Privacy Policy
The short version. Klebb Cloud stores your health data so that you can see it, not so that we can. It is yours. We never sell it, never show you ads, never train AI models on it, and it never leaves our systems except when you ask it to: an export you encrypt, or a chat question you send to the AI assistant. We are funded by your subscription and nothing else.
Who we are
Klebb Cloud is a hosted health dashboard operated from New South Wales, Australia. Because we hold health information, we comply with the Australian Privacy Act 1988 and the Australian Privacy Principles in full; the small-business exemption does not apply to services like ours, and we would not want it to. Contact for anything in this policy: support@klebb.app.
What we collect
Two very different kinds of data, kept in very different places.
- Account data (the billing plane): your email address, your chosen subdomain, subscription state, and Stripe's identifiers for your customer and subscription records. We never see or store your card number; that goes directly to Stripe.
- Health data (your instance): whatever you choose to track: measurements, medications, notes, documents, data synced from Apple Health. This may include sensitive health information. It lives only inside your own isolated instance, and we collect it only in the sense that you typed it into a service we host. We also store the public halves of your passkeys (they cannot be used to impersonate you) and short-lived session records.
The marketing site sets no analytics cookies and runs no trackers. Our web server keeps standard access logs (IP address, URL, user agent) for security and debugging, rotated out after 14 days.
Where it lives
- Your health data: on our server in Sydney, Australia, in a container dedicated to you. One customer per container; no shared database.
- Account data: on our web server in Germany (the portal database holds your email, subdomain and Stripe identifiers; never your health data).
How we use it
To run the service you pay for, and for nothing else: creating and operating your instance, billing, sending you the emails the service needs (sign-in links, receipts-adjacent lifecycle notices), and responding when you contact support. Our monitoring sees whether your container is running and how much disk it uses; it does not read your health data. Emails we send you never contain your health data.
The AI assistant
Your instance includes an AI chat assistant. When you send it a message, that message plus the minimum card data needed to answer it is sent to a third-party AI model provider to generate the reply. If you use voice chat, your audio is likewise processed by a third-party speech provider to convert between speech and text. This happens only when you use those features; nothing is sent in the background. The specific providers may change over time as models improve, but the rule does not: we do not train models on your data, and our provider agreements do not permit your data to be used for training. If you would rather your health data never reach an AI provider at all, simply don't use the chat: every other feature works without it.
Who we share it with
No one, except the small set of providers the service cannot run without, each receiving only what its job requires:
- Stripe (payments, USA): your email address, card details (directly, never via us) and payment history. Legally required accounting records stay with Stripe even after you close your account.
- Resend (transactional email, USA): your email address and the content of the emails we send you, which never includes health data. Open and click tracking are not used.
- AI model and speech providers (USA): only what you send the assistant (text, or audio when you use voice chat), only when you use those features, as described above.
- Cloudflare (DNS and network proxy, global): routes traffic to your instance; sees encrypted connections and IP addresses, as any network carrier does.
- Hetzner (website and portal hosting, Germany) and OVHcloud (instance hosting, Sydney, Australia): the physical infrastructure underneath everything above.
That's the whole list. We never sell personal information, share it with advertisers or data brokers, or hand it to anyone else unless the law compels us to. Disclosure to overseas recipients is limited to the named providers above in the countries stated.
Security
- Every connection is HTTPS; there is no unencrypted access path.
- Sign-in is by passkey only. There are no passwords to steal, phish or reuse.
- Each customer's instance is an isolated container with its own credentials; no shared data store between customers.
- Exports are encrypted archives (7z, AES-256) with a password generated in your browser and shown only to you, once. We cannot read your export, and the download link is single-use.
- Short-lived operational archives (see retention below) are encrypted at rest with a key held only by the operator.
- Our own administrative access to your instance is deliberately minimal: it can create a new sign-in invite for you and count your passkeys; it cannot delete them, and it cannot read your health data through any administrative API.
Retention and deletion
Exact numbers, because "a commercially reasonable period" isn't a policy:
- While you subscribe, your data stays put. It's your dashboard.
- If your subscription ends, your instance is switched off and your data is held, untouched, for a 30-day grace period so you can export it or reactivate.
- When the grace period lapses (or you choose immediate deletion), your instance and health data are permanently deleted. A single encrypted operational archive survives for at most 7 days as insurance against operator error, then is destroyed. It is not a recovery service and we will never offer it as one.
- Export downloads expire after 48 hours and are then deleted.
- After deletion, we keep your email address and Stripe records only as required for accounting and tax law.
Your rights
Wherever you live, we give you the same rights: access, correction, export and deletion. In practice you already hold most of them yourself: your dashboard is your data, the export button gives you a complete encrypted copy, and closing your account deletes everything on the schedule above. For anything else (correcting account details, a copy of what the billing plane holds), email support@klebb.app and we'll respond within 30 days.
If you believe we've mishandled your information, complain to us first and we will investigate and reply within 30 days. If you're not satisfied, you can complain to the Office of the Australian Information Commissioner (oaic.gov.au).
Data breaches
If a data breach is likely to result in serious harm, we will notify you and the OAIC under the Notifiable Data Breaches scheme: assessment within 30 days at the outside, notification as soon as practicable, with plain advice on what to do. Health data is exactly the kind of information that scheme exists for, and we treat it accordingly.
Children
Klebb Cloud is not directed at children and we don't knowingly hold accounts for anyone under 16. Health data about family members you choose to track in your own instance is your responsibility as its custodian.
Changes to this policy
If we change this policy in any way that matters, we'll email you before the change takes effect, and you can export your data and close your account before it does. The effective date at the top always tells you when it last changed.
Contact
support@klebb.app: it reaches a human (the same one who built the service).