...
Location data for undiagnosed users never leaves their device (i.e. this is a “decentralized” solution).
It is also encrypted at rest.
It is deleted after 28 days
The user can turn location tracking on & off whenever they like (either using the in-app setting, or their device settings).
...