Last updated: June 2026
We collect account information (name, email, credentials), facility operational data (controlled substance entries, temperature logs, cart checks), and case numbers/MRNs. We process Protected Health Information (PHI) including patient MRN and names in controlled substance logs.
We use information to provide the service, generate reports, calculate compliance scores, and support anonymized benchmarking when consent is provided.
We do not collect diagnoses, treatment details, insurance information, or social security numbers.
We use the following third-party sub-processors to deliver our services: Supabase (database & authentication), Vercel (hosting), Stripe (payment processing), Sentry (error monitoring), Google Analytics (website analytics), Formspree (contact forms), and MailerLite (email communications).
Data is stored in Supabase (PostgreSQL), encrypted at rest and in transit, and hosted in the United States.
We do not sell your data. We do not sell individual facility data. Anonymized aggregate data may be used for industry research with consent.
Data is retained for 10 years after account closure to support regulatory and compliance obligations. You may export your data at any time.
A HIPAA Business Associate Agreement (BAA) is active with our infrastructure provider. All subscribers are required to execute a BAA. PHI including patient MRN and names in controlled substance logs is processed in accordance with HIPAA requirements.
Security controls include role-based access, PIN authentication, entry immutability, geolocation verification, and rate limiting.
You may access your data, export your data at any time, delete your account, and opt out of data sharing.
This Policy is governed by the laws of the State of Texas, without regard to its conflict-of-laws principles.
This website uses cookies and similar technologies for two purposes: to understand how visitors use the site through Google Analytics, and to detect and diagnose errors through Sentry. These tools support analytics and reliability, not advertising, and we do not sell the information they collect. Google Analytics may collect information such as your IP address, device and browser type, and the pages you visit. You can opt out of Google Analytics using Google's opt-out browser add-on, or by blocking or clearing cookies in your browser settings. This is our public marketing site and does not collect protected health information.
Some features let your facility share certain data with TOM beyond what is needed to operate the Service. These are off by default. Your facility chooses whether to turn any of them on, and can turn them off at any time under Settings, Data and Privacy. Turning them off does not affect your use of the Service.
TOM does not sell personal information, and does not use protected health information for marketing, advertising, or any other secondary commercial purpose. Patient information is never included in benchmarking, research, or the public directory.
For privacy questions, contact jon@tompharmacy.com.