Privacy
Off-label Insight is a small independent blog. I collect as little data as I can get away with and still run the site. The site stores your email only if you explicitly hand it to me, keeps no advertising profile on you, and never sells anything to third parties. This page is a description of what actually happens, not legal cover.
Last updated: April 2026.
What the site collects
Newsletter email. If you subscribe through one of the email forms on the homepage or the bottom of a blog post, Off-label Insight stores your address in its database along with the page that triggered the signup and the date. That's the whole record. Nothing else is linked to it.
Affiliate link clicks. Most affiliate links on the site route through offlab.link, my self-hosted link shortener (running Dub open source). When you click one, the shortener records the click - timestamp, approximate country from your IP, and the destination the link pointed to. It does not set a cookie in your browser, and it does not link the click to your email or any other identifier I hold. Aggregate click counts help me understand which recommendations are useful.
Server and request logs. The hosting provider (Vercel) keeps short-lived request logs - IP address, timestamp, requested URL, user agent - the same as any web server. These are used for debugging and abuse prevention, then rotated.
Analytics. I have not wired up an analytics provider yet. When I do, it will be a privacy-respecting option (Plausible, Fathom, or PostHog self-hosted) rather than Google Analytics, and I will update this page with exactly what it measures. If you want the current state of truth, it's: no analytics.
What the site does not collect
- No advertising cookies. No retargeting pixels. No Facebook or TikTok tracking.
- No Google Analytics.
- No account creation for readers. The only logins that exist belong to me and are protected by Google OAuth; readers never see a login screen.
- No behavior profile across pages or sessions.
- No payment information - the site doesn't sell anything directly.
Third parties that see your data
- Vercel hosts the site and serves the pages. Every request goes through them. Their privacy policy is at vercel.com/legal/privacy-policy.
- Layerbase / self-hosted Dub handles affiliate link redirects on `offlab.link`. I operate the infrastructure myself on Layerbase.
- Amazon and other affiliate merchants see a referring header when you click through to them, indicating you came from Off-label Insight. They set their own cookies on their own domains; I have no access to or control over those. See my Affiliate Disclosure for the list.
- Google is involved only to the extent I use Google OAuth for my own admin login. Your reading activity is not sent to Google by this site.
If I ever add an email delivery provider for the newsletter, I will list them here before I start sending.
Cookies
The site sets one cookie related to the admin panel login session. That cookie does not apply to readers - you will never have it set in your browser unless you log into the admin panel, which only I do.
The site does not set cookies for reader tracking or personalization.
Your rights
Regardless of where you live:
- You can unsubscribe from the newsletter at any time. There's no magic — email me and I'll delete your record, or wait for the unsubscribe link once an email delivery system is wired up.
- You can request a copy of any data the site holds about you. For a newsletter subscriber, that is an email address and a signup timestamp.
- You can request deletion of that data.
If you're in the EU, UK, or California, the legal frameworks applicable to you (GDPR, UK GDPR, CCPA/CPRA) give you these rights explicitly. The site will honor them for everyone.
To make a request, email the contact address at the bottom of this page.
Retention
- Newsletter emails are kept until you unsubscribe or request deletion, then removed from the database within 30 days.
- Server request logs rotate on Vercel's schedule (typically within a few weeks).
- Affiliate click events are kept indefinitely in aggregate form (counts, not individual records) for long-term trend analysis.
Children
This site is aimed at adults researching their own health and supplement use. It is not directed at children under 13 and I do not knowingly collect information from anyone under 13. If you believe a child has subscribed, email me and I will delete the record immediately.
Security
Data is stored in a managed PostgreSQL instance on Layerbase with encrypted connections. Backups are encrypted at rest. The site runs over HTTPS. No system is perfectly secure - if there is ever a breach that affects user data, I will notify affected users within 72 hours of discovery.
Changes to this policy
If I change anything meaningful, I will update the "Last updated" date at the top and, for substantive changes, note what changed at the bottom of this page. I will not quietly reduce your protections.
Contact
Privacy questions, data access requests, or deletion requests: use the contact email listed on the About page.