eRxClinic – PRIVACY POLICY
Last Updated: December 25, 2025
IMPORTANT LEGAL NOTICE: This Privacy Policy is incorporated by reference into the eRxClinic Terms of Service. By using the Service, you acknowledge you are a licensed medical professional and accept the severe data protection responsibilities outlined herein.
1. Fundamental Architecture & Legal Implications
Core Technical Reality:
eRxClinic operates on a ZERO-RETENTION CLINICAL DATA ARCHITECTURE. This is not a policy choice—it is the fundamental technical design of our platform:
[DOCTOR'S INPUT] → [REAL-TIME PROCESSING ENGINE] → [DOCTOR'S STORAGE]
Doctor's input: patient data (your control)
Real-time processing engine: NO PERSISTENCE (volatile memory only)
Doctor's storage: your responsibility (your Google Drive)
Critical Legal Consequences:
We are NOT a "medical records system" under any jurisdiction's healthcare regulations
We are NOT a "data repository" requiring complex compliance certifications
We function as a REAL-TIME PROCESSING CONDUIT only—analogous to a secure fax machine that doesn't keep copies
2. Explicit Data Categories & Jurisdictional Classifications
CATEGORY A: Platform Operational Data (We Store)
• Account authentication details
• Subscription status and payment records
• Anonymous usage analytics (no patient linkage)
• System performance metrics
Legal Status: We are Data Controller for this category only.
CATEGORY B: Clinical Processing Data (We NEVER Store)
• Patient demographics, conditions, medications
• Prescription details and clinical notes
• Any health information entered by you
• Contact information for delivery purposes
Legal Status: EPHEMERAL PROCESSING ONLY—data exists in volatile memory during active session, then is irrevocably destroyed.
3. The Unbreakable "Three-Never" Guarantee
By architectural design, we NEVER:
1. NEVER PERSIST
Patient data is never written to any persistent storage medium under our control—no databases, no files, no backups, no logs containing patient information.
2. NEVER ACCESS
We have no administrative interfaces, no analytics pipelines, and no human review processes that access patient data. The data flows through encrypted channels without interception.
3. NEVER REPOSIT
We maintain zero patient data repositories. Your data goes from your input → to your storage with processing in between, like a secure pipe that doesn't retain what passes through.
4. Your Non-Delegable Professional Obligations
BY USING eRxClinic, YOU SOLEMNLY DECLARE, WARRANT, AND COVENANT THAT:
A. Storage Compliance (100% Your Responsibility)
You have independently verified that YOUR Google Drive (or alternative storage) configuration:
Complies with all applicable healthcare data regulations (HIPAA, GDPR, PIPEDA, local laws)
Has appropriate access controls, encryption, and audit trails
Meets professional college standards for medical record keeping
B. Patient Consent & Transparency
You have obtained and documented informed consent from patients regarding:
Use of digital prescription tools
Storage of their data in YOUR systems
Email transmission risks if you select that option
All required disclosures under your jurisdiction's laws
C. Security Implementation
You maintain enterprise-grade security for:
Your Google Workspace account (hardware 2FA, regular audits)
Your devices accessing the platform
Your network connections and email systems
D. Breach Response Readiness
You have established procedures for:
Detecting and reporting data breaches as required by law
Notifying patients and regulators when YOUR systems are compromised
Remediating security incidents in YOUR infrastructure
5. Our Limited Technical Role (Processor Only)
We act as a NARROW-SCOPE DATA PROCESSOR providing:
Service:
Real-time prescription document generation
Secure data routing to your designated storage
Optional email delivery infrastructure
Explicitly NOT Provided:
Data storage, archiving, or backup services
Compliance management for your clinical data
Patient consent management or documentation
Breach monitoring of your systems
Legal or regulatory advice
6. Technical Safeguards & Transparency
Our Infrastructure:
Google Workspace Enterprise with data region locking (US/EU)
TLS 1.3 encryption for all data in transit, both between your browser and our processing engine and between the engine and your designated storage; if you select email delivery, transport security beyond our outbound mail server depends on the receiving mail provider (see the email transmission risks in Section 4.B)
Clinical data is held only in volatile memory for the duration of processing and is never written to persistent storage (see Section 3)
Regular third-party security assessments
Verification Mechanism:
Upon written request (with appropriate NDAs), we can provide:
Architecture diagrams showing data flow
System logs demonstrating no patient data persistence
Third-party audit reports of our infrastructure
7. Data Subject Rights Allocation
Patient Requests (Your Exclusive Responsibility):
Access requests: Patients contact YOU; you retrieve from YOUR storage
Correction requests: You modify in YOUR systems
Deletion requests: You delete from YOUR storage
Portability requests: You export from YOUR systems
Our Support Obligation:
We will provide technical assistance to help you:
Extract data from our processing logs (which contain no patient data)
Verify system integrity during investigations
Migrate to alternative platforms if needed
8. Breach Liability Waterfall
Scenario 1: Our Platform Compromised
We notify you of any Platform Data exposure
No stored patient data is at risk (we retain none); only clinical data in sessions actively being processed at the time of compromise could be affected, since it exists solely in volatile memory during processing (Section 2)
We cover investigation and remediation costs
Scenario 2: Your Systems Compromised
You bear 100% responsibility for:
Patient notifications
Regulatory reporting
Legal liabilities
Remediation costs
We provide technical evidence of our secure data handling
Scenario 3: Google Infrastructure Compromised
Google's responsibility under their terms
Your responsibility for patient notifications regarding YOUR data
Our role: Facilitate communication with Google
9. International Operations Framework
Our Operations:
Canadian corporation (Ontario Technologies Co.)
Infrastructure in Google's US/EU data centers
Payment processing via Canadian-registered Coinpayments.net
Your Compliance Burden:
You must ensure:
Your use complies with YOUR jurisdiction's cross-border data rules
Your storage (Google Drive) meets local data residency requirements
You have lawful bases for any international data transfers YOU initiate
10. Indemnification & Hold Harmless
YOU AGREE TO DEFEND, INDEMNIFY, AND HOLD HARMLESS Ontario Technologies Co. from ANY and ALL claims arising from:
Your failure to secure YOUR storage systems
Your inadequate patient consents or disclosures
Your non-compliance with healthcare data regulations
Any breach or incident involving YOUR patient data
Your misuse or misconfiguration of the platform
This indemnification survives termination of your account and use of the Service.
11. Survival of Critical Terms
The following provisions survive indefinitely:
Your professional responsibility acknowledgments
Indemnification obligations
Liability limitations
Data protection warranties
12. No Regulatory Advice Disclaimer
WE PROVIDE NO LEGAL, REGULATORY, OR COMPLIANCE ADVICE. You are solely responsible for engaging appropriate counsel to ensure your use complies with all applicable laws.
13. Contact & Dispute Resolution
For Privacy Matters:
Data Protection Contact
Ontario Technologies Co.
erxclinic@ontariotechnologiesco.com
Legal Disputes: Shall be resolved per Terms of Service, with venue in Ontario, Canada.
FINAL ACKNOWLEDGMENT
BY USING eRxClinic, YOU IRREVOCABLY CONFIRM:
You understand this ZERO-RETENTION architecture
You accept 100% responsibility for patient data in YOUR systems
You have verified YOUR storage compliance independently
You will indemnify us for ANY patient data-related claims
This is not clickwrap—this is professional accountability.