Privacy Policy

Northern Peak is a provider-first routing service. We connect verified licensed clinicians to vetted 503A compounding pharmacy partners for lawful prescription fulfillment. The Service is B2B and intended exclusively for licensed medical professionals and their authorized staff. It is not intended for patients, consumers, or the general public.

Northern Peak is not a pharmacy. We do not compound, dispense, or ship medications. We do not provide clinical, diagnostic, dosing, or treatment advice.

Information you provide. When you submit our check, contact, onboarding, formulary unlock, or newsletter forms, we collect the information you choose to share, which may include: full name, clinic or practice name, National Provider Identifier (NPI), DEA number (optional), role, email, phone, shipping address, ship-to preference, state of license, product categories of interest, and any free-text message.

Information collected automatically. When you interact with the Service, we log your IP address, user agent, timestamp, and the path you used (e.g., which coverage page). For formulary unlock and onboarding flows, we additionally record the version of the confidentiality agreement you accepted, along with the full text of that agreement, for legal records.

NPI verification.When you submit an NPI to our onboarding or formulary unlock flow, we send the NPI to the public NPPES registry maintained by the Centers for Medicare & Medicaid Services to confirm active licensure. Only the NPI is transmitted. The registry response is used to confirm provider status and is not shared further.

Analytics. We use Vercel Analytics and Vercel Speed Insights to measure aggregated traffic and page-performance metrics. These products do not use third-party cookies and do not track you across other websites.

• To operate the Service and respond to your inquiries.
• To verify your professional credentials via the NPPES registry.
• To route qualified onboarding requests to our current pharmacy partner for fulfillment.
• To send you the biweekly newsletter if you subscribe. Every email includes an unsubscribe option.
• To send transactional notifications about your specific request (e.g., confirmation and follow-up emails).
• To improve the Service and diagnose performance issues.
• To comply with legal obligations and enforce our Terms.

We do not sell your information. We do not share it for third-party advertising. We share limited information only with the following categories of recipients:

• Pharmacy partners who fulfill your onboarding request. If you submit an onboarding form, the information necessary to onboard you (name, clinic, NPI, email, phone, state, DEA, shipping address) is shared with our current 503A partner for LifeFile onboarding.
• Service providers that operate our infrastructure: Supabase (database, storage), Vercel (hosting, analytics, performance), and Resend (transactional and newsletter email). Each is contractually bound to use your data only to provide services to us.
• Legal and regulatory authorities when we are required by law, subpoena, court order, or to protect our rights or the safety of others.

We retain lead records and communication history for up to seven years to meet common B2B record-keeping and audit expectations. Confidentiality-agreement acceptance logs are retained indefinitely as legal records, including the verbatim text of the agreement version you accepted, the timestamp of acceptance, your IP, and user agent.

Newsletter-subscriber records are retained until you unsubscribe. Unsubscribed records are marked as such rather than deleted, so we can honor your opt-out if your email re-enters through any intake.

You may request access to, correction of, or deletion of the personal information we hold about you by emailing us at the address in Section 11. We will respond within thirty days. Deletion requests are subject to the retention obligations above (for example, accepted confidentiality-agreement logs may be retained for legal records even after deletion of associated lead records).

If you are located in a jurisdiction with additional rights (for example, California CCPA or the EU GDPR), those rights apply in addition to the rights above.

We use encryption in transit (HTTPS), encryption at rest on our database and storage providers, row-level security policies to enforce least-privilege access, and server-only credentials for privileged operations. No system is perfectly secure, and we cannot guarantee the absolute security of your information.

We use essential cookies and browser local storage only for site function: a short-lived session cookie set by our hosting platform, an eight-hour staff-preview cookie used by internal administrators when verifying the site, and local storage for short-term session state. We do not set advertising cookies or cross-site tracking cookies.

The Service is intended for licensed medical professionals and their authorized staff. We do not knowingly collect information from anyone under eighteen. If you believe we have collected information about a minor in error, contact us and we will delete it.

We may update this policy from time to time. When we do, we will update the Effective date above and, for material changes, notify newsletter subscribers by email. Continued use of the Service after an update constitutes acceptance of the revised policy.

Questions, access or deletion requests, or other privacy concerns:

Northern Peak Health and Wellness LLC
Privacy inquiries: rosendo@obprx.com