Privacy Policy
Effective April 23, 2026
This Privacy Policy explains how MonkeyWolf Digital LLC ("ScriptRun," "we," "us") collects, uses, stores, and protects personal information in connection with the ScriptRun pharmacy prescription delivery platform (the "Service"). ScriptRun is a business-to-business platform operated for licensed pharmacies. Patients do not interact directly with ScriptRun; they interact with their pharmacy, which uses our Service to manage deliveries.
1. Information We Collect
From pharmacies (our customers): business name, address, license details, administrator names, email addresses, phone numbers, and payment information.
From patients (through their pharmacy): first name, last name, phone number, delivery address, optional email address, prescription metadata (order identifier, pickup instructions, proof-of-delivery photos and signatures). We do not display medication names or clinical details to drivers.
Automatically: driver GPS location (only while the driver app is active and an active route is assigned), IP address, browser type, device identifiers, usage logs.
2. How We Use Information
- To dispatch, route, and deliver prescriptions to patients.
- To send SMS and email notifications to patients about their own deliveries (see Section 4).
- To provide tracking, proof of delivery, and analytics to the pharmacy.
- To process subscription billing and prevent fraud.
- To comply with applicable law, including HIPAA.
3. HIPAA and Protected Health Information
ScriptRun acts as a HIPAA Business Associate to participating pharmacies. Our standard Business Associate Agreement (BAA) is published at /baa for public review. We have executed or will execute BAAs with every pharmacy customer and with each of our subprocessors that may handle PHI, including Supabase, Twilio, Resend, Anthropic, and Vercel. The current subprocessor list is maintained at /security#subprocessors. PHI is encrypted in transit (TLS 1.2+) and at rest. Drivers never see medication names.
4. SMS Messaging
ScriptRun sends SMS messages to patients on behalf of participating pharmacies using Twilio. Messages are strictly transactional and relate only to the patient's own active prescription deliveries (dispatch notifications, tracking links, delivery confirmations, and failed-delivery notices). Message and data rates may apply. Message frequency is approximately 2–4 messages per delivery.
Patients consent to receive SMS at the pharmacy counter, either verbally (logged by the pharmacist) or through a written intake form. The pharmacy records consent in its patient management system. Patients may opt out at any time by replying STOP to any message. Reply HELP for assistance or email support@scriptrun.app.
Mobile information and opt-in data are not shared with third parties or affiliates for marketing or promotional purposes. We do not sell phone numbers or patient data.
5. Email
We send transactional email (delivery confirmations, account notifications, password resets, team invitations) via Resend. We do not send marketing email to patients.
6. Data Sharing
We share information only with:
- The pharmacy that collected the patient's data (our customer).
- Subprocessors acting on our behalf under contract (Supabase — database; Twilio — SMS; Resend — email; Anthropic — label recognition; Vercel — hosting; Stripe — billing; Mapbox — maps; OSRM — routing).
- Law enforcement or regulators when required by valid legal process.
- Successors in the event of a merger or acquisition, subject to this Policy.
We do not sell personal information.
7. Data Retention
Delivery records are retained for the duration of the pharmacy's account plus 7 years to meet pharmacy recordkeeping obligations, or longer if required by law. Driver GPS points are retained for 90 days, then aggregated. Patients may request deletion of their data by contacting their pharmacy, which can delete records through the ScriptRun dashboard.
8. Your Rights
Depending on your jurisdiction, you may have rights to access, correct, delete, or export your personal information. Patients should direct such requests to their pharmacy. Pharmacies and other direct customers may contact us at support@scriptrun.app.
9. Security
We use industry-standard safeguards including TLS encryption, role-based access control, row-level security in our database, and audit logging. Our current security posture and compliance roadmap are published at /security. No system is perfectly secure; we will notify affected customers and regulators of any breach as required by law.
10. Children
The Service is not directed to children under 13. We do not knowingly collect information from children under 13 directly; pharmacies may create records on behalf of pediatric patients with appropriate parental/guardian consent.
11. Driver Mobile Application
The ScriptRun Driver app is installed by delivery drivers employed or contracted by a participating pharmacy. When a driver uses the app, we collect the following information:
- Account information: name, email address, and phone number. These are provided by the pharmacy when the driver is invited to the platform and used only to authenticate the driver and assign deliveries.
- Precise location (GPS): collected while the driver is signed in and on an active route, including when the app is running in the background. Background location collection is necessary so dispatchers can see driver positions on the route map and so proof-of-delivery timestamps are accurate. Location collection stops when the driver completes the route, signs out, or revokes location permission in their device settings. Location data is used solely to operate the Service; it is not sold, shared with advertisers, or used for any purpose unrelated to delivery dispatch.
- Camera access: used only when the driver captures a proof-of-delivery photo or scans a package barcode. Photos are uploaded to the pharmacy's account and are not retained on the device beyond upload.
- Device identifiers and diagnostic data: used for crash reporting, security, and fraud prevention.
Drivers may revoke location, camera, or notification permissions at any time in their device settings, though doing so may prevent the app from functioning. Drivers may request access to or deletion of their personal data by contacting their pharmacy or emailing support@scriptrun.app. We do not use driver data for advertising and do not sell it.
12. Changes
We may update this Policy. Material changes will be emailed to account administrators and posted here with a revised effective date.
13. Contact
MonkeyWolf Digital LLC
8052 NW 114 Pl, Miami, FL 33178
Email: support@scriptrun.app