Privacy policy

Information you provide.

We collect information you submit when you register an account, complete eligibility verification, place orders, contact support, or otherwise interact with the Service. This includes:

• Identity and contact: first and last name, business email address, business phone number, role/title at the organization.
• Organization details: legal entity name, doing-business-as (DBA) name, primary practice or facility address, shipping addresses, billing contact, taxpayer identification number where required for invoicing.
• License and credentialing documents: practitioner license number, issuing state and board, license expiration, DEA registration number where applicable, NPI, supporting credentialing documents you upload (e.g., scanned license, board verification letter, institutional authorization).
• Order data: SKUs, quantities, lot numbers assigned to each shipment, ship-to address, carrier and tracking number, delivery confirmation, COA references, and compliance-disclaimer confirmations.
• Payment metadata: invoice numbers, payment-method last-four where applicable, ACH/wire reference data. Full payment card numbers are processed by our payment processor and are not stored on Bioveris systems.

Information collected automatically.

• Operational logs: IP address, user-agent string, request timestamps, authenticated session identifiers, and audit-log entries needed to operate the Service securely and investigate incidents.
• Cookies and storage: a small number of first-party cookies and local-storage entries required to operate authenticated sessions and remember basic preferences. We do not currently use third-party advertising cookies, behavioral-advertising trackers, or cross-context tracking on the authenticated portal.

Information from third parties.

We may receive information from third parties to confirm eligibility or to detect fraud, including:

• License verification sources: state medical, pharmacy, and nursing boards, the DEA registration database, NPI Registry, and third-party credential-verification vendors;
• Payment processors: settlement, dispute, and chargeback metadata;
• Carriers: delivery confirmation and exception data;
• Compliance and fraud-prevention services: address verification, sanctions screening, and risk scoring as part of onboarding and order review.

We use the information described above to:

• Verify eligibility under our practitioner-gating model (§02 of the Terms);
• Operate your account and fulfill orders;
• Maintain lot-level traceability and compliant recordkeeping;
• Generate and retain invoices and tax records;
• Detect, investigate, and prevent fraud, abuse, diversion, and unauthorized access;
• Respond to your support requests and to compliance inquiries;
• Send transactional communications about your account and orders;
• Send service announcements and, where you have not opted out, occasional product updates;
• Comply with applicable legal and regulatory obligations, including recordkeeping for product distribution and responses to lawful regulatory or law-enforcement requests; and
• Improve the security, performance, and quality of the Service in aggregated or de-identified form.

To the extent applicable, our processing relies on the following lawful bases:

• Contract performance: operating your account and fulfilling orders.
• Legitimate interests: fraud prevention, account security, lot-level traceability, business-relationship management, and improving the Service. We balance these interests against your rights and have determined that they do not override your reasonable expectations.
• Legal obligation: tax recordkeeping, product-distribution recordkeeping, sanctions screening, and responses to lawful government requests.
• Consent: where required by law, including for non-essential marketing communications. Consent can be withdrawn at any time without affecting prior processing.

We do not sell personal information. We do not rent personal information. We do not share personal information for cross-context behavioral advertising.

We share personal information only with the following categories of recipients, and only as needed for the purposes stated:

• Service providers and subprocessors operating under written data-processing agreements with confidentiality and security obligations, including: cloud infrastructure and database hosting; transactional email and notification delivery; payment processing; shipping carriers and address verification; license verification and credential-checking; and fraud detection and identity verification.
• Government and regulatory bodies when required by law, valid legal process (subpoena, search warrant, court order), or in response to an emergency where we have a good-faith belief that disclosure is necessary to prevent imminent harm.
• Professional advisors (attorneys, accountants, auditors) under confidentiality obligations.
• Successors in a business transaction: in the event of a merger, acquisition, financing, reorganization, sale of assets, or bankruptcy, we may transfer personal information to a successor or acquirer, subject to commitments consistent with this Policy.

A current subprocessor list is available on request from privacy@bioveris.co.

Bioveris currently operates only in the United States and ships only to U.S. addresses. Personal information is stored and processed in the United States. We do not currently market, sell, or ship to the European Union, the United Kingdom, or other jurisdictions imposing extraterritorial data-transfer obligations. If this changes, we will update this Policy and, where required, implement appropriate transfer mechanisms (e.g., Standard Contractual Clauses).

We retain personal information only as long as is reasonably necessary for the purposes for which it was collected, including legal, accounting, and regulatory requirements.

After the retention period, personal information is deleted, archived in an encrypted offline form, or irreversibly de-identified.

We employ administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, and destruction, including:

• TLS 1.2+ encryption for data in transit;
• Encryption at rest for stored data and uploaded documents;
• Role-based access control with least-privilege defaults;
• Row-level security policies on the underlying database, scoped per organization;
• Audit logs for sensitive access and configuration changes;
• Vendor reviews and contractual data-protection commitments with subprocessors;
• Annual review of security controls and access privileges.

No system is impervious to compromise. If we become aware of a personal-data security incident that triggers a notification obligation under applicable law, we will notify affected account-holders without undue delay in accordance with the applicable statute.

Subject to applicable retention obligations, you may exercise the following rights with respect to your personal information:

• Access — request a copy of the personal information we hold about you.
• Correction — request that we correct inaccurate or incomplete information.
• Export — request an export of your account profile, order history, and uploaded documents in a structured, commonly used format.
• Deletion — request that we delete your personal information, subject to records we are required to retain by law or for legitimate business purposes (most importantly, order, lot, and license records — see §06).
• Restriction and objection — request that we restrict or object to certain processing.
• Opt-out of marketing — unsubscribe at any time using the link in any marketing email or by contacting us.
• Withdraw consent — where processing relies on your consent, withdraw it at any time without affecting prior processing.

To exercise any right, send a request from the email address associated with your account to privacy@bioveris.co. We may need to verify your identity before fulfilling the request. We will respond within thirty (30) calendar days, or such shorter period as required by applicable law.

Authorized agents. A practitioner or organization may authorize a representative to make requests on its behalf with written authorization satisfactory to us.

No retaliation. We will not discriminate or retaliate against you for exercising any right under this Policy.

Bioveris is a vendor of products, not a healthcare provider. Bioveris is not a HIPAA covered entityand is not, by virtue of placing an order on this Service, a business associate of any customer practitioner. We do not ask for, and we do not need, protected health information ("PHI") to fulfill orders.

If a practitioner customer voluntarily uploads PHI — for example, attaching a patient chart to a support ticket — we will, depending on context, (a) ask the practitioner to redact and resend, or (b) handle the information with the same safeguards we apply to all sensitive uploads, but we do not undertake business-associate obligations under HIPAA absent a written Business Associate Agreement signed by an authorized officer.

Patient health information remains the legal responsibility of the practitioner under HIPAA, state medical-privacy laws, and the practitioner's own practice agreements. Bioveris encourages practitioners to avoid sending PHI through unsecured channels.

Bioveris is a B2B service. Where personal information collected from you relates to your role as an employee, owner, director, officer, or authorized representative of a business (rather than as a consumer of consumer products), several U.S. state privacy laws — including the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"), the Virginia Consumer Data Protection Act ("VCDPA"), and similar laws in Colorado, Connecticut, Utah, and other states — provide narrower coverage of B2B personal information.

To the extent any state privacy law applies, the categories of personal information we collect, the purposes, the categories of recipients, and your rights are as described elsewhere in this Policy.

California-specific.Bioveris does not "sell" personal information or "share" it for cross-context behavioral advertising within the meaning of the CCPA/CPRA. We have not done so in the preceding twelve months. We do not use sensitive personal information for purposes that would trigger CPRA limit-use rights.

Shine the Light.California residents may, once per calendar year, request a list of third parties to whom we disclosed personal information for those third parties' direct-marketing purposes in the preceding year. We do not engage in such disclosures, so any such request will receive a confirming response.

Bioveris does not currently target offers to, monitor the behavior of, or direct any service at individuals located in the European Economic Area, the United Kingdom, or Switzerland. If this changes, we will update this Policy with the appropriate disclosures (lawful basis, data controller of record, EU representative, transfer mechanism, supervisory-authority complaint route).

We use only the cookies and local-storage entries needed to:

• Operate authenticated sessions and remember your sign-in;
• Honor your basic preferences (e.g., timezone, density);
• Detect and prevent fraud (e.g., authenticated-session tampering);
• Measure aggregate, non-identifying site performance.

We do not use third-party advertising cookies, behavioral-advertising trackers, social-network tracking pixels, or cross-context tracking on the authenticated customer portal.

Most browsers offer controls to block or delete cookies. Blocking essential cookies will impair your ability to use the Service.

We do not currently respond to "Do Not Track" browser signals as no industry consensus on interpretation exists. We do honor the Global Privacy Control signal where applicable.

Bioveris is a B2B platform for licensed clinical, pharmacy, and research entities. We do not direct the Service to, or knowingly collect personal information from, minors. If you believe a minor has provided personal information to us, contact privacy@bioveris.co and we will delete it.

We may update this Policy from time to time. Material changes will be posted on this page with the new effective date and, where appropriate, communicated to active accounts by email. Continued use of the Service after the new effective date constitutes acceptance of the updated Policy.

Privacy inquiries should be sent to privacy@bioveris.co. We respond within one business day during normal business hours. Substantive responses to formal requests under §08 may take up to thirty (30) days.