Privacy policy
We can’t see your data. That’s on purpose.
Last updated: 2026-05-21. This policy explains what we collect, why, where it goes, and how to get rid of it. In plain language.
The short version
Stedfast is local-first. You can use the entire app without making an account. If you never sign up for Stedfast Sync, your data never leaves your phone. If you do sign up, we hold the minimum amount needed to let you sync and share — and we’ve built the product so we don’t need to look at it.
- No third-party analytics or trackers. None.
- No advertising, ever.
- We do not sell your data. We do not share with third parties.
- You can export and delete everything any time.
What we collect (Free, no account)
Nothing on our servers. The free app stores kits, items, photos, and history locally on your device using iOS’s built-in storage. The app makes no network calls to us. We have no record that you installed it.
iOS handles its own diagnostics (crash reports, App Store analytics) per your device privacy settings. We don’t receive identifiable data from those — only aggregate anonymous metrics if you’ve opted in at the OS level.
What we collect (Stedfast Sync)
If you create an account, we store:
- Your email address (so you can sign in)
- A password hash (argon2id; we never see your password)
- Or your Apple ID identifier (if you used Sign in with Apple)
- The kits, items, events, and photos you choose to sync
- The household memberships and kit shares you create
- An opaque session token, stored in your phone’s Keychain
Sync is opt-in per kit. Kits marked “private to this device” never leave your phone, even after you sign in.
What we log on our servers
Standard request logs: timestamp, HTTP method, path, response status, IP address, user-agent. Used for debugging, abuse prevention, and capacity planning. Scrubbed of PII beyond the IP (which we keep for 14 days, then drop). No body content is logged.
We do not run Google Analytics, Mixpanel, Amplitude, Segment, Hotjar, Crashlytics, Firebase Analytics, or any third-party tracker in the app or on this website.
Where your data lives
Stedfast operates from Oregon, USA. The application servers, the primary Postgres database, and your photos all run in a single data center in Los Angeles, USA on dedicated hardware that we control. There is no third-party object storage in the path — photos sit on the same encrypted disks as everything else.
Encrypted backups go to Backblaze B2 in a US region. The backup archive is encrypted with a key we hold separately from the data; without that key, Backblaze cannot read the contents. We do not replicate your account or kit data outside the United States.
If you’re subject to data-residency requirements that conflict with the above, keep your kits local-only — they never leave your phone, regardless of where our servers are.
Photos
When you attach a photo to a kit or item, we store the file on the same server that runs the app (Los Angeles, dedicated hardware) and keep an opaque key in the database. URLs use unguessable identifiers; only people in your household (or share recipients) can request them through the API. We do not analyze photo contents, run face recognition, OCR them, or train any model on them.
Notifications
Notifications about expiration, rotation, and test-due dates are localnotifications scheduled by the iOS app from your device. Date data never leaves your phone for the notification path. We don’t run a push notification service at this time.
Sharing
When you share a kit with another household, only the people you explicitly invite get access. We do not federate, aggregate, or recommend across households. Shares can be revoked instantly and the recipient loses access on the next request.
Children
Stedfast is not directed at children under 13. Adults in a household can grant a child read-only viewer access on the parent’s account. If you believe a child created their own account on Stedfast, contact us at privacy@stedfast.app and we’ll delete it.
Your rights
You can:
- Export your data as CSV or PDF at any time, from the iOS app menu.
- Delete your account — and with it, every server-side row tied to it. Email privacy@stedfast.app.
- Request a copy of everything we hold on you. Email privacy@stedfast.app.
- Correct anything inaccurate. Most of it you can edit directly in the app.
California, EU, and UK residents have additional rights under CCPA / GDPR. The exercise mechanism is the same email address; we respond within 30 days.
Security
TLS in transit. Database access is restricted to the API process. Passwords are hashed with argon2id. Session tokens are stored hashed at rest and in the device Keychain on the client. We don’t encrypt your kit data at rest beyond the disk-level encryption the server provider applies; if that matters for your threat model, keep your kits local-only.
Payments
Purchases of Stedfast Sync ($9.99 one-time) go through Apple’s In-App Purchase system. We never see your payment method, billing address, or any of the financial details. Apple gives us a receipt token that we verify with Apple to unlock your account. That’s the entire transaction from our side.
Changes
We’ll post material changes on this page with a new “last updated” date. We won’t silently expand what we collect — if we ever do, we’ll tell you in the app first.
Contact
Questions, requests, complaints: privacy@stedfast.app. Real human responses, usually within a couple of days.
See also: Terms of Service.