1. Who We Are
Information Pharm Corporation ("Company," "we," "us," or "our") operates the website formcheckrx.com and the FormCheckRx formulary intelligence platform (collectively, the "Service"). FormCheckRx is a Medicaid drug formulary reference instrument that enables healthcare professionals to look up drug coverage information across Medicaid managed care plans in all 50 states and the District of Columbia.
Information Pharm Corporation is incorporated in the State of Michigan. Our principal contact for privacy matters is [email protected].
2. HIPAA and Protected Health Information
Information Pharm Corporation is not a covered entity or business associate under the Health Insurance Portability and Accountability Act ("HIPAA") as defined by 45 CFR §160.103. FormCheckRx provides reference information only and does not process, store, or transmit Protected Health Information ("PHI") of any kind.
The platform accepts two inputs: a drug name and a state. No patient name, date of birth, member identification number, diagnosis code, medical record number, insurance information, or any other patient-identifying data should be entered into the Service.
Because FormCheckRx is architecturally incapable of processing PHI — no PHI input fields exist in the platform — no Business Associate Agreement ("BAA") is required or appropriate for institutional procurement or use of this Service.
3. Information We Collect
3.1 Information You Provide Directly
- Account credentials: When you create an account, we collect your email address for identity verification and authentication. We do not require your name, phone number, employer, or physical address to create an account.
- Password: Your password is stored as a cryptographic hash. We never store or have access to your plaintext password.
- State preference: You select a default state for formulary searches. This preference is stored in your profile.
- Contact form submissions: If you contact us through the website or via email, we collect the information you provide in your message (name, email, organization, role, message content).
- Payment information: If you subscribe to a paid plan, payment is processed exclusively by Stripe, Inc. under PCI DSS Level 1 standards. Information Pharm Corporation never receives, stores, or has access to your full payment card number. We receive only a tokenized payment reference, billing status, and plan tier from Stripe.
3.2 Information Collected Automatically
- Search queries: When you search a drug, we record the drug name searched and the state selected. We do not record any patient context or clinical indication associated with the search. Search queries are used to improve data accuracy, measure platform usage, and enforce query limits.
- Usage data: We record the number of queries used, plan tier, session timestamps, and feature interactions for the purpose of enforcing subscription limits, improving the Service, and generating aggregate analytics.
- Device information: We collect device identifiers, browser type, and operating system for security purposes (device verification, fraud detection, session management). This data is not used for advertising or tracking.
- IP address: Your IP address is logged for rate limiting, security, and abuse prevention. IP addresses are not used for advertising or profiling and are not sold to third parties.
3.3 Information We Never Collect
Information Pharm Corporation does not collect, and the FormCheckRx platform has no mechanism to accept, any of the following:
- Patient names, dates of birth, or demographic information
- Medicaid member identification numbers or insurance IDs
- Diagnosis codes (ICD-10), procedure codes (CPT/HCPCS), or clinical notes
- Prescription records or medication histories
- Medical record numbers (MRN)
- Social Security numbers or government identifiers (other than drug names)
- Protected Health Information (PHI) as defined under 45 CFR §160.103
- Biometric data
- Location data (GPS or precise geolocation)
4. How We Use Your Information
We use the information we collect for the following purposes and no others:
- Service operation: To provide, maintain, and improve the FormCheckRx platform and its formulary reference functions
- Authentication: To verify your identity via email confirmation, device verification, and session management
- Billing: To process subscription payments and manage billing through Stripe
- Transactional communications: To send account verification emails, payment receipts, subscription status notifications, and service announcements
- Security: To detect, investigate, and prevent fraudulent access, abuse, automated querying, and unauthorized account activity
- Support: To respond to support requests submitted directly to us
- Data accuracy: To improve the accuracy of formulary data by analyzing aggregate search patterns and error reports
- Legal compliance: To comply with applicable legal obligations, respond to valid legal process, and enforce our Terms of Service
5. Third-Party Service Providers
FormCheckRx is built on a technology infrastructure that includes the following third-party service providers. Each provider processes only the minimum data necessary for its function. In all cases, drug search queries consist of drug names and state selections only — no patient or user identity information is included in query transmissions.
| Provider | Function | Data Processed | Compliance |
|---|---|---|---|
| Supabase | Database and authentication | Email, hashed password, usage data, formulary data | SOC 2 Type II, HIPAA eligible |
| Vercel | Application hosting and serverless compute | Request metadata, IP addresses (operational logs) | SOC 2 Type II, ISO 27001 |
| Stripe | Payment processing | Payment card data, billing address | PCI DSS Level 1 |
| Cloudflare | DNS, DDoS protection, web application firewall | Request metadata, IP addresses | SOC 2 Type II, ISO 27001 |
| Resend | Transactional email delivery | Email address, email content | SOC 2 Type II |
| AI Inference Providers | Proprietary multi-agent formulary framework | Drug names and state selections only — no user identity, no patient data | Enterprise-grade API agreements with data processing terms |
Queries submitted to the proprietary multi-agent framework are processed through one or more AI inference providers. These queries contain drug names and state selections only. No user identity information, account credentials, IP addresses, or patient data is transmitted to AI inference providers. The specific providers used may change; this policy will be updated to reflect material changes.
As our infrastructure evolves, this list will be updated. Material additions of third-party processors with access to user personal data will be communicated to subscribers in advance.
6. Cookies and Tracking
FormCheckRx uses only essential cookies required for platform operation:
- Session cookie: Maintains your authenticated session while you are logged in. Expires when you log out or after the session timeout period.
- State preference: Stores your selected default state for formulary searches.
We do not use advertising cookies, third-party tracking pixels, social media tracking scripts, or analytics cookies that track user behavior across websites. We do not participate in cross-site tracking or retargeting networks. We do not use Google Analytics, Facebook Pixel, or similar advertising-oriented tracking tools.
7. Data Retention
- Account data: Retained while your account is active and for 90 days following account deletion or subscription cancellation, after which it is permanently deleted from our systems.
- Search query records: Drug name and state searches are retained for data accuracy improvement and aggregate analytics. Query records are not associated with user identity after 90 days and are anonymized for long-term analysis.
- Payment records: Retained for 7 years as required by applicable federal and state financial record-keeping regulations.
- Security audit logs: Retained for 90 days. Security logs contain session identifiers, IP address prefixes, endpoint accessed, and response status codes. Logs do not contain drug names, search results, or user content.
- Contact form submissions: Retained for 2 years or until the inquiry is resolved, whichever is later.
8. Data Security
Information Pharm Corporation implements commercially reasonable security measures to protect your information, including:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for data at rest (via Supabase)
- Cryptographic password hashing (passwords are never stored in plaintext)
- Row-level database security (RLS) ensuring users can only access their own data
- Per-endpoint rate limiting to prevent brute force and denial-of-service attacks
- Device verification for new login locations
- Single-device session enforcement
- API credentials stored as encrypted environment variables, never exposed to client browsers
- Each query executes in an isolated serverless function context with no persistent server state
- Payment card data handled exclusively by Stripe under PCI DSS Level 1 — never reaches our servers
For complete security documentation, see our Security page.
9. Your Rights
9.1 All Users
Regardless of your location, you have the right to:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate personal information
- Deletion: Request deletion of your personal information and account
- Data portability: Request your data in a structured, machine-readable format
- Opt-out of communications: Unsubscribe from non-essential communications using the link in each email
To exercise any of these rights, contact [email protected]. We will respond within 30 days. We may verify your identity before processing rights requests.
9.2 California Residents — CCPA Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you in the preceding 12 months.
- Right to Delete: You may request deletion of your personal information, subject to certain legal exceptions.
- Right to Opt-Out of Sale: Information Pharm Corporation does not sell personal information. We have not sold personal information in the preceding 12 months. No opt-out mechanism is necessary because no sale occurs.
- Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA rights.
California residents may submit CCPA requests to [email protected] or by mail to the address listed in Section 14. We will respond within 45 days as required by law.
9.3 Categories of Personal Information Collected (CCPA Disclosure)
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:
- Identifiers: Email address, IP address, device identifiers
- Commercial information: Subscription plan, payment history (via Stripe)
- Internet activity: Search queries (drug names and states), feature usage, session timestamps
We have not collected: real name (unless provided in contact form), physical address, Social Security number, driver's license number, biometric data, geolocation data, sensory data, professional or employment information, education information, or protected classification characteristics.
10. Children
FormCheckRx is a professional clinical reference tool intended exclusively for healthcare professionals and adults. We do not knowingly collect information from individuals under 18 years of age. If you have reason to believe a minor has created an account or provided personal information, contact [email protected] immediately. We will promptly delete the account and associated data.
11. International Users
FormCheckRx is operated from the United States and is designed for use by healthcare professionals working within the United States Medicaid system. If you access the Service from outside the United States, you understand that your information will be transferred to and processed in the United States, which may have different data protection standards than your jurisdiction.
12. Data Breach Notification
In the event of a data breach that affects your personal information, Information Pharm Corporation will notify affected users by email within 72 hours of confirming the breach, or as otherwise required by applicable law. Breach notification will include: the nature of the breach, the types of information involved, steps we have taken to address the breach, and recommendations for affected users.
Because FormCheckRx does not process or store patient data, a breach of our systems would not constitute a breach of Protected Health Information under HIPAA.
13. Changes to This Policy
Information Pharm Corporation may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or business operations. We will notify subscribers by email at least 14 days before material changes take effect. The effective date at the top of this document reflects the most recent revision.
Continued use of the Service following notification of changes constitutes acceptance of the updated policy. If you do not agree with the updated policy, you should discontinue use of the Service before the effective date.
14. Contact
- Privacy inquiries: [email protected]
- General support: [email protected]
- Security concerns: