Privacy Policy

Last updated: May 18, 2026

This Privacy Policy explains how Fiorella DiCarlo, RD, CDN ("we," "us," "our") collects, uses, shares, and protects your personal data when you use the No Rebound app at norebound.app ("Service").

We are based in the United States and can be reached at fiorella@fiorellard.com for any privacy questions or to exercise your rights under this Policy.

1. What we collect

We group what we collect into two buckets, in the style of an Apple App Store privacy label.

Data Linked to You

The following data may be collected and is tied to your identity:

  • Health & Fitness - weight entries, daily check-in responses (hunger, energy, mood, sleep, GI severity, optional symptoms, reflections), meal logs (food name, portion, protein grams, meal time, optional hunger before/after), the medication and dose you tell us about, your stage (tapering or off), tapering plan, body weight, and goal.
  • Contact Info - email address (provided via Clerk sign-in).
  • Identifiers - your account identifier and Stripe customer ID (used to associate subscriptions with your account).
  • Purchases - subscription status, plan, billing dates. Stripe stores card data directly; we never see it.

Data Not Linked to You

The following data may be collected but is not tied to your identity:

  • Usage Data - aggregated counts of which pages and features are used. Used only to understand patterns; never tied back to individuals.
  • Diagnostics - anonymized server logs and error reports to fix bugs.

Data we do not collect

We do not collect prescription records, lab results, doctor information, or any health record covered by HIPAA. We do not collect or share data for advertising. No Rebound is a wellness tracking tool, not a healthcare provider.

2. Why we use your data

  • To deliver the Service (Article 6(1)(b) GDPR): tracking entries are used to render your dashboard, trends, and history.
  • To send transactional email (Article 6(1)(b)): welcome email, trial-ending reminders, weekly digest (if opted in), streak milestones (if opted in).
  • To improve the Service (Article 6(1)(f) - legitimate interests): aggregate usage analytics, error tracking. No individual data is used for advertising or shared with advertisers.
  • To meet legal obligations (Article 6(1)(c)): tax records, dispute resolution.

3. Who we share data with

We use a small set of service providers who process data on our behalf:

We do not sell your personal data. We do not share it with third parties for their own advertising.

4. How long we keep your data

  • Tracking entries (weigh-ins, check-ins, meals): for as long as your account is active.
  • Account records: until you delete the account, plus 30 days for backup retention.
  • Payment records: 7 years (tax and accounting requirements).
  • Server logs (IP, request data): 90 days.

You can delete your account any time from settings. Deletion cascades to all your tracking entries.

5. Your rights

Depending on where you live, you have the following rights:

  • Access - request a copy of the data we hold about you. You can also download your data directly from settings.
  • Rectification - correct inaccurate data. Edit any entry from its history view.
  • Erasure - delete your account from settings.
  • Restriction - request we limit processing of your data.
  • Portability - download your data as JSON.
  • Objection - object to processing based on legitimate interests.
  • Withdraw consent - opt out of weekly digest or milestone emails any time from settings.
  • Lodge a complaint - if you are in the EU/EEA, with your supervisory authority. If you are in the UK, with the ICO.
  • Non-discrimination (CCPA) - we will not deny service for exercising any of these rights.

6. International data transfers

We are based in the United States. If you are in the EU, EEA, UK, or Switzerland, your data is transferred to the United States. We rely on the EU-US Data Privacy Framework where our processors are certified (Stripe, MailerLite-comparable) and on Standard Contractual Clauses otherwise.

7. Security

Data is encrypted in transit with HTTPS and at rest in Postgres via Vercel. Authentication is handled by Clerk (industry-standard, JWT-based). Stripe handles all card data. No method is 100% secure; we notify affected users without undue delay of confirmed personal data breaches as required by applicable law.

8. Children's data

No Rebound is not directed to children under 18, and we do not knowingly collect personal data from anyone under 18.

9. Not medical advice

No Rebound is a tracking tool. The content and features are not medical advice, diagnosis, or treatment. Always work with your prescribing physician before changing your diet, medication, or health regimen.

10. Changes to this Policy

We may update this Policy. Material changes will be posted here with a new "Last updated" date. Continued use after changes take effect constitutes acceptance.

11. Contact

For privacy questions, contact fiorella@fiorellard.com.