Yes, you don't need to be on the App Store to have people testing your app, which is what TestFlight enables you to do. We have apps that have been in TestFlight for months and are still not in the App Store. We roll it out to internal testers (our team) and external (a selection of your target audience).
The level of privacy and, more importantly, security you can offer will depend on your infrastructure, and you are the only person who defines what it is. I would strongly encourage encrypting your database and all API connections (if any).
As long as you follow the country's recommended level of protection for your customer data, you shouldn't be liable if you get hacked or the data is accessed past your current security implementation.
If your app only saves data in local storage, and the data disappears when you delete the app, then that's quite safe. If you have a backend server holding your data, this is what will be the main concern for privacy.