PRIVACY POLICY
Effective 2026-06-03. What data we collect from providers and practices, how we use it, and your rights.
1. Who we are
MediCaine ("we", "us", "our") sells compound topical anesthetic preparations to licensed healthcare providers through medicainenumb.com. This policy describes how we handle data collected through the site.
2. Data we collect
When you place an order or contact us, we collect:
- Practice name, contact email and phone
- Shipping address
- Provider first and last name
- NPI number, state license number, license state
- Optional DEA number
- Order configuration (formulation, form, packaging, size, quantity, auto-reorder preference)
- Any notes or special instructions you submit
- Payment-processor token returned by our PCI-DSS compliant processor (we never see your card number)
We also collect standard server-side request data — IP address, user agent, referrer — at the Cloudflare edge for security monitoring and rate limiting.
3. How we use it
- NPI Registry verification through the public CMS API before any order ships
- Compounding the formulation you ordered, labeled with your verified provider information
- Shipping the compounded preparation to your verified practice address
- Order confirmation, shipping notification, and reorder reminder emails
- Operational support — answering questions about your order or formulation
- Fraud prevention and security monitoring
- Regulatory recordkeeping required by state boards of pharmacy
4. What we don't do
- We do not sell your data to any third party
- We do not use your data for advertising or marketing without your explicit opt-in
- We do not collect or store patient-identifiable information from your practice — only provider-side ordering information
- We do not store payment card numbers; PCI-DSS compliant processor handles those
5. Service providers
We use a limited set of service providers, each with their own security and privacy practices:
- Cloudflare — site hosting, Workers, D1 database, Access (Zero Trust)
- iPOSPays / Dejavoo — PCI-DSS compliant payment processing
- Resend — transactional email delivery
- CMS NPI Registry — public-facing provider verification API
We share only the minimum data necessary for each provider to perform its function.
6. Cookies and tracking
We do not currently set tracking cookies for cross-site advertising. We may set first-party cookies necessary for configurator state and analytics. If we add analytics or marketing cookies in the future, we will update this policy and provide a consent mechanism.
7. Retention
Order and compounding records are retained per state board of pharmacy requirements — typically a minimum of two years. Payment records are retained per PCI-DSS guidance. NPI verification records are retained alongside the corresponding order record. Marketing-related data is retained until you opt out.
8. Your rights
Depending on your jurisdiction (US states with privacy statutes, EU/UK GDPR, etc.), you may have rights including:
- Access to the data we hold about you
- Correction of inaccurate data
- Deletion of data where retention is not required by regulation
- Objection to certain processing
- Data portability
To exercise these rights, contact hello@medicainenumb.com. We respond within 30 days.
9. Security
See our Security & Data Handling page for technical details on encryption, access control, security headers, and SOC 2-oriented controls.
10. Changes
Material changes to this policy will be reflected here with a revised effective date. We will notify you of material changes that affect data we already hold about you.
11. Contact
Privacy questions: hello@medicainenumb.com · (310) 889-0733