Privacy Policy

Last updated: April 2026

We wrote this in plain English. Your health data is yours. We don't sell it, share it with advertisers, or train AI on it.

1. What we collect

Account information: When you create an account, we collect your email address, and optionally your first name. If you sign in with Google, we receive your Google email and profile name.

Health tracking data you log: Everything you enter into KeepTally — period dates, symptoms, sleep times, gut entries, supplement names and doses, water intake, and any notes. This is the core of what makes the service work.

Usage data: Basic server logs (pages visited, API requests, timestamps) for security and debugging purposes. We do not use third-party analytics scripts. We do not track you across other websites.

Device information: Browser type and version, operating system — collected as part of standard server access logs.

2. How we use your data

We use your data to:

  • Provide the KeepTally service — show you your own health logs, compute streaks, generate cycle predictions, calculate cross-tracker insights
  • Maintain your account and authenticate you
  • Send transactional emails (password reset, account confirmation) when needed
  • Improve the product — we may look at aggregated, anonymized usage patterns (e.g., "most users have X supplements") to inform feature decisions. We never look at individual health data for this purpose.

3. What we don't do

  • We don't sell your data. Not to data brokers, not to advertisers, not to anyone.
  • We don't share your health data with third parties except as described below under Service Providers.
  • We don't use your data to train AI models. Your gut logs, period data, and sleep patterns are not AI training data.
  • We don't show you ads. KeepTally is a paid product. Your data is not the product.
  • We don't track you across websites. No cross-site tracking cookies, no tracking pixels from third-party ad networks.

4. Service providers

We use a small number of trusted infrastructure providers to operate KeepTally:

  • Railway — cloud hosting and database infrastructure. Your data lives in Railway's PostgreSQL database in the United States.
  • Google — if you sign in with Google OAuth. Google receives a signal that you authenticated, but not your health data.
  • Stripe — when payment integration launches, Stripe will process billing. Stripe receives your payment information only, not your health data.

These providers are contractually bound to protect your data and may not use it for their own purposes.

5. Data storage and security

Your data is stored in a PostgreSQL database on Railway's cloud infrastructure, based in the United States. We use encrypted connections (HTTPS) for all data in transit. Passwords are hashed with bcrypt and never stored in plain text.

No system is completely immune to breaches, but we take reasonable steps to protect your data. If a security incident occurs that affects your data, we will notify you by email as required by applicable law.

6. Data retention

We keep your data for as long as your account is active. If you request account deletion, we will permanently delete all your data within 30 days. Export your data first — once deleted, it cannot be recovered.

Server access logs are retained for up to 90 days for security purposes, then automatically purged.

7. Your rights

Access: You can export all your health data at any time via Settings → Export data.

Correction: You can edit or delete any individual log entry from within the app.

Deletion: Email hello@keeptally.org to request full account and data deletion. We process all requests within 30 days.

Portability: Your export includes all your data in JSON format, suitable for use in other applications.

8. Children

KeepTally is not intended for users under 13 years of age. We do not knowingly collect information from children under 13. If you believe a child has created an account, contact us at hello@keeptally.org and we will delete the account immediately.

9. GDPR and CCPA

EU users (GDPR): You have additional rights including the right to access, rectify, erase, restrict, or object to processing of your personal data, and the right to data portability. To exercise any of these rights, email hello@keeptally.org. Our legal basis for processing your health data is your explicit consent (Article 9(2)(a) GDPR), which you can withdraw at any time by deleting your account.

California residents (CCPA): You have the right to know what personal information we collect and how we use it, the right to delete it, and the right to opt out of its "sale" (we don't sell it, but you have the right to know that). To exercise these rights, contact hello@keeptally.org.

10. Changes to this policy

If we make material changes to this privacy policy, we'll notify you by email (at the address on your account) at least 14 days before the changes take effect. Continued use of KeepTally after changes take effect means you accept the updated policy.

11. Contact

Questions about privacy? Email hello@keeptally.org. We're a small team and we actually read our email.