Your Privacy,Our Commitment

VialRun, Inc. (“VialRun,” “we,” “us,” or “our”) operates an on-demand and STAT specimen-logistics platform that connects clinics and phlebotomists (“operators”) with W-2 couriers who collect laboratory specimens and deliver them to receiving labs. This Privacy Policy applies to:

• The VialRun Operator mobile application for iOS and Android
• The VialRun Courier mobile application for iOS and Android
• The VialRun website at vialrun.com and admin.vialrun.com
• Any related APIs, communications, and customer-support channels

By creating a VialRun account or using the Services, you acknowledge that you have read and understood this Privacy Policy.

The data controller responsible for your personal information is VialRun, Inc., a corporation headquartered in the State of Illinois, United States. For privacy questions you can reach our team at privacy@vialrun.com.

We collect the categories of information described below. The exact fields we collect depend on which app you use and which features you choose to enable.

3.1 Information you provide directly

3.2 Information collected automatically

• Device information: a unique device identifier (via react-native-device-info), operating system, OS version, app version, language settings, and time zone
• Log and usage data: screens viewed, features used, taps and interactions, request timestamps, and crash diagnostics
• Network information: IP address and approximate network-derived location
• Crash and stability data: via Firebase Crashlytics
• Push-notification tokens: via Firebase Cloud Messaging

3.3 Information from third parties

• Identity- and background-check results from Checkr (couriers only)
• Payment-method tokens, charge results, and payout status from Stripe
• Map, routing, and place data from Mapbox in response to addresses and routes you request
• Phone-verification status from Twilio (one-time codes are dispatched server-side; no Twilio SDK runs in the app)

We use your information to:

• Create and manage your account and verify your identity
• Match operators’ pickup requests with nearby couriers and dispatch pickups
• Provide turn-by-turn navigation and accurate pickup and delivery ETAs
• Generate chain-of-custody (COC) records, log cold-chain temperatures, and send one-tap SMS delivery confirmations to receiving labs
• Process practice billing and pay courier wages
• Send pickup updates, receipts, and operational notifications
• Provide customer, compliance, and safety support, including responding to incidents and investigating claims
• Detect, investigate, and prevent fraud, abuse, account takeover, and other harmful activity
• Improve the Services, debug crashes, and develop new features (using aggregated or de-identified data wherever possible)
• Comply with legal obligations (tax and payroll reporting, laboratory and HIPAA-related compliance, regulatory requirements, court orders, and law-enforcement requests)

We will not use your personal information for purposes materially different from those listed here without first notifying you.

Location is central to specimen logistics. We collect precise GPS location through your device’s location services after you grant permission.

Pickup route data (pickup site, receiving lab, and waypoints) is retained as part of your pickup history and chain-of-custody record.

6.1 Operators

Practice billing is processed by Stripe using its mobile SDK. Card numbers and CVCs are sent directly from your device to Stripe and are not stored on VialRun servers. We retain only a payment-method token, the brand and last four digits of your card, billing ZIP, and a transaction record for your subscription plan (Essential, Professional, or Enterprise) and per-pickup fees.

6.2 Couriers

Couriers are W-2 employees, and wages are paid through our payroll provider. Your bank routing number, account number, date of birth, and the last four digits of your SSN are collected to satisfy U.S. payroll, tax-withholding, and employment-eligibility requirements and are transmitted directly to our payroll and verification partners.

7.1 Between operators and couriers

To make a pickup work, certain information is exchanged in real time:

• Couriers see about operators: first name, practice or clinic name, profile photo (if provided), pickup site and receiving-lab addresses, specimen type and handling requirements, and access instructions.
• Operators see about couriers: first name, courier rating, profile photo (if provided), real-time location during the pickup, and estimated arrival time.

Personal phone numbers are not exposed; in-app messaging is used for communication during active pickups. Receiving labs confirm delivery via a one-tap SMS link and are not given app accounts.

7.2 With service providers

We share data with vendors who perform services on our behalf under contractual privacy and security obligations. These include payment processors, mapping providers, background-check providers, cloud hosting, communications, analytics, and customer-support tools. See section 8 for the specific providers used.

7.3 For legal and safety reasons

We may share information when we believe in good faith that disclosure is necessary to: comply with applicable law, court orders, or legal process; enforce our Terms of Service; protect the safety of operators, couriers, or the public; investigate fraud, compliance, or security incidents; or respond to lawful requests from governmental authorities.

7.4 Business transfers

If VialRun is involved in a merger, acquisition, financing, reorganization, or sale of assets, your information may be transferred as part of that transaction, subject to standard confidentiality protections.

7.5 With your consent

We may share information for any other purpose with your consent.

We never sell your personal information or specimen-associated data, and we do not share it with third parties for cross-context behavioral advertising.

The Services rely on the following third-party providers. Each handles personal data only for the purposes described below and is bound by their own privacy policy.

We do not embed third-party advertising SDKs, social-login providers, or cross-app tracking SDKs in either app.

We send you operational messages (pickup status, chain-of-custody and delivery confirmations, receipts, account and security notices) by push notification, in-app message, SMS, and email. These cannot be turned off while you have an active VialRun account because they are required to deliver the Services.

Marketing emails and promotional notifications are optional. You can unsubscribe at any time using the link in any marketing email or by adjusting notification preferences in the app.

We retain personal information for as long as necessary to provide the Services and to satisfy our legal, tax, accounting, laboratory-compliance, and dispute-resolution obligations. Pickup records, chain-of-custody records, payment records, and tax records are typically retained for a minimum of seven (7) years to comply with U.S. tax, financial, and laboratory recordkeeping requirements.

When personal information is no longer required, we delete it or de-identify it so that it can no longer be associated with you.

We use technical and organizational safeguards to protect your information, including:

• TLS encryption for all data in transit between the apps and our servers
• Encrypted storage of credentials and tokens on your device using the platform keychain (react-native-keychain)
• Optional Face ID, Touch ID, and Android biometric login. Biometric templates never leave your device.
• Role-based access controls for employee access to production systems
• Continuous monitoring, logging, and crash reporting

No system is perfectly secure. If you believe your account has been compromised, contact us immediately at privacy@vialrun.com.

Depending on where you live, you may have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your personal information
• Receive a copy of your data in a portable format
• Opt out of certain processing activities
• Withdraw consent where processing is based on consent

Residents of California, Colorado, Connecticut, Utah, Virginia, and other U.S. states with comprehensive privacy laws may exercise these rights by emailing privacy@vialrun.com. We will verify your request and respond within the time required by your state’s law.

You may delete your VialRun account at any time from within the app or by emailing us. Some information must be retained for legal, tax, and laboratory-compliance reasons even after account deletion.

The VialRun Services are intended for business use by healthcare professionals and are not directed to anyone under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at privacy@vialrun.com and we will delete that information.

Couriers are W-2 employees and must meet all applicable employment-eligibility and age requirements for the state in which they operate.

VialRun is operated from the United States and the Services are intended for use in the United States. If you access the Services from outside the United States, you consent to the transfer of your information to and processing in the United States, where data-protection laws may differ from those in your country.

We may update this Privacy Policy from time to time. The “Last Updated” date at the top of this page reflects the most recent revision. When we make material changes, we will notify you in advance through the app or by email. Your continued use of the Services after the effective date of an updated Policy constitutes acceptance of the updated terms.