Privacy Policy
Last updated: May 30, 2026
Overview
Stash is developed by Stash Diabetes, Inc. ("we," "us"). Your privacy is important, and Stash was designed with it in mind.
Stash is built around data minimization: by default, your supply data never leaves your device. Where we do collect data, we limit it to what's necessary, make it opt-in wherever practical, and tell you exactly what gets sent.
This policy explains what's stored, what (if anything) is shared, and your choices.
Data Stored Locally on Your Device
The supply data you enter into Stash — including inventory, lot numbers, expiration dates, body placement zones, trip plans, packing lists, and personal notes — is stored locally on your device using Apple's standard data storage frameworks.
This data may sync to your iCloud account if iCloud is enabled on your device. Apple, not Stash, manages this sync. Your data syncs across your own devices under your iCloud account; we do not have access to it, and we never receive a copy.
Data Sent Off Your Device
The following types of data may leave your device. Each is described in detail below.
1. Anonymous Behavior Analytics (TelemetryDeck)
Stash uses TelemetryDeck to collect anonymous, aggregate behavior signals — actions like "Dashboard opened," "Trip planner used," "Issue report submitted." These signals describe what users do, not what their data contains.
What's sent:
- Session counts, app version, iOS version, device model (e.g., "iPhone 17 Pro"), locale (e.g., "en-US")
- Named events triggered by specific actions (e.g., "Dashboard.opened," "Insights.regionAdded")
What's never sent:
- Your name, email, or any identifying information
- Your supply data: lot numbers, brand names, dose amounts, body placement coordinates, trip details
- Any specific value you entered or selected — only the fact that you did
TelemetryDeck uses a per-install hash to count unique users; the hash is not tied to your Apple ID, iCloud account, or any other identifier we hold.
You can opt out of all analytics including TelemetryDeck by disabling Settings → Privacy & Security → Allow Apps to Request to Track in iOS, which limits attribution across analytics SDKs at the system level.
2. Community Reports (Opt-In Ongoing Contribution)
Community Reports (also called the Community Reporting Network) is an optional system for sharing anonymized signal about supply quality, failure patterns, and lot circulation across the community of Stash users. Joining is opt-in and requires you to be at least 16 years old — see Terms of Service §6.0 for the rationale. Stash itself is available to users 13 and older with parental supervision; the higher Community Reports threshold reflects the perpetual license users grant when they contribute data. You join once — by tapping Join Community Reports on the in-app announcement, by toggling Community Reports on in Settings → Community Reports, by completing the wizard's Community step, or by tapping Send on your first report (which is itself a join action, disclosed at the moment of tap).
After you join, your device contributes data through two paths:
- Per-incident reports — sent immediately when you tap Report Issue on a supply or use Submit a Manual Report.
- Periodic background sync — roughly once a week your device transmits a small batch of wear-session outcomes and inventory snapshots covering the time since the last sync. This activates only after you join, and only while you remain joined.
Both paths are described below in detail.
Incident reports (sent when you explicitly tap Send). Each report carries: the supply category (e.g., "CGM Sensor"), manufacturer, lot number (or serial number when only a serial is on the package — some products like the Dexcom sensor applicator print a serial but no lot), the issue category from a fixed list (e.g., "insertion failure," "occlusion"), a severity tier you pick (no impact / mild / severe), wear time, optional notes you typed for this report, optional region (city, state, and country — only when you tap "Use my location" on that specific report), and the body zone label for placement-tracked supplies. The report also carries small per-user counts that frame the failure ("is this lot bad, or has this user had bad luck?") — total / failed / remaining counts for the same lot, totals for the same product across lots, and aggregate placement-zone counts. These counts are tallied from your local data and never include individual session timestamps or per-event timelines.
Wear-session records (sent in the background sync, after you join). When a supply ends — a sensor expires, a pod is changed, an infusion set is pulled, a pen runs dry — Stash records the total wear duration and an outcome (full wear, ended early, fell off, user-ended, scheduled end, site issue, or ran out). These records validate the integrity of incident reports — they provide the denominator of successful sessions against which failure rates can be compared. They carry the supply category, manufacturer, lot, GTIN (when scanned), serial (when present), wear time in hours, and outcome — but never per-session timestamps and never an activity timeline.
Inventory snapshots (sent in the background sync, after you join). Roughly once a week, Stash sends a snapshot of your inventory broken down by supply category and lot — including the quantity in stock, how many of those have been opened, the manufacturer and (when scanned) GTIN, and the earliest expiration date in the bucket. We collect these for three specific purposes:
- Report validation. An incident report (e.g. "lot X had 7 failures") only carries weight when we can compare it against the number of successful sessions of the same lot across the community. Inventory snapshots, paired with wear-session records, give us that denominator. Without them, the failure rate is a numerator with no scale.
- Shortage monitoring. When pump cartridges, sensors, or insulin stock drops sharply across the user base in a given window, that's a leading indicator of distribution problems — and surfacing it lets Stash flag shortages to other users before they feel the impact themselves.
- Lot circulation tracking. Which lots are circulating in the community, when they expire, and whether recalled or expired stock is still moving through distribution. Snapshot-over-time gives us early signal on bad batches working their way through real supply chains.
Snapshots are aggregated per (category × lot) bucket — individual scans, timestamps, and activity timelines are not included. The server collapses repeat submissions for the same bucket within the same calendar week, so the dataset doesn't grow unbounded. No personal data is transmitted — snapshots carry the rotating per-install pseudonymous identifier only, never your name, account, Apple ID, location, glucose, doses, or any field that could identify you.
Stash is interested in tracking supplies, not people.
Device context bundle. Each submission also carries a small contextual bundle scoped to the reported supply category. The bundle is computed on-device at submit time by a DeviceContextBuilder that enforces a bounding contract:
- Inventory lots in the reported category — a list of lot numbers and a single inventory count, used to relate the report to the user's wider exposure to that lot or product. The bundle never reveals categories the user didn't report on.
- Wear-time aggregate — median, p25, p75, and sample count of the user's historical wear sessions in the reported category. Statistical aggregate only; never per-session.
- Placement zone history — zone names only (e.g. "Abdomen," "Upper arm"), capped at the most recent 30 placements. No coordinates, no timestamps.
- Same-category competitors — manufacturer name and count if the user has supplies from another manufacturer in the same category (e.g. Libre alongside Dexcom). Count only, never specific lots.
- Therapy regimen — one of "pump," "mdi," or "hybrid." If the user uses a pump, the pump manufacturer is included.
- Insulin types — when the user is on MDI, the product names of their insulins (e.g. "Humalog," "Tresiba"). Doses, units remaining, and titration history are never included.
- GLP-1 boolean — a single uses_glp1: Bool. Never the GLP-1 product, dose, titration stage, or any GLP-1 history detail.
- Country — only when the user opted into "Use my location" on this submission, and only the two-letter country code.
Each submission also carries a small amount of mundane metadata: the app version, the iOS version, and a platform discriminator ("ios"). These are used for client compatibility, bug pattern analysis, and constraint checks — never user identification.
What's never sent — regardless of which path:
- Your name, email, account ID, Apple ID, advertising ID, or any device identifier that could identify you
- Your GPS coordinates, ZIP code, or street address — region capture, when you opt into it per-submission, gives city / state / country only
- Your blood glucose data, time-in-range, glucose alerts, or any sensor reading values
- Your insulin doses, basal/bolus units, MDI counts, or dose amounts of any kind
- Your GLP-1 product, dose, or titration history — only a boolean ("uses GLP-1") in the device context bundle
- Your body-map placement coordinates — zone names only, never x/y
- Your trip names, trip destinations, dates, or trip packing list contents
- Your side-stash names or contents tagged to a stash location
- Free-text notes you typed anywhere outside an explicit incident report's notes field
- The contents of any inventory category you haven't actually used the Community Reports flow to report on, beyond what the periodic snapshots already disclose (which is the bucketed quantity + lot + manufacturer + GTIN + earliest expiration — never individual scans or activity timelines)
How submissions are processed. Every submission — incident report, wear-session record, or inventory snapshot — is sent to our database hosted by Supabase, a US-based data hosting service, under a per-install pseudonymous identifier ("install_id") that is generated on your device the first time the app launches. The identifier is not tied to your name, account, Apple ID, or any other personal identifier we hold. Reinstalling the app rotates this identifier, breaking any link between your old submissions and your new ones. If multiple devices on your same Apple ID join the Network independently, each device has its own install_id; we do not attempt to dedupe across devices.
How we use Community Reports data:
- Surface community-reported "Lot Notices" to other Stash users (de-identified aggregates only)
- Deliver personalized alerts to you about recalls, lot notices, and shortages affecting lots in your stash
- Inform our editorial decisions about which lots warrant a notice
- Detect supply shortages and lot-circulation patterns at community scale
- Identify patterns in supply quality across the user base
- Share aggregated, non-identifying summaries with manufacturers, researchers, or public health bodies if doing so could improve supply quality or safety
Leaving the Community Reports network. You can leave at any time by toggling Community Reports off in Settings → Community Reports. When you leave:
- All future transmissions stop immediately — no further incident reports, wear-session records, or inventory snapshots are sent from your device.
- Personalized push notifications about lots in your stash stop.
- Previously submitted data remains in the anonymized dataset. Because we never linked your submissions to your identity, there is no install_id → identity map that would let us identify and remove your prior contributions. If you reinstall the app, your new install_id starts a fresh submission history with no link to the previous one.
Withdrawal of individual reports. Because submissions are anonymous and not linked back to you as an identifiable person, individual reports, wear sessions, or snapshots cannot be retrieved or deleted on request. The only mechanisms available are leaving the network (stops future transmissions) and reinstalling the app (rotates the install_id, severing any link between your future submissions and your prior ones).
3. Lot Notices Lookup (Public Read)
When Stash checks for community-reported "Lot Notices," it queries our public Supabase database. No data about you is sent in this query. Stash retrieves the active notice list and matches it locally against your inventory on-device.
4. Recall Alerts Lookup (Public Read)
Stash periodically checks Apple's CloudKit Public Database for product recall alerts. No data about you is sent in this query.
5. Email Newsletter (Opt-In)
If you choose to subscribe to our optional email newsletter, your email address is processed by Loops (loops.so), our US-based email service provider. See Email Communications below.
Camera Usage
Stash requests access to your device's camera solely for scanning barcodes on supply packaging. Camera data is processed on-device in real time. Nothing is recorded, stored, or transmitted.
Location Usage
Stash may request access to your location only when you tap "Use my location" on a Community Reports submission. When you do:
- Stash requests a coarse location fix (approximately 3km accuracy, not precise GPS)
- Stash reverse-geocodes the location to determine your state and country
- Stash immediately discards the raw coordinates after geocoding
- Only the resulting state and country codes (e.g., ("US", "CA")) are sent to our servers
No background location, no significant-change monitoring, no continuous tracking, no use of location for any purpose other than the per-report region tag you explicitly opt into.
You can decline location permission and Stash will still let you submit Issue Reports — just without region.
Third-Party Services
Stash uses the following third-party processors, each for a specific, limited purpose:
| Provider | Purpose | What they receive |
|---|---|---|
| Apple (iCloud / CloudKit) | Sync your data between your own devices; recall-alert lookup | Your supply data, under your iCloud account — not visible to us |
| TelemetryDeck | Anonymous app behavior analytics | Aggregate event names; no user content |
| Supabase | Hosts Community Reports and Lot Notices databases | Community Reports submissions (incident reports, wear-session records, inventory snapshots) keyed to your rotating install_id |
| Loops | Newsletter delivery, if you subscribe | Your email address |
We do not sell or share your data for advertising. Period. We do not engage in cross-context behavioral advertising.
Email Communications
Stash offers an optional email newsletter for users who want recall alerts and product updates. Subscription is opt-in only.
What we collect when you subscribe:
- Your email address
- The date and time of your opt-in
- A source tag indicating where you signed up (e.g., ios_app)
- Engagement data, including which emails you open and which links you click
Why we collect it: To send you recall alerts, product news, and occasional updates about Stash. Engagement data helps us understand whether our emails are useful.
Legal basis (GDPR): We process your email address based on your consent, given when you opt in via the app or our website. You can withdraw consent at any time.
Who processes your email: We use Loops (loops.so), a US-based email service provider, under their privacy policy and Data Processing Agreement. For users in the EU and UK, Loops processes data in the United States under appropriate safeguards.
Tracking in emails: Our emails include standard tracking pixels and tracked links so we can measure open and click rates. This data is never sold or shared.
How to unsubscribe: Every email includes an unsubscribe link, and you can opt out anytime from Settings → Communications in the app. Unsubscribed addresses are retained on a suppression list to prevent accidental re-subscription.
Separation from app data: Your subscription email is not linked to your in-app supply data, Community Reports contributions, or any other personal information stored in Stash.
Data Security
Local data on your device is protected by your device's built-in security features, including passcode, Face ID, and Touch ID. iCloud-synced data is protected by Apple's encryption (and, when enabled in your iCloud settings, end-to-end encryption).
Community Reports data on Supabase is protected by row-level security (RLS) policies that prevent any client from reading submissions they did not write. Aggregated data extracted for analysis is de-identified before review.
Newsletter subscriber data is protected by Loops' security measures, including encryption in transit and at rest.
Your Rights
You have rights regarding your personal data. Most of your data is stored on your device and under your direct control; some rights apply more specifically to your newsletter subscription and Community Reports contributions.
For all users:
- Access your in-app data: It's on your device — you can view, modify, or delete it at any time from within Stash. Uninstalling Stash deletes all locally-stored data on that device. Data synced to iCloud is governed by Apple's privacy policies.
- Access your subscription data: Request a copy of the personal data we hold about you in our newsletter system (email address, signup date, source, engagement data).
- Correction: Update your email address.
- Deletion: Request deletion of your subscription data. This is also accomplished by unsubscribing; your email remains on a suppression list to prevent accidental re-subscription.
For your Community Reports contributions: Because submissions are anonymous and have no link back to you, individual contributions (incident reports, wear-session records, and inventory snapshots) cannot be retrieved or deleted on request. You can stop contributing at any time by toggling Community Reports off in Settings. We retain anonymous Community Reporting Network data indefinitely so historical patterns remain available, but the data is not associated with you as an identifiable person.
For users in the EU, UK, and EEA (under GDPR / UK GDPR), you additionally have the right to:
- Portability: Receive your subscription data in a portable format.
- Restriction: Request that we limit how we process your data.
- Objection: Object to our processing of your data.
- Withdraw consent: Withdraw consent for newsletter processing at any time.
- Lodge a complaint with your local data protection authority.
For users in California (under CCPA/CPRA):
- We do not sell or share your personal information for cross-context behavioral advertising.
- You have the right to know what we collect, request deletion, and opt out of any sale or sharing (we do not engage in either).
To exercise any of these rights, contact us at support@stashdiabetes.com. We aim to respond within 30 days.
Children's Privacy
Stash is not directed at children under 13. We do not knowingly collect any information from children under 13. Children under 18 should use Stash only with a parent or legal guardian's supervision and consent, consistent with our Terms of Service.
The newsletter is not directed at children, and we do not knowingly accept newsletter subscriptions from anyone under 16 without verifiable parental consent.
Changes to This Policy
If this privacy policy is updated, the revised version will be posted here with an updated date. Continued use of the app after changes constitutes acceptance of the revised policy. For material changes, we will make a reasonable effort to notify you in-app or via the newsletter if you've subscribed.
Contact
If you have questions about this privacy policy, you can reach out at support@stashdiabetes.com.