Privacy Policy

Last updated: May 8, 2026

This Policy explains how StocklyHealth handles information across our website and platform. Where we act as a HIPAA Business Associate for a healthcare customer, the applicable Business Associate Agreement controls.

1. Who we are

StocklyHealth, Inc. (“StocklyHealth,” “we,” “us,” or “our”) provides clinical inventory management software to U.S. healthcare providers. This Privacy Policy explains how we collect, use, share, and protect information through our website (stocklyhealth.com) and the StocklyHealth platform (collectively, the “Services”).

This Policy does not modify or replace any Business Associate Agreement (“BAA”) we have with a Covered Entity customer. Where a BAA applies, the BAA controls how Protected Health Information (“PHI”) is handled.

2. Information we collect

We collect three categories of information:

  • Information you provide. Name, work email, company / practice, role, and any details you submit through forms (contact, demo request, support).
  • Information from your use of the Services. Account credentials, configuration choices, in-product activity, device and browser metadata, IP address, and approximate location derived from IP.
  • Customer data. Inventory, vendor, purchasing, supply usage, and patient-encounter data uploaded or generated through the platform. Where this includes PHI, we act as a Business Associate under HIPAA.

3. How we use information

We use information to:

  • Operate, maintain, secure, and improve the Services;
  • Authenticate users, prevent abuse, and respond to support requests;
  • Communicate about your account, security, billing, product changes, and (with consent) marketing;
  • Generate de-identified, aggregated insights for benchmarking and product development;
  • Comply with legal, regulatory, and contractual obligations.

We do not sell personal information, and we do not use customer data to train third-party AI models.

4. PHI and HIPAA

StocklyHealth is built to function as a HIPAA Business Associate for our healthcare customers. PHI is encrypted in transit (TLS 1.2+) and at rest (AES-256), access is least-privilege, and audit logs capture access to PHI. We will only use or disclose PHI as permitted by the applicable BAA and by law.

If you believe your PHI has been used or disclosed improperly, contact privacy@stocklyhealth.com.

5. Sharing of information

We share information only as follows:

  • Subprocessors. Vetted vendors who help us deliver the Services (e.g. cloud hosting, error monitoring, email delivery). A current list is available on request.
  • Customers and users you authorize. Information is shared inside your organization’s account based on the roles you configure.
  • Legal & safety. Where required by law, valid legal process, or to protect rights, property, or safety.
  • Business transfers. In connection with a merger, acquisition, or asset sale, subject to standard confidentiality protections.

6. Cookies and analytics

We use a small number of strictly necessary cookies for authentication and security. We may also use privacy-preserving analytics to understand aggregate usage of the marketing site. We do not use advertising cookies and do not participate in cross-site tracking. You can control cookies through your browser settings.

7. Data retention

We retain account and customer data for as long as your account is active and as needed to provide the Services. After termination, customer data is deleted or de-identified within 60 days, except where retention is required for legal, accounting, or audit purposes. Backup copies are purged on a defined cycle.

8. Your rights

Depending on where you live (including under the GDPR, UK GDPR, and applicable U.S. state privacy laws such as the CCPA/CPRA), you may have rights to access, correct, delete, port, or restrict processing of your personal information, and to object to certain uses. To exercise these rights, email privacy@stocklyhealth.com. Where StocklyHealth processes data on behalf of a Covered Entity customer, we will direct your request to that customer.

9. International transfers

StocklyHealth is operated from the United States. If you access the Services from outside the U.S., your information will be transferred to and processed in the U.S. We rely on appropriate safeguards (such as Standard Contractual Clauses) for transfers from the EEA, UK, and Switzerland.

10. Security

We maintain administrative, technical, and physical safeguards designed to protect information consistent with HIPAA, HITECH, and SOC 2 Type II. No method of transmission or storage is 100% secure; if you believe your account has been compromised, contact security@stocklyhealth.com immediately.

11. Children

The Services are intended for use by healthcare organizations and their authorized personnel. They are not directed to children under 13, and we do not knowingly collect personal information from children.

12. Changes to this Policy

We may update this Policy from time to time. Material changes will be communicated by posting an updated version on this page with a new “Last updated” date and, where appropriate, by additional notice in the Services or by email.

13. Contact

StocklyHealth, Inc.
Attn: Privacy
privacy@stocklyhealth.com