ChronoPill
Privacy Policy
Last updated: 20 April 2026. Incorporated by reference into the Terms of Service and the Legal Disclaimer.
Do Not Sell or Share My Personal Information → · Limit the Use of My Sensitive Personal Information →
1. Who we are
ChronoPill is published by ChronoPill. For any privacy-related question or data-rights request, contact contact@chronopill.com.
2. What data we collect and where it lives
2.1 On-device only (default)
By default, 100% of your medication data is stored locally on your iPhone and is never transmitted to our servers. This includes:
- Medication names, dosages, schedules, and reminders
- Adherence history (doses taken, skipped, or missed)
- Family member profiles you create
- Health profile details (age, weight, allergies, conditions)
- Side effect logs and symptom notes
- Legal disclaimer acceptance and app preferences
Storage technology: Apple SwiftData (a managed CoreData store) inside the app's iOS sandbox, encrypted at rest by iOS. Sensitive tokens (if any) are stored in the iOS Keychain.
2.2 Optional cloud features (opt-in, disabled by default)
| Feature | Data sent | Recipient | Retention |
|---|---|---|---|
| Enhanced AI interactions check | Medication names, dosages, generic age/weight bracket | Amazon Bedrock (AWS us-east-1) via our API | Request is not stored; only anonymous aggregate metrics |
| Price estimate (US only) | Medication brand name, dosage, form, ZIP code | Amazon Bedrock via our API | Not stored |
| Barcode scan lookup | Barcode digits only | openFDA, DailyMed, ANSM (public databases, depending on country) | Log-only, subject to those providers' policies |
| Medication equivalents abroad | Active substance name, dosage | RxNav, CIMA, KEGG, ANSM BDPM (public databases, depending on destination) | Log-only, subject to those providers' policies |
You can toggle Enhanced AI at any time in Settings. Disabling it prevents any further outbound requests of that kind. Data already processed before you disabled it is not retained by us.
2.3 Apple Health (optional, read + write)
If you grant Health access, ChronoPill reads vitals (height, weight) and writes medication administration records to Apple Health so other health apps can see your dose history. You can revoke Health access at any time in iOS Settings > Privacy & Security > Health > ChronoPill. Apple Health data never leaves your device through ChronoPill.
2.4 Optional account (email + password or Sign in with Apple)
An account is not required to use ChronoPill: you can install the app and manage medications without ever signing in. If you choose to create an account (to back up your Premium entitlement, contact support, or sync across your own devices), the following is collected and stored on our backend (AWS Lambda + DynamoDB, eu-west-3 / us-east-1):
- Email address (or the relay address Apple provides if you choose Hide My Email with Sign in with Apple).
- Password hash (bcrypt; the plaintext password never leaves your device and is never stored).
- Display name (only if you provide one; not required).
- Internal user ID (a random UUID we issue; we do not store the Apple-provided identifier as a key on its own).
- Subscription entitlement state (active / lapsed) tied to the StoreKit transaction ID; we never see card or Apple ID data.
This information is linked to your account record. We use it solely for: signing you in, restoring your purchase across reinstalls, replying to support requests, and processing privacy-rights requests. We do not use it for advertising, profiling, or any third-party disclosure. Account data is encrypted at rest (AWS-managed KMS) and in transit (TLS 1.3).
You can delete your account at any time from Settings > Account > Delete Account inside the app (see Section 5.4 below). Doing so erases the account record on our backend and wipes all local data on the device.
2.5 Alert Contacts (optional, opt-in)
If you opt into the Alert Contacts feature (Settings > Alerts), ChronoPill can notify one or more family members or caregivers when a critical dose is missed. To set this up you grant the iOS Contacts permission and choose specific entries from your address book; the app reads only the entries you explicitly select (name + phone number and/or email), never the entire address book. The selected name, phone, and email are stored locally on your device and, when an alert fires, are sent to our notification Lambda (AWS, eu-west-3 / us-east-1) solely to deliver the SMS or email; the contact details are not retained on our servers beyond the message-delivery window. The recipient receives only the alert content you chose to send; they do not receive your medication list or any health data. You can revoke this permission at any time in iOS Settings > Privacy & Security > Contacts > ChronoPill, and you can remove selected contacts from Settings > Alerts inside the app.
3. What we do NOT collect
- No advertising identifier (IDFA).
- No analytics SDKs, no telemetry, no crash reporting to third parties.
- No social media tracking pixels.
- No location tracking unless you explicitly enable Travel Mode, Fasting Mode, or driving detection.
- No payment card or billing data — Apple StoreKit handles all transactions.
4. In-app purchases
Subscription and purchase transactions are handled directly by Apple (StoreKit). ChronoPill never sees your credit card number, billing address, or Apple ID. We receive only an anonymous receipt token from Apple to verify entitlement. See Apple's privacy policy.
5. Your rights
Because the app stores data locally by default, you exercise most rights directly on your device:
- Access: all your data is visible inside the app. Export it as a PDF report (Settings > Export).
- Deletion (local data): uninstalling the app deletes all local data. iOS then wipes the sandbox immediately. In-app: Settings > Data & Privacy > Clear All Data.
- Account deletion (server data, if you created an account): Settings > Account > Delete Account permanently erases your account record on our backend and wipes all local data on the device. See Section 5.4.
- Rectification: edit or delete any medication record in the app.
- Objection: disable optional cloud features in Settings at any time.
- Complaint: you may lodge a complaint with your local data protection authority (CNIL in France; EU DPAs; your State Attorney General in the US).
5.1 European Union & United Kingdom (GDPR / UK GDPR)
EU/UK residents have the rights of Access, Rectification, Erasure, Restriction, Portability, Objection, and the right not to be subject to automated decision-making with legal effects. International transfers to AWS US East (N. Virginia) rely on Standard Contractual Clauses (see Section 8). Data controller: ChronoPill, France.
5.2 United States — State Privacy Rights
ChronoPill honors the rights below for all US users, regardless of state of residency, because the underlying data-minimisation choices are the same across jurisdictions: almost all data stays on your device, we do not sell it, we do not share it for advertising, and we do not profile you for automated decisions with legal effects.
| Right | What it means here | Covered by |
|---|---|---|
| Right to Know / Access | Get the categories, sources, purposes, and recipients of your personal information. See Section 12. | CCPA §1798.100 (CA), VCDPA (VA), CPA (CO), CTDPA (CT), UCPA (UT), OPA (OR), MCDPA (MT), TDPSA (TX) |
| Right to Delete | In-app: Settings > Data & Privacy > Clear All Data, or uninstall. For server-side logs (optional cloud features), email us. | CCPA §1798.105 and all US state privacy laws |
| Right to Correct | Edit medications, schedules, and Health Profile directly in the app. | CPRA §1798.106, VCDPA, CPA, CTDPA, OPA, TDPSA |
| Right to Data Portability | In-app: Settings > Export produces a portable PDF/JSON bundle. | CCPA §1798.130 and all US state privacy laws |
| Right to Opt-Out of Sale | Not applicable — we do not sell your personal information and never have. | CCPA §1798.120 |
| Right to Opt-Out of Sharing (cross-context behavioral advertising) | Not applicable — we do not share personal information for cross-context behavioral advertising. | CPRA §1798.120(a), CTDPA, CPA |
| Right to Limit Use of Sensitive Personal Information | Your Health Profile is Sensitive PI and is used only to perform the service you requested (AI interaction check) — never inferred, profiled, or disclosed. | CPRA §1798.121 |
| Right to Opt-Out of Profiling / Automated Decision-Making | ChronoPill does not make solely-automated decisions that produce legal or similarly significant effects. | CPA, CTDPA, TDPSA, OPA |
| Right to Non-Discrimination | We will not deny service, charge different prices, or degrade quality because you exercised any right. | CCPA §1798.125 |
| Right to Appeal | If we deny a request, reply to our decision email to appeal. We respond within 45–60 days depending on your state's deadline. | VCDPA, CPA, CTDPA, MCDPA, OPA, TDPSA |
5.3 How to exercise your rights
- In the app (fastest — no identity verification needed since data is local): Settings → Data & Privacy → Export Data / Clear All Data, or Settings → Account → Delete Account for the server-side account record.
- Email: contact@chronopill.com with subject "US Privacy Request — [Know / Delete / Correct / Portability / Appeal]" and your state of residence.
- Response time: receipt confirmed within 10 business days, substantive response within 45 days (extendable once by 45 days under CCPA §1798.130(a)(2)). VA, CO, CT, UT, OR, MT, TX deadlines honored per their statutes.
- Authorized agents may submit requests on your behalf under CCPA §1798.135; we verify the agent's authorization and your identity before acting.
5.4 Account deletion (Apple App Store Guideline 5.1.1(v))
If you have created an account inside ChronoPill (email + password or Sign in with Apple), you can permanently delete it directly inside the app, without having to email us, write a letter, or visit a website. The deletion path is:
Settings → Account → Delete Account → confirm in the dialog
When you confirm, ChronoPill:
- Calls our backend to permanently erase your account record (email, password hash, display name, internal user ID, subscription entitlement metadata) within 30 days.
- Cancels all scheduled local notifications.
- Wipes all locally stored data (medications, schedules, dose history, Health Profile, family profiles, app preferences) from your device.
- Removes any tokens or credentials stored in the iOS Keychain.
- Returns the app to its first-launch state.
Apple subscriptions are billed by Apple, not by us. Deleting your account does not cancel an active App Store subscription. To stop a recurring charge, also cancel the subscription in iOS Settings > Apple ID > Subscriptions > ChronoPill. Refund requests must be filed with Apple at reportaproblem.apple.com.
Some data may be retained for short periods after deletion when required by law (e.g. tax records, fraud-prevention logs, AWS audit trails). These are isolated from any user-facing system and are themselves deleted at the end of their statutory retention.
If you cannot use the in-app flow (for example because you lost access to your device), you can request account deletion by emailing contact@chronopill.com from the address tied to the account; we respond within 30 days.
5.5 Shine the Light (California Civ. Code §1798.83)
California residents may request once per calendar year a list of third parties to whom we disclosed personal information for their direct marketing purposes. We disclose to no such third parties, so any such request will receive confirmation of that fact.
5.6 Washington & Nevada — My Health My Data Act (MHMDA)
Your Health Profile is "consumer health data" under RCW 19.373 (Washington) and SB 370 (Nevada). We process it only with your affirmative opt-in consent, never geo-fence you around a healthcare facility, and never sell it.
6. Children
ChronoPill is not directed to children under 13. If a parent manages medications for a child via the Family Care feature, the parent is the data controller for that profile and assumes responsibility for lawful basis and consent.
7. Security
Device-side: iOS file-level encryption, optional Face ID / PIN app lock, keychain for sensitive tokens.
Server-side (optional cloud features only): TLS 1.3 in transit, AWS-managed KMS encryption at rest, least-privilege IAM, no long-term storage of request payloads.
8. International transfers
Optional cloud requests are processed in AWS US East (N. Virginia). For EU residents, these transfers rely on Standard Contractual Clauses (SCC) per Article 46 GDPR. If you are uncomfortable with US processing, disable Enhanced AI in Settings and the app functions entirely on-device.
9. Third-party data sources we display
Clinical information shown inside the app (indications, warnings, interactions) is sourced from public regulatory databases: FDA (openFDA, DailyMed), ANSM (France), AEMPS (Spain), PMDA (Japan), MHRA (UK), AIFA (Italy), Health Canada DPD. We do not modify, re-sell, or claim ownership of this data. See each authority's own terms for use.
10. Cookies and trackers on this website
chronopill.com uses no cookies, no analytics, no third-party trackers. The site is static HTML served from Amazon CloudFront.
11. HIPAA status
ChronoPill is a consumer wellness app. We are not a HIPAA-covered entity (we are not a health plan, health-care clearing-house, or health-care provider transmitting covered transactions). Your Health Profile is nevertheless treated with HIPAA-equivalent safeguards: on-device encryption at rest, TLS 1.3 in transit, least-privilege AWS access, no long-term retention, and no secondary use.
12. Categories of personal information (California CCPA §1798.140 disclosure)
- Identifiers: a randomly-generated anonymous install ID for App Attest rate-limiting; and, if you create an account, your email address, display name (optional), and an internal user UUID (linked to your account record).
- Customer records (Cal. Civ. Code §1798.80): medication list, dose history, schedules — stored on your device only.
- Medical / Health information (Sensitive PI): optional Health Profile (age, sex, height, weight, conditions, allergies, kidney/liver function, pregnancy status, alcohol/tobacco use). Transmitted ephemerally to AWS Bedrock only when you request an AI interaction check; never retained by us.
- Geolocation (coarse): when Travel / Fasting / driving detection enabled, used on-device only; never transmitted.
- Biometric identifiers: Face ID / Touch ID is evaluated by iOS; ChronoPill only receives a true/false result.
- Commercial information: in-app purchase status validated via Apple StoreKit (we never see your payment card). If you have an account, the subscription entitlement state (active / lapsed) is stored against your account record so it can be restored across reinstalls.
- Inferences: adherence statistics and streak counters computed on-device only.
13. Data retention
- On-device data (medications, schedules, dose history, Health Profile): retained until you uninstall the app or tap Clear All Data.
- Account data (email, password hash, display name, internal user ID, entitlement state): retained for the lifetime of the account. Erased within 30 days when you tap Delete Account or email us.
- Anonymous install ID (App Attest rate limiting): hashed, rotated every 90 days, never linked to identity.
- AI request logs (AWS Bedrock): Amazon-controlled, typically 30 days, then permanently deleted.
- Support emails: retained up to 24 months, then deleted.
14. Changes to this policy
We will post updated versions here and, if the change is material, require re-acceptance of the Legal Disclaimer at the next app launch. Material changes affecting US state privacy rights are highlighted at the top of this page for at least 30 days.
Back to chronopill.com - Terms of Service - Legal Disclaimer