Privacy Policy
Effective: April 2026. Last updated: April 2026.
This Privacy Policy describes how BID Partners LLC (“BID Partners,” “we,” or “us”), operating the Scriptlane product and the scriptlanedata.com website (together, the “Service”), collects, uses, and shares information.
1. Who we are
Scriptlane is a neutral commercial broker between Electronic Health Record (EHR) partner programs and the pharma, med-device, and consumer health activation ecosystem. Scriptlane does not receive, store, or transmit Protected Health Information (PHI) as defined under 45 CFR § 160.103. All query responses are aggregate-only and cell-size floored at the upstream partner portal.
2. Information we collect
Information you give us
- Account data: work email, name, company or team name, role selection, and (for scopers) the vertical you operate in.
- Campaign scoping briefs: the therapy area, drug codes (NDC/RxNorm), diagnosis codes (ICD-10), specialties, and geography you enter into the Scope product. These describe a campaign’s addressable market; they do not identify individuals.
- Contact form submissions: name, email, phone (if provided), company, inquiry type, and message text.
- Billing data: payment method details are collected and processed by Stripe, Inc.; we only retain the Stripe customer and subscription identifiers, billing email, and plan tier.
Information we generate
- Aggregate query results: responses from EHR partner portals are normalized and stored as aggregate counts (e.g., “N HCPs”) and rolled up by specialty and region.
- Audit events: who performed what action (query run, scoping created, lead submitted, plan changed) and when.
- Usage telemetry: request paths, response status, and server-side diagnostics through our hosting provider (Vercel) and database provider (Supabase).
What we do not collect
- We do not receive, process, store, or transmit patient-identifiable data. Every adapter output is validated against a PHI-key deny list before it reaches our database. See the Trust & Security page for the technical control.
- We do not sell or rent your information to advertisers.
3. How we use information
- To operate, maintain, and improve the Service.
- To run the scoping and brokered-execution workflow you requested - including routing signed deals to the EHR partner program on their standard paper.
- To render practice-administrator analytics in Caliper. When a practice connects Caliper to its EHR (via certified FHIR APIs), Caliper reads only aggregate counts - never patient-identifiable data, never PHI - to render the practice’s peer-benchmarking dashboard (patient mix, payer mix, specialty footprint, condition prevalence, medication adherence, MIPS proxy view).
- To inform Scope’s industry-network analytics with de-identified aggregate counts. Aggregate counts retrieved from connected EHR sources are de-identified at the boundary (cell-size floor n ≥ 11, PHI field-name deny list, no patient or clinician identifiers persisted) and may also inform Scope’s anonymous network signal - cohort-level intelligence used by Scriptlane’s pharmaceutical and life-sciences customers. Scope customers see aggregate, de-identified cohort counts only; no identifying information about a connected practice, clinician, or patient flows downstream.
- To communicate about your account, support, billing, and security.
- To comply with legal obligations and enforce our Terms of Service.
4. Legal bases (GDPR / UK GDPR)
Where Scriptlane is accessed from the European Economic Area or the United Kingdom, we process personal data under the legal bases of contract (to provide the Service you requested), legitimate interests (to operate, secure, and improve the Service), consent (where obtained for marketing communications), and legal obligation.
5. Sharing and subprocessors
We share information with the following subprocessors, each of whom is contractually obligated to protect your data:
- Vercel Inc. - hosting and edge/function runtime (United States).
- Supabase Inc. - Postgres database, authentication, and storage (United States region).
- Stripe, Inc. - payment processing and subscription management (United States).
- Resend, Inc. - transactional email delivery (United States).
We may disclose information to EHR partner programs and activation partners only where you have explicitly requested a brokered introduction or campaign execution, and in that case we disclose only the minimum fields necessary to make that introduction.
6. Data retention
- Account data: retained while your account is active and for 30 days after deletion.
- Audit logs: retained for seven (7) years for regulatory defensibility.
- Scoping briefs and results: retained while your account is active.
- Contact form submissions: retained up to 24 months or until you request deletion.
- Billing records: retained seven (7) years to meet tax and accounting obligations.
7. Your rights
Depending on your jurisdiction, you may have the right to access, correct, delete, or port your personal data, and to object to or restrict certain processing. To exercise these rights, email ben@scriptlanedata.com. We will respond within 30 days.
8. Security
We apply the technical and organizational controls described in our Trust & Security page, including encryption in transit and at rest, least-privilege access, audit logging, and aggregate-only data architecture.
9. International transfers
Scriptlane hosts data in the United States. Where personal data is transferred from the EEA or UK to the US, we rely on Standard Contractual Clauses or other lawful transfer mechanisms.
10. Children
The Service is not directed to children under 18, and we do not knowingly collect personal information from children.
11. Changes
We may update this Policy from time to time. Material changes will be announced via the Service or by email at least 14 days before they take effect.
12. Contact
BID Partners LLC, operating Scriptlane. For privacy inquiries, contact ben@scriptlanedata.com.