PHI or use or disclose PHI for marketing or our own market research, except with a valid written authorization meeting 45 C.F.R. § 164.508 or as otherwise expressly permitted by HIPAA and our BAAs. Where our BAAs permit de-identification, we de-identify PHI only under the HIPAA de-identification standard at 45 C.F.R. § 164.514(b); information de-identified to that standard is no longer PHI. We do not attempt to re-identify de-identified or aggregated data, and we require recipients of de-identified data to agree not to attempt to re-identify it.

5. How We Comply With Privacy Laws and Regulations

This section describes how VITL ensures that its operations comply with applicable laws and regulations regarding privacy and protected health information.

5.1 HIPAA and Protected Health Information

VITL complies with the HIPAA requirements applicable to business associates, including the applicable provisions of the HIPAA Privacy Rule (45 C.F.R. Parts 160 and 164, Subparts A and E), the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C), and the HIPAA Breach Notification Rule (45 C.F.R. Part 164, Subpart D). Specifically:

  • Business associate role. Where VITL creates, receives, maintains, or transmits PHI on behalf of Provider covered entities, VITL acts as a HIPAA business associate and enters into written BAAs before handling that PHI. VITL is not a covered entity.
  • Permitted uses and disclosures. We use and disclose PHI only as permitted or required by our BAAs and HIPAA (Section 4.1).
  • Minimum necessary. We apply the minimum necessary standard to requests for, uses of, and disclosures of PHI.
  • Safeguards. We maintain the administrative, physical, and technical safeguards required by the HIPAA Security Rule for electronic PHI (Section 5.4).
  • Subcontractors. Any vendor or subcontractor that creates, receives, maintains, or transmits PHI on our behalf must sign a written business associate agreement imposing the same HIPAA obligations that apply to VITL, including safeguards, use and disclosure limits, and breach reporting.
  • Workforce training. We train our workforce on privacy and security and restrict PHI access to personnel who need it for their jobs.
  • Breach notification. We report breaches of unsecured PHI as required by the HIPAA Breach Notification Rule (Section 5.5).
  • Individual rights. Your HIPAA rights to access, amend, and receive an accounting of disclosures of PHI we maintain for your Provider are exercised through your Provider; we support Providers as required by HIPAA and our BAAs.
5.2 State Privacy and Consumer Health Data Laws

VITL complies with applicable state privacy, consumer health data, and data breach notification laws in the states where its Services are offered. We provide the privacy rights described in Section 9 as required by the law of your state of residence, and where feasible we voluntarily extend those request processes to residents of other states. Where a state privacy law (including laws in California, Colorado, Connecticut, Virginia, Texas, Washington, Nevada, Oregon, Tennessee, and other states) grants additional rights, we honor them as required by that law.

For health information not governed by HIPAA (for example, health information you submit to us directly outside a Provider relationship), we comply with applicable state consumer health data laws. In particular:

  • We collect and share consumer health data only for the purposes described in this Privacy Policy, as permitted by applicable law and, where the law requires it, only with your consent.
  • You may ask us to confirm whether we collect consumer health data about you, to access it, to withdraw your consent, and to delete it (Section 9).
  • We do not sell consumer health data.
  • We do not use geofencing around facilities that provide in-person health care services to identify or track individuals, collect consumer health data, or send health-related notifications, messages, or advertisements.
5.3 Federal Consumer Protection Laws
  • FTC Act. We make only truthful, substantiated statements about our privacy and data security practices, consistent with Section 5 of the Federal Trade Commission Act.
  • FTC Health Breach Notification Rule. We comply with the FTC Health Breach Notification Rule (16 C.F.R. Part 318) for individually identifiable health information we hold that is not covered by HIPAA (Section 5.5).
  • COPPA. We comply with the Children’s Online Privacy Protection Act (Section 15).
  • CAN-SPAM Act and TCPA. Our email practices comply with the CAN-SPAM Act, and our telephone and text messaging practices comply with the Telephone Consumer Protection Act (Section 12).
5.4 How We Safeguard Your Information

We maintain administrative, physical, and technical safeguards designed to protect Personal Data, including the safeguards required for electronic PHI by the HIPAA Security Rule. These safeguards include:

  • Encryption in transit. All information regarding transactions, customers, patients, and medical information, and any other sensitive or confidential information, is processed and transmitted using Secure Socket Layer (SSL) encryption technology, implemented through its modern successor, Transport Layer Security (TLS). We also encrypt Personal Data at rest in our production systems.
  • Access controls. We restrict access to Personal Data to personnel who need it to perform their jobs, using role-based access controls.
  • Access logging. We maintain an access log that includes the time of access, user details, and the type of data accessed.
  • Risk management. We conduct periodic security risk assessments and address the risks we identify.
  • Workforce training. We train our workforce on privacy and security requirements.
  • Vendor contracts. Vendors and service providers that handle Personal Data must protect it under written contracts, and vendors that handle PHI must sign business associate agreements (Sections 5.1 and 6).
5.5 Breach Notification
  • PHI we hold as a business associate. If we discover a breach of unsecured PHI we hold on behalf of a Provider, we will notify the affected Provider without unreasonable delay, and no later than 60 calendar days after discovery as required by 45 C.F.R. § 164.410, or within any shorter period required by the applicable BAA, and we will cooperate with the Provider’s notification of affected individuals under 45 C.F.R. § 164.404.
  • Health information not covered by HIPAA. If we discover a breach of security involving unsecured, individually identifiable health information not covered by HIPAA, we will notify affected individuals without unreasonable delay, and no later than 60 calendar days after discovery, as required by the FTC Health Breach Notification Rule (16 C.F.R. Part 318). If 500 or more individuals are affected, we will notify the Federal Trade Commission at the same time we notify affected individuals; for smaller breaches, we will notify the FTC annually as the Rule requires. If 500 or more residents of a single state or jurisdiction are affected, we will also notify prominent media serving that area.
  • Other Personal Data. We will notify affected individuals and regulators of breaches involving other Personal Data as required by applicable state data breach notification laws.
5.6 Accountability and Privacy Questions

VITL maintains a designated Privacy Officer function responsible for this Privacy Policy, our privacy and security compliance program, and responses to privacy questions, requests, and complaints. You may reach the Privacy Officer function by emailing support@vitlrx.com with “Attn: Privacy Officer” in the subject line, by calling 903-884-8579, or by mail to VITLrx, Inc., Attn: Privacy Officer, 305 Jefferson Street STE 125, Nashville, TN 37201.

If you believe your privacy rights have been violated, you may file a complaint with us, with your Provider, or with the U.S. Department of Health and Human Services, Office for Civil Rights. We will not retaliate against you for exercising your privacy rights or filing a complaint.

6. How We Share Personal Data; Contracts With Third Parties

We disclose Personal Data only as described in this Privacy Policy and as permitted or required by applicable law; we disclose PHI only as permitted by our BAAs and HIPAA. We disclose Personal Data to these categories of recipients:

  • Providers and pharmacies, to facilitate prescriptions, care, and the other Services you or your Provider request;
  • Service providers under written contract, including payment and document workflow providers (for example, Stripe and PandaDoc, and the card networks and banks involved in processing your payments) and analytics providers (Google Analytics, as described in Section 8), only to the extent necessary to complete your transaction or support our business and users;
  • Recipients required by law, such as disclosures under court order, subpoena, or other legal process; DEA controlled substance recordkeeping; and disclosures to the Secretary of Health and Human Services for determining HIPAA compliance;
  • Parties as necessary to protect rights and safety, including to enforce our agreements, protect the security of the Services, and prevent fraud or illegal activity;
  • A successor entity in a corporate transaction (such as a merger, acquisition, or sale of assets), subject to protections equivalent to those in this Privacy Policy; and
  • Others at your direction, when you ask or authorize us to share your Personal Data.


Our contracts with third parties, service providers, and contractors specify the purposes for which Personal Data may be processed and require comparable levels of privacy protection. These contracts stipulate that:

  • Personal Data may only be processed for specified purposes;
  • The third party must maintain the confidentiality and security of the Personal Data;
  • The third party must notify us if it can no longer meet these standards; and
  • Personal Data will not be further disclosed except as required by law.


Where a vendor, service provider, or subcontractor creates, receives, maintains, or transmits PHI on our behalf, we enter into a written business associate agreement requiring it to comply with the same HIPAA obligations that apply to VITL.

7. Restrictions on Use of Personal Data

  • We do not sell your Personal Data for money. Like many companies, we use cookies and analytics services on our public web pages (Section 8), and some state laws treat certain disclosures of identifiers and internet activity through those technologies as a “sale,” “sharing,” or “targeted advertising.” You may opt out as described in Sections 8 and 9.
  • We do not sell PHI or use or disclose PHI for marketing, except with a valid written authorization meeting 45 C.F.R. § 164.508 or as otherwise expressly permitted by HIPAA.
  • Users may not import personal address books, contacts, or other information about other people to our Sites unless specifically required for use of our Sites or Services.
  • We do not make your Personal Data publicly available to other users or third parties, except as described in this Privacy Policy.
  • We do not display third-party advertising on our Sites. We may send you marketing communications about our own Services, which you can opt out of at any time (Section 12).

8. Cookies and Automated Data Collection

Automated data is data collected through technologies such as cookies, web beacons (also known as pixels), and log files when you use our Sites, our Apps, or other online services. It may include your IP address, the pages of our Sites you visit, the time and date of your visit, time spent on certain pages, and other usage statistics.

“Cookies” are small files that a website stores on your computer or device. We use “session” cookies, which are deleted automatically when you close your browser and are used to optimize performance, such as maintaining your logged-in status and remembering information you enter. We may also use “persistent” cookies, which remain on your device unless deleted by you or your browser settings, for purposes such as statistical analysis of the performance and quality of our Services. Most browsers accept cookies automatically, but you may set your browser to block certain cookies. As required by applicable law, we will obtain any consent necessary before using cookies or similar tracking technologies.

You may opt in or opt out of the placement of optional technologies going forward, at any time, through our Cookie Preferences center at https://vitlrx.com/cookies/.

Our Sites use Google Analytics on public, unauthenticated marketing pages to collect usage statistics (such as device identifiers, IP address, and pages visited), which we review in aggregate form, and only as permitted by applicable law, including consumer health data laws. We do not deploy third-party analytics, advertising, or tracking technologies on authenticated pages of the Sites or Apps where PHI is created, received, maintained, or transmitted, and we do not disclose health information to advertising or analytics providers without your affirmative express consent or a HIPAA-compliant authorization. You can learn more about Google Analytics’ privacy practices and opt-out tools on Google’s website.

In the preceding 12 months, we disclosed identifiers and internet or network activity information to our analytics provider (Google). To the extent your state’s law treats this as a “sale,” “sharing,” or “targeted advertising,” you may opt out through our Cookie Preferences center at https://vitlrx.com/cookies/ or through a Global Privacy Control signal.

We treat Global Privacy Control (GPC) and other legally recognized universal opt-out preference signals sent by your browser as a valid request to opt out of the sale or sharing of personal information, and of targeted advertising, for that browser.

9. Your Privacy Rights

9.1 Rights We Honor

Depending on the state in which you reside, you may have some or all of the following rights, subject to applicable law and certain exceptions (for example, information we must retain to comply with legal obligations). We will honor your request as required by the law that applies to you, and where feasible we voluntarily extend these request processes to residents of other states:

  • Right to know and access: confirm whether we process your Personal Data and access it, including the categories collected, sources, purposes, categories of third parties receiving it, and the specific pieces we hold about you.
  • Right to correct inaccurate Personal Data.
  • Right to delete your Personal Data, subject to legal retention requirements.
  • Right to data portability: obtain a copy of your Personal Data in a portable and readily usable format.
  • Right to opt out of the sale of Personal Data, its sharing or processing for targeted advertising, and profiling in furtherance of decisions with legal or similarly significant effects.
  • Right to limit the use and disclosure of Sensitive Personal Information to purposes permitted by applicable law.
  • Right to non-discrimination for exercising any privacy right (Section 9.5).
  • Consumer health data rights: confirm whether we collect consumer health data about you, access it (including a list of the third parties and affiliates with whom we have shared it and a way to contact them), withdraw your consent, and have it deleted, including, where the law requires, from our processors and from third parties with whom it was shared.


For PHI we maintain on behalf of your Provider, direct requests to access, amend, or receive an accounting of disclosures to your Provider (Sections 1 and 5.1); we will support your Provider in fulfilling them. State privacy rights such as deletion do not apply to PHI we maintain on behalf of a Provider; that PHI is governed by HIPAA, the applicable BAA, and your Provider’s retention obligations.

9.2 How to Exercise Your Rights

Submit requests by emailing support@vitlrx.com with “Privacy Request” and “Attn: Privacy Officer” in the subject line, by calling 903-884-8579, or by mail to the address in Section 17. You may also manage cookie-based sharing at https://vitlrx.com/cookies/. Requests are free of charge. If requests are manifestly unfounded, excessive, or repetitive, we may charge a reasonable fee or decline to act, as applicable law permits, and we will explain our decision. You do not need to create an account to exercise your rights, although existing account holders may be asked to log in for verification.

9.3 Identity Verification and Authorized Agents

We verify your identity using your account login credentials or by matching two or more data points you provide against information we already hold, and we may request additional information solely for verification. For requests to access the specific pieces of Personal Data we hold about you, we apply a higher verification standard, which may include matching at least three data points and obtaining a signed declaration that you are the person whose data is requested. An authorized agent may submit a request on your behalf with your signed written permission; we may still verify your identity directly with you.

9.4 Response Timelines

We will respond to rights requests within the time required by applicable law (in most states, within 45 days of receipt, with one 45-day extension where reasonably necessary; if we extend, we will notify you of the extension and the reason). Some consumer health data laws require faster responses (for example, Nevada requires a response within 30 days of authenticating a consumer health data request); where a shorter deadline applies, we will meet it.

9.5 Non-Discrimination

We will not discriminate or retaliate against you for exercising any privacy right, including by denying Services, charging different prices, or providing a different level of quality. Certain Services require specific Personal Data to function; if you ask us to delete data necessary to provide a Service, we may be unable to provide that Service, and we will explain this at the time of your request.

9.6 Appeals

If we decline to act on your request, you may appeal by emailing support@vitlrx.com with “Privacy Appeal” and “Attn: Privacy Officer” in the subject line, or by phone or mail (Section 17). We will respond in writing within the time required by applicable law (in most states, within 45 to 60 days), explaining any action taken or the reasons for our decision. If your appeal is denied, we will provide instructions for contacting your state Attorney General to submit a complaint.

9.7 Additional State-Specific Notices
  • Nevada residents: Under Nevada’s website operator law (NRS 603A.340), you may direct us not to sell your covered information by submitting a request to our designated request address, support@vitlrx.com, with “Nevada Do Not Sell Request” and “Attn: Privacy Officer” in the subject line; we will respond to those requests within 60 days. Requests under Nevada’s consumer health data law (SB 370) are handled as described in Sections 5.2, 9.1, and 9.4.
  • Oregon residents: You may request a list of the specific third parties to which we have disclosed personal data.
  • California residents: We do not sell or share the personal information of consumers we know to be under 16 without the opt-in consent required by California law.

10. Access to and Correction of Your Personal Data

While your End User Account is active, you may access, update, and correct the Personal Data in your account profile page, or contact us (Section 17) to request a correction form or have us make the correction. Some data may be unavailable after account closure, where we are legally required to retain it in its existing form, or where we have already deleted it; if we deny an access or correction request, we will explain why. Removing, or declining to provide, Personal Data necessary for certain Services may affect your ability to order and use those Services (Section 9.5).

For PHI we maintain on behalf of a Provider, please direct requests to access, amend, or receive an accounting of disclosures of that PHI to the Provider; we will support the Provider as required by HIPAA and the applicable BAA.

11. Retention Periods

We retain Personal Data for as long as necessary for the purposes described in this Privacy Policy. In general, Personal Data is retained for the duration of your End User relationship with us and as needed to provide the Services, and thereafter as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. Retention periods for each category of Personal Data are determined by the nature of the Services, the duration of your relationship with us, legal and regulatory requirements, and applicable limitations periods. When Personal Data is no longer needed for these purposes, we delete or de-identify it.

PHI we maintain on behalf of a Provider is retained for the period required by the applicable BAA and applicable law. Upon termination of the applicable agreement, we return or destroy that PHI where feasible; where return or destruction is not feasible, we extend the protections of this Privacy Policy and the BAA to the retained PHI and limit further use and disclosure to the purposes that make return or destruction infeasible.

Unique Identifiers are retained by our third-party payment and service providers for as long as necessary to complete transactions and comply with the laws applicable to them. Information that has been de-identified or aggregated in accordance with applicable legal standards (for PHI, only as described in Section 4.1) is no longer Personal Data and may be retained for a longer period as permitted by law; we do not attempt to re-identify such data, and we contractually prohibit recipients from attempting to do so.

12. Communications, Email, and Text Messaging (SMS)

You agree not to provide us with any information of any kind about any other person unless you have that person’s consent or other legal authority to do so.

12.1 How We Contact You

We use your contact information for transactional and service communications, such as registration confirmations, order and prescription status updates, support responses, and security notices. We place marketing calls and send marketing text messages only with your prior express written consent, obtained when you opt in. Consent to receive marketing calls or texts is not a condition of purchasing any good or service, and you may revoke your consent at any time.

12.2 Telephone Communications

Your telephone communications with us may be recorded or monitored for quality assurance, training, and compliance purposes. Where required by law, you will be notified at the beginning of the call, and by continuing the call after that notice you consent to the recording and monitoring. Where recorded calls contain health information we handle on behalf of a Provider, the recordings are treated as PHI and protected in accordance with HIPAA, the applicable BAA, and the safeguards described in this Privacy Policy.

12.3 Email Marketing and Opt-Out

You may opt out of marketing emails using the “reply” or “unsubscribe” options included in every marketing email. We honor opt-out requests within 10 business days; no fee, login, or information beyond your email address is required. Opting out does not stop transactional or service emails, such as receipts, order and prescription status notices, and account and security notices.

12.4 Text Messaging (SMS)

Opt-in. You may opt in to receive SMS text messages from us online by submitting an online form, or in writing by filling out a paper form. For informational and transactional messages, you may also opt in verbally. Marketing text messages are sent only with the prior express written consent described in Section 12.1.

Message content and frequency. If you have provided consent to receive text messages from us, you may receive messages related to Services you have ordered, our Sites, and other relevant communications. Message frequency may vary based on the type of communication. Standard message and data rates may apply, depending on your carrier’s pricing plan, including potential variations for domestic or international messages.

Collection and use of SMS data. When you opt in to our text messaging service, we collect your mobile phone number and any other information you provide during the sign-up process. We may also collect data regarding your interaction with our messages, such as confirmation of receipt. This information is used to send you the text messages you have consented to receive, according to your preferences and behaviors. It is shared only with service providers that deliver those messages on our behalf, and as required by law. We do not share your mobile phone number or your SMS consent with third parties for their own use or for their marketing purposes.

We do not sell your SMS data. We do not sell any Personal Information collected through our SMS services, including phone numbers and SMS consents; it is used solely for the purposes you consented to when providing it.

Opt-out. You may opt out of receiving text messages at any time by replying with the word “STOP” to any message you receive from us. After you reply STOP, you may receive a single message confirming that you have been unsubscribed; we will then promptly discontinue sending you text messages. You may also have your name removed from our registration list, or stop marketing communications, by using the opt-out option in any marketing email or by contacting us (Section 17). We will respond to your request within the timeline required by law.

Help. Reply “HELP” to any message for assistance, or contact us at support@vitlrx.com or 903-884-8579.

12.5 Changes to Our Communications Practices

If we make changes to our communications practices, we will update this Privacy Policy and notify you as required by law or by our contractual obligations.

13. Security

We maintain reasonable and appropriate administrative, physical, and technical safeguards to protect Personal Data, as described in Section 5.4, including SSL/TLS encryption of Personal Data in transit (including all transaction, customer, patient, and medical information) and at rest, role-based access controls, access logging, periodic security risk assessments, and workforce training. We do not give third parties access to Personal Data except as described in this Privacy Policy or as permitted or required by applicable law.

No method of internet transmission or electronic storage is completely secure, and we cannot guarantee that communications between us will be free from unauthorized access by third parties. You can help protect your information by logging out of your End User Account when you are not using it, securing your computer, phone, and other devices against unauthorized access, and keeping your username, login, and password confidential. Individuals with access to your devices may be able to access the Services and your Personal Data, including your PHI.

If you believe your Personal Data has been compromised, or you become aware of a potential security vulnerability in our Services, please contact us (Section 17). Your report helps us respond quickly; it does not replace our own breach notification obligations described in Section 5.5.

14. Services Offered in the United States Only

Our Services are offered in the United States only. Our servers are hosted in the United States, and the Services are intended only for users located in the United States.

15. Children and Minors

Our Sites, Apps, and Services are not directed to children under 13, and End User Accounts may be created only by adults 18 years of age or older. We do not knowingly collect Personal Data directly from children under 13; if we learn that we have done so without verifiable parental consent, we will delete it promptly. Parents or guardians who believe a child has provided us Personal Data should contact us (Section 17).

Providers may use the Services in connection with the care of minor patients. Any minor’s PHI we handle on a Provider’s behalf is received at the direction of the Provider and is protected in accordance with HIPAA, the applicable BAA, and this Privacy Policy, with parents or legal guardians acting as personal representatives where applicable law provides. We do not sell or share the personal information of consumers we know to be under 16 without legally required opt-in consent, and we do not use the personal data of known minors for targeted advertising or profiling.

16. Changes to This Privacy Policy

This Privacy Policy may change from time to time. The Effective Date above shows when the current version took effect and was last updated; the prior version’s effective date is also shown. If we make material changes, we will notify you by email or by prominent notice on our Sites before the changes take effect, and we will post the revised version with an updated Effective Date. We encourage you to review this page regularly.

17. Contact Us

VITLrx, Inc.

Attn: Privacy Officer

305 Jefferson Street STE 125
Nashville, TN 37201

Email: support@vitlrx.com (for privacy matters, please include “Attn: Privacy Officer” in the subject line)

Telephone Number: 903-884-8579

Privacy questions, privacy rights requests, appeals, and consumer health data requests may all be submitted through these channels. Patients with questions about their PHI or HIPAA rights should also review their Provider’s Notice of Privacy Practices and contact their Provider. You may file a privacy complaint with us, with your Provider, or with the U.S. Department of Health and Human Services, Office for Civil Rights; we will not retaliate against you for exercising your privacy rights or filing a complaint.

VITL healthcare software dashboard displayed on laptop screen
Laptop displaying the VITL dashboard for e prescribing solutions

Ready to Transform Your Prescribing Process?

Join thousands of healthcare providers who’ve simplified their workflow with VITL’s e-prescribing platform.