
I guess I should also add that with the current web version, you can opt out of sending telemetry data via cookie preferences, and with the Premium version you choose whether or not you want your data persisted. (There is also a button to remove all your data at a later date if desired.) Perhaps something else that might be helpful to add is an import/export button so you can save and load data locally?


> I guess I should also add that with the current web version, you can opt out of sending telemetry data via cookie preferences, and with the Premium version you choose whether or not you want your data persisted.

Rather than ameliorate concerns about privacy, this intensifies them. This is the approach I would expect from a megacorporation hellbent on mining my private data to death while pointing to the by-sheer-coincidence-hidden option to opt out of telemetry. And the choice to pay for the ability to not be data-mined to death.

These are the design choices I expect from a product team that regards privacy as something to be defeated and evaded. It's the sort of thing I would expect from Facebook.

Perhaps a privacy-centered approach might be worth considering? What might the user experience look like if behavior were not tracked until the user explicitly consented to just specifically that? What if the ability to upload your data were a premium option, with the local-only privacy-preserving experience the default? What data do you need to let people do incredibly personal calculations, as opposed to what data do you want?


Oops, it seems my attempt to add clarity on the current implementation only added more confusion. Sorry about that. Let me try to break down the status quo in more detail.

1. User arrives on the site; no Google Analytics is activated unless the user accepts cookie settings (which include the option to accept some types and not others).

2. User onboards and creates a plan for free and experiments with the app -- no plan data or results are transmitted. Everything is done client-side in JavaScript and goes away on page refresh.

3. User decides to upgrade to premium. If they do, the app asks if they would like to enable persistent data. If they enable this feature, only then is plan data saved.
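The three steps above describe a consent-gated design: no analytics tag until the user opts in, plan data held only in memory, and server-side persistence only after an explicit choice. The following is an added JavaScript example (not the app's own code) sketching how that gating can be enforced client-side, plus the local import/export suggested earlier in the thread. The cookie name `cookie_prefs`, the `analytics` category, the `PlanStore` and `FakeRemote` classes, and the sample plan values are assumptions for illustration.

```javascript
// Added example (not the app's code): consent-gated analytics plus a plan store
// that keeps data client-side until the user explicitly enables persistence.
// The "cookie_prefs" cookie and the "analytics" category are assumed names.

// Parse a Cookie header into a name -> value map. Malformed percent-encoding
// is kept raw rather than thrown on, so a bad cookie cannot break the page.
function parseCookies(header) {
  const out = {};
  for (const part of String(header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    let value = part.slice(idx + 1).trim();
    try { value = decodeURIComponent(value); } catch (_) { /* leave as-is */ }
    if (name) out[name] = value;
  }
  return out;
}

// True only when the stored preference explicitly opts in to the analytics
// category. No cookie, an unparsable cookie, or any other value fails closed.
function analyticsConsented(cookieHeader) {
  const raw = parseCookies(cookieHeader).cookie_prefs;
  if (!raw) return false;
  let prefs;
  try { prefs = JSON.parse(raw); } catch (_) { return false; }
  return prefs !== null && typeof prefs === "object" && prefs.analytics === true;
}

// Script URLs the page should inject. Empty until consent exists, so the
// GA tag is never even requested for a user who has not opted in.
function analyticsScripts(cookieHeader, measurementId) {
  if (!analyticsConsented(cookieHeader)) return [];
  return [
    "https://www.googletagmanager.com/gtag/js?id=" + encodeURIComponent(measurementId),
  ];
}

// Plan data lives in memory (lost on refresh) unless persistence is turned on.
// `remote` is whatever saves server-side; below it is a constructed stand-in.
class PlanStore {
  constructor(remote) {
    this.remote = remote;
    this.plan = null;
    this.persist = false;
  }
  // Called only after the user opts in (e.g. at premium upgrade). Flushes the
  // current in-memory plan so nothing entered earlier is silently lost.
  enablePersistence() {
    this.persist = true;
    if (this.plan !== null) this.remote.save(this.plan);
  }
  update(plan) {
    this.plan = plan;
    if (this.persist) this.remote.save(plan);
  }
  // Local export/import so a free-tier user can keep a plan without
  // ever sending it to the server.
  exportJSON() { return JSON.stringify(this.plan); }
  importJSON(text) { this.update(JSON.parse(text)); }
  // "Remove all my data": clears both the local and the remote copy.
  deleteAll() {
    this.plan = null;
    this.remote.deleteAll();
  }
}

// Constructed in-memory stand-in for the server, so the example runs offline.
class FakeRemote {
  constructor() { this.stored = null; this.saves = 0; }
  save(plan) {
    this.stored = JSON.parse(JSON.stringify(plan));
    this.saves += 1;
  }
  deleteAll() { this.stored = null; }
}

// Walk through the three steps from the comment above with constructed input.
function demo() {
  const noConsent = "session=abc123";               // step 1: arrives, no decision yet
  const consented = "session=abc123; cookie_prefs=" +
    encodeURIComponent('{"necessary":true,"analytics":true}');
  const remote = new FakeRemote();
  const store = new PlanStore(remote);
  store.update({ income: 50000, savingsRate: 0.2 }); // step 2: free use, nothing sent
  const savesBeforeUpgrade = remote.saves;
  store.enablePersistence();                         // step 3: premium + explicit opt-in
  return {
    scriptsWithoutConsent: analyticsScripts(noConsent, "G-EXAMPLE").length,
    scriptsWithConsent: analyticsScripts(consented, "G-EXAMPLE").length,
    savesBeforeUpgrade,
    savesAfterUpgrade: remote.saves,
  };
}
```

The property worth checking is that every unknown state fails closed: a missing, declined, or malformed preference yields no analytics script at all, and a plan entered before the opt-in is never saved until `enablePersistence()` is called. Import/export stays purely local, so a free-tier user can keep a plan across refreshes without the server ever seeing it.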


Thank you! That clears things up considerably.


I think part of the disconnect is communicating what the app actually does vs. what the terms permit it to do in the future.

It sounds like you've put genuine thought into this, and your privacy policy is very readable, but it suffers from the generic "WTFPL" clauses.

For example, you clearly specify who the third-parties are and what data is shared, which again is commendable. But it's combined with "we may use your data for [any] other purposes", "we may sell and may have sold [extremely personal PII]", and so on.

Are you doing this? Doesn't seem like it. Could you? Apparently, and that's part of the concern.


> (there is also a button to remove all your data at a later date if desired)

Do you keep database backups?


Currently, no. I suppose one could criticize that from an operations perspective, but at least data requested for deletion really does go away.


Not having a recovery plan is bad. You should have backups but with lifecycle rules that remove them after x days.


Can I ask how you are using the telemetry that you collect?


Currently just Google Analytics dashboards showing things like navigation within the app and where users are dropping off during the onboarding process.



