Privacy Policy

The operator of pill-pal.com is the data controller for the personal information you give us. We operate from the United Kingdom.

You can reach us at privacy@pill-pal.com about anything in this policy.

We process the following information about you:

• Your email and password — to give you an account and let you sign back in. Passwords are hashed and salted by our authentication provider; we never see them in readable form.
• Your name — to greet you on the dashboard and in SMS reminders. Optional.
• Your mobile phone number — only if you opt in to SMS reminders. Used to send you (and any carers you've linked) an end-of-day reminder if you haven't marked your medications as taken. You can turn this off at any time on your settings page.
• Your medications, schedules, and dose history — so we can show you what's due, when, and whether you've taken it. This is medical-adjacent information; UK GDPR classes it as a "special category". We only process it with your explicit consent, which you give by creating an account and adding a medication.
• Your pill box's NFC token — a random identifier that links the physical box to your account. The NFC tag itself stores only the public URL; no medical data ever lives on the chip.
• Photos of medication labels — only if you use the "Scan medication label" feature. The image is sent to a third party (see below) to read the printed text. We do not store the image after the request completes.

We do not use cookies for tracking or advertising. We set only the minimum cookies needed to keep you signed in.

Under UK GDPR our lawful bases are:

• Performance of a contract — for everything needed to give you the service (account, medications, schedules, logs).
• Your explicit consent — for health-related data (your medications and adherence history) and for optional features (SMS reminders, sharing with a carer, label scanning).

We use a small number of trusted providers to run the service. Each is bound by GDPR-compliant data processing agreements. None of them have free rein over your data — they process it on our instructions only.

• Supabase — hosts our database and authentication. Data is stored in their EU region.
• Vercel — hosts the website itself. Vercel sees HTTP request metadata (IP address, browser type) for the purpose of serving pages and security; we don't enable any analytics features.
• Twilio — sends SMS reminders, only if you've opted in. Twilio receives your phone number and the message body.
• Anthropic — reads the text on a medication label photo, only when you press "Scan medication label". The image is sent to Anthropic, parsed, and discarded by both us and them. We instruct the model to ignore patient names, NHS numbers, and prescription numbers when extracting fields.

Some of these providers operate in the United States; transfers are covered by the EU–US Data Privacy Framework and standard contractual clauses where required.

• Account and medications: for as long as your account is open. When you delete your account (email us — we'll add a one-tap button shortly), we delete everything within 30 days.
• Dose history (logs of when you took a medication): kept for as long as your account is open, so you can see your history and adherence over time.
• SMS delivery records: kept for 12 months for troubleshooting and to verify what was sent.
• Label scan images: not stored after the scan completes (seconds).

Under UK GDPR you can:

• Ask for a copy of the data we hold about you
• Ask us to correct anything that's wrong
• Ask us to delete your account and everything in it
• Withdraw consent for optional features (SMS, label scanning, carer access) at any time
• Ask us to send your data to another service in a portable format
• Object to how we're using your data

The fastest way to exercise any of these rights is to email privacy@pill-pal.com. We aim to reply within 14 days; UK GDPR gives us up to 30.

If you're not happy with our response you can complain to the UK Information Commissioner's Office.

You can link a carer (typically a family member) to your account so they can see your dose history and receive reminders. The carer is shown your name, medication names, schedules, and dose history. They cannot see your password, your phone number, or anything else.

Only you can add or remove a carer link. You can revoke it at any time and the carer will lose access immediately.

Pill Pal is not designed for users under 18. We do not knowingly collect data about children. If you believe a child has set up an account, email us and we'll delete it.

We use a small number of strictly necessary cookies:

• Authentication cookies set by Supabase to keep you signed in across page loads.
• Vercel security cookies for bot protection and request routing.

We don't use analytics, advertising, or tracking cookies. Because all our cookies are strictly necessary for the service to function, you don't see a consent banner — UK and EU rules don't require one for cookies in this category.

If we make a material change we'll email you and update the date at the top of this page. Minor updates (typo fixes, clearer wording) we'll just make.

This policy describes a small, single-operator app. We have tried to be honest and specific rather than legalistic. If anything is unclear or you think we've got something wrong, please email privacy@pill-pal.com.