← Back to Pill Plan

Privacy Policy

Last updated: May 7, 2026

Pill Plan is operated by Darrick Fauvel (trading as Darrick Develops). This policy explains what personal data we collect, why we collect it, how long we keep it, and what rights you have under the General Data Protection Regulation (GDPR) and other applicable privacy laws.

1. Data controller

Darrick Fauvel / Darrick Develops
Email: darrick@darrickdevelops.com

2. Data we collect

Account data

• Email address — used to identify your account and communicate with you.
• Password — stored as a one-way bcrypt hash (we cannot read your password).
• Account creation date
• Consent timestamp — when you agreed to this policy.

Health data (Article 9 special category)

Pill Plan stores sensitive health information that you enter directly:

• Medication names, strengths, forms, and dosing instructions
• Medication quantities and refill thresholds
• Medication schedule (which time slots each medication is taken)
• Daily intake history (whether each dose was taken or skipped)
• Profile names (e.g., "Me", "Dad")
• Medication images you upload or link

We process this data only because you have given us your explicit consent (GDPR Article 9(2)(a)) at account creation. You can withdraw consent at any time by deleting your account in Settings.

Payment data (Pro plan users only)

If you upgrade to Pro, your email address is shared with Stripe, Inc., our payment processor. Stripe stores your payment card details — we never see or store them. We keep a Stripe customer ID and subscription ID to manage your subscription status.

3. Legal basis for processing

• Account and session data: Performance of contract (GDPR Article 6(1)(b)) — necessary to provide the Pill Plan service.
• Health data: Explicit consent (GDPR Article 9(2)(a)) — you choose to enter this data and can delete it at any time.
• Payment data: Contract performance and legal obligation (GDPR Article 6(1)(b) and 6(1)(c)).

4. How long we keep your data

• Session cookies: 7 days, then automatically deleted.
• Account and health data: Until you delete your account. Deletion is immediate and permanent — we run no backups that outlive deletion.
• Payment records: Stripe retains transaction records as required by financial regulations, even after you delete your Pill Plan account.

5. Who we share data with

• Stripe, Inc. (payment processor, Pro plan only) — processes payments on our behalf. Stripe is certified under EU-US Data Privacy Framework. Stripe Privacy Policy.
• National Library of Medicine / RxNorm — when you search for a medication by name, the search term is sent to a public NIH API. No personal data is included in these requests.

We do not sell, rent, or share your data with any other third party.

6. Cookies

We use only strictly necessary cookies. No analytics, advertising, or tracking cookies are used.

• sid — session authentication cookie. Expires after 7 days. Required to keep you logged in. HttpOnly, Secure, SameSite=Strict.
• pid — remembers which profile you last viewed. Session-scoped (cleared when the browser closes). HttpOnly, Secure, SameSite=Strict.

Because these cookies are strictly necessary for the service to function, they are set without requiring your separate consent for cookies (ePrivacy Directive Article 5(3) exemption).

7. Your rights

Under GDPR you have the right to:

• Access (Article 15) — request a copy of all data we hold about you. Use the "Download your data" button in Settings.
• Erasure (Article 17) — permanently delete your account and all associated data. Use "Delete account" in Settings.
• Portability (Article 20) — receive your data in a machine-readable format. Use "Download your data" in Settings.
• Rectification (Article 16) — correct inaccurate data. You can edit all your data directly in the app.
• Objection (Article 21) — object to processing based on legitimate interests. Contact us at the address below.
• Withdraw consent — delete your account at any time to withdraw consent for health data processing.
• Lodge a complaint — with your national data protection authority if you believe your rights have been violated.

8. Data security

Passwords are hashed with bcrypt (cost factor 12). Session cookies use HttpOnly, Secure, and SameSite=Strict flags. All data is transmitted over HTTPS. Database access requires authentication tokens that are never exposed to clients.

9. Children

Pill Plan is not directed at children under 16. If you are under 16, please do not create an account. If we learn that we have collected personal data from a child under 16 without verifiable parental consent, we will delete it promptly.

10. Changes to this policy

If we make material changes, we will update the "Last updated" date above and notify you by email at least 14 days before the changes take effect.

11. Contact

For any privacy questions or to exercise your rights:
darrick@darrickdevelops.com