Security — PillRem

The short version: Your data stays on your iPhone. Cloud backup is optional. Everything is encrypted. We don't run ads. We don't track you. We don't sell anything to anyone. If you find a security issue, we want to hear about it — and we'll thank you for it.

Our security principles

Everything we build is guided by four principles:

1. Local-first by default

PillRem is built so that the most sensitive data — your medications, dose history, and health metrics — lives on your iPhone first. No account is required to use the core features. No network connection is required for reminders, logging, or PDF reports. This dramatically reduces the attack surface compared to cloud-first health apps.

2. Encrypted everywhere

At rest: Data stored on your iPhone is protected by iOS Data Protection, which uses hardware-backed AES-256 encryption tied to your device passcode.
In transit: If you enable optional cloud backup, all communication with our backend (Firebase Authentication and Firestore) uses HTTPS with TLS 1.3.
In the backend: Firebase encrypts data at rest using AES-256.

3. Minimal data collection

We collect only what is strictly necessary for the App to function. We do not use general-purpose analytics SDKs, we do not collect advertising identifiers, we do not track you across apps, and we never sell your information.

4. Transparent by design

Our Privacy Policy is written in plain English. When we collect something, we say why. When we share something with a third party, we name them. When we change a policy, we tell you.

Technical safeguards

iOS Data Protection: all App data is stored in the iOS sandbox with NSFileProtectionComplete-class encryption where supported.
Keychain for secrets: any sensitive tokens (e.g. authentication tokens for cloud backup) are stored in the iOS Keychain, not in plaintext files.
Firebase Authentication: password-based accounts use Firebase Auth, which hashes passwords with SCRYPT and never exposes them to us.
No third-party trackers: PillRem does not integrate any analytics, attribution, or advertising SDKs.
App Transport Security: all network traffic enforces ATS, preventing unencrypted HTTP connections.
Regular dependency audits: we review our third-party dependencies for known vulnerabilities on every release.

Responsible disclosure

If you believe you've found a security vulnerability in PillRem, please report it to us privately. We take every report seriously and aim to respond within 48 hours.

How to report: Email security@pillrem.com with:

A description of the vulnerability and its potential impact
Steps to reproduce (proof of concept, if possible)
Your contact details, if you'd like us to credit you

Please do not:

Publicly disclose the issue before we've had a chance to fix it
Access, modify, or delete data belonging to other users
Test against accounts or devices you don't own

We will acknowledge receipt, keep you updated on our progress, and credit you in our release notes if you'd like (and if you report responsibly).

What we recommend

Even though PillRem is built to be secure, a few habits will make your data even safer:

Use a strong iPhone passcode and enable Face ID or Touch ID
Keep iOS up to date — Apple ships security patches regularly
Only install PillRem from the official App Store
If you use cloud backup, use a unique password you haven't used elsewhere
Review what's backed up in iCloud and Firebase periodically

Questions?

Security-related questions, not vulnerability reports, can go to security@pillrem.com. We're happy to answer.