Privacy Policy – ScriptReady

This Privacy Policy describes how ScriptReady ("we", "our", or "us") collects, uses, and protects your information when you use the ScriptReady mobile application ("App"). We take your privacy seriously — especially given the sensitive nature of prescription data.

1. Information We Collect

Account Information
When you create an account, we collect your email address via Firebase Authentication. You may sign in with email and password or via Google Sign-In.

Prescription Data
When you add a script, we store the following in your private cloud account:

Medication name and optional nickname
Prescriber name (optional)
Issue date, expiry date, and repeat count
The eScript URL (used to generate the QR code)
The person the script belongs to (e.g. Me, family member)

Family Member Names
Names you add for family members are stored encrypted on your device using iOS Keychain (via Expo SecureStore). They are not uploaded to our servers.

Device Security Data
Your 6-digit passcode is stored encrypted on your device using iOS Keychain (via Expo SecureStore). It is never transmitted to our servers. Face ID is handled entirely by iOS — we never access biometric data.

2. How We Use Your Information

To store and sync your prescription data securely across sessions
To display your scripts and QR codes within the App
To authenticate you and protect access to your data
To allow you to manage repeats, expiry dates, and family member scripts
To automatically look up general medication information when you open a script (medication name only is sent to a third-party search API — see Section 4)

We do not use your data for advertising, analytics profiling, or any purpose beyond operating the App.

3. Data Storage and Security

Your prescription data is stored in Google Firebase Firestore, a secure cloud database. Access is restricted exclusively to your account — no other user or third party can read your data.

Firebase enforces server-side security rules that ensure only authenticated users can access their own data, with field-level validation to prevent malformed data.

Your passcode is hashed using SHA-256 with a random salt before being stored in iOS Keychain on your device. It is never stored in plain text and never uploaded to any server.

Your family member names are stored in iOS Keychain on your device only and are never uploaded.

The App automatically locks after 5 minutes of inactivity in the background, and locks out further passcode attempts after 5 incorrect entries (requiring sign-out).

Script data is never cached to unencrypted local storage — all prescription data is loaded directly from your secure Firestore account.

4. Data Sharing

We do not sell or rent your personal information. The third-party services we use are:

Google Firebase — for authentication and secure data storage. Subject to Google's Privacy Policy.
Tavily Search API — when you open a script, the medication name is automatically sent to Tavily to retrieve general drug information from trusted Australian health sources (e.g. healthdirect.gov.au, nps.org.au, pbs.gov.au). No other personal data or account information is sent. Subject to Tavily's Privacy Policy.

5. eScript Links

When you paste an eScript SMS link, the App opens the eRx/eScript provider's page within a secure in-app browser restricted to the ausscripts.erx.com.au domain only. We do not store or transmit the raw eScript page content — only the structured prescription data you confirm is saved. The eScript URL is stored solely to generate the QR code for pharmacy presentation.

6. Your Rights and Choices

Access: All your data is visible within the App at all times.
Deletion: You can delete individual scripts at any time. You can delete your entire account and all associated data from Settings → Delete Account.
Export: You can export a copy of all your prescription data at any time from Settings → Account → Export My Data. Your data is provided as a JSON file which you can save, email, or share via the iOS share sheet.

Deleting your account permanently removes all prescription data from our servers within 30 days.

7. Children's Privacy

ScriptReady is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via the App or by email. Continued use of the App after changes constitutes your acceptance of the updated policy.

9. Contact Us

If you have any questions about this Privacy Policy or how we handle your data, please contact us at:

ScriptReady
scriptreadysite@gmail.com

Last updated: March 2026