Security and privacy

A plain, detailed account of how Reserve Meds handles personal and clinical information, across the United States and the destination countries where our patients actually live.

The families we work with are senior, private, and accustomed to institutions that treat their information with discipline. This page is the companion to our Trust and Compliance page and sets out, in more detail than most visitors will ever need, the way we handle personal and clinical data across the full arc of an engagement. It covers the US-side handling under the Health Insurance Portability and Accountability Act (HIPAA), the posture we take for patients with a European nexus under the EU General Data Protection Regulation (GDPR), and the destination-country frameworks that govern the information once it crosses a border.

The short answer, for the reader who wants one

Clinical records are encrypted in transit and at rest. The number of people at Reserve Meds who can see any given patient's file is small, named, and audited. Patient information is shared only with the treating physician, the receiving site, and the regulator, with the narrow legal exceptions required for pharmacovigilance and for lawful investigation. We retain records for the period the applicable pharmacy law requires and for no longer than necessary thereafter. Our AI review agents operate on redacted or summarised inputs wherever feasible and never export patient identifiers to third-party model providers.

HIPAA-aligned handling on the US side

Altima Care, the US-licensed specialty wholesaler currently in our US supply chain (while Reserve Meds advances its own wholesale distributor license), is a HIPAA-covered entity and operates its privacy, security, and breach-notification programs under the Administrative Simplification provisions of HIPAA (45 C.F.R. Parts 160 and 164). In practice, this means that any protected health information (PHI) we receive in connection with a dispense is held in systems that satisfy the HIPAA Security Rule, that our workforce members receive HIPAA training on hire and annually thereafter, and that any vendor that touches PHI on our behalf is under a written Business Associate Agreement. Our HIPAA Notice of Privacy Practices is published at /legal/hipaa.html and is available in paper form on request.

GDPR posture for EU-domiciled patients

Where the patient or the immediate family has a European nexus, for example a family office domiciled in the European Union or a patient ordinarily resident there, we treat the engagement as subject to the GDPR. Our lawful basis for processing is typically the combination of explicit consent and the performance of a contract for specialty pharmacy services; for sensitive health data, processing is grounded in Article 9(2)(h), medical necessity under the direction of a health professional. Data subjects retain their full rights of access, rectification, erasure, portability, and objection, and we respond to verified requests within the one-month statutory window. Where cross-border transfers are involved, we rely on the standard contractual clauses adopted by the European Commission and on additional safeguards where the destination country does not benefit from an adequacy decision.

Destination-country privacy frameworks

The information we handle eventually crosses into the country where the patient is being treated, and the rules there matter. Our posture is to align to the strictest of the applicable regimes.

United Arab Emirates

For patients in the UAE, we align to Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the UAE PDPL) and, for Dubai Healthcare City-based institutions, to the Dubai Healthcare City Data Protection Regulations. Clinical data is shared with the treating physician or hospital pharmacy that is licensed by the relevant emirate-level health authority, under a written authorisation from the patient or, in paediatric cases, from the legal guardian.

Kingdom of Saudi Arabia

For patients in Saudi Arabia, we align to the Personal Data Protection Law (KSA PDPL, Royal Decree M/19) as amended, and to the applicable Saudi Data and Artificial Intelligence Authority (SDAIA) guidance. Where a Ministry of Health authorisation or a Saudi Food and Drug Authority pathway is engaged, the information package shared with the authority is limited to what that pathway requires.

India

For patients in India, we align to the Digital Personal Data Protection Act, 2023 (DPDP Act) and to the pre-existing sensitive-personal-data rules under the Information Technology Act, 2000. Consent notices are provided in the language the patient reads, and data-principal rights under the DPDP Act, including the right of correction and erasure, are honoured on verified request.

Encryption, in transit and at rest

Patient information moves over transport-layer encryption (TLS 1.2 or higher) for web and API traffic, and over encrypted email channels where email is the appropriate medium. Stored data is encrypted at rest using industry-standard symmetric encryption; keys are held in a managed key-management service with access restricted to named, audited roles. Backups are encrypted to the same standard. Laptops, phones, and removable media used by workforce members are centrally managed and encrypted at the device level, with remote wipe enabled.

Who can see what

Access to patient files inside Reserve Meds is role-based and least-privilege. A coordinator sees the cases they are assigned to and nothing beyond. The pharmacist-in-charge sees the dispensing-relevant portion of every file that crosses the dispense queue. The regulatory lead sees the import-relevant portion. Administrative and finance staff see billing records with clinical detail masked. Every access to a patient file is logged, and those logs are reviewed on a defined cadence by the compliance function. No access to patient files is available from personal devices or outside the managed environment.

Retention schedule

Dispensing records are retained for the period required by the pharmacy law of the dispensing state, which is, at minimum, five years and, in most cases, seven. Regulatory correspondence and import-pathway files are retained for the period the destination-country regulator requires, typically five to ten years. Pharmacovigilance files are retained for the life of the product in our service plus the statutory tail. Marketing, contact, and intake data not associated with a dispense are retained for the shorter period defined in our privacy notice. Records are destroyed on a documented schedule at the end of their retention period.

AI reviewer data boundaries

Our AI Clinical Review Agent and AI Regulatory Review Agent operate inside our managed environment on inputs that have been redacted or summarised wherever the review does not require the raw record. Patient identifiers are not sent to third-party model providers. Where a model is called through a vendor API, the vendor operates under a written data-processing agreement that prohibits use of our inputs for model training and obliges the vendor to the same security posture we hold ourselves to. The agents do not make dispensing decisions; the pharmacist-in-charge and the treating physician retain that authority.
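What the boundary described above looks like in practice, as an added example that is not Reserve Meds code and not a description of how its agents are built: the record fields, the token format and the notion of a "vendor call" are assumptions for illustration, and the sample record is constructed. The technique is the point. Direct identifiers are swapped for per-case opaque tokens before anything leaves the managed environment, the token map stays local so a model's output can be re-identified inside the boundary, and an outbound guard refuses to send any payload in which a raw identifier still appears, including one that was copied into a clinical free-text field.

```python
"""Pseudonymisation at the model boundary (added example, not Reserve Meds code).

Field names, token format and the 'vendor call' are assumptions for illustration.
"""
import hashlib
import hmac
import re

# Fields that identify the patient and must never leave the managed environment.
DIRECT_IDENTIFIERS = ("patient_name", "date_of_birth", "mrn", "phone", "email")
# Fields a clinical review actually needs.
CLINICAL_FIELDS = ("diagnosis", "product", "dose", "renal_function", "allergies")


def _searchable_values(field_name, value):
    """The full value plus, for names, each name part of 3+ characters, so a
    note that says only 'Mrs Hoffmann' is still caught."""
    values = [str(value)]
    if field_name == "patient_name":
        values += [p for p in str(value).split() if len(p) >= 3]
    return values


class Pseudonymiser:
    """Deterministic per-case tokens under a secret that never leaves the environment."""

    def __init__(self, secret: bytes, case_id: str):
        self.secret = secret
        self.case_id = case_id
        self.token_map = {}  # token -> original value, kept local

    def token_for(self, field_name, value):
        msg = f"{self.case_id}|{field_name}|{value}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:12]
        token = f"<{field_name.upper()}:{digest}>"
        self.token_map[token] = str(value)
        return token

    def redact(self, record):
        """Keep clinical fields, tokenise identifiers, scrub identifiers from free text."""
        out = {k: record[k] for k in CLINICAL_FIELDS if k in record}
        notes = record.get("notes", "")
        tokens = {}
        for k in DIRECT_IDENTIFIERS:
            if not record.get(k):
                continue
            tokens[k] = self.token_for(k, record[k])
            for v in _searchable_values(k, record[k]):
                notes = re.sub(r"\b" + re.escape(v) + r"\b", tokens[k], notes, flags=re.IGNORECASE)
        out["notes"] = notes
        out["subject"] = tokens.get("patient_name", "<PATIENT>")
        return out

    def reidentify(self, text):
        """Map tokens in a model's output back to the real values, locally."""
        for token, value in self.token_map.items():
            text = text.replace(token, value)
        return text


def leaked_identifiers(record, payload):
    """Which raw identifiers still appear anywhere in the outbound payload."""
    blob = repr(payload).lower()
    return [k for k in DIRECT_IDENTIFIERS
            if record.get(k) and any(v.lower() in blob for v in _searchable_values(k, record[k]))]


def prepare_for_vendor(record, pseud):
    """The outbound guard: redact, then refuse to send if anything leaked."""
    payload = pseud.redact(record)
    leaks = leaked_identifiers(record, payload)
    if leaks:
        raise ValueError(f"refusing vendor call, raw identifiers present: {leaks}")
    return payload


# Constructed sample case record (fictional), not real patient data.
SAMPLE_RECORD = {
    "patient_name": "Ingrid Hoffmann",
    "date_of_birth": "1949-03-02",
    "mrn": "MRN-8841-22",
    "diagnosis": "relapsed multiple myeloma",
    "product": "example-mab 400 mg vial",
    "dose": "400 mg IV q4w",
    "renal_function": "eGFR 52",
    "notes": "Mrs Hoffmann reports mild nausea after cycle 2; DOB 1949-03-02 confirmed against MRN-8841-22.",
}

if __name__ == "__main__":
    p = Pseudonymiser(secret=b"local-kms-derived-secret", case_id="CASE-0417")
    payload = prepare_for_vendor(SAMPLE_RECORD, p)
    print(payload["notes"])
    # The model's output carries tokens; re-identification happens inside the boundary.
    print(p.reidentify(f"Interaction review for {payload['subject']}: no new signal."))
```

Scrubbing known values out of free text is the cheap part; it catches the patient's own name, date of birth and record number, but not a relative's name or an address the note happens to mention, so a deployment would pair it with an entity recogniser and treat the guard as the last line, not the only one. The HMAC secret is what keeps the tokens unlinkable across cases; it belongs in the same managed key service as the encryption keys.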

Auditability

Every material action on a patient file, every access to PHI, every regulatory submission, and every release of medicine is logged and time-stamped. Logs are tamper-evident and held for a period consistent with our retention schedule. A patient or an authorised representative may request an accounting of disclosures of their information and, under HIPAA and the GDPR, we are obliged to provide it. Regulators may request audit records in connection with a lawful inquiry and we cooperate with those requests promptly.
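The two controls above, role-scoped access from "Who can see what" and the tamper-evident log from this section, as one added example that is not Reserve Meds code and does not describe its actual systems: the roles, file sections, in-memory store, user list and log layout are all assumptions for illustration. A read is checked against the role's permitted sections (and, for a coordinator, against assigned cases), the attempt is logged whether it is allowed or denied, and each log entry is chained to the previous one under an HMAC key, so an edited or deleted entry is detected when the chain is verified. The same log answers an accounting-of-disclosures request for a case.

```python
"""Role-scoped reads with a keyed hash chain over the access log
(added example, not Reserve Meds code; roles, sections and data are assumptions)."""
import hashlib
import hmac
import json
import time

# Which sections of a case file each role may read.
ROLE_SECTIONS = {
    "coordinator": {"clinical", "dispensing", "import", "billing"},  # own cases only
    "pharmacist_in_charge": {"dispensing"},
    "regulatory_lead": {"import"},
    "finance": {"billing"},  # billing carries no clinical detail
}

GENESIS = "0" * 64


class AuditLog:
    """Append-only log; each entry's tag covers its content and the previous tag."""

    def __init__(self, key: bytes):
        self.key = key
        self.entries = []  # list of (entry_dict, tag)
        self.head = GENESIS

    @staticmethod
    def _canonical(entry):
        return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

    def _tag(self, entry):
        return hmac.new(self.key, self._canonical(entry), hashlib.sha256).hexdigest()

    def append(self, **fields):
        entry = {"ts": time.time(), "prev": self.head, **fields}
        tag = self._tag(entry)
        self.entries.append((entry, tag))
        self.head = tag
        return tag

    def verify(self):
        """Walk the chain; return (True, n) or (False, index of first bad entry)."""
        prev = GENESIS
        for i, (entry, tag) in enumerate(self.entries):
            if entry.get("prev") != prev or not hmac.compare_digest(self._tag(entry), tag):
                return False, i
            prev = tag
        return True, len(self.entries)

    def disclosures(self, case_id):
        """Accounting of who read what on a case: the allowed reads, in order."""
        return [e for e, _ in self.entries if e.get("case") == case_id and e.get("outcome") == "allow"]


def read_section(store, log, user, case_id, section):
    """Enforce role and case scope, log the attempt either way, then return the data."""
    role = user["role"]
    allowed = section in ROLE_SECTIONS.get(role, set())
    if role == "coordinator":
        allowed = allowed and case_id in user["assigned_cases"]
    log.append(actor=user["id"], role=role, case=case_id, section=section,
               outcome="allow" if allowed else "deny")
    if not allowed:
        raise PermissionError(f"{user['id']} ({role}) may not read {section} of {case_id}")
    return store[case_id][section]


# Constructed sample data, fictional.
STORE = {
    "CASE-0417": {"clinical": "diagnosis and dosing notes", "dispensing": "lot and quantity",
                  "import": "permit reference", "billing": "invoice 2026-031"},
    "CASE-0418": {"clinical": "...", "dispensing": "...", "import": "...", "billing": "..."},
}
USERS = {
    "coord-a": {"id": "coord-a", "role": "coordinator", "assigned_cases": {"CASE-0417"}},
    "pic": {"id": "pic", "role": "pharmacist_in_charge"},
    "fin": {"id": "fin", "role": "finance"},
}


def demo():
    """Run a set of reads and return (log, outcomes) for inspection."""
    log = AuditLog(key=b"log-chain-key-from-kms")
    outcomes = {}
    attempts = [("coord-a", "CASE-0417", "clinical"), ("coord-a", "CASE-0418", "clinical"),
                ("pic", "CASE-0417", "dispensing"), ("fin", "CASE-0417", "clinical"),
                ("fin", "CASE-0417", "billing")]
    for uid, case, section in attempts:
        try:
            read_section(STORE, log, USERS[uid], case, section)
            outcomes[(uid, case, section)] = "allow"
        except PermissionError:
            outcomes[(uid, case, section)] = "deny"
    return log, outcomes


if __name__ == "__main__":
    log, outcomes = demo()
    print(outcomes)
    print("chain intact:", log.verify())
    log.entries[1][0]["outcome"] = "allow"  # someone rewrites a denied attempt
    print("after tampering:", log.verify())
```

The chain makes an edit or deletion visible to anyone who can verify it, but only if the verifier's copy of the head tag is not under the same control as the log store; in practice the current head is written at intervals to a store the log writers cannot modify (a signed export, a WORM bucket, a second system), and the HMAC key lives in the key service rather than beside the log, so a party with write access to the log cannot simply re-tag the entries after the one they changed.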

Breach-notification posture

If a breach affecting protected health information occurs, we operate under the HIPAA Breach Notification Rule (45 C.F.R. §§ 164.400 et seq.) and the parallel breach-notification obligations of the GDPR (Articles 33 and 34) and the destination-country frameworks noted above. Individuals whose information is affected are notified in writing, in a language they read, within the statutory window; regulators are notified within the required timelines; and we publish a summary on this site where the applicable rule requires. Our obligation is to tell you promptly, tell you plainly, and tell you what we are doing about it.

Reviewed 2026-04-22 by Reserve Meds's AI clinical and regulatory review agents. Human pharmacist-in-charge: Altima Care. Next scheduled review: 2026-10-22.