Privacy Policy
Last Updated: March 11, 2026
Veritas Technology Solutions, Inc. — legal@narctrack.io
1. Introduction
Veritas Technology Solutions, Inc. ("Company," "we," "us," or "our") operates the NarcTrack platform and the narctrack.io website (collectively, the "Services"). We are committed to protecting the privacy and security of all information entrusted to us, particularly given the sensitive nature of controlled substance tracking and medication management data.
This Privacy Policy explains what information we collect, how we use and protect it, when we disclose it, and what rights you have. It applies to all interactions with NarcTrack, including visitors to our marketing website and authorized users of the NarcTrack platform.
2. Who This Policy Applies To
This Policy covers two distinct groups of individuals, and we treat their data differently based on context and sensitivity:
- Site Visitors: Anyone who browses narctrack.io, reads our blog, submits a contact or pilot application form, or otherwise interacts with our public-facing website without an active platform subscription. Data collected from Site Visitors is general and low-sensitivity (see Section 3).
- Platform Users: Authorized personnel at agencies that have executed a NarcTrack Platform Agreement — including administrators, supervisors, and field users (e.g., paramedics, EMTs) operating the NarcTrack system. Platform Users interact with the system in an operational capacity, and the data involved is substantially more sensitive (see Sections 4–8). Platform Users access the service under the terms of their agency's executed Platform Agreement, which governs in the event of any conflict with this Policy.
If you are a field-level employee of an agency using NarcTrack, your agency (as your employer) is the subscriber to our Services. Questions about your individual data rights should be directed first to your agency's NarcTrack administrator, and secondarily to us at legal@narctrack.io.
3. Information We Collect — Site Visitors
When you visit narctrack.io, we collect limited, standard web analytics data:
- Usage & Analytics Data: Pages visited, referral source, browser type, device type, and general geographic region (country/state level). We use this data to understand how our site is used and to improve content.
- IP Address: Collected automatically for security logging and geographic analytics. Not linked to personal identity for site visitors.
- Contact & Application Forms: If you submit a contact request or pilot program application, we collect the information you voluntarily provide (name, email, agency name, role, fleet size, and similar). We use this solely to evaluate and respond to your inquiry.
- Cookies: We use essential cookies necessary for site function. We do not use advertising or cross-site tracking cookies. A minimal analytics cookie may be used to track aggregate page visit counts. You can disable cookies in your browser settings; doing so will not prevent you from accessing our public content.
4. Information We Collect — Platform Users
When your agency deploys the NarcTrack platform, we collect operational and security data necessary to provide the service and fulfill our diversion-detection mission. Categories include:
- Account & Identity Information: Name, email address, agency affiliation, role, and credentials of each registered user.
- Controlled Substance Transaction Logs: Records of each medication access, administration, waste, and reconciliation event, including timestamps, quantities, and the identity of the user performing the action. These records constitute the core audit trail of the platform.
- Geolocation Data: Physical GPS coordinates captured at the moment of "Tap to Trax" events and other critical transaction checkpoints. Geolocation is collected to establish context for each transaction and to support diversion investigations. Your agency, as your employer, is responsible for obtaining any required individual consent for location data collection before deploying the platform to field personnel.
- Device Telemetry: Device fingerprints, operating system identifiers, IP addresses, and unique device identifiers associated with each login and transaction event. This data is used to detect unauthorized access attempts and to verify that transactions originate from expected devices.
- Behavioral Analytics: Interaction patterns — including login frequency, transaction timing, access sequences, and anomalous activity flags — used by NarcTrack's diversion detection engine to identify potential variances for agency review.
- Audit Logs: A tamper-evident log of all administrative actions, configuration changes, and data access events within your agency's account.
Employee notice obligation: Agencies deploying NarcTrack to field personnel are responsible for providing appropriate workplace notice that the platform collects geolocation, device, and behavioral data during use. Your Platform Agreement includes model consent language for this purpose.
5. HIPAA and Protected Health Information (PHI)
NarcTrack is primarily an inventory and compliance tracking system. In certain operational contexts, data processed through the platform — such as medication administration records linked to patient encounters — may constitute Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations.
Where our clients are Covered Entities under HIPAA (which applies to the substantial majority of EMS agencies), Veritas Technology Solutions operates as a Business Associate. We implement the administrative, physical, and technical safeguards required under the HIPAA Security Rule to protect the confidentiality, integrity, and availability of any electronic PHI we receive, maintain, or transmit on a client's behalf.
A Business Associate Agreement (BAA) is executed as part of every Platform Agreement with a Covered Entity. Our cloud infrastructure provider, Supabase, operates under an executed BAA with Veritas Technology Solutions, ensuring HIPAA-compliant handling at the infrastructure layer.
We use PHI solely to provide the Services described in the BAA. We do not use PHI for our own marketing, product development, or any purpose not authorized under the applicable BAA and HIPAA regulations.
6. Diversion Detection & Investigation Support
NarcTrack serves as a neutral system of record. The detailed operational and behavioral data described in Section 4 may be relevant to internal agency investigations, regulatory audits, or law enforcement inquiries involving suspected medication diversion.
Voluntary disclosure to agency leadership:
Upon written request from an authorized agency representative (Medical Director, EMS Director, or Chief, as designated in the Platform Agreement), we will provide relevant transaction logs, geolocation records, device telemetry, and audit data to support an internal investigation. We do not make this data available to individual supervisors or personnel outside the agency's designated administrative contacts without authorization.
Legally compelled disclosure:
We may be required by law to disclose data in response to a valid court order, subpoena, warrant, or binding regulatory directive. This includes requests from the Drug Enforcement Administration (DEA), state pharmacy boards, and law enforcement agencies with proper legal authority. Where legally permitted, we will notify the affected agency prior to disclosure so that they may seek protective relief. We do not voluntarily cooperate with informal law enforcement requests for platform data absent written agency authorization or legal compulsion.
7. How We Use Your Information
We use the data we collect for the following purposes only:
- To provide, operate, maintain, and improve the NarcTrack platform and website.
- To process transactions and generate compliance and audit logs for your agency.
- To detect and flag potential medication diversion events for agency review.
- To communicate with you regarding account status, security alerts, product updates, and support.
- To evaluate pilot program applications and respond to contact inquiries (Site Visitors).
- To maintain the security and integrity of our systems through monitoring and anomaly detection.
- To comply with our legal obligations and enforce our agreements.
We do not sell personal data. We do not use operational data from Platform Users for advertising, marketing analytics, or any purpose unrelated to the delivery of the NarcTrack service.
8. Data Sharing and Disclosure
We share data only in the following limited circumstances:
- Infrastructure and Service Providers: We use Supabase as our cloud database and backend infrastructure provider. Supabase processes data on our behalf under a binding data processing agreement and, for PHI, an executed BAA. We do not share identifiable operational data with any other third-party vendors without agency authorization. A current list of our material subprocessors is available on request at legal@narctrack.io.
- Agency-Authorized Disclosure: We share data with agency leadership and investigators as described in Section 6, upon written request from an authorized agency representative.
- Legally Compelled Disclosure: As described in Section 6, we comply with valid legal process. We do not share data pursuant to informal law enforcement requests without legal compulsion or agency authorization.
- Business Transfers: In the event of a merger, acquisition, or sale of all or substantially all of our assets, agency data may be transferred to the successor entity. We will provide notice prior to any such transfer and require the successor to honor the commitments in this Policy and any executed BAAs.
9. Data Security
We implement enterprise-grade security measures appropriate to the sensitivity of the data we process. Key controls include:
- Encryption: All data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher.
- Access Controls: Role-Based Access Control (RBAC) with Row Level Security enforced at the database layer ensures that users can only access data they are explicitly authorized to view. Multi-Factor Authentication (MFA) is required for all administrative and supervisor-level accounts.
- Infrastructure: Our infrastructure is hosted on Supabase, which operates in AWS data centers that are SOC 2 Type 2 certified and HIPAA compliant. NarcTrack inherits these infrastructure-level certifications. Supabase's compliance attestations are available at supabase.com/security.
- Audit Logging: All access to sensitive data and all administrative actions are logged and retained in tamper-evident audit trails.
- Vulnerability Management: We conduct periodic security reviews of our platform. To report a potential security vulnerability, contact security@narctrack.io. We will investigate all credible reports and respond within five (5) business days.
No security system is impenetrable. Despite our controls, we cannot guarantee absolute security against all threats. In the event of a security incident, we will notify affected agencies as described in Section 10.
10. Breach Notification
In the event we discover or are notified of a security incident that results in unauthorized access to, acquisition of, or disclosure of agency data — including PHI — we will:
- Notify the affected agency's designated security contact within 72 hours of confirming that a breach has occurred, or as soon as practicable if the scope of the breach is still being assessed at that point.
- Provide a description of the nature of the incident, the categories and approximate volume of data involved, the likely consequences of the breach, and the measures we have taken or propose to take to address it.
- Cooperate fully with the agency's breach response process and any required regulatory notifications.
For breaches involving PHI, our notification procedures are governed by the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D) and the terms of the executed Business Associate Agreement.
11. Data Retention
We retain data for as long as necessary to provide the Services and comply with our legal obligations:
- Active accounts: All operational data is retained for the duration of the Platform Agreement and is accessible to authorized agency personnel at any time.
- Post-termination export window: Following account cancellation or expiration, agency data remains available for export in standard CSV format for thirty (30) days. We will provide written notice before permanently deleting agency data.
- Permanent deletion: After the 30-day export window, agency data is permanently deleted from our systems and from Supabase's infrastructure, except where retention is required by law (e.g., certain DEA record-keeping requirements).
- Site Visitor data: Contact and application form data is retained for up to two (2) years for business development purposes, unless you request deletion earlier.
- Security logs: System access and security audit logs are retained for a minimum of twelve (12) months for incident investigation purposes.
12. Your Rights
Depending on your location and applicable law, you may have rights with respect to your personal data, including the right to access, correct, or delete information we hold about you, or to object to or restrict certain processing.
Platform Users: Your agency, as the platform subscriber, controls your operational data. Please contact your agency's NarcTrack administrator to request access to, correction of, or deletion of your individual records within the platform. For requests that require our direct involvement, contact legal@narctrack.io and we will respond within forty-five (45) days.
Site Visitors: To request deletion of contact or application form data, email legal@narctrack.io with the subject "Data Deletion Request." We will confirm deletion within forty-five (45) days.
Please note that certain data — particularly controlled substance transaction logs — may be subject to mandatory legal retention requirements that limit our ability to delete records on request.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this page and, for Platform Users, provide notice via email to the agency's designated contact at least thirty (30) days before the changes take effect. Continued use of the Services after the effective date of a revised Policy constitutes acceptance of the changes.
For changes required by law or to address security vulnerabilities, we may provide shorter notice or implement changes immediately with concurrent notification.
14. Contact Us
For questions about this Privacy Policy, to exercise your data rights, or to report a privacy concern, contact us at:
- Email: legal@narctrack.io
- Security incidents: security@narctrack.io
- Company: Veritas Technology Solutions, Inc.
