Privacy Policy & Terms of Service

Effective April 30, 2026

Still is built on a simple principle: your data belongs to you. This page explains exactly what information leaves your device, why, and how you stay in control.

Privacy Policy

Your Data Stays on Your Device

Still is a local-first native application. All of your personal data — journal entries, financial records, habits, contacts, reading lists, and everything else you create — is stored in a SQLite database file on your device. No data leaves your device unless you explicitly use a feature described below.

The backup and restore feature in Settings exports your entire database as a file saved to your device. Restoring imports from a local file. No data leaves your device or passes through any server during backup or restore.

Any future feature that involves data leaving your device will remain opt-in — local-first remains the default.

Data Security

The Still database file is stored in your application data directory, protected by your operating system's file permissions. Access to the file requires your OS login credentials.

The database is not encrypted at the application layer. If your device uses macOS FileVault or Windows BitLocker, your database is encrypted at the disk level by your OS. Still recommends enabling full-disk encryption on your device for the strongest protection of your stored data.

Backup and export files produced by Still are unencrypted. Treat them as sensitive documents — store them in a secure location and do not share them with anyone you would not trust with your personal data. Still displays a reminder before any export is saved.

Error Tracking

Still is configured to use GlitchTip (a self-hosted, open-source error tracker) for crash reports. When active, a scrubbing layer removes personally identifiable information before any error data leaves your device: user context is stripped entirely, UI interactions are anonymized, request bodies are removed, cookies are deleted, and financial amounts are redacted to "[AMOUNT]".

Performance traces are sampled at 20% in production and contain no personal content. Error tracking is only active when the application is configured with a reporting endpoint — it can be disabled entirely.

AI & Language Model Features

Some features (Discovery: Compass and Synthesis, Vellum: Scribe) can optionally connect to external language model providers. You choose the provider and supply your own API key — Still never stores or proxies your API key through its servers. No data is sent to any language model without your action.

When Compass or Synthesis sends your private research notes to an LLM, Still scans for personal identifiers — names, email addresses, phone numbers, credit card numbers, and street addresses — and replaces them with anonymous tokens before transmission. This is a best-effort privacy layer that catches common patterns but cannot guarantee detection of all personal information.

Article content from public RSS feeds (used by Scribe and feed discovery) is sent as-is, since it is already publicly available.

Financial data is never sent to any external service. The Means hub processes all calculations entirely on your device.

Supported providers include Anthropic (Claude), OpenAI, Google (Gemini), Mistral, Groq, and OpenRouter. Each provider has its own privacy policy governing how they handle your prompts. Still does not control or have access to data once it reaches your chosen provider.

Web Search

When you use the search feature in Discovery, your query is sent directly from the app to DuckDuckGo (by default) or Brave Search (if you provide your own API key). Requests originate from your device with no server intermediary — Still has no servers involved in this path. Search queries are not logged or stored.

RSS & Feed Fetching

When you subscribe to an RSS feed in Vellum, the feed URL is fetched directly from your device with no server intermediary. Feed URLs and content are never stored on a server. All fetched articles are saved locally in your database.

Analytics

Still plans to use Plausible Analytics on the stillapp.life marketing website — not inside the native app. Plausible does not use cookies, does not track individuals, and is fully GDPR-compliant by design. It collects aggregate, anonymous data (page views, referral sources, OS type) with no personal identifiers.

The native app itself contains no analytics, no telemetry, no tracking pixels, no fingerprinting, and no advertising networks of any kind.

On-Device Processing

Article summarization runs entirely on your device using Transformers.js (via WebGPU or WebAssembly). No article content is sent to external servers for summarization.

Cookies & Tracking

Still does not set HTTP cookies or use third-party tracking scripts. App settings and preferences are stored locally on your device. There is no cross-site tracking of any kind.

Waitlist & Contact

If you join the waitlist, your email is stored with Buttondown (our email platform) and used only to send you updates you’ve requested. This is the only personal information Still collects server-side.

Your email is used to notify you when Still launches and, if you opt in, to send occasional product and blog updates. Emails are retained for up to 12 months from collection or 30 days after public launch, whichever is sooner, then permanently deleted.

To request early deletion, email privacy@stillapp.life. We will process removal requests within 7 business days.

Sub-Processors

Still uses a small number of third-party services to operate. The table below lists all sub-processors, what they receive, and where they are located.

Netlify (USA) — hosts the stillapp.life marketing website and blog. Netlify may log server-level access metadata (IP addresses, request timestamps). No app data is processed through Netlify.

Buttondown (USA) — stores waitlist email addresses. Only email addresses you voluntarily provide are transferred to Buttondown.

GlitchTip (self-hosted, EU) — receives anonymized, scrubbed crash reports when error tracking is active. Personal data and financial values are removed before transmission; see the Error Tracking section for details.

Still does not use any advertising networks, data brokers, or social media sub-processors.

Data Retention

Your hub data: stored locally on your device, retained until you uninstall or reset via Settings.

Error reports: retained for 90 days, then automatically purged.

Waitlist emails: retained for up to 12 months or 30 days after public launch, whichever is sooner, then permanently deleted.

Analytics: when enabled, Plausible retains aggregate data indefinitely; no individual records exist to delete.

Your Rights (GDPR / CCPA)

Because Still is local-first, you already control your data. You can export everything via Settings at any time. To delete your local data, use the reset option in Settings or uninstall the app.

For waitlist email removal, email privacy@stillapp.life and we will delete your entry within 7 business days.

You have the right to: access your data (it's on your device), rectify it (edit it directly), erase it (clear site data), port it (use the export feature), and object to processing (disable any optional feature).

Children's Privacy

Still is not directed at children under 13. We do not knowingly collect personal information from children.

Changes to This Policy

We may update this policy as features evolve. Material changes will be noted with an updated effective date at the top of this page. Since Still does not collect email addresses (outside the waitlist), checking this page periodically is the best way to stay informed. Questions? Email privacy@stillapp.life.

Terms of Service

Not Financial Advice

Still is a personal data management tool, not a financial advisory service. Nothing in Still — including budget tracking, net-worth calculations, portfolio views, spending summaries, or any AI-assisted feature — constitutes financial, investment, legal, or tax advice.

Calculations may contain errors. You should independently verify any financial figures before acting on them, and consult a licensed financial professional for decisions that affect your finances.

Acceptance of Terms

By downloading, installing, or using Still, you agree to these Terms of Service. If you do not agree, do not use the application.

Description of Service

Still is a local-first native application for personal life management. It stores all data — including any financial figures you type — in a SQLite database file on your device. Still is a tool for organizing and reflecting on your own data; it is not a financial platform, brokerage, or advisor.

Still does not guarantee data persistence. App data can be lost through uninstallation or user-initiated reset. You are responsible for backing up your data using the built-in export feature in Settings.

Your Responsibilities

You are responsible for maintaining backups of your data. Still provides an export feature in Settings for this purpose.

If you use AI features, you provide your own API key. Still stores your key in your device's secure OS keychain (macOS Keychain or Windows Credential Manager) and never transmits it to our servers. You are responsible for any costs incurred with third-party AI providers.

You agree not to use Still for any unlawful purpose or in violation of any applicable laws.

AI Features

AI-assisted features (Compass, Synthesis, Scribe) send content to third-party language model providers of your choice. Requests are routed directly from your device — no data passes through Still's servers. You choose the provider, supply your own API key, and are bound by that provider's terms and privacy policy.

Financial data in the Means hub is never sent to any AI provider. AI features that process other hub data apply a best-effort masking layer before transmission, replacing common identifiers with anonymous tokens.

Future AI features that process sensitive or financial data will require explicit user consent and a disclosure screen before any data leaves your device. Depending on the surface, that consent may be granted once on first use (and remembered for the lifetime of the install) or required per call when the user is selecting specific data to share. The full scope of those features, including any opt-in data processing terms, will be published as an addendum to this section at the time of release.

Intellectual Property

Still and its original content, features, and functionality are owned by Still and protected by applicable intellectual property laws. Your personal data within Still belongs to you.

Disclaimer of Warranties

STILL IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.

We do not warrant that the application will be uninterrupted or error-free, that defects will be corrected, or that data stored on your device will persist indefinitely. We do not guarantee the accuracy of any financial calculations, summaries, or projections displayed in the application.

Limitation of Liability

To the maximum extent permitted by applicable law, in no event shall Still or its operators be liable for any indirect, incidental, special, exemplary, or consequential damages arising from your use of the application — including but not limited to loss of data, loss of profits, financial loss, or interruption of service — even if advised of the possibility of such damages.

Still's total cumulative liability to you for all claims arising from or relating to your use of the application, regardless of the form of action, shall not exceed the greater of: (a) the total fees you have paid to Still in the six (6) months immediately preceding the claim, or (b) USD $10.

Some jurisdictions do not allow the exclusion or limitation of certain warranties or liabilities. In those jurisdictions, Still's liability is limited to the maximum extent permitted by law.

Indemnification

You agree to indemnify, defend, and hold harmless Still and its operators from and against any claims, damages, losses, costs, and expenses (including reasonable attorneys' fees) arising from: (a) your use of the application; (b) your violation of these Terms; (c) your violation of any applicable law or regulation; or (d) your violation of any third-party rights.

Termination

Still is a local-first application. You can stop using it at any time by closing or uninstalling the application. Uninstalling removes the application but does not automatically delete your database file — you may delete it manually from your device.

Changes to These Terms

We reserve the right to modify these Terms at any time. Material changes will be reflected with an updated effective date. Continued use of Still after changes constitutes acceptance of the revised Terms.

Governing Law & Jurisdiction

These Terms are governed by and construed in accordance with the laws of the State of Israel, without regard to conflict-of-law principles.

Any disputes arising from or relating to these Terms or your use of Still shall be resolved exclusively in the courts of Tel Aviv-Yafo, Israel.

Contact

For questions about this Privacy Policy or Terms of Service, reach us at privacy@stillapp.life.