This Privacy Policy describes how EzMedSource LLC ("EzMedSource," "we," "us") handles information in connection with the marketplace at shop.ezmedsource.com (the "Service"). It applies to buyers, vendors, and casual visitors.
1. Information we collect
You provide directly
- Account information: name, email, organization, role, contact phone.
- Vendor onboarding information: business details, classifications, shipping zones, service specializations.
- Listing and catalog information: models, prices, lead times, photographs, specifications.
- RFQ content: the products requested, quantities, delivery notes, and any message text you include.
- Uploaded documents: manuals, work orders, service records you choose to contribute.
Collected automatically
- Log data: IP address, user agent, request paths, timestamps. Used for security, rate limiting, and debugging.
- Analytics: aggregated page-view data via Google Analytics 4, only when you consent via the cookie banner.
- Cookies: a session cookie for authentication (required) and a small preference cookie for analytics consent (optional).
From third parties
- Identity provider: WorkOS (our authentication provider) passes us your verified email when you sign in.
2. How we use information
- To operate the Service and authenticate you.
- To route your RFQs to the vendors whose listings you selected or who match the products you requested.
- To display public catalog content (product pages, manufacturer pages, vendor pages) so buyers can discover equipment.
- To send transactional email about your RFQs, listings, and account (these are service-essential and not marketing).
- To detect abuse, prevent fraud, and enforce our Terms of Service.
- To improve the Service in aggregate — understanding which pages are useful, which flows convert, which queries get no results.
3. How we share information
- With vendors who receive your RFQ: your organization, contact info, and message text are shared with the vendors your request is routed to. Vendors agree to use that information solely to respond to the RFQ.
- With service providers who operate the infrastructure underneath the Service: Google Cloud (hosting, database, object storage, error reporting), WorkOS (authentication), SendGrid (transactional email), Google Analytics (opt-in page-view analytics).
- For legal reasons when required by subpoena, court order, or regulation, or to protect rights, safety, or property.
- In a business transfer if EzMedSource is acquired or merged; successors are bound to this Privacy Policy.
We do not sell your personal information. We do not share RFQ content with any party outside the vendors who were asked to respond.
4. Data retention
- RFQ records: 7 years (for tax, warranty, and dispute support).
- Uploaded documents: while your organization is active on the Service, plus 90 days after account closure.
- Account data: until you request deletion (see below) or after 3 years of inactivity.
- Server logs: 90 days hot, then archived for 7 years.
5. Your rights
You have the right to access, correct, export, or delete your personal information. From your account settings you can:
- Update your profile and organization information.
- Download your RFQ history and contributed assets.
- Request account deletion. Deletion soft-deletes your account for 30 days to allow recovery, then hard-deletes your personal information. Aggregated and anonymized data (e.g., RFQ counts, catalog contributions with PII removed) may be retained.
California residents have rights under CCPA; EU/UK residents have rights under GDPR. To exercise those rights contact privacy@ezmedsource.com.
6. Security
We use TLS in transit, encryption at rest (Google-managed keys by default), least-privilege service accounts, and regular dependency patching. We store secrets in Google Secret Manager. No system is perfectly secure; notify us of suspected incidents at security@ezmedsource.com.
7. PHI and HIPAA
The Service is not designed to receive protected health information (PHI). Do not include PHI in product listings, RFQ messages, or uploaded documents. If you do so inadvertently, notify us and we will purge it.
8. Children
The Service is not directed to individuals under 18, and we do not knowingly collect information from minors.
9. International transfers
The Service is hosted in the United States. If you access it from outside the US, your information will be transferred to and processed in the US. We apply the same protections described above regardless of transfer location.
10. Changes
We will post material changes at least 30 days before they take effect. The "Effective" date at the top reflects the most recent revision.
11. Contact
Privacy questions: privacy@ezmedsource.com.