Privacy

How we handle your data.

Effective May 13, 2026

Overview

This Privacy Policy describes how MarkupRx ("we," "us," or "our") collects, uses, and shares information when you use the MarkupRx platform — a drug pricing intelligence service for independent pharmacists. It covers our web application at pharm.markuprx.com and this marketing site at markuprx.com.

This policy is effective as of May 13, 2026. Material changes will be announced via email or in-app notice and reflected in the date above.

Questions? Email [email protected] — we read every message.

What we collect

We collect the following categories of information:

  • Account data — your name, email address, pharmacy name, and NPI number when you sign up.
  • Usage data — claim aggregates you upload for underwater-claim analysis (NDC, dispense date, quantity, payer type — no patient names or identifiers), contracts you upload for AI parsing, and appeal letters generated on your behalf.
  • Waitlist data — your email address if you previously joined the waitlist at markuprx.com (now closed; open signup at pharm.markuprx.com/signup).
  • Automated telemetry — page views, referral source, browser and device class, and anonymized geographic region via Google Analytics 4. See the Processors section for details and opt-out options.

Federal data sources

MarkupRx aggregates 13 federal data sources published by the U.S. government and makes them available to pharmacists in a unified search interface. These are public datasets — we do not purchase or license private data.

  • NADAC (National Average Drug Acquisition Cost)
  • FDA NDC Directory
  • RxNorm Bulk
  • RxNorm API Fallback
  • RxNorm NDC Resolve
  • SDUD (State Drug Utilization Data)
  • Orange Book (FDA)
  • Drug Shortages (FDA)
  • ASP + HCPCS Crosswalk (Medicare Part B)
  • CMS Drug Spending (Part B, Part D, Medicaid)
  • Federal Upper Limit (FUL)
  • VA FSS (Federal Supply Schedule)
  • Drugs@FDA
  • IRA MFP (Inflation Reduction Act Medicare Negotiated Prices)

Honesty note: we do not have access to AWP (Average Wholesale Price), WAC (Wholesale Acquisition Cost), per-pharmacy acquisition costs, or patient-level claim data. These data sources are proprietary or confidential and are not part of the MarkupRx platform.

Processors

We use the following third-party processors. Each receives only the data necessary for its stated purpose.

Resend
Transactional email, sent from send.markuprx.com. We send your email address and waitlist confirmation messages to Resend. Resend processes these to deliver emails on our behalf.
Stripe (Stripe, Inc.)
Payment processing for subscription billing. We send your name, email, billing address, and payment method details to Stripe when you start a subscription. Stripe's Privacy Policy: https://stripe.com/privacy. Stripe retains invoice records for approximately 7 years to comply with tax law.
Cloudflare R2
Object storage for the compliance vault. When you upload documents to your vault or generate compliance-signed audit bundles, the resulting files are stored in Cloudflare R2. What we send: vault document uploads and compliance signing artifacts.
Railway
Infrastructure provider. Our PostgreSQL primary database and Redis broker run on Railway's platform. All application data stored in the primary database is hosted on Railway infrastructure.
Google Analytics 4 (Google LLC)
Page views, referrer, browser/device class, and anonymized IP-derived approximate geographic region (city-level; raw IP discarded before logging). Used to understand which marketing channels drive sign-ups. We do not use Google Ads remarketing. To opt out: (a) enable Do Not Track or Global Privacy Control in your browser, (b) install the Google Analytics Opt-Out Browser Add-on, or (c) adjust your Google Ads Settings.
Anthropic
AI processing for drug summaries, contract analysis, and appeal generation. When you trigger an AI feature, MarkupRx sends the relevant inputs to Anthropic's API. No PHI, no patient identifiers, no Rx numbers are sent. Under Anthropic's Commercial Terms of Service, Anthropic does not use Customer Content to train their models. Anthropic retains prompts briefly (default ~7 days) for abuse monitoring, then deletes them. For more information: Anthropic Commercial Customers Privacy Center. Please do not upload contracts containing patient information.

Data retention

Active accounts: we retain your data for as long as your account is active.

To delete your account, email [email protected] and we will process your request within 30 days. On deletion we will purge your user record, dispense records, vault documents, and any associated objects from our primary database and object storage (Cloudflare R2). We will also remove your Resend audience entry.

Stripe subscription billing: when you cancel your subscription, your subscription status is set to canceled. Stripe retains invoice records for approximately 7 years to comply with tax and financial reporting law — those records are at Stripe and are not used by MarkupRx after cancellation. We do not delete Stripe Customer records on your behalf; Stripe manages that lifecycle under their own retention obligations.

Per-document vault deletion: when you delete an individual vault document via the in-app delete control, both the metadata row and the underlying Cloudflare R2 object are removed within 30 days.

Encrypted backups: backups containing pre-deletion snapshots are overwritten on a rolling 30-day cycle.

A self-serve account-deletion endpoint is on the roadmap and will be added in a future release.

Your rights

Depending on where you are located, you may have the following rights regarding your personal data:

  • Right to access — request a copy of the personal data we hold about you.
  • Right to correct — request that we correct inaccurate personal data.
  • Right to delete — request deletion of your personal data.
  • Right to portability — request a machine-readable export of your personal data.
  • Right to opt out — opt out of targeted advertising or sale of personal data (we do not sell your data or use it for targeted advertising).

To exercise your right to deletion, email [email protected] and we will process your request within 30 days.

To stop receiving waitlist emails, click the unsubscribe link in any waitlist email — this immediately marks your entry as do-not-email. To request full deletion of your waitlist record, email [email protected].

State-specific rights

Depending on your state of residence, you may have additional rights described below. To exercise any of these rights, email [email protected].

California (CCPA / CPRA)

Under the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100–199.100) as amended by the California Privacy Rights Act (CPRA, effective Jan 1, 2023), California residents have the right to know what personal data we collect, delete it, correct it, opt out of its sale or sharing, and limit use of sensitive personal information. We do not sell your personal information. You also have the right to non-discrimination for exercising these rights and the right to request disclosure of personal data shared with third parties for direct marketing purposes (California "Shine the Light," Cal. Civ. Code §1798.83).

Virginia (VCDPA)

Under the Virginia Consumer Data Protection Act (Va. Code §§ 59.1-575 et seq., effective Jan 1, 2023), Virginia residents have the right to access, correct, delete, and port their personal data, and to opt out of targeted advertising, sale of personal data, and profiling for decisions with legal or similarly significant effects. As MarkupRx's operator is based in Virginia, we are especially attentive to VCDPA compliance. To exercise your rights, contact [email protected].

Colorado (CPA)

Under the Colorado Privacy Act (C.R.S. §§ 6-1-1301 et seq., effective Jul 1, 2023), Colorado residents have rights to access, correct, delete, and port their personal data, and to opt out of targeted advertising, sale, and profiling. Colorado also requires recognition of universal opt-out mechanisms (Global Privacy Control) as of Jul 1, 2024. MarkupRx will honor Global Privacy Control browser signals. We do not sell personal data or use it for targeted advertising, which limits the practical scope of the opt-out right.

Connecticut (CTDPA)

Under the Connecticut Data Privacy Act (Conn. Pub. Act 22-15, effective Jul 1, 2023), Connecticut residents have rights to access, correct, delete, and port their personal data, and to opt out of targeted advertising, sale, and profiling. Connecticut requires recognition of universal opt-out preference signals as of Jan 1, 2025. We respond to Connecticut requests within 45 days (extendable by an additional 45 days with notice).

Utah (UCPA)

Under the Utah Consumer Privacy Act (Utah Code §§ 13-61-101 et seq., effective Dec 31, 2023), Utah residents have rights to access, delete, and port their personal data, and to opt out of targeted advertising and sale of personal data. We do not sell your personal information and do not use it for targeted advertising, which limits the practical scope of the opt-out right for most MarkupRx users.

AI processing

AI features (drug summaries, contract analysis, appeal generation) are powered by Anthropic's Claude API. When you trigger an AI feature, MarkupRx sends the relevant inputs to Anthropic's API for processing. No PHI, no patient identifiers, no Rx numbers are sent. Under Anthropic's Commercial Terms of Service, Anthropic does not use Customer Content (the inputs we send) to train their models. Anthropic retains prompts briefly (default ~7 days) for abuse monitoring, then deletes them. We do not store the AI response beyond rendering it to you in your dashboard, except where you explicitly save the output (e.g. a generated appeal letter saved to your Vault).

For contract analysis specifically, the text of the contract you upload is sent to Anthropic for parsing — we do not redact it. Please do not upload contracts containing patient information.

For more information on Anthropic's data practices for commercial customers, see the Anthropic Commercial Customers Privacy Center.

Children's privacy

MarkupRx is intended for adult professionals operating pharmacies. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected information from a child under 13, contact [email protected] and we will promptly delete it.

Changes to this policy

We may update this policy from time to time. Material changes will be reflected in the Effective date above and announced via email or in-app notice. Continued use of MarkupRx after notice constitutes acceptance of the revised policy.

Contact

Questions about this policy or your data? Email [email protected] — we read every message.