DRAFT — not legal advice, requires review by a licensed attorney before use.
Settle — Privacy Policy
Effective date: [EFFECTIVE DATE PLACEHOLDER]
Operator: Desert Services Group LLC ("DSG," "we," "us")
Service: Settle, an elimination-diet planning tool at wellsettled.vercel.app
Contact: jeff.jones@desertservicesgroup.com
Settle helps an individual plan and run a structured elimination diet — establish a baseline, remove suspected foods, then reintroduce them one at a time — to surface foods that may be behind IBS-type gut symptoms. Settle provides diagnostic information, not a diagnosis. See our Terms of Service and the in-app medical disclaimer.
This policy explains what we collect, why, how it is protected, and the choices and rights you have. Washington residents: a separate Consumer Health Data Privacy Notice also applies to your health data; please read it together with this policy.
1. Privacy at a glance
- Local-first by default. Unless you turn on cloud sync, everything you log stays in your browser and is never sent to us.
- Zero-knowledge cloud sync (optional). If you create an account to sync across devices, your diary is encrypted in your browser before upload. Our servers store only an unreadable encrypted blob. We cannot read your diary content, and we cannot recover it if you lose your passphrase and recovery key.
- No sale of data. No behavioral advertising. No analytics or ad trackers mixed with your health data.
- You can export and delete your data at any time.
2. What we collect and why
a. Your symptom diary (consumer health data)
When you use Settle you may record: daily discomfort severity (0–10); symptom-type selections (bloating, abdominal pain, gas, diarrhea, constipation, urgency, nausea, reflux, fatigue, headache); free-text notes; the food-trigger groups you choose to eliminate and reintroduce; and your plan dates and phase windows. We use this only to run your plan and to compute your own Insights (comparing symptom severity across phases). This is regulated health data and we treat it accordingly.
By default this data lives only in your browser's local storage. It leaves your device only if you (i) enable cloud sync or (ii) export a backup yourself.
b. Account data (only if you enable cloud sync)
To sync across devices you create an account using your email address. We use email solely to sign you in (via a magic link — there is no password) and to send account/security messages. Your email is stored separately from your encrypted diary blob.
c. Encrypted diary blob (only if you enable cloud sync)
We store the encrypted version of your diary so it can sync between your devices. We store only ciphertext — see Section 3.
d. Technical logs
Our hosting and database providers generate standard server logs (e.g., IP address, browser type, timestamps) to deliver the service and protect it against abuse. These logs are not combined with your diary content and are not used for advertising or profiling.
We do not collect analytics-SDK data, advertising identifiers, location beyond incidental IP, or (at launch) payment information.
3. How zero-knowledge cloud sync works (and its limits)
If you enable cloud sync, Settle encrypts your diary in your browser using AES-GCM, with the encryption key derived from your passphrase (and a separately generated recovery key) using PBKDF2. Only the resulting encrypted blob is uploaded. Your passphrase, recovery key, and decryption key never leave your device and are never sent to us. As a result:
- We and our storage provider can see only an opaque encrypted blob — we cannot read your symptom diary.
- Either your passphrase or your recovery key can unlock your data. If you lose both, your synced diary cannot be recovered by anyone, including us — by design. There is no reset.
What this protection does NOT cover — please read:
- Your email address is not part of the zero-knowledge encryption. It is stored in readable form so we can sign you in.
- Local-only data is not "end-to-end encrypted." When cloud sync is off, your diary simply stays in your browser; its protection is the security of your own device and browser, not our encryption.
- Backups you export (JSON/CSV) are plain files on your device; protecting them is up to you.
We describe this as zero-knowledge encryption of your synced diary — we do not claim end-to-end encryption of your email or of local-only data.
4. We do not sell your data, and we do not use it for ads
- We do not sell or rent your personal information or your consumer health data, and we do not "share" it for cross-context behavioral advertising.
- We do not use advertising networks, ad SDKs, or behavioral profiling.
- We do not combine analytics or ad trackers with your health data.
5. Sub-processors (service providers)
| Provider | Role | What they can access |
|---|---|---|
| Supabase | Magic-link authentication + encrypted vault storage | Your email (readable), sign-in/session metadata, and your encrypted diary blob (which they cannot read) |
| Vercel | Hosting / delivery of the web app | Standard server/request logs (e.g., IP, browser, timestamps) |
These providers act on our behalf under their terms and may not use your data for their own purposes. We do not authorize any provider to read your diary content, and the encryption prevents it for the synced blob.
6. Your privacy rights
Depending on where you live (including under CCPA/CPRA in California, the Washington My Health My Data Act, Nevada SB 370, and the GDPR in the EU/EEA/UK), you may have the right to:
- Access / know what we hold about you;
- Export / port your data;
- Delete your data;
- Withdraw consent to collection or processing of your health data;
- Correct inaccurate data;
- Non-discrimination for exercising these rights.
How to exercise them:
- Export: Use Insights → Export in the app to download your full diary (JSON or CSV) at any time, without contacting us.
- Delete locally: Clearing the app's site data in your browser removes all local diary data immediately.
- Delete your account and synced data: Use the in-app account-deletion control, or email jeff.jones@desertservicesgroup.com. We will delete your email/account record and your stored encrypted blob.
- Access / other requests: Email jeff.jones@desertservicesgroup.com. We will verify your request (typically by confirming control of the account email) and respond within the timeframe the applicable law requires.
Because synced diary content is stored only as an unreadable encrypted blob, the content we can return for an "access" request is what you can already export yourself; we can also confirm and delete the encrypted blob and your account email.
[ATTORNEY: confirm response-deadline language, verification standards, and appeals/authorized-agent handling for CCPA/CPRA, WA MHMD, NV SB370, and GDPR.]
7. Data retention
- Local diary data persists in your browser until you delete entries, clear site data, or stop using the app.
- Synced encrypted blob is retained until you delete your vault or your account.
- Account email is retained until you delete your account.
- Infrastructure logs are retained per our providers' standard retention windows. [ATTORNEY/OPS: pin the exact windows before launch.]
When you delete your account, we delete your account email and your stored encrypted blob; residual copies in routine backups, if any, are purged on the provider's normal backup cycle.
8. Security
We protect your data with client-side AES-GCM encryption for synced diaries, PBKDF2 key derivation, transport encryption (HTTPS), passwordless magic-link sign-in, and database row-level security so each account can reach only its own row. No method of transmission or storage is perfectly secure; we cannot guarantee absolute security. If a breach affecting your data occurs, we will notify you and regulators as required by law (see our internal breach process).
9. Children
Settle is for adults. It is not directed to children and is not intended for anyone under 18. We do not knowingly collect data from children under 13. If we learn we have collected data from a child under 13, we will delete it. Do not use Settle if you are under 18.
10. International users
Settle is operated from the United States and your data is processed in the U.S. If you access Settle from the EU/EEA/UK, your symptom diary is special-category (health) data under GDPR Article 9, and we process it only on the basis of your explicit consent, which you may withdraw at any time. By using cloud sync from those regions you consent to processing and transfer to the U.S. as described here. [ATTORNEY: confirm transfer mechanism / SCCs and whether EU launch is in scope at all.]
11. Changes to this policy
We may update this policy. We will change the effective date above and, for material changes, provide a more prominent notice (e.g., in-app). Continued use after an update means you accept the revised policy.
12. Contact
Desert Services Group LLC — privacy
Email: jeff.jones@desertservicesgroup.com
Governing law: State of Arizona, USA (see Terms of Service).