Privacy Policy
Last updated: June 1, 2026
PillBox processes data about your health — information about the medications you take, dosages, well-being and treatment adherence. This is a special category of personal data that requires enhanced protection. This Policy describes in detail what data we collect, why, and how you can control it.
1. General
1.1. This Privacy Policy (the "Policy") governs the processing of personal data of users of the PillBox mobile application (the "App").
1.2. The data controller is PillBox (the "Operator", "we").
1.3. This Policy is developed in accordance with applicable data protection laws, including, where applicable, the EU General Data Protection Regulation (GDPR).
1.4. By using the App, you confirm your agreement with this Policy and consent to the processing of your personal data, including health data, on the terms described below.
2. Data we collect
2.1. Account data
- email address;
- hashed password (if you sign up with email/password);
- third-party authentication provider ID (Apple ID, Google) and the associated email;
- username (if provided);
- profile photo (if uploaded).
2.2. Health and medication data
- medication names, dosages, forms;
- intake schedule (times, days of week, course length);
- special intake conditions (on an empty stomach, after meals, on workout days, when ill, etc.);
- records of doses actually taken, with date and time;
- images of prescriptions and medical orders uploaded by you;
- your notes and comments on medications or intake days.
This data is a special category of personal data (health data). It is processed solely on the basis of your explicit and informed consent.
2.3. Technical data
- device model, operating system version, App version;
- interface language, time zone;
- unique device and/or installation identifier;
- IP address and approximate geolocation derived from it (country, region);
- error and crash logs;
- anonymized usage analytics (screen views, button taps).
2.4. Payment data
We do not receive or store your payment details (card number, CVV). All subscription payments are processed by the App Store / Google Play. We receive only confirmation of payment and a transaction identifier.
3. Purposes of processing
- creating and authenticating your account;
- providing the core functionality of the App — intake calendar, reminders, adherence calculation;
- AI-based recognition of prescriptions from uploaded images;
- syncing data across the devices of a single account;
- user support;
- improving the App, fixing bugs, developing new features (based on anonymized statistics);
- processing subscription payments;
- compliance with legal requirements.
4. Legal bases for processing
- consent of the data subject (explicit consent for health data);
- performance of a contract (provision of the subscription service);
- the Operator's legitimate interests (fraud prevention, security);
- compliance with legal obligations.
You may withdraw your consent at any time by emailing support@pillbox.cyou. Withdrawal of consent results in discontinuation of your use of the App.
5. Sharing data with third parties
The Operator does not sell personal data. Limited data is shared with third parties only to the extent necessary for the App to function, governed by appropriate agreements:
- cloud database and authentication provider;
- AI service providers for prescription recognition (e.g., Anthropic, OpenAI) — they receive the prescription image for the duration of processing;
- Apple Inc. and Google LLC — for distribution of the App, delivery of push notifications, and processing of subscription payments;
- Sentry or another error-monitoring service — anonymized crash logs;
- analytics services (if used) — anonymized usage events;
- government authorities — only in the cases and manner expressly required by law.
Where data is processed by providers located in other countries, such international transfers are carried out under appropriate safeguards.
6. Storage and security
6.1. Data is stored in encrypted form on the infrastructure of cloud providers. Passwords are stored as cryptographic hashes and cannot be recovered in plain text.
6.2. Access to personal data is limited to authorized personnel of the Operator who are bound by confidentiality.
6.3. Protective measures include:
- encryption of data in transit via HTTPS/TLS;
- Row-Level Security in the cloud database restricting access to records to the account owner only;
- regular software updates and vulnerability remediation;
- monitoring for unauthorized access.
6.4. Despite these measures, absolute security cannot be guaranteed. In the event of a data breach, the Operator will notify affected users within the period required by law.
7. Retention periods
- account data and medication intake data — until you delete your account;
- prescription images — up to 30 days after recognition (to allow re-processing in case of an error), then deleted automatically;
- error logs and analytics events — up to 12 months in anonymized form;
- payment and subscription data — for the period set by tax and accounting law (up to 5 years).
After the retention periods expire, data is deleted or anonymized.
8. Your rights
- obtain confirmation that your data is processed and a copy of it;
- request rectification of inaccurate data;
- request erasure of your data (the "right to be forgotten");
- restrict processing;
- object to processing based on the Operator's legitimate interests;
- receive your data in a structured, machine-readable format (data portability);
- withdraw consent previously given;
- lodge a complaint with the competent data protection authority.
Residents of the EEA, the United Kingdom and certain U.S. states (e.g., California) may have additional rights. To exercise your rights, email support@pillbox.cyou. The Operator will respond within 30 days of receiving your request.
9. Account deletion
9.1. You can delete your account:
- in the App settings (Profile → Delete account); or
- by emailing support@pillbox.cyou.
9.2. After account deletion:
- all personal data and health data are deleted within 30 days;
- prescription images are deleted immediately;
- anonymized analytics may be retained without the ability to identify you;
- payment data is retained for the period required by law.
10. Children's privacy
The App is not intended for use by persons under 18 without the consent of their legal guardians, and is not directed to children under 13. The Operator does not knowingly collect personal data from minors. If a legal guardian determines that a minor has provided personal data without consent, they may request deletion at support@pillbox.cyou.
11. Cookies and similar technologies
The App does not use cookies in the classic sense but may use local device storage (UserDefaults, AsyncStorage, Keychain) to save settings, authentication tokens and cached data. This data is stored locally on your device and is not transmitted to the Operator unless necessary.
12. Notifications and marketing
12.1. Medication push notifications are sent only with your explicit permission via the device system settings.
12.2. The Operator does not send promotional messages without separate consent.
12.3. You can disable notifications at any time in the device or App settings.
13. Changes to this Policy
13.1. The Operator may update this Policy. The new version is published in the App and at https://pillbox.cyou/privacy.
13.2. Material changes affecting your rights are communicated via email or an in-app banner at least 14 days before they take effect.
13.3. Continued use of the App after the changes take effect constitutes acceptance of the new version.
14. Contact information
Operator: PillBox
Privacy enquiries: support@pillbox.cyou
Support: support@pillbox.cyou
Website: https://pillbox.cyou/