Data handling

Data minimization

PillBird only asks for information that helps it provide reminders, scheduling, tracking, and the optional features you turn on. Optional location context is requested only if you enable it for travel/timezone reminders. There is no profile-building, no advertising data collection, and no selling of health information.

If a piece of data isn't needed to make a feature work, the app is designed not to ask for it in the first place.

Where your data lives

Your logs, reminders, and settings are stored locally on your device in an on-device database (SQLite), with sensitive values kept in the platform's secure storage. By default, this information does not leave your phone.

• Day-to-day data: stored in a local on-device database
• Sensitive values: kept in the operating system's secure store / keychain
• Location context: used transiently for timezone/travel reminders if enabled; coordinates are not stored
• Synced copies: created only if you explicitly enable cloud sync
• Account identity: Firebase Auth is used only for opted-in signed-in Plus/payment-linked or authenticated features

Cloud sync

Cloud sync is off by default and requires explicit sign-in and passphrase setup. When enabled, PillBird stores opaque encrypted settings/log blobs and a passphrase-locked recovery bundle on Cloudflare R2. The passphrase and plaintext data stay off our servers, and importing a local backup file does not enable cloud sync.

Security expectations

Data should be protected both at rest on your device and in transit if a feature sends it anywhere. PillBird also supports an app-level screen lock so your information stays private even if your phone is unlocked.

When sync or any networked feature is involved, data is sent over encrypted connections, and access is limited to the systems needed to run that feature.

Retention and deletion

Because PillBird is local-first, your data persists on your device until you remove it. Deleting your account from the app clears your local logs, settings, reminders, and personalization, and requests removal of any synced copy if sync was enabled.

Deletion is permanent and is something you perform yourself — see the Deleting your account page for the exact steps.

Third-party services

PillBird relies on a small number of trusted platform services. These receive only what they need to do their job, and not the plaintext contents of your health logs.

• Apple App Store and Google Play process payments and deliver the app
• RevenueCat manages subscription entitlement events; PillBird stores entitlement status, not card details
• Firebase Auth provides optional account identity for signed-in Plus/payment-linked or authenticated features
• Firebase Firestore / Firebase Admin store backend account, subscription, webhook, and share metadata needed to verify entitlements and run account deletion
• Firebase Crashlytics collects anonymized crash and stability diagnostics
• Cloudflare R2 stores opaque sync ciphertext only if you enable cloud sync

Your rights

You can access, correct, export-by-editing, and delete your information directly in the app, without filing a request or contacting support. The goal is that the controls live where you already are.