Notice of Privacy Practices
This notice describes how your health information may be used and shared, and how you can access it. Please read it carefully.
Effective Date: April 2026 | Version 1.0
Quick Summary (Plain Language)
When you use Script Unlock to find better prices on your prescriptions, we handle some of your health information. Here's what you need to know:
- We protect your data with bank-level encryption and strict access controls.
- Pharmacies only see what they need — they see your medication category to make a bid, but not your name or personal details until you choose them.
- We never sell your health information. Ever.
- You have rights — you can see your data, get a copy, ask for corrections, and request restrictions.
- This notice is required by law (HIPAA) and explains everything in detail below.
1. Who We Are
Script Unlock is a prescription marketplace that helps you compare prices from licensed pharmacies. Under federal health privacy law (HIPAA), we act as a Business Associate — meaning we handle health information on behalf of the pharmacies that serve you, and we're legally required to protect it.
This Notice of Privacy Practices ("Notice") applies to all health information we create, receive, maintain, or transmit through our platform, including our website, mobile app, and any communications with our support team.
2. Your Health Information — What We Collect
When you use Script Unlock, we may collect and handle the following types of health information (called "Protected Health Information" or "PHI"):
- Prescription details: Medication name, dosage, quantity, and prescribing doctor
- Prescription images: Photos you upload of your prescriptions
- Contact information: Name, email, phone number, and delivery address
- Payment information: Billing details (card numbers are never stored — processed securely by Stripe)
- Order history: Which medications you ordered, from which pharmacy, and delivery status
- Health-related identifiers: Information that links you to your health data, such as your account ID
3. How We Use and Share Your Health Information
HIPAA allows us to use and share your health information in the following ways without your written permission:
For Treatment
We share your prescription information with the pharmacy you select so they can fill and deliver your medication. Before you choose a pharmacy, we share only the medication category — not your name, doctor, or prescription image — so pharmacies can offer prices.
For Payment
We use your information to process payments between you and the pharmacy. This includes sharing order details with our payment processor (Stripe) and the fulfilling pharmacy. Your credit card number is never stored on our servers.
For Healthcare Operations
We use health information to operate our platform, including quality assurance, customer support, verifying pharmacy licenses, investigating complaints, and improving our services. When possible, we use de-identified or aggregated data.
As Required by Law
We may disclose your information when required by federal, state, or local law, including responses to court orders, subpoenas, or government investigations. We will notify you when legally permitted to do so.
To Prevent Serious Harm
We may share information to prevent or lessen a serious and imminent threat to your health or safety, or the health or safety of others.
Public Health & Safety
We may share information for public health activities, such as preventing disease, reporting adverse reactions to medications, or notifying someone exposed to a communicable disease — as permitted or required by law.
Health Oversight
We may share information with government agencies for activities authorized by law, such as audits, investigations, inspections, and licensure actions.
4. Uses That Require Your Written Permission
We will never use or share your health information for the following purposes without your explicit, written authorization:
- Marketing or advertising (we will never sell your information to marketers)
- Selling your health information to anyone, for any reason
- Sharing psychotherapy notes (we do not collect these)
- Using your information for purposes not described in this Notice
- Sharing with your employer for employment decisions
- Research purposes, unless the data is fully de-identified
If you give us written authorization, you may revoke it at any time by submitting a request through your account settings or contacting our Privacy Officer. Revoking authorization won't affect information we already shared based on your earlier permission.
5. Your Rights
Federal law gives you important rights over your health information. You can exercise these rights at any time:
Right to See and Get a Copy
You can ask to see or get a copy of your health information. We will provide it within 30 days, in the electronic format you request (if we can reasonably produce it). We may charge a reasonable fee for copies.
Log into your account and visit Settings → My Data, or submit a request at /data-rights.
Right to Request Corrections
If you believe your health information is incorrect or incomplete, you can ask us to correct it. We will respond within 60 days. If we deny your request, we will explain why in writing and you may file a statement of disagreement.
Contact our Privacy Officer with the specific information you want corrected.
Right to Request Restrictions
You can ask us to limit how we use or share your health information for treatment, payment, or operations. We are not required to agree to your request, but if we do, we will honor it — except in emergencies.
Submit a restriction request through /data-rights or contact our Privacy Officer.
Right to Request Confidential Communications
You can ask us to contact you in a specific way or at a specific location. For example, you can ask us to send information only to your email and not by text message. We will accommodate reasonable requests.
Update your communication preferences in Account Settings.
Right to an Accounting of Disclosures
You can request a list of times we shared your health information outside of treatment, payment, and operations for the past six years. We will provide one free accounting per year.
Submit a request at /data-rights or contact our Privacy Officer.
Right to a Paper Copy of This Notice
You can ask for a paper copy of this Notice at any time, even if you agreed to receive it electronically.
Contact our Privacy Officer and we will mail a copy to your address on file.
Right to Be Notified of a Breach
If a breach of your unsecured health information occurs, we will notify you without unreasonable delay and no later than 60 days after discovery, as required by HIPAA.
Notifications are sent automatically via the contact method on your account.
6. How We Protect Your Information
We take the security of your health information seriously. Here's how we keep it safe:
Encryption
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Your information is unreadable even if intercepted.
Access Controls
Staff and pharmacies can only see the minimum information needed for their specific role. We enforce this at the database level.
Audit Logging
Every access to your health information is recorded — who viewed it, when, and why. These logs are tamper-proof.
Automatic Session Timeout
Your session locks automatically after a period of inactivity to prevent unauthorized access on shared devices.
Anomaly Detection
Our systems monitor for unusual access patterns and automatically flag or block suspicious activity.
Regular Security Testing
We conduct regular penetration testing and security audits to identify and fix vulnerabilities before they can be exploited.
7. Our Duties
We are required by law to:
- Maintain the privacy and security of your protected health information.
- Provide you with this Notice of our legal duties and privacy practices.
- Follow the terms of the Notice currently in effect.
- Notify you if a breach of your unsecured health information occurs.
- Not use or share your information other than as described in this Notice without your written authorization.
8. Changes to This Notice
We may change this Notice at any time. Changes will apply to all information we already have about you, as well as any information we receive in the future. The updated Notice will be:
- Posted on our website with a new effective date
- Available in your account dashboard
- Sent to you by email if the changes are material
9. Complaints
If you believe your privacy rights have been violated, you have the right to file a complaint. You will not be penalized or retaliated against for filing a complaint.
Complain to Us
Contact our Privacy Officer using the information below. We will investigate and respond within 30 days.
Complain to the U.S. Department of Health & Human Services
You can also file a complaint with the Secretary of HHS if you believe we have violated your rights.
Office for Civil Rights, U.S. Department of Health and Human Services
200 Independence Avenue, S.W., Washington, D.C. 20201
Toll-free: 1-877-696-6775
Website: www.hhs.gov/ocr/privacy/hipaa/complaints/
10. Contact Our Privacy Officer
If you have questions about this Notice, want to exercise any of your rights, or need to file a complaint, please contact:
Script Unlock Privacy Officer
11. Special Situations
Minors
If you are under 18 and use our platform with parental consent, your parent or guardian may exercise privacy rights on your behalf. State laws may provide additional protections for minor health records, and we comply with all applicable state requirements.
Deceased Individuals
We will protect the health information of deceased individuals for 50 years following death, as required by HIPAA. Personal representatives of the deceased may exercise privacy rights on behalf of the estate.
Personal Representatives
If someone has legal authority to make healthcare decisions for you (such as a power of attorney for healthcare), we will treat that person as if they were you for purposes of this Notice — unless we reasonably believe doing so would endanger you.
Pet Prescriptions
Veterinary prescriptions are not subject to HIPAA. However, we apply the same strong security and privacy protections to all information on our platform, including pet medication data, as a matter of best practice.
12. Additional State & International Rights
Depending on where you live, you may have additional privacy rights beyond HIPAA:
Right to know, delete, and opt-out of sale. We never sell health data. Additional protections under CMIA for medical information.
Extended record retention. Additional protections for HIV-related information and mental health records.
Stricter consent requirements. Electronic health records covered by additional Texas state rules.
Biometric Information Privacy Act (BIPA) protections. Extended retention periods for health records.
Right to data portability, right to erasure, data protection officer access. See our EU Compliance page.
We comply with the most protective standard. If your state law provides greater protection than HIPAA, we follow your state law.
Acknowledgment of Receipt
By creating an account on Script Unlock, you acknowledge that you have been provided with this Notice of Privacy Practices and had the opportunity to review it. A copy is always available at this page and in your account settings.