SIBO daily guide
UnsiboLegal

Privacy Policy

Last updated: June 2026

Unsibo helps you track digestive patterns and daily lifestyle. Because the data you log is sensitive, we've designed the Service to collect only what's necessary and to give you granular control.

1. Who we are

Unsibo (the “Company,” “we,” “us”) is responsible for your personal data. For any privacy question or to exercise your rights, contact our privacy team at privacy@unsibo.com.

2. Your health data and the law

Unsibo is a wellness product, not a medical provider. We are not a HIPAA-covered entity, and the data you log is not “protected health information” under HIPAA. We do not claim to be HIPAA compliant. That does not mean your data is unprotected. It is covered by the US Federal Trade Commission Act and the FTC Health Breach Notification Rule, by US state privacy and consumer-health laws (including California's CCPA/CPRA and Washington's My Health My Data Act), and by the privacy laws of Australia and Canada. This policy explains those protections.

If you are a resident of Washington or Nevada, please also read our separate Consumer Health Data Privacy Policy, which describes how we handle consumer health data under those states' laws.

3. What we collect

Account data

  • Email address (for sign-in)
  • Display name (optional, your choice)
  • Date of birth (used to confirm you are 16 or older; we do not store age)
  • Authentication identifier from Apple, Google, or email plus password

Health and wellness data (sensitive personal data)

Only with your explicit, separate consent:

  • Meals you log (food items, quantities, timestamps)
  • Symptoms you log (severity scores, notes)
  • Bowel movements (Bristol scale, urgency, optional notes)
  • Medications and supplements you choose to track
  • Meal spacing timings
  • Phase selections (Reset, Rhythm, Routine)
  • Reintroduction challenge results
  • Breath-test results (if you choose to enter them)
  • Apple Health or Health Connect data you choose to sync (sleep, HRV, weight, menstrual cycle)

We treat as health data not only the entries above but also what they reveal, including the fact that you use Unsibo and how you interact with it.

Quiz responses (web)

If you take the landing-page quiz, your answers are stored client-side in your browser. If we add a server-side quiz response store later, this section will be updated and you will be notified.

Technical data

  • Device type, OS version, app version
  • Crash logs (with personal data scrubbed)
  • Anonymous product analytics (only with your separate, opt-in consent, disabled by default)

What we do not collect

  • Precise location
  • Contacts, photos, or files beyond what you explicitly upload
  • Browser history
  • Marketing or advertising identifiers
  • Cross-site tracking

4. Why we process your data

We process your data only for these purposes:

  • Provide the core Service (logging, sync, history, on-device pattern insights), based on your explicit consent.
  • Anonymous product analytics, only if you separately opt in. Never includes health data.
  • Crash reporting to debug errors, with personal data scrubbed.
  • Legal compliance, such as keeping consent records.

5. Your two consents

When you create an account, you will see two separate, unchecked switches. Each is independent. You can change either anytime in Settings.

  1. Health-data tracking. Required for the app to do anything useful. Insights you see in the You tab are computed on-device from data you have already consented to store, so no separate consent applies.
  2. Anonymous product analytics. Opt-in only, never includes your health entries.

Revoking #1 will trigger account-deletion confirmation, because the app cannot function without it.

Future server-side AI features (for example weekly LLM-generated reflections) will ship behind a new, separately-toggled consent on the consent screen at the time of launch. We do not run any such processing today.

6. How we share your data

We never sell your personal information or your health data. We never share your health data for advertising, marketing, or targeted advertising, and there are no advertising or marketing SDKs on any screen where you log health information. We will not disclose your health data to a third party for a new purpose without your affirmative, express consent.

We share data only with the limited set of service providers we need to run the Service, each bound by contract to protect it to the same standard:

ProcessorPurposeData sharedLocation
Supabase (database and auth)Storage of your account and logsAll app data, encrypted at restUnited States
RevenueCat (subscriptions)Manage your subscriptionBilling metadata and purchase receipts, no health dataUnited States
Vercel (web hosting)Landing siteNone from the app; quiz answers stay in your browserUnited States
Sentry (crash reporting)Debug app errorsScrubbed crash logs only, no health dataUnited States
PostHog (product analytics)Opt-in analyticsAllowlisted events only, never includes health dataUnited States
Apple and Google (auth and IAP)Sign-in and subscriptionsAuth identifiers, purchase receiptsper platform terms

7. AI features

The current Service does not send your logged data to any AI provider. The insights you see in the You tab (trigger ranking, symptom trends, meal-spacing summary) are computed on your device from your own logs, then displayed. Nothing is sent off-device for AI processing, and no automated process makes a decision that produces a legal or similarly significant effect about you.

If we add server-side AI features in the future (for example weekly LLM-generated reflections), they will ship behind a new, separately-toggled consent and this section will be updated to describe exactly what is sent, to whom, and for how long.

8. Where your data is stored

Your data is stored and processed in the United States by the providers listed above. If you use Unsibo from Australia, Canada, or another country, you are asking us to transfer your data to the United States, where it may be accessible to US courts and authorities. We protect every such transfer with a written data processing agreement with each provider.

9. How long we keep your data

  • Account and health data: as long as your account exists
  • Backups: purged within 30 days of deletion
  • Consent records: retained for the lifetime of the account plus the period required by applicable law (up to 6 years where consumer-health-data law requires it)
  • Anonymous analytics: aggregated and not personally identifiable after rollup
  • Crash logs: 90 days

10. Your rights

Depending on where you live (including California, Washington, other US states, Australia, and Canada), you have some or all of these rights:

  • Access: get a copy of your data, and, for health data, a list of any third parties it was shared with
  • Correct: fix inaccurate data
  • Delete: erase your data (in-app: Settings, then Delete account; or at unsibo.com/data-deletion)
  • Data portability: export your data in a machine-readable format (in-app: Settings, then Export data)
  • Withdraw consent: anytime, as easily as you gave it (in-app: Settings, then Privacy)
  • Opt out of sale, sharing, targeted advertising, and profiling: we do none of these with your data, so there is nothing to opt out of
  • Limit use of sensitive data: we use sensitive data only to provide the Service you asked for
  • Non-discrimination: we will not treat you differently for exercising any right

Because we do not sell or share your personal information, an opt-out preference signal such as Global Privacy Control has nothing to act on and is already satisfied. To exercise any right, email privacy@unsibo.comfrom the address on your account (this is how we verify the request). We respond within 45 days. If we decline a request, you may appeal by replying to our response, and you may also complain to your state Attorney General or your country's privacy regulator.

11. Security

We use:

  • TLS in transit for all data
  • Encryption at rest (Supabase-managed disk encryption on our database)
  • Row-level security on every database table, only you can read your own data
  • Authentication tokens stored in the device Keychain (iOS) or Keystore (Android), never in plaintext
  • Strict third-party SDK isolation, no advertising or marketing pixels on health screens

No system is perfectly secure, and we do not promise that it is.

12. Data breaches

If a breach affecting your data occurs, we will notify you and the relevant authorities without undue delay and within the timeframes required by applicable law. For breaches subject to the US FTC Health Breach Notification Rule, that means notifying affected individuals (and the FTC where 500 or more people are affected) within 60 days of discovery. We also follow Australia's Notifiable Data Breaches scheme and Canada's PIPEDA breach-reporting duties where they apply.

13. Children

Unsibo is not directed at children under 16. At sign-up we ask for your date of birth and block account creation if it indicates an age under 16. We do not knowingly collect data from children under 16. If you become aware that a child has provided us with data, contact privacy@unsibo.com so we can delete it.

14. Changes

If we make material changes to this Privacy Policy, we will notify you in the Service before they take effect, and for genuinely new uses of your data we will ask for fresh consent rather than rely on your continued use. The “Last updated” date above always reflects the current version.

15. Contact

Questions? Email privacy@unsibo.com.