Data Controller and Contact Information
MedRX-One Online Pharmacy (medrx-one.com) is the data controller for personal data processed in connection with this website and related services. Owner: Elara Hargrove, 250 Granite St, Braintree, MA 02184, United States. Email: [email protected].
Scope and Definitions
This notice explains how we collect, use, disclose, retain, and protect personal data under the European Union and United Kingdom General Data Protection Regulation (GDPR) and under applicable United States federal and state privacy laws, including but not limited to the California Consumer Privacy Act as amended by the CPRA (CCPA), and similar state privacy laws. For pharmacy-related services, we handle health information in accordance with applicable U.S. laws and regulations (including HIPAA where applicable) and professional standards.
Categories of Personal Data We Process
- Identifiers and contact details: name, postal address, email, phone number, and account identifiers.
- Account credentials and profile data: username, password, preferences, and communication settings.
- Order and transaction data: products selected, order history, delivery details, and support interactions.
- Payment information: payment method tokens and billing details processed via secure payment processors (we do not store full card numbers).
- Health and prescription-related data you provide: medication interests, conditions, allergies, prescription details, and other information necessary to provide pharmacy-related services.
- Device and usage data: IP address, browser and device characteristics, log files, diagnostic data, and approximate geolocation derived from IP.
- Cookies and similar technologies: identifiers used for essential site functionality, analytics, and, where permitted, advertising and personalization.
- Inferences drawn from the above to improve services and detect fraud.
Sources of Personal Data
- Directly from you when you browse, create an account, place an order, or contact support.
- Automatically from your device through cookies, pixels, and similar technologies.
- From service providers and partners such as payment processors, analytics providers, identity verification services, and shipping carriers.
- From publicly available sources where permitted by law.
Purposes and Legal Bases for Processing (GDPR)
We process personal data for the purposes below under the corresponding legal bases:
Contractual necessity
- To register and manage accounts, fulfill orders, provide customer support, and deliver requested services and communications.
Legal obligations
- To satisfy tax, accounting, pharmacovigilance, dispensing, recordkeeping, and other regulatory requirements.
Legitimate interests
- To secure our services, prevent fraud and misuse, improve site performance and content, and pursue business operations proportionately and with minimal privacy impact.
Consent
- To send marketing communications, place or read non-essential cookies, process certain health or sensitive data you choose to provide, and conduct targeted advertising where required by law.
Vital interests
- To protect the life or safety of an individual in emergencies, where applicable.
U.S. Privacy Disclosures
Residents of certain U.S. states (including California, Colorado, Connecticut, Utah, Virginia) have specific rights regarding personal information.
Your U.S. State Privacy Rights
- Right to know/access the categories and specific pieces of personal information we have collected.
- Right to deletion of personal information, subject to legal exceptions.
- Right to correct inaccurate personal information.
- Right to data portability.
- Right to opt out of the sale or sharing of personal information and of targeted advertising.
- Right to limit the use and disclosure of sensitive personal information where applicable.
- Right to non-discrimination for exercising your rights.
- Right to appeal a denial of a privacy request (for states that provide an appeal right).
How to Exercise Your Rights
Submit a request by emailing [email protected]. Please provide enough information to verify your identity and describe your request. You may designate an authorized agent as permitted by law. We will respond within the timeframes required by applicable law. To appeal a decision, reply to our response with Appeal in the subject line.
Sale/Sharing and Targeted Advertising
We do not sell personal information for money. We may share identifiers and internet or device activity with analytics or advertising partners for cross-context behavioral or targeted advertising as permitted by law. You can opt out by emailing [email protected] and by adjusting cookie preferences available on the site or your browser settings. Where technically feasible, we honor supported global opt-out signals.
Cookies and Tracking Technologies
We use cookies, pixels, and similar technologies to operate and secure the site, measure performance, and personalize content. You can manage cookies via your browser settings and, where offered, an on-site preference tool. Disabling certain cookies may reduce site functionality.
Cookie Categories
- Strictly necessary: essential for core functions such as security, network management, and accessibility.
- Performance and analytics: help us understand usage and improve services.
- Functional: remember choices and enhance features.
- Advertising and personalization: deliver and measure relevant content where permitted by law and with your consent where required.
Analytics and Advertising
We may use analytics providers to generate aggregated insights and, where permitted, advertising technology partners to provide interest-based ads. You may opt out as described above.
Sensitive and Health-Related Data
Health-related information and other sensitive personal data you provide are processed only as necessary to deliver services, comply with legal obligations, protect safety, or with your explicit consent. We do not use sensitive data for additional purposes, such as marketing, without your consent. California residents may request to limit use and disclosure of sensitive personal information.
Disclosures to Third Parties
- Service providers and processors: hosting, cloud infrastructure, IT support, payment processing, customer support, identity verification, pharmacy partners, and shipping carriers bound by contractual confidentiality and security obligations.
- Professional advisers: legal, compliance, and accounting advisers under confidentiality duties.
- Compliance and legal: law enforcement, regulators, courts, or as required to protect rights, safety, and property.
- Business transfers: in connection with mergers, acquisitions, financing, or sale of assets, subject to continued protections.
- Affiliates: entities under common ownership or control, consistent with this notice.
International Data Transfers
We principally process data in the United States. If you are located in the EEA, UK, or Switzerland, we rely on appropriate safeguards, such as the European Commission Standard Contractual Clauses or UK-approved equivalents, supplemented by risk assessments and additional measures as needed. You may contact us for information about these safeguards, subject to redactions for confidentiality.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes outlined in this notice, including providing services, meeting legal, regulatory, tax, and accounting requirements, resolving disputes, and enforcing agreements. Pharmacy and health-related records may be retained for the periods mandated by applicable law. When retention is no longer required, we securely delete or anonymize data.
Security
We implement technical, administrative, and physical safeguards designed to protect personal data, including encryption in transit, access controls, monitoring, and staff training. No method of transmission or storage is completely secure, and you are responsible for maintaining the confidentiality of account credentials.
Children's Privacy
Our services are not directed to children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided personal data, contact us to request deletion.
Automated Decision-Making
We do not engage in decision-making based solely on automated processing that produces legal or similarly significant effects. We may use limited profiling for service personalization and fraud prevention in a manner consistent with applicable law and your rights.
Your GDPR Rights
- Access: obtain confirmation and a copy of your personal data.
- Rectification: correct inaccurate or incomplete data.
- Erasure: request deletion where grounds apply.
- Restriction: limit processing in certain circumstances.
- Portability: receive data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Objection: object to processing based on legitimate interests or for direct marketing.
- Withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.
- Complaint: lodge a complaint with an EU, UK, or Swiss supervisory authority. We encourage you to contact us first so we can address your concerns.
Exercising Rights and Contact
To exercise your rights or ask questions, contact: [email protected] or write to: MedRX-One Online Pharmacy, Attn: Data Protection, 250 Granite St, Braintree, MA 02184, United States. We may request information to verify your identity and will respond within timelines required by applicable law.
Data Breach Notification
In the event of a data breach affecting your personal data, we will notify you and relevant authorities as required by applicable law, including U.S. state breach notification laws and GDPR where applicable.
Changes to This Notice
We may update this notice from time to time to reflect changes in our practices or legal requirements. Material changes will be indicated by updating the Last updated date below.
Last updated: 21 August 2025
