Privacy Policy

What we collect, what we don't collect, where it lives, and how long it stays. Written to be read.

Effective date: 3 June 2026

1. Who we are

Drug Catalog is operated by the company behind drug-database.com (“Drug Catalog”, “we”, “us”), which is incorporated under Swiss law. For the personal data described in this Policy, we act as the data controller with respect to data we collect about you when you sign up for the Service or use the dashboard, and as the data processor with respect to any personal data your application sends through our API on behalf of your end-users (governed by our Data Processing Agreement).

The Service is designed so that, in normal use, your end-users’ personal data never reaches our infrastructure. Read on for the details.

2. What we collect

We collect a deliberately narrow set of personal data:

  • Account information. Tenant name, owner email address, country code, and (optionally) a billing address. Stored in the tenants table.
  • Authentication artefacts. HMAC-signed session cookies for the dashboard (the session_tokens table) and short-lived magic-link tokens (the magic_links table; tokens expire after fifteen minutes).
  • API keys. We store a SHA-256 hash of each key in the api_keys table. We never store the plaintext value; you see it once at creation and are responsible for its safe storage thereafter.
  • API usage counters. The api_usage table records, per key and per calendar period, the endpoint called, the HTTP status, the response time in milliseconds, and a request counter. We do not log the drug name, identifier, ATC code, NDC, Pharmacode, GTIN, or any other catalogue value that appears in the request or response.
  • Webhook subscriptions. For change-feed and recall webhooks, we store the destination URL and an HMAC signing secret in the webhook_subscriptions table.
  • BYOL credentials. Where you supply credentials for a commercial upstream (HCI, Vidal, Rote Liste, etc.) for tenant-scoped passthrough, we store them encrypted with pgsodium AEAD using a per-provider key (see supabase/migrations/20260602000034_byol_credentials.sql).
  • Payment information. Card numbers and bank details are handled by Stripe and never reach our infrastructure. We receive only a Stripe customer identifier, the last four digits of the card, and the subscription status.
  • Support communications. Emails and dashboard messages you send to support, kept for as long as needed to resolve the issue and for our legitimate interest in operational records.

3. What we deliberately do NOT collect

  • No personal health information (PHI). The /v1/prescriptions/validate endpoint accepts bucketed context only — age band (e.g. “65–74”), eGFR band, a pregnancy flag, condition codes — never names, dates of birth, medical record numbers, addresses, or free-text notes. That bucketed context is forwarded to a separate PHI Gateway product under its own DPA; only counters and elapsed-time values are retained in our phi_audit_log. The bodies of the request and response, and any warning text generated, are never persisted in Drug Catalog.
  • No catalogue values in logs. Operational logs record key identifier, endpoint, status, and timing. They do not record the drug name, ATC code, NDC, Pharmacode, GTIN, dm+d identifier, or any other clinical content.
  • No marketing trackers. The marketing site and the dashboard do not embed third-party advertising pixels, marketing analytics, or session-replay tools.
  • No biometric data. No facial recognition, no voiceprints, no fingerprints.

4. Why we process (legal bases)

Under the EU GDPR and the Swiss revised Federal Act on Data Protection (nFADP):

  • Performance of a contract. Account information, API keys, usage counters, billing data, and BYOL credentials are processed because they are necessary to deliver the Service you signed up for (Art. 6(1)(b) GDPR; Art. 31(2)(a) nFADP).
  • Legitimate interest. Operational logs, security telemetry, fraud prevention, and aggregate analytics are processed to keep the Service running and secure (Art. 6(1)(f) GDPR).
  • Legal obligation. Tax records, accounting books, and certain audit log entries are retained because Swiss commercial and tax law requires it (Art. 6(1)(c) GDPR; Code of Obligations Art. 957–958f).
  • Consent. The product newsletter (if you opt in) and any non-essential cookies are based on your consent and can be withdrawn at any time (Art. 6(1)(a) GDPR).

5. Data residency

Customer-facing Postgres is hosted on Supabase in Switzerland (eu-central-2 Zurich). The application edge runs on Cloudflare Workers in points-of-presence worldwide; Worker instances are stateless, terminate TLS, and forward authenticated requests to the Swiss database.

Outbound email (signup confirmations, billing receipts, dashboard notifications) is sent through Cloudflare Email Routing / MailChannels. Payment events go through Stripe (Stripe Payments Europe Ltd., Ireland, with US sub-processors).

6. Retention

  • Account records — for the life of the account plus thirty days after deletion, then purged.
  • API key hashes — until the key is revoked or rotated, then deleted.
  • API usage counters — rolled up monthly; raw rows are kept for thirteen months, then aggregated and the per-row data deleted.
  • Operational logs — thirty days.
  • Session cookies — thirty days, revocable from the dashboard at any time.
  • Magic-link tokens — fifteen minutes; single-use.
  • Raw ingestion artefacts (BAG-SL CSVs, AIPS XML, openFDA dumps, etc.) — twelve months, in the sources/raw/{source}/ bucket.
  • Ingestion run records (ingestion_runs) — kept indefinitely for audit and provenance.
  • PHI audit log (counters and ms_elapsed only, never bodies) — seven years, in line with healthcare compliance norms.
  • Stripe invoice records — ten years, per Swiss tax law.
  • Support correspondence — three years after the ticket is closed.

7. Subprocessors

We use the following subprocessors. Each has been reviewed for security posture and signed appropriate data processing terms with us:

Subprocessor                      Purpose                                          Region
Supabase                          Managed Postgres + storage + auth primitives     Switzerland (eu-central-2 Zurich)
Cloudflare                        Edge Workers, DNS, WAF, marketing site CDN       Global edge; control plane in the United States
Stripe                            Payment processing and subscription billing      Ireland (EEA), with US sub-processors
MailChannels / Cloudflare Email   Outbound transactional and notification email    Global edge

We will give thirty (30) days’ notice in the dashboard before adding or materially changing a subprocessor. Enterprise customers may object to a new subprocessor under the terms of their DPA.

8. Cookies and similar technologies

The dashboard sets a single first-party session cookie. It is HttpOnly, Secure, and SameSite=Lax, with a maximum age of thirty days, and is revoked when you sign out.

The marketing site sets no advertising or tracking cookies. Aggregate page-view counters are computed from Cloudflare access logs server-side and never linked to an individual visitor.

9. International transfers

Personal data is primarily stored in Switzerland. When data crosses borders, we rely on the following safeguards:

  • EU → Switzerland. Covered by the European Commission’s adequacy decision for Switzerland.
  • Switzerland / EU → United States (Cloudflare control plane, Stripe sub-processors). We rely on the EU–US Data Privacy Framework where applicable and on the European Commission’s 2021 Standard Contractual Clauses (Module 2 controller-to-processor and Module 3 processor-to-processor) with the Swiss FDPIC addendum, supplemented by the technical measures described in the Security Overview.

10. Security

TLS 1.2 or higher for all client connections, with HSTS preload. AEAD-encrypted BYOL credentials. SHA-256 hashed API keys with no plaintext persistence. HMAC-signed session cookies. Bucketed (never identifying) clinical context on the validation endpoint. Full details are in the Security Overview.

11. Your rights

Under GDPR (Articles 15–22) and the Swiss nFADP, you may:

  • request access to the personal data we hold about you;
  • request rectification of inaccurate data;
  • request deletion (“right to be forgotten”), subject to retention obligations under Swiss law;
  • request a portable export of the data you provided;
  • object to processing based on legitimate interest;
  • withdraw consent at any time, where consent is the legal basis;
  • lodge a complaint with a supervisory authority — the Swiss Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB) or, for EU residents, the data protection authority of your member state.

To exercise any of these rights, email privacy@drug-database.com from the address registered to your account. We respond within thirty days.

12. Children

The Service is for business and professional use by adults. We do not knowingly collect personal data from anyone under the age of 18. If you believe a child has created an account, contact us and we will delete it.

13. Data Processing Agreement

When you act as a data controller and use our Service to process personal data of your end-users, our Data Processing Agreement forms part of the contract. Enterprise customers can request a counter-signed copy with their tenant identifier.

14. Changes to this Policy

We will notify the owner email on file and post a notice in the dashboard at least thirty days before material changes take effect. The effective date at the top of this page always reflects the current version.

15. Contact

Privacy and data-subject requests: privacy@drug-database.com.
Security disclosures: security@drug-database.com.
Incidents: incidents@drug-database.com.