PRIVACY POLICY

RxMed (“we,” “us,” or “our”) is committed to protecting the privacy and personal data of our Tenants, their users, customers, and suppliers in accordance with the Data Privacy Act of 2012 (Republic Act No. 10173), its Implementing Rules and Regulations, and relevant issuances of the National Privacy Commission (“NPC”).

1. Scope and Role

This Privacy Policy applies to all personal data we collect, process, and store through the RxMed multi-tenant online pharmacy management system, including web and related services.

For purposes of the Data Privacy Act:

• RxMed generally acts as a Personal Information Processor (PIP) on behalf of Tenant pharmacies, which are the Personal Information Controllers (PICs) regarding their own customers, suppliers, and staff data.
• RxMed may act as a PIC for personal data collected directly from Tenant Administrators, users, and prospects for account, billing, and support purposes.

Tenants remain responsible for ensuring that their own collection and use of personal data in the system complies with the Data Privacy Act and other applicable regulations (e.g., pharmacy, health, and commercial laws).

2. Personal Data We Collect

Depending on how you use RxMed, we may process the following categories of personal data:

Tenant and User Account Data

• Name, position/role, business name, license or registration information
• Business address, email address, phone number
• Login identifiers, activity logs, and preferences

Customer (Patient) Data entered by Tenants

• Name, contact information, address
• Transaction history (e.g., items purchased, dates, amounts)
• Other data that Tenants choose to store in customer records, which may indirectly relate to health or medication purchases as part of pharmacy operations

Supplier and Partner Data

• Contact person name and business contact details
• Corporate identifiers, business addresses, and related records

Transactional and Accounting Data

• Sales and purchase information, invoices, receipt details
• Inventory and medicine-related records linked to identifiable customers or suppliers

Technical and Usage Data

• IP address, browser type, device information
• Log data such as access times, pages viewed, and feature usage patterns

We do not intentionally collect more data than is necessary for the declared, specified, and legitimate purposes described below, in line with the principles of transparency, legitimate purpose, and proportionality.

3. Legal Bases and Purposes of Processing

We process personal data only when there is a lawful basis under the Data Privacy Act, including:

• Performance of a contract: To provide the RxMed service to Tenants and their authorized users.
• Compliance with a legal obligation: To comply with accounting, tax, audit, or regulatory requirements.
• Legitimate interests: To secure our systems, prevent fraud, improve our services, and support business operations, provided these interests do not override data subject rights.
• Consent: When required by law (e.g., certain marketing communications or specific processing initiated by Tenants), and where such consent is obtained by the relevant PIC.

We use personal data for the following purposes:

• To create and manage Tenant and user accounts, authenticate users, and operate the multi-tenant pharmacy management platform.
• To record and manage customer and supplier information, sales and purchases, inventory, medicine listings, accounting, and reports as part of pharmacy operations.
• To provide customer support, respond to requests, and communicate important notices (e.g., security alerts, service updates).
• To maintain the security, availability, and integrity of the Service, including monitoring, backup, and recovery.
• To analyze usage for service improvement, troubleshooting, and feature development, using aggregated or anonymized data where possible.
• To comply with applicable laws, respond to lawful requests, and enforce our Terms of Service and policies.

4. Data Retention and Deletion

We retain personal data only for as long as necessary to fulfill the purposes outlined in this Policy, to comply with legal and regulatory obligations, or to establish, exercise, or defend legal claims.

For Tenant data within RxMed:

• When a Tenant cancels its subscription, the Tenant account is placed in inactive status for a grace period of fourteen (14) days. During this period, data remains stored in a non-operational state solely to enable immediate reactivation if the Tenant resubscribes.
• If the Tenant resubscribes within the 14-day period, the Tenant account and associated data are reinstated.
• If the 14-day period lapses without resubscription, the Tenant account and associated personal data are permanently deleted or irreversibly anonymized using secure disposal methods designed to prevent further processing, unauthorized access, or reconstruction, consistent with the Data Privacy Act’s requirements on storage limitation, retention, and secure destruction.

We may retain certain data for a longer period when required by applicable law (e.g., tax and accounting rules) or for the establishment, exercise, or defense of legal claims, after which such data will likewise be securely disposed of.

5. Data Sharing and Transfers

We do not sell personal data. We may share personal data only under the circumstances described below and subject to appropriate safeguards:

With Tenant’s Authorization

• Within a Tenant’s organization, with their authorized users and branches.
• With third parties that the Tenant designates (e.g., accountants, integrators, or other systems to which the Tenant connects RxMed), where the Tenant acts as PIC.

With Service Providers (Personal Information Processors)

• We may engage third-party providers for hosting, backups, email delivery, payment processing, security, and analytics.
• These providers are bound by contracts requiring them to process personal data only on our documented instructions, implement appropriate safeguards, and maintain confidentiality.

For Legal and Safety Reasons

• To comply with legal obligations, court orders, or lawful requests by government or regulatory authorities.
• To protect the rights, property, or safety of RxMed, our Tenants, data subjects, or the public, consistent with applicable law.

Where data is transferred or accessed from outside the Philippines, we will take reasonable steps to ensure that such transfers comply with applicable data privacy regulations and provide an adequate level of protection.

6. Data Subject Rights

Under the Data Privacy Act, data subjects have the following rights, subject to certain limitations and conditions:

• Right to be informed – To be notified whether personal data is being processed, and to receive information about such processing.
• Right to access – To obtain reasonable access to personal data that has been processed, including the sources, recipients, and manner of processing.
• Right to rectification – To have inaccurate or incomplete personal data corrected.
• Right to object – To object to the processing of personal data on legitimate grounds, including processing for direct marketing or profiling.
• Right to erasure or blocking – To request the suspension, withdrawal, blocking, removal, or destruction of personal data that is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes, or no longer necessary for the purposes for which it was collected.
• Right to data portability (where applicable) – To obtain a copy of personal data in an electronic or structured format, when technically feasible and legally allowed.
• Right to damages and to file a complaint – To claim compensation for damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data, and to lodge a complaint with the National Privacy Commission.

For data that RxMed processes on behalf of Tenants (e.g., customer/patient data), requests to exercise rights should generally be directed to the relevant Tenant as the PIC.

For data where RxMed is the PIC (e.g., Tenant admin account data, billing, or platform usage logs), requests may be sent directly to us using the contact details below.

We may need to verify your identity and clarify your request before acting on it. Certain requests may be subject to legal and contractual restrictions.

7. Security Measures

We implement reasonable and appropriate organizational, physical, and technical measures to protect personal data against accidental or unlawful destruction, alteration, disclosure, and other unlawful processing, as required under the Data Privacy Act and NPC Circulars (e.g., NPC Circular No. 2023-06 on minimum security requirements).

These measures may include, among others:

• Access controls, user authentication, and role-based permissions.
• Encryption in transit and at rest where appropriate.
• Regular backups and disaster recovery mechanisms.
• Logging and monitoring of system access and activities.
• Internal policies, confidentiality obligations, and training for personnel handling personal data.

While we strive to protect personal data, no system can be completely secure and we cannot guarantee absolute security.

8. Cookies and Similar Technologies

RxMed may use cookies and similar technologies to:

• Maintain session state and authenticate users.
• Remember user preferences and improve usability.
• Collect anonymized usage analytics for service improvement.

You may adjust your browser settings to refuse cookies or to alert you when cookies are being sent. However, some parts of the Service may not function properly without certain essential cookies.

9. Children’s Data

RxMed is designed for use by licensed businesses and professionals, not directly by children. Personal data of minors may appear in the system only insofar as Tenants record legitimate pharmacy transactions or records as PICs. Tenants are responsible for processing such data in compliance with sector-specific regulations and the Data Privacy Act.

10. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features.

• Material changes will be communicated through the Service or via email to Tenant Administrators, where appropriate.
• Continued use of the Service after the effective date of the updated Policy constitutes acceptance of the changes.

11. Contact and Data Protection Concerns

If you have questions, requests, or concerns regarding this Privacy Policy or our data protection practices, or if you wish to exercise your data subject rights (for data where RxMed acts as PIC), you may contact:

RxMed Support Team
Email: rxmed@filzofinnovations.com
Address: Velasco St. Dona Maria Subd. Brgy. Tagas, Daraga, Albay 4501

You also have the right to file a complaint with the National Privacy Commission if you believe your data privacy rights have been violated:

Website: https://privacy.gov.ph