PharmPro

Application Privacy Policy

Application Privacy Policy

This Application Privacy Policy describes how PharmPro collects, uses, discloses, safeguards, and retains information in connection with the Service at app.pharmpro.ai and related application workflows. It applies to the Application and does not apply to the public marketing website at pharmpro.ai.

Last updated April 9, 2026/Back to sign in

1. Scope and Applicability

This Privacy Policy ("Policy") applies to the PharmPro platform located at app.pharmpro.ai and related APIs, integrations, support, operational, and billing workflows that reference this Policy (collectively, the "Service"). In this Policy, "PharmPro," "we," "us," and "our" refer to Brechin Advisors LLC d/b/a PharmPro.ai, the operator of the Service.

This Policy does not apply to the public marketing website at pharmpro.ai, which is governed by separate website terms and privacy disclosures.

PharmPro is designed for healthcare organizations and their authorized workforce users. The customer organization ("Customer") controls the data it submits to the Service and remains responsible for its own notices, consents, authorizations, workforce training, and internal privacy obligations.

If your organization has executed a Business Associate Agreement ("BAA"), master services agreement, order form, or other written commercial agreement with PharmPro, that written agreement controls to the extent of any conflict with this Policy concerning protected health information or other regulated data.

2. Information We Collect

We collect the following categories of information in connection with the Service:

  • Account and profile data, including name, work email address, organization name, facility assignments, role designation, notification settings, and user preferences.
  • Authentication and session data, including authentication tokens, session identifiers, login timestamps, session duration, IP addresses, and the secure active-facility cookie used to scope the interface to the appropriate facility.
  • Customer-submitted content, including incident reports, narratives, statements of fact, witness information, investigation findings, corrective actions, root-cause analyses, approval records, comments, annotations, escalation records, and stakeholder communications.
  • Attachments and exports, including uploaded files, clinical documentation, photographs, witness statements, PDF incident reports, QAPI summaries, and analytics exports generated by authorized users.
  • Patient and resident information submitted through incident workflows, which may include names, chart or medical record numbers, dates of birth, room or unit numbers, diagnoses, comorbidities, medications, and narrative descriptions of incidents.
  • Billing and subscription data, including organization billing identifiers, subscription plan information, payment history, and payment-processor metadata. Payment instrument details are processed by Stripe and are not stored directly by PharmPro.
  • Technical, usage, and audit data, including browser and device information, operating system, user agent, user actions, affected records, field-level changes, timestamps, and other operational telemetry associated with use of the Service.
  • Monitoring and analytics data, including error and performance-monitoring data, masked session-replay data where enabled, and product-usage analytics captured through the application.
  • AI interaction data, including prompts, relevant incident context, facility context, AI-generated outputs, and audit metadata associated with use of the Lauren assistant and related AI-assisted workflows.
  • Voice-reporting data, if voice intake is enabled for a workspace, including caller identification, phone number, call duration, timestamps, transcripts, recording references, and structured fields extracted from voice submissions.

3. How We Collect Data

  • Directly from users and administrators who sign in, configure settings, create or edit incident records, approve reports, manage access, generate exports, make payments, or interact with Lauren.
  • From automated workflow activity, including form submissions, AI-assisted drafting, analytics queries, PDF generation, scheduled notifications, escalation rules, and billing events.
  • From inbound integrations, including designated email-ingestion workflows and any enabled voice-reporting workflow.
  • From cookies and similar technologies used to support authentication, session continuity, facility scoping, analytics, and application performance monitoring.
  • From audit, monitoring, and analytics systems that record user actions, product events, system events, errors, replay telemetry, and other security-relevant or operational activity.

4. How We Use Data

  • To provide, operate, secure, maintain, and support the Service and its core workflows, including incident creation, investigation, corrective action tracking, approval, export, analytics, and reporting.
  • To authenticate users, enforce organization and facility-level access controls, apply role-based permissions, manage sessions, and investigate potential misuse or security incidents.
  • To create, route, store, export, analyze, and report on healthcare incident records, corrective actions, root-cause analyses, and quality-improvement summaries.
  • To deliver operational notifications and secure links directing users to the authenticated portal.
  • To provide AI-assisted features through Lauren, including conversational incident reporting, form completion assistance, document extraction, narrative drafting, risk analysis, pattern recognition, and analytics support.
  • To monitor reliability, diagnose technical problems, improve workflows, understand product usage, and enhance the quality and efficiency of the Service.
  • To maintain audit trails of user actions, AI interactions, and system events for compliance, security monitoring, and investigation.
  • To process billing, manage subscriptions, and communicate with Customer administrators regarding account status, plan changes, renewals, and payment issues.
  • To comply with applicable law, contractual obligations, and valid legal process, including obligations arising under HIPAA, HITECH, state privacy or breach-notification laws, and our commercial agreements.

5. AI Data Processing

PharmPro includes an AI assistant called Lauren. Lauren uses Anthropic Claude models made available through Azure AI Foundry and related application workflows.

When an authorized user invokes an AI-assisted feature, the data sent for processing depends on the feature used and may include incident narratives, statements of fact, investigation findings, uploaded document content, structured incident fields, facility context, and user prompts. In some cases, this information may include protected health information.

AI features are designed to support drafting, summarization, extraction, analysis, and workflow efficiency. All AI-generated content is presented as draft output and must be reviewed, validated, and approved by qualified, authorized personnel before use, reliance, submission, or inclusion in official records.

  • AI interactions are logged with user identity, facility context, action type, and timestamp to preserve an audit trail.
  • AI-assisted workflows are subject to the same facility-scoped access controls and role-based permissions that govern the rest of the Service.
  • User-supplied input is sanitized before inclusion in prompts, and application controls are designed to reduce unnecessary exposure of sensitive content.
  • Customers with provider-specific data-processing, retention, or training questions should contact PharmPro before enabling or expanding AI-assisted workflows.

6. Service Providers and Subprocessors

We use service providers and subprocessors to host, operate, monitor, secure, analyze, and bill for the Service. These providers may process information on our behalf under applicable contractual and operational controls. Our current provider set includes:

  • Supabase, for database hosting, authentication, and encrypted file storage.
  • Vercel, for application hosting, server-side compute, and edge delivery.
  • Azure AI Foundry and Anthropic Claude model infrastructure, for Lauren and related AI-assisted features.
  • Resend, for transactional email delivery.
  • Stripe, for payment processing and subscription management.
  • Sentry, for error monitoring, performance telemetry, and masked replay capabilities.
  • PostHog, for product analytics and usage measurement.
  • Bland AI, for voice-reporting workflows if voice intake is enabled.

7. Cookies and Technical Storage

PharmPro uses cookies and similar technologies that are reasonably necessary to operate the Service and, where configured, to measure product usage and diagnose performance issues.

  • Authenticated session cookies managed through Supabase Auth to maintain the user's signed-in session.
  • A secure, httpOnly, sameSite=lax active-facility cookie used to preserve the user's facility context within the authenticated application.
  • Analytics and telemetry storage used by configured monitoring and product-analytics tools, which may rely on cookies or local storage to measure page activity, feature usage, and operational performance.
  • PharmPro does not use the Application for behavioral advertising, advertising-tech profiling, or cross-site advertising tracking.

8. Healthcare and Regulated Data

PharmPro is intended for use by healthcare organizations and may process electronic protected health information ("ePHI") and other regulated information as a Business Associate or service provider, depending on the applicable legal framework and contractual relationship.

Customers using PharmPro to process protected health information must execute an appropriate Business Associate Agreement or other required healthcare-data agreement with PharmPro before submitting regulated healthcare data to the Service.

Additional information about our healthcare data posture is available on our HIPAA Information page and Security Overview at app.pharmpro.ai.

9. Data Retention and Deletion

We retain data for as long as reasonably necessary to provide the Service, satisfy legal, regulatory, contractual, security, accounting, and operational obligations, resolve disputes, and enforce our agreements.

Where regulated healthcare records are involved, retention may be governed by HIPAA, applicable state law, the Customer's Commercial Agreement, and the BAA.

Upon termination of the Customer relationship, PharmPro will address return, export, retention, and deletion of Customer Data as provided in the applicable BAA, Commercial Agreement, and law. Certain records, including audit logs, backups, and records subject to legal or regulatory retention requirements, may be retained beyond account deactivation.

10. Security Measures

PharmPro maintains administrative, technical, and organizational measures designed to protect the confidentiality, integrity, and availability of information processed through the Service.

  • Role-based access controls and facility-level data isolation.
  • Encryption in transit and platform-level encryption for core storage systems.
  • Audit logging of material user and AI-assisted activity.
  • Private attachment storage, signed access URLs, upload validation, and quarantine-based review controls.
  • Secure-link email notifications that avoid including incident details in message bodies.
  • Monitoring, replay masking, and redaction controls designed to reduce unnecessary transmission of sensitive content in telemetry systems.
  • Security headers and other application-level controls designed to harden public and authenticated routes.

11. Privacy Requests and Individual Rights

Customers and authorized users may send privacy-related questions or requests to privacy@pharmpro.ai. We may need to verify identity, confirm workspace authorization, and assess whether a request is limited by applicable law, contract, security requirements, or regulated-record retention obligations.

  • Depending on applicable law, you may have rights of access, correction, deletion, portability, restriction, or objection with respect to personal data.
  • Requests concerning access to, amendment of, or an accounting relating to protected health information generally must be coordinated through the applicable Customer organization, which controls access and disclosure decisions for regulated healthcare data submitted to the Service.
  • PharmPro does not sell personal information within the meaning of the California Consumer Privacy Act.

12. Children

The Service is intended for authorized workforce use by adults and is not directed to children under 13. We do not knowingly collect personal information from children under 13 through the Application. If you believe that a child under 13 has provided information to us through the Service, please contact privacy@pharmpro.ai.

13. International Data Transfers

The Service is hosted and operated in the United States. If you access the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States.

If your organization requires additional data-transfer arrangements for cross-border use, please contact PharmPro to discuss available options.

14. Changes to This Policy

We may update this Policy from time to time to reflect changes in the Service, our practices, legal requirements, regulatory guidance, or business operations. When we make material changes, we will update the effective date at the top of this page and may provide additional notice to Customer administrators by email or in-application notice.

15. Contact Us

The Service is operated by Brechin Advisors LLC d/b/a PharmPro.ai.

  • Privacy inquiries: privacy@pharmpro.ai
  • General support: support@pharmpro.ai
  • Security reports: security@pharmpro.ai