Privacy Policy

1. Introduction

C2 Track, LLC ("we," "our," or "us") respects your privacy and is committed to protecting your personal and business information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our C2 Track service ("Service").

Please read this Privacy Policy carefully. By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

We collect information that you provide directly to us when you register for and use the Service:

• Account Information: Pharmacy name, email address, password, physical address, city, state, ZIP code, phone number, and pharmacy license number
• User Information: Names and role assignments for pharmacy staff (e.g., pharmacists, technicians), along with 4-digit PINs for system access
• Medication Data: Controlled substance medication information including drug names, NDC numbers, DEA schedules, manufacturers, dosage forms, quantities, lot numbers, and expiration dates
• Transaction Data: Records of receiving, dispensing, and adjusting controlled substances, including prescription numbers, wholesaler information, invoice numbers, and quantity changes
• Payment Information: Billing details processed through our payment processor (Stripe), including payment method information

2.2 Automatically Collected Information

When you access or use the Service, we automatically collect:

• Usage Data: Information about your interactions with the Service, including pages visited, features used, actions taken, and timestamps
• Device Information: IP address, browser type, operating system, device type, and unique device identifiers
• Log Data: Server logs that include IP address, browser type, referring/exit pages, timestamps, and error logs
• Cookies and Similar Technologies: We use cookies, session tokens, and similar tracking technologies to maintain your session and improve your experience

2.3 Information from Third Parties

We may receive information from:

• Payment Processors: Stripe provides us with payment status, subscription information, and billing details
• Authentication Services: NextAuth.js provides authentication and session management

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 To Provide and Maintain the Service

• Create and manage your pharmacy account
• Authenticate users and maintain secure access
• Track controlled substance inventory and transactions
• Generate reports and audit trails
• Provide barcode scanning and verification features
• Send verification emails and account notifications

3.2 To Process Payments

• Process subscription payments through Stripe
• Send payment receipts and invoices
• Manage billing and subscription renewals
• Handle payment failures and account suspensions

3.3 To Communicate With You

• Send welcome emails and onboarding information
• Notify you of trial expiration reminders
• Send subscription renewal notifications
• Alert you to payment failures and account issues
• Respond to your support requests and inquiries
• Send important service announcements and updates

3.4 To Improve and Optimize the Service

• Analyze usage patterns to improve functionality
• Monitor system performance and diagnose technical issues
• Develop new features and enhancements
• Conduct research and analytics (using aggregated, de-identified data)

3.5 For Security and Compliance

• Prevent fraud, abuse, and unauthorized access
• Enforce our Terms of Service
• Comply with legal obligations and regulatory requirements
• Maintain audit trails for compliance purposes
• Investigate and respond to security incidents

4. How We Share Your Information

We do not sell your personal information. We may share your information only in the following limited circumstances:

4.1 With Service Providers

We share information with third-party service providers who perform services on our behalf:

• Stripe: Payment processing and billing management
• MongoDB Atlas: Database hosting and data storage
• Vercel: Application hosting and content delivery
• Email Service Providers: Zoho or similar SMTP services for transactional emails

These service providers are contractually obligated to protect your information and use it only for the purposes we specify.

4.2 For Legal Reasons

We may disclose your information when required by law or in response to:

• Court orders, subpoenas, or other legal processes
• DEA investigations or audits
• Law enforcement requests
• Protection of our legal rights or compliance with regulations

4.3 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information is transferred and becomes subject to a different privacy policy.

4.4 With Your Consent

We may share your information with third parties when you explicitly consent to such sharing.

5. Data Security

We implement industry-standard security measures to protect your information from unauthorized access, alteration, disclosure, or destruction:

• Encryption: All data transmitted between your browser and our servers is encrypted using TLS/SSL (HTTPS)
• Password Security: Passwords are hashed using bcrypt before storage
• Access Controls: Role-based access controls limit data access to authorized personnel only
• Secure Hosting: Data is stored on secure, industry-leading cloud infrastructure (MongoDB Atlas, Vercel)
• Regular Security Audits: We conduct regular security reviews and updates
• Automatic Backups: Data is automatically backed up to prevent data loss
• Security Headers: We implement security headers (CSP, HSTS, X-Frame-Options) to protect against common web vulnerabilities

However, no method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

6. Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes outlined in this Privacy Policy:

• Active Accounts: We retain your data for as long as your account is active and you have a valid subscription
• Expired Subscriptions: After your subscription expires or your trial ends, we retain your data for 30 days to allow you to reactivate your account
• Deleted Accounts: After account deletion, we permanently delete your data within 30 days, except where retention is required by law
• Legal Compliance: We may retain certain information longer when required by law, such as for tax, accounting, or regulatory purposes
• Audit Trails: Transaction logs and audit trails may be retained for compliance with DEA record-keeping requirements

7. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

7.1 Access and Data Portability

You have the right to access your personal information and obtain a copy of your data. You can export your medication and transaction data at any time through the Service's reporting features (CSV export).

7.2 Correction and Update

You can update your pharmacy profile information, user accounts, and medication data directly through the Service settings at any time.

7.3 Deletion

You can request deletion of your account and data by cancelling your subscription and contacting us at info@c2track.com. Note that certain information may be retained as required by law.

7.4 Opt-Out of Marketing

You can opt out of marketing emails by clicking the "unsubscribe" link in any marketing email. Note that you will still receive transactional emails (e.g., payment receipts, trial reminders) necessary for the operation of your account.

7.5 California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, use, and disclose, and the right to request deletion of your personal information.

To exercise any of these rights, please contact us at info@c2track.com. We will respond to your request within 30 days.

8. HIPAA and Protected Health Information

C2 Track is designed for controlled substance inventory management and does not require the storage of Protected Health Information (PHI) as defined by HIPAA.

However, if you enter prescription numbers or other information that could be considered PHI, we will act as a Business Associate under HIPAA. In such cases, we will enter into a Business Associate Agreement (BAA) with you. See our HIPAA BAA page for more information.

We recommend that you do not enter patient names or other identifiable patient information into the Service. Prescription numbers alone (without patient identifiers) are generally sufficient for inventory tracking.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to provide and improve the Service:

• Essential Cookies: Required for authentication, session management, and core functionality of the Service (e.g., NextAuth session cookies)
• Functional Cookies: Remember your preferences and settings (e.g., selected theme colors)
• Analytics Cookies: Help us understand how users interact with the Service to improve functionality and user experience

You can control cookies through your browser settings. However, disabling essential cookies may prevent you from using certain features of the Service.

10. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child under 18, please contact us immediately at info@c2track.com, and we will delete such information.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws than your jurisdiction.

By using the Service, you consent to the transfer of your information to the United States and other countries where our service providers operate.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:

• Sending an email to the address associated with your account
• Posting a notice on our Service
• Updating the "Last Updated" date at the top of this Privacy Policy

Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acceptance of the changes.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: