1. Who we are (data controller)
RN PocketPal is operated by Charles Enterprises, LLC (“RN PocketPal,” “we,” “us”). Mailing information is available upon verified legal request. We are the data controller for the personal data you provide through rnpocketpal.com (the “Website”) and the RN PocketPal mobile application on iOS and Android (the “App”), plus cloud-backed features such as Marketplace, support, AI requests, and optional rhythm-strip contribution.
If you are in the European Economic Area or the United Kingdom, you can contact us at the email address in section 12.
2. What personal data we collect
We collect only the data we actually need to operate the service. There is no analytics SDK, no advertising network, no tracking pixel. The full list:
From the Website
- Beta signup form — email address, role (e.g., RN, LPN, Student), specialty (e.g., Telemetry, ICU), optional biggest-pain and launch-platform preferences, first-party campaign/UTM fields from the link you clicked, and an SHA-256 hash of your IP for rate-limiting only. We never store the raw IP.
- First-party website analytics — page views, CTA clicks, App Store / Google Play outbound clicks, and signup-state events tied to a random browser install ID and campaign fields. This is opt-in: nothing is stored in your browser or sent to us until you choose “Allow analytics” on the consent banner, and you can withdraw at any time from the Cookie Policy. No third-party analytics SDK, ad pixel, cookie sync, or user-entered clinical text is ever collected.
- Support form — email address, the subject and description of your support request, and the same IP-hash rate-limit. Do not include PHI. We auto-redact patterns that look like SSNs, MRNs, dates, and phone numbers before storing or emailing, but redaction is not a substitute for removing identifiers before submission.
- Server logs — your IP address may appear in standard webserver access logs (LiteSpeed access logs at our hosting provider) for security and abuse-prevention purposes. These logs are not used for tracking.
From the App
- Account data — email address or Apple/Google sign-in identifier, nursing role + specialty, subscription state, and Marketplace identity needed to operate account-only features.
- Local clinical content — your brain sheet, notes, calculator inputs, and saved templates live on your device in iOS Keychain / encrypted Core Data or Android encrypted storage/Room. We do not have access to local-only content unless you intentionally use a cloud-backed feature.
- Marketplace, Connect, and community content — listings, messages, profile fields, photos, reports, and similar submissions you choose to send to the live service. These surfaces prohibit PHI and are not for clinical care, handoff, charting, or urgent communication.
- Rhythm strip images — rhythm review runs on-device where available. If you separately opt in to contribute a strip for model improvement, the App asks you to confirm de-identification and authorization, strips metadata where possible, and sends the image to a private review queue. Do not contribute strips containing patient or facility identifiers.
- AI feature inputs — when you use AI-assisted features (Note Writer, Care Plan, Legal Reference, etc.), the input text is scrubbed for PHI patterns on-device before transmission to our AI provider, then sent over TLS for processing. Scrubbing is best-effort and you remain responsible for not entering PHI. See section 5 for who that provider is.
- Crash reports — anonymized crash traces with no user-entered clinical content, used solely to fix bugs if crash reporting is enabled.
- Uploaded photos — for Pill Imprint, Rhythm capture, Marketplace listings, and any other photo-bearing feature, we strip EXIF metadata (geolocation coordinates, device identifier, original timestamp, lens / serial information) on-device before the photo is stored on our servers or transmitted to any third-party processor. The visible image content is preserved; embedded metadata is not. Do not photograph anything that visually shows a patient identifier — that content is not in EXIF and cannot be stripped automatically.
What we explicitly do NOT collect
- Patient names, medical record numbers, dates of birth, room numbers tied to a real person, or Protected Health Information (we do not intentionally collect any of these).
- Your location, contacts, photos, calendar, or biometric data.
- Behavioural analytics or session recordings.
- Third-party tracking identifiers (Apple Tracking Transparency: we do not request the IDFA).
3. Why we collect it (legal bases under GDPR)
For visitors and users in the EU/EEA/UK, our lawful bases under Article 6 of the GDPR are:
- Consent (Art. 6(1)(a), and Art. 5(3) ePrivacy / UK PECR) — for the beta signup form, and for first-party website analytics, which stays off unless you opt in on the consent banner and which you can withdraw at any time.
- Legitimate interests (Art. 6(1)(f)) — for responding to support requests, fixing bugs via anonymized crash reports, and rate-limiting / abuse prevention. We balance these against your rights and you can object at any time (section 7).
- Contract (Art. 6(1)(b)) — for delivering PocketPal Pro features and processing your subscription.
- Legal obligation (Art. 6(1)(c)) — for retaining transaction records required by tax law.
Health data we incidentally see (none, by design — see section 9) is not used as “special category data” under Article 9.
4. How long we keep it
- Beta signup data — until 90 days after public launch, or until you ask us to delete it, whichever is sooner.
- Prelaunch analytics — aggregate dashboard data may be retained for product planning; event-level browser identifiers are retained for up to 13 months, then deleted or aggregated.
- Support tickets — 2 years after the ticket is closed, then deleted. Anonymized aggregate metrics (e.g., total tickets per month) may be retained longer.
- Subscription / billing records — 7 years to comply with US tax-records requirements (IRS recommends 7).
- Server access logs — 90 days, then rotated and discarded.
- Crash reports — 1 year, then deleted.
6. International transfers
Our hosting is in the United States. If you are in the EU/EEA/UK, your data will be transferred to the US. The transfer is covered by Standard Contractual Clauses (Module 1: Controller-to-Processor) under Commission Implementing Decision (EU) 2021/914, plus supplementary technical and organizational measures (encryption in transit and at rest, the on-device-first architecture described in section 2).
The AI provider disclosed in section 5 is, currently, hosted in China. AI features are optional. Before any text is sent, it is scrubbed for PHI patterns on your device and we transmit only the minimum needed for the feature. We are assessing this transfer route — including a transfer risk assessment — with counsel, and will issue a specific addendum, change providers, or disable affected features in regions where that route is not appropriate under applicable law.
7. Your rights
You have the following rights, depending on where you live:
Everyone
- Right to know — what data we have about you.
- Right of access — a copy of that data.
- Right to correction — fix anything that’s wrong.
- Right to deletion — remove your data (subject to retention obligations).
- Right to withdraw consent — for anything we process on a consent basis.
If you’re in the EU/EEA/UK (GDPR)
- Right to portability — receive your data in a machine-readable format.
- Right to object — to processing based on legitimate interests.
- Right to restrict — limit how we process your data in specific cases.
- Right not to be subject to automated decisions — including profiling. We don’t do this anyway.
- Right to lodge a complaint — with your local Data Protection Authority. For the UK, that’s the ICO (ico.org.uk).
If you’re in California (CCPA / CPRA)
- Right to know + access — described above.
- Right to delete — described above.
- Right to correct — described above.
- Right to opt out of “sale” or “sharing” — we do not sell or share personal information for cross-context behavioural advertising, so there is nothing to opt out of. We disclose this explicitly here.
- Right to limit use of sensitive personal information — we do not use sensitive personal information for purposes beyond what is necessary to provide the service.
- Right to non-discrimination — exercising your rights will never affect your access to the service or the price you pay.
If you’re elsewhere in the US
Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other state laws grant overlapping rights. We honor them the same way we honor CCPA rights. If your state isn’t named here and you have a right under your state’s law that we missed, contact us and we’ll handle it.
Consumer health data — Washington, Connecticut, and similar states
RN PocketPal is not a HIPAA-covered entity, which means certain state consumer-health-data laws apply to us in addition to general privacy laws. If you are a resident of Washington State, the Washington My Health My Data Act (effective March 2024) gives you specific rights with respect to “consumer health data” as that act defines it, including:
- Consent before collection or sharing of consumer health data. We obtain consent at signup for any health-adjacent data we collect (role, specialty), and we do not share consumer health data with third parties for advertising or behavioral analytics under any circumstance.
- The right to know what consumer health data we hold about you.
- The right to delete your consumer health data.
- The right to withdraw consent at any time, with deletion of any data we collected on the basis of that consent.
- No sale of consumer health data. We do not sell consumer health data under WA MHMD’s definition of sale, and we do not sell consumer health data under any other state’s definition either.
Similar consumer-health-data rights exist under the Connecticut Data Privacy Act’s health-data provisions, the Colorado Privacy Act, the Virginia Consumer Data Protection Act, the Oregon Consumer Privacy Act, and other emerging state laws. We honor all of these rights through the same data-request channel described below.
We will continue updating this section as state consumer-health-data laws and healthcare privacy requirements evolve.
How to exercise these rights
Email support@rnpocketpal.com with the subject line [DATA REQUEST], or use the form at /data-requests. We respond within 30 days (45 in complex cases, with a heads-up). We never charge you to exercise these rights, and exercising them never affects your access to the service.
8. Children
RN PocketPal is a professional tool for licensed nurses, nursing assistive personnel, and nursing students. The Website and App are not directed to children under 16, and we do not knowingly collect personal data from anyone under 16. Nursing students should be adults enrolled in a nursing program; we do not request school-records data.
9. Health data & HIPAA
RN PocketPal is not a HIPAA-covered entity in its consumer-app capacity, and we do not intentionally collect or process Protected Health Information. The App is designed so bedside identifiers in brain sheets stay in encrypted local storage by default, and cloud-backed features prohibit PHI.
If RN PocketPal ever enters a hospital/system arrangement that would make us a Business Associate, or if we provide services on behalf of a covered entity or business associate, we will execute a Business Associate Agreement before that engagement starts and will update this policy. That is not the case for the consumer App.
Health-related or professional preferences you tell us about yourself (your nursing role, your unit specialty) are professional descriptors rather than “special category data” under GDPR Article 9. We do not infer health conditions from this data.
10. Unintended PHI submissions
Do not send RN PocketPal protected health information, patient identifiers, medical-record numbers, dates of birth, room numbers tied to a real person, facility screenshots with patient banners, or any information you are not authorized to disclose.
If PHI or patient-identifying information is submitted to us by mistake — in a support ticket, a marketplace listing photo, a feedback form, an email, an AI prompt our on-device scrubber did not catch, a Connect post, a rhythm contribution, a crash report, or any other channel — you authorize us to process that information only as needed to secure it, identify the affected submission, delete it, redact it, return it to you, comply with law, investigate abuse or security incidents, and maintain a minimal audit record. We do not use unintended PHI for model training, marketing, analytics, product improvement, marketplace features, or social features.
Specifically, our inbound-PHI handling protocol is:
- We do not retain it. The message, attachment, or record is purged from our active systems within 72 hours of detection. We make best-effort attempts to remove it from short-term backups within 30 days. We do not export it. We do not analyze it. We do not train any model on it.
- We do not republish it. We do not quote inbound PHI back to you in our reply. We do not forward it to a third party. We do not share it with a vendor, contractor, or affiliate. If we need to ask a clarifying question, we do so without referencing the patient information you sent.
- We notify you to delete it on your end. Within one business day of detecting inbound PHI, we ask you to delete the message from your sent folder and any other place you kept a copy, and we provide instructions for your platform where we can.
- We log the incident without the content. We retain a redacted record of date, channel, and PHI category (not the PHI itself) for our own audit purposes for one year, then delete that record too.
- The disclosure burden stays with the sender. Because we are not a HIPAA-covered entity and have no Business Associate Agreement with your facility, sending us PHI does not create an authorized disclosure under HIPAA. If you sent PHI without your facility’s authorization, the unauthorized disclosure is yours to report to your facility’s privacy officer. Our handling above limits downstream harm; it does not retroactively make the disclosure compliant.
If you are a facility or hospital privacy officer: contact us at security@rnpocketpal.com and we will work with you in good faith on incident scope, retention timelines, and documentation you need for OCR notification calculations.
RN PocketPal is not a HIPAA secure-messaging system, electronic health record, designated record set, or substitute for your facility’s approved documentation systems. You remain responsible for complying with your employer’s policies, HIPAA obligations, state nursing rules, and minimum-necessary requirements.
These timelines are designed to reduce retention of unintended PHI while preserving a minimal security and abuse-prevention record.
11. Security
We protect personal data with technical and organizational measures appropriate to its sensitivity. Specifically:
- TLS 1.2+ for all data in transit, HSTS enforced.
- On-device encryption for any clinical content (iOS Data Protection “complete when locked”).
- IP addresses hashed (SHA-256 with a non-public salt) before storage. Raw IPs are not retained beyond standard webserver logs.
- Server-side input validation, parameterized queries, and PHI-shaped-pattern auto-redaction on submitted free-text.
- Content Security Policy, X-Frame-Options DENY, Referrer-Policy strict-origin-when-cross-origin, and Permissions-Policy that denies camera/mic/geolocation by default.
- No third-party advertising or analytics SDKs in either the Website or the App.
No system is perfectly secure. If we discover a personal-data breach, consumer-health-data breach, or breach of unsecured individually identifiable health information that we maintain, we will evaluate and provide notices required by applicable federal, state, and international laws, including consumer health breach-notification rules where they apply.
12. Changes to this policy
We will update this policy as the product evolves. When we make a material change (e.g., a new processor, a new data category, a new lawful basis), we will:
- Update the “Last updated” date at the top of this page.
- Post a notice in the App and on the Website 30 days before the change takes effect, where the change is significant.
- If we’re relying on consent for a new purpose, ask you for that consent before processing.
Effective date of this version: May 28, 2026.
13. Contact us
For privacy questions, data-access requests, or to exercise any of the rights above:
- Email: support@rnpocketpal.com (subject line [DATA REQUEST])
- Web form: /data-requests
- Mail: Mailing address available upon verified legal request.
- EU/UK representative: Not currently appointed. We are reviewing, with counsel, whether a GDPR Article 27 representative is required for our processing; until then, direct EU/UK privacy requests to support@rnpocketpal.com.
- Data Protection Officer: We have not designated a DPO. We are reviewing, with counsel, whether Article 37 requires one; in the meantime, send any data-protection question to support@rnpocketpal.com.
A note from the founder.
This policy is written to be clear about what RN PocketPal does today and may evolve as the product, legal review, and privacy requirements evolve. If you spot something that seems wrong, please email support@rnpocketpal.com with subject [POLICY FEEDBACK] — we’d rather hear from you than miss it.
