Privacy Policy
Last updated: 2026-04-27
What data is stored locally
When you use PillMe, the following data is stored on your device inside the app's private sandbox:
- Medication details (name, form, strength, color, photos you attach)
- Schedules and reminder times
- Dose history (taken / skipped / snoozed / missed)
- Inventory counts and low-stock thresholds
- Doctor and pharmacy contact information you choose to add
- App preferences (theme, nag interval, snooze duration, lock settings)
- If you enable app-lock, a salted hash of your PIN (the PIN itself is never stored)
What data leaves your device — only when you opt in
None by default. Data leaves your device only when you take one of these explicit actions:
- Sign in for cloud sync. If you sign in with Apple, Google, or email, your medications, dose history, and a basic profile (display name, email) are uploaded to Google Cloud Firestore inside a subtree scoped to your account UID. Firestore security rules block any other user from reading it. You can sign out at any time (cloud copy is preserved) or delete your account from Settings (cloud copy is wiped, GDPR-compliant).
- Connect a caregiver. When you generate an invite code and share it with a trusted person who accepts it, that person gains read-only access to your medications and dose history through Firestore security rules. They never see your push notification tokens, account profile, or other private data. Either side can unlink at any time. The Cloud Function that sends them a push when you miss a dose runs on Google's infrastructure in europe-west3 (Frankfurt).
- Share a backup. "Export backup" produces a JSON file and hands it to the system share sheet. You choose where it goes (iCloud, email, a file). We never see it.
- Share via QR code. The QR option renders the backup on-screen for another device to scan. Nothing is transmitted over a network.
- Call your pharmacy. Shake-to-call opens your native phone dialer. The call is handled by your carrier, not by PillMe.
- Notifications. Local notifications are scheduled by iOS or Android on-device. Caregiver pushes are sent via Firebase Cloud Messaging (FCM) when you miss a dose and have a caregiver linked.
Permissions we request
- Notifications — to deliver reminders at the times you set.
- Camera — only if you attach a photo of a medication.
- Photo library — only if you pick an existing photo to attach.
- Face ID / Touch ID / biometrics — to unlock the app, if you enable app-lock.
- Motion / accelerometer — to detect shake-to-call for the pharmacy.
- Exact alarms (Android) — to fire reminders at the exact minute.
- Background app refresh — to mark missed doses and trigger caregiver alerts even when you don't open the app (only relevant if a caregiver is linked).
PillMe does not request location, contacts, microphone, or any other permission.
Third-party services
PillMe uses these third-party services only to the extent that you opt in to features that require them:
- Google Cloud Firestore + Firebase Authentication + Firebase Cloud Messaging (Google LLC). Used for cloud sync, caregiver pairing, and missed-dose push alerts. Only relevant if you sign in. Google's privacy policy and Firebase's data-processing terms apply to data you upload through these services. Region: europe-west3 (Frankfurt) for EU/Norwegian users.
- Apple Sign-In, Google Sign-In (Apple Inc., Google LLC). Used as identity providers when you choose to sign in. We receive only the identity token, your email, and (optionally) your display name from these providers — they do not get your medication data.
- openFDA (U.S. Food and Drug Administration). Read-only public drug-label API queried over HTTPS to fetch warnings and interaction text for medications by name. We send the medication name only — no user identifiers.
PillMe does not integrate with any analytics SDKs, crash-reporting services, ad networks, or data brokers.
Children
PillMe is a general-audience reminder tool and is not directed at children under 13.
Security
Your local data is protected by your device's standard application sandbox. If you enable app-lock, the app also requires biometric verification or a PIN to view or modify your data. Cloud data (when you sign in) is protected by Firestore security rules that restrict reads and writes to your authenticated user account, and additionally by HTTPS in transit and Google's at-rest encryption.
Your controls
- View your data. All of it is inside the app itself.
- Stop syncing. Sign out from Settings. Your local copy stays, and future writes are not uploaded.
- Delete your account. Settings → Delete account wipes your cloud Firestore subtree, caregiver links/invites, and Firebase Auth user record. Your local copy on this device is also cleared.
- Unlink a caregiver. Either side can unlink at any time; their read access stops immediately.
- Uninstall. Removing PillMe wipes all local storage. If you signed in, your cloud data persists until you also use Delete Account.
- Export your data. Use "Export backup" any time for a portable JSON copy.
Changes to this policy
If we ever change this policy, we'll update the "Last updated" date above. Please check back here or read the in-app disclaimer.
Contact
Questions about this policy? Open an issue at the app's repository or contact the publisher at the address listed in the App Store / Play Store listing.