Privacy Policy
Last updated May 25, 2026
Short version: PharmacyAI stores your medication list locally on your device. We don't sell your data. The AI assistant sends your questions to OpenAI for processing. You can delete everything anytime. We're based in Norway and comply with the EU/EEA General Data Protection Regulation (GDPR).
1. Who we are (Data Controller)
PharmacyAI is an independent product developed and operated from Norway. For the purposes of GDPR, the Norwegian Personal Data Act, and other applicable laws, PharmacyAI is the Data Controller for personal data processed through the PharmacyAI iOS app and the website at pharmacyai-app.com. The operator's legal identity is available on request through the contact email below for any legitimate legal or regulatory purpose.
You can reach us at support@pharmacyai-app.com for any privacy question, data subject request, or complaint.
2. Information we collect
We collect the minimum information needed to operate the service. Categories below describe what is collected, where it lives, and why.
2.1 Information you provide directly
- Account identifiers (Sign in with Apple): When you sign in, Apple sends us a stable opaque user identifier and — if you choose to share it — your email address (which may be a private relay address). We never receive your Apple ID password.
- Email address (Web Pro / newsletter): If you start a Web Pro subscription or subscribe to product updates on the website, you provide your email address.
- Medication list and reminders: Drug names, dosages, schedules, notes, profile names (for caregiver profiles), and adherence logs that you create in the app.
- AI queries: The free-text questions you type into the AI assistant and the drug pairs you submit to the interaction checker.
- Photos and barcodes (camera features): Images you take of medication packaging, pills, or NDC barcodes.
- Support correspondence: Any message you send to support@pharmacyai-app.com, including your email address and the content of your message.
2.2 Special category data (health data) — GDPR Art. 9
Medication information may be considered "data concerning health" under GDPR Article 9. We process this category of data on the basis of your explicit consent (Art. 9(2)(a)), which you provide by (a) accepting these terms and this Privacy Policy when you first launch the app, and (b) granting iOS-level permissions when prompted for specific features (camera, notifications, Apple Health). Your medication list is stored locally on your device and is not transmitted to our servers unless you explicitly use a feature that requires server processing (AI assistant, interaction check, drug search, scanning). You can withdraw your consent at any time by deleting your account or uninstalling the app; withdrawal does not affect processing carried out before withdrawal.
2.3 Information collected automatically
- Aggregated, cookie-free website analytics: The website uses Vercel Web Analytics and Vercel Speed Insights, which collect aggregated page-view counts, country, device type, and browser without setting tracking cookies and without creating individual user profiles. No personal data is collected for the purpose of tracking you across sites.
- App diagnostics: The iOS app may send anonymous crash reports through Apple's standard mechanisms (you can opt out in iOS Settings → Privacy & Security → Analytics & Improvements).
- Server logs and rate limiting: Our backend records request timestamps, route, response code, IP address (truncated for European traffic), and a derived rate-limit key. These are retained for up to 30 days for abuse prevention and incident investigation.
3. Legal bases for processing (EU / UK / EEA users)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under GDPR Article 6 and (for health data) Article 9:
- Performance of a contract (Art. 6(1)(b)): To provide the features you request — checking interactions, running AI queries, delivering reminders, and processing your subscription.
- Your explicit consent (Art. 6(1)(a) and Art. 9(2)(a)): For storing and processing medication data on your behalf, and for any optional features that require it (e.g. push notifications, AI features).
- Legitimate interests (Art. 6(1)(f)): For security, fraud prevention, rate limiting, and product improvement based on aggregated usage data — balanced against your rights and freedoms.
- Compliance with legal obligations (Art. 6(1)(c)): For responding to lawful requests from public authorities and for tax/accounting records.
You can withdraw consent at any time by deleting your account, uninstalling the app, or contacting us. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
4. How we use your information
- To provide the core features of the app (medication list, reminders, scanning, interaction checks, AI answers)
- To deliver Web Pro subscription content and verify your subscription status
- To send service-related communications (subscription receipts, security alerts, important changes)
- To respond to your support requests
- To protect the service from abuse (rate limiting, fraud detection)
- To improve features based on aggregated, non-identifying usage signals
We do not use your information for advertising, profiling, or automated decision-making with legal effects.
5. AI features and disclosure
The AI Assistant and AI-powered drug interaction checker send your free-text questions (and the names of the medications you are checking) to OpenAI (model: gpt-4o-mini as of the last update of this policy) for processing. The data sent is the question itself plus a system prompt; it does not include your name, email address, account identifier, or medication list unless you choose to include that information in your question.
OpenAI processes API requests under its API Data Usage Policies and, as of this policy's date, does not use API inputs or outputs to train its general-purpose models. We do not retain AI queries on our own servers beyond the request-response cycle.
Important: AI output is informational only and may contain errors. Do not rely on it for medical decisions. See our Terms of Use for the full medical disclaimer.
6. Third-party service providers
We use a small, deliberate set of vendors, each with its own privacy policy and bound by a data processing agreement. We send only the minimum data each feature requires.
AI inference
- OpenAI (US) — gpt-4o-mini for the assistant and drug-interaction analysis. Receives your free-text question and drug names. Privacy ↗
Hosting & infrastructure
- Vercel (US, EU edge) — website and API hosting; cookie-free Web Analytics and Speed Insights. Privacy ↗
- Upstash (EU region) — rate-limit cache and short-lived (15-min) one-time login codes. Privacy ↗
Payments & subscriptions
- Apple (US/IE) — iOS App Store billing, Sign in with Apple, iCloud sync between your own devices, Push Notifications. Privacy ↗
- Stripe (US/IE) — Web Pro payment processing. We never see your full card number. Privacy ↗
- RevenueCat (US) — subscription state, receipt validation, and entitlement management. Privacy ↗
Notifications
- Firebase Cloud Messaging (IE for EU traffic) — delivery of push notifications you opted in to. Privacy ↗
Forms
- FormSubmit (US) — newsletter and contact form delivery to our support inbox. Info ↗
7. International data transfers
Several of the vendors above are based in the United States. When we transfer personal data outside the EEA / UK, we rely on:
- The EU–U.S. Data Privacy Framework for vendors that are certified under it, where applicable;
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- Supplementary technical measures such as encryption in transit (TLS 1.2+) and at rest;
- Data minimization: we send the smallest amount of data needed for the feature to work.
8. Data retention
| Category | Retention |
|---|---|
| Medication list, reminders, profiles | On your device until you delete them or uninstall the app. Synced via your own iCloud account if enabled — never to our servers. |
| Account identifier (Sign in with Apple) | Until you delete your account in Settings → Profile → Delete account. |
| Web Pro email + subscription state | Active period plus 7 years (Norwegian and EU tax/accounting law). |
| AI queries | Not retained on our servers. Subject to OpenAI's API retention (typically 30 days for abuse monitoring, then deleted). |
| Server logs (truncated IP, route) | Up to 30 days. |
| Support emails | Up to 3 years after the last interaction, then deleted. |
| Newsletter email | Until you unsubscribe. |
9. Your rights
9.1 EU / UK / EEA / Switzerland (GDPR rights)
You have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase your data ("right to be forgotten");
- Restrict processing in certain situations;
- Object to processing based on legitimate interests;
- Data portability — receive your data in a structured, machine-readable format;
- Withdraw consent at any time;
- Lodge a complaint with a supervisory authority. In Norway this is Datatilsynet (Norwegian Data Protection Authority) ↗.
9.2 United States (state-level rights)
If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, or another state with a comprehensive privacy law, you have rights similar to those above: to know what we collect, to access and delete it, to correct it, and to opt out of "sale" or "sharing" for cross-context behavioral advertising. We do not sell or share personal information for advertising purposes, so the opt-out has no practical effect for our service.
9.3 How to exercise your rights
Email support@pharmacyai-app.com with the subject line "Privacy request". We respond within 30 days (extendable by 60 days for complex requests, as permitted by GDPR Art. 12). We may need to verify your identity using the email address linked to your account.
10. Account and data deletion
You can delete your account at any time from the iOS app: Settings → Profile → Edit Profile → Account → Delete account. This permanently removes your account identifier, any server-side subscription record, and any associated server state. Medication data stored locally on your device is cleared when you sign out or uninstall the app.
Web Pro subscribers can also request deletion by emailing support. Local data on your device must be cleared by uninstalling the app.
11. Security
We protect your data with industry-standard measures including TLS 1.2+ in transit, encryption at rest by our infrastructure providers, server-side rate limiting, principle of least privilege for access, short-lived authentication tokens, and short-lived (15-minute) one-time login codes for Web Pro. No system is 100% secure; if you suspect unauthorized access to your account, contact us immediately.
12. Children's privacy
PharmacyAI is not directed at children under the age of 13 (or under 16 where local law sets a higher threshold for digital consent, including in many EU/EEA countries). We do not knowingly collect personal data from children. Parents and caregivers may, however, use the Caregiver Profiles feature to manage medication information for their own children on their own device. If you believe a child has provided us with personal data, contact us and we will delete it.
13. Cookies and similar technologies
The website uses only strictly-necessary, first-party storage (e.g. localStorage for your theme preference and one-time-code session). It does not set tracking cookies, advertising identifiers, or social-media pixels. Vercel Web Analytics is cookie-free.
If we ever add a non-essential tracker, we will display a consent banner and update this policy.
Most web browsers and some mobile operating systems offer a "Do-Not-Track" (DNT) signal. Because no industry standard exists for honouring DNT signals, we do not currently respond to them. If a recognized standard is finalised, we will update this policy.
14. Changes to this policy
We may update this policy to reflect changes in our service, our vendors, or applicable law. When we make material changes, we will update the "Last updated" date at the top of this page and, where required, notify you in the app or by email. Continued use of PharmacyAI after the effective date constitutes acceptance of the updated policy.
15. Contact
For privacy questions, requests, or complaints, email support@pharmacyai-app.com with the subject "Privacy request". Norwegian and EU residents can also lodge a complaint with their local supervisory authority — see §9.1 above.