What Data We Collect and Why It Matters

When you use Pharmacy Mall, we collect only the data needed to process your orders, ensure product safety, and meet legal and medical regulations in the US. That includes your name, shipping address, email, and payment method. If you’re ordering medication that requires dosage accuracy or specific handling, we also collect limited health-related information that’s directly relevant to the product you choose.

Your data is used for three things only:

  • To fulfill your order accurately
  • To verify your identity and protect against fraud
  • To comply with pharmaceutical laws and safety protocols

We do not collect irrelevant details. We do not track behavior for ad targeting. Your data is not a business model here. It’s a regulatory and operational necessity.

Medical Data and Compliance

If you upload prescriptions or submit health details, this information is stored in accordance with HIPAA-related standards, even though our operations are international. We align with US federal data handling expectations when it involves medication, storage, and transmission. We also follow GDPR practices for customers located in the EU or interacting with EU-based systems.

For prescription drugs, legal obligations vary. In some cases, we must retain specific documents to comply with drug safety protocols or pharmacy audits. That data is encrypted and stored in secured systems with access limited to licensed pharmacy staff.

Data Storage and Access

Data is stored on servers secured with industry-standard encryption (AES-256 or stronger). We retain essential data for recordkeeping as required by pharmaceutical law – typically 5 to 7 years for controlled substances. Access is limited to staff with legitimate operational roles, such as pharmacists verifying an order, or logistics staff preparing shipments.

We do not share your information with third-party advertisers. Your data does not leave our control unless required by law (court orders, federal audits) or in case of cross-border regulatory checks for drug safety.

Cookies and Session Data

Our website uses session cookies to maintain a smooth ordering experience – keeping your cart, login, or form progress active. These cookies expire after your session ends. No tracking cookies are placed by external parties. We do not allow advertising pixels on any part of our platform.

You can disable cookies in your browser and still access most parts of the site. Some features like checkout may require cookies for technical reasons.

Email and Communication Practices

We send order confirmations, tracking details, and product safety notices. Occasionally, we send essential updates about drug recalls or regulatory changes. Marketing emails are optional – you must opt in. Every email includes a visible opt-out link that works immediately.

We do not purchase email lists. We do not use third-party bulk email systems. All communications are managed in-house through secure servers.

Third-Party Processors

Payment processing is handled by PCI-compliant gateways. These companies are not permitted to store your full payment details beyond transaction confirmation. We do not store CVV codes or raw card data.

If we work with a licensed pharmacy partner or shipping contractor, they receive only the information necessary to fulfill their specific function – name, shipping address, and product details. These parties are under binding agreements not to use or retain data beyond fulfillment.

Data Requests and Deletion

You may request a full copy of your personal data, including any prescriptions submitted, and request deletion where it does not conflict with medical recordkeeping laws. To do so, email us using the address associated with your order. We’ll verify your identity and respond within 10 business days.

Some information, such as prescription fulfillment history for controlled substances, cannot be deleted immediately due to retention rules imposed by pharmacy regulators in the US and internationally.

Security Incidents and Breach Protocol

In the event of a data breach, we notify affected users directly within 72 hours of confirmation. The notification includes what data was exposed, how it happened, and what steps we’ve taken to prevent recurrence. We also report breaches to relevant authorities based on the location and severity of the incident.

We routinely test our systems for vulnerabilities and conduct audits as part of ongoing regulatory compliance.