Privacy as a Default, Not a Feature

When you use most consumer health apps, your data is the product.

We made a different choice.

The default is yours

In myTSH, the data you enter lives on your device and in your account. We can see aggregated, anonymized patterns if you consent to sharing them for research or model improvement. But the raw, identifiable record is yours.

This isn't a privacy "feature" you can toggle on. It is the baseline the entire system is built on.

We log events in an append-only structure precisely because that structure makes it easier to give people real ownership. You can export your full history. You can (in the future) hand it to another system or a new doctor without us becoming a middleman that has to approve the transfer.

Why this matters more than it seems

Many tools in this category collect rich longitudinal data and then treat it as a company asset. That data becomes training material, product development fuel, or (eventually) something that gets sold or shared when the company changes hands.

We are trying to build something that can survive us.

That means designing the data model and the consent flows so that the most valuable thing — a person's actual multi-year thyroid history — can leave the product cleanly if the person wants it to.

It also means we are conservative about what we ask for and what we store. Every extra field we collect is a liability for the user as much as it is an opportunity for us.

The honest trade-off

This approach makes some things harder. It slows down certain kinds of product development. It limits how clever we can be with personalized recommendations derived from population data.

We accept those constraints because the alternative is quietly turning patients into a dataset they no longer fully control.

If someone wants to contribute their data to improve projections for others, we make that easy and transparent. But the default has to be the opposite: their record belongs to them, not to the tool.

This is one of those decisions that looks boring from the outside and becomes extremely important the moment something goes wrong — a company acquisition, a policy change, or simply a user who wants to leave.