This document is a working draft. It will be finalized following legal review. The effective version is denoted by the version field in the document header.
This Privacy Policy describes how TOM Pharmacy Consulting, LLC ("TOM," "we") collects, uses, protects, and shares information in connection with the TOM MMS platform ("Service"). When TOM processes Protected Health Information ("PHI") on behalf of a Customer ambulatory surgery center, we do so as a Business Associate under HIPAA; the Business Associate Agreement ("BAA") between TOM and the Customer governs those activities and controls in the event of any conflict with this Policy.
This Policy applies to (a) the administrators and authorized users who operate a Customer account ("you" in this document), (b) visitors to our marketing site, and (c) individuals whose information is processed as part of the Service, to the extent not governed by the BAA.
1. Information We Collect
Account information. Name, email address, facility name, facility address, job title, and password for owners and administrators who register an account. For pharmacist, nurse, and auditor roles, the account owner or administrator enters the same data on the user's behalf, plus a PIN the user chooses. PIC (Pharmacist-in-Charge) is a designation applied to a pharmacist user; it is not a separate account type.
Facility configuration. Operating hours, formulary, equipment list, licensure metadata, policies and procedures, and similar configuration that the Customer provides to set up the Service.
Protected Health Information (PHI). When the Service is used to record controlled-substance transactions, temperature logs, cart checks, discharge records, incident reports, patient case records (including patient names, medical record number identifiers — last-four MRN or full MRN per facility configuration — patient allergies, procedure type, scheduled date and time, and surgeon), and similar operational records, those records may contain PHI. The categories of PHI processed by the Service are enumerated in the BAA. TOM processes PHI as a Business Associate under the BAA. We do not use PHI for any purpose other than to provide the Service, as required by applicable law, or as otherwise permitted under the BAA.
Usage data. Device identifiers, IP address, user agent, login timestamps, feature usage, and error traces. We use usage data to operate and secure the Service, diagnose problems, detect abuse, and improve the product.
Billing information. For owner accounts, Stripe, Inc. collects and processes payment-method data directly. TOM stores only a Stripe customer identifier, subscription identifier, billing email, and plan metadata — no full card numbers.
Support communications. Emails, chat transcripts, and other communications you send to support.
2. How We Use Information
- To provide, operate, and maintain the Service, including authentication, authorization, audit logging, and routine administration.
- To support Customer's compliance workflows (Board of Pharmacy reporting, DEA recordkeeping, and HIPAA documentation, as applicable).
- To communicate with you about the Service, including security alerts, subscription events, and service notices.
- To detect, investigate, and prevent fraud, abuse, and security incidents.
- To improve the Service, including in-aggregate analytics that do not identify an individual or facility.
- To comply with legal obligations and to exercise or defend legal claims.
TOM does not sell personal information. TOM does not use PHI for marketing, advertising, or any secondary commercial purpose.
3. How We Protect Information
TOM hosts the Service on cloud infrastructure operated by the subprocessors listed in Section 4; the provider that stores PHI at rest has executed a HIPAA BAA with TOM. Controls include:
- Encryption. Data at rest is encrypted in the database provider's storage layer. Data in transit is encrypted with TLS 1.2 or higher.
- Access controls. Access to production PHI is limited to personnel with a documented business need who are bound by a BAA or a workforce confidentiality agreement. All such access is audited.
- Row-level security. PHI is scoped per facility by row-level security policies enforced in the database itself, so one Customer's users cannot read another Customer's records even if an application-layer authorization check were to fail.
- Audit logs. PHI reads and mutations are logged with actor, timestamp, and context, in accordance with 45 C.F.R. § 164.312(b). Patient case records — creation, view, edit, dispense, waste, and review — generate audit-log entries identifying the actor, the case record, and the action. Logs are retained for at least six years.
- Multi-factor authentication. Optional for owners at launch; expected to become required for owners in a future release.
- Incident response. Suspected security incidents are investigated on a 24/7 on-call basis. Confirmed breaches of unsecured PHI are reported to the affected Customer as required by 45 C.F.R. § 164.410 and the BAA.
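The row-level security and audit-log controls above are described only in prose. The following PostgreSQL example, added here as an illustration and not taken from the Service's actual schema, shows what "scoped per facility in the database" and "logged with actor, timestamp, and context" look like when enforced by the database rather than by application code. The table, column, and claim names (patient_case, phi_audit_log, facility_id, app_metadata.facility_id) are assumptions; the simulation at the end relies on two Supabase conventions, the `authenticated` role and the `request.jwt.claims` setting that `auth.jwt()` and `auth.uid()` read, and uses constructed sample rows.

```sql
-- Added illustration, not TOM's schema. Table, column and claim names
-- (patient_case, facility_id, app_metadata.facility_id) are assumptions.

create table patient_case (
  id           uuid primary key default gen_random_uuid(),
  facility_id  uuid not null,              -- tenant key every policy is scoped to
  patient_name text not null,
  mrn          text not null,
  created_at   timestamptz not null default now()
);

create table phi_audit_log (
  id          bigserial primary key,
  occurred_at timestamptz not null default now(),
  actor_id    uuid,                         -- auth.uid(); null for non-user sessions
  facility_id uuid not null,
  case_id     uuid not null,
  action      text not null                 -- 'create' | 'edit' | 'delete'
);

-- Facility of the calling session, read from the JWT that Supabase attaches to
-- each request (auth.jwt() reads the request.jwt.claims setting).
create or replace function current_facility_id() returns uuid
language sql stable as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'facility_id', '')::uuid
$$;

alter table patient_case enable row level security;
alter table patient_case force row level security;  -- table owner is not exempt either
grant select, insert, update on patient_case to authenticated;

-- With RLS enabled and no matching policy the table is empty to the session.
-- Each policy permits exactly the calling facility's rows and nothing else.
create policy case_select on patient_case
  for select using (facility_id = current_facility_id());
create policy case_insert on patient_case
  for insert with check (facility_id = current_facility_id());
create policy case_update on patient_case
  for update using (facility_id = current_facility_id())
             with check (facility_id = current_facility_id());

-- Audit trail written by the database, so a row change cannot occur without a
-- matching log entry. security definer lets the trigger write to a table the
-- application role has no direct access to.
create or replace function log_case_change() returns trigger
language plpgsql security definer as $$
begin
  insert into phi_audit_log (actor_id, facility_id, case_id, action)
  values (auth.uid(),
          coalesce(new.facility_id, old.facility_id),
          coalesce(new.id, old.id),
          case tg_op when 'INSERT' then 'create'
                     when 'UPDATE' then 'edit'
                     else 'delete' end);
  return coalesce(new, old);
end $$;

create trigger case_audit
  after insert or update or delete on patient_case
  for each row execute function log_case_change();

-- Simulation in one transaction with two constructed facilities.
begin;
set local role authenticated;                        -- role subject to RLS
set local request.jwt.claims =
  '{"sub":"00000000-0000-0000-0000-0000000000a1","app_metadata":{"facility_id":"11111111-1111-1111-1111-111111111111"}}';
insert into patient_case (facility_id, patient_name, mrn)
  values ('11111111-1111-1111-1111-111111111111', 'Constructed Patient A', '1234');
-- Rejected by the insert policy's with check clause (wrong facility):
-- insert into patient_case (facility_id, patient_name, mrn)
--   values ('22222222-2222-2222-2222-222222222222', 'Constructed Patient B', '5678');
select count(*) from patient_case;                   -- 1: facility 1111... sees its own row
set local request.jwt.claims =
  '{"sub":"00000000-0000-0000-0000-0000000000b2","app_metadata":{"facility_id":"22222222-2222-2222-2222-222222222222"}}';
select count(*) from patient_case;                   -- 0: facility 2222... sees nothing
rollback;
```

Two caveats a reviewer would check. First, the isolation holds only for connections made under a role that is subject to RLS; the Supabase service_role key bypasses RLS entirely, so any server-side code using it must enforce the facility scope itself. Second, the trigger records mutations, not reads; a read-audit requirement such as the one in the bullet above has to be met in the data-access layer or by routing reads through a function that logs before returning rows.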
4. Subprocessors
We use the following subprocessors to provide the Service. Each is bound by a written data-protection agreement, and each receives only the information needed to perform its function. A list of current subprocessors is also available at app.tompharmacy.com/legal/subprocessors and is updated as changes occur.
| Subprocessor | Purpose | Data scope |
|---|---|---|
| Supabase, Inc. | Managed PostgreSQL database and authentication | PHI and account data (HIPAA BAA in place) |
| Vercel, Inc. | Web application hosting and edge runtime | Request metadata, logs (no PHI at rest) |
| Stripe, Inc. | Subscription billing | Owner billing data (no PHI) |
| Resend | Transactional email (security alerts, subscription notices) | Owner email address, alert content |
| MailerLite | Marketing newsletters (opt-in only) | Email addresses of newsletter subscribers |
| Anthropic, PBC | AI-assisted document parsing (policies, invoices) | Document text; processed ephemerally, no training use |
| Sentry | Error monitoring | Error traces, scrubbed of PHI fields |
Engaging a new subprocessor that will process PHI is subject to at least thirty (30) days' prior notice, during which a Customer may object and, if the concern cannot be resolved, terminate for material breach.
5. Retention
Active subscriptions. Customer Data is retained for the duration of the subscription.
After cancellation. Customer Data is retained in a read-only state for thirty (30) days to permit export in accordance with 45 C.F.R. § 164.524. At the end of the thirty-day window, Customer Data is permanently deleted unless a legal hold applies.
Audit logs. Retained for at least six (6) years after the later of creation or the event audited, in accordance with 45 C.F.R. § 164.316(b)(2).
Backups. Database backups are retained on a rolling basis consistent with our disaster-recovery policy and are purged according to standard retention schedules. Deleted Customer Data persists in backups until the relevant backup is purged.
Billing records. Retained as required by applicable tax and accounting law (typically seven years).
6. Your Rights
Under HIPAA, individuals whose PHI is processed by the Service may exercise rights of access, amendment, and accounting of disclosures through the Customer (the Covered Entity) that collected the information. TOM supports the Customer's fulfillment of these requests as required by the BAA and 45 C.F.R. §§ 164.524 and 164.526. Patient case records — including patient names and MRN identifiers — appear only in role-scoped views accessible to the patient's facility-assigned staff (Owner, Admin, Pharmacist, PIC, Nurse, Auditor), and the corresponding audit-log entries are retrievable by the Customer for accounting-of-disclosures requests.
For account-level (non-PHI) data held by TOM about you as an Authorized User — e.g., your name, email, and role — you may review and correct that information in your account settings or by contacting support. You may close your owner account at any time as described in the Terms; doing so triggers the retention and deletion schedule in Section 5.
7. Children's Privacy
The Service is not intended for individuals under 18. We do not knowingly collect information from minors other than PHI that Customers record in the course of ordinary pediatric care at their facilities, which is governed by the BAA.
8. International Transfers
The Service is hosted and offered within the United States. At launch, we do not market the Service outside the United States and do not intentionally process data of individuals located outside the United States other than as incidental to US-based care.
9. Changes to This Policy
We may revise this Policy from time to time. Material changes will be announced at least thirty (30) days in advance by email to the Customer's billing contact and by notice in the Service. The "Last updated" date at the bottom of this Policy reflects the most recent revision. If a change materially expands our use of PHI or account information, we will obtain renewed consent via the Service's re-consent flow before the change takes effect.
10. Privacy Officer and HIPAA Security Official
TOM Pharmacy Consulting, LLC has designated the following individual to serve as Privacy Officer under 45 C.F.R. § 164.530(a)(1) and as Security Official under 45 C.F.R. § 164.308(a)(2):
- Name: Jonathan Lim, PharmD
- Role: Privacy Officer / HIPAA Security Official
- Contact: privacy@tompharmacy.com
Jonathan currently serves in both roles at TOM's single-operator stage. The designations will be split and updated as the team grows. Any change to the Privacy Officer designation is published through the same version-controlled mechanism as this Privacy Policy; a change triggers a re-consent prompt on Customer accounts' next login.
11. Contact
TOM Pharmacy Consulting, LLC
- Privacy questions: support@tompharmacy.com
- HIPAA Privacy Officer: privacy@tompharmacy.com
- Security reports (responsible disclosure): security@tompharmacy.com
Last updated: 2026-04-19