PLEASE READ THIS PRIVACY POLICY CAREFULLY BEFORE USING THE SERVICE.
This Privacy Policy (this "Policy") describes how MyPeriod ("MyPeriod," "we," "us," or "our") collects, uses, discloses, retains, and otherwise processes personal data when you access or use our website at https://myperiod.me, our progressive web application at https://myperiod.me/app/ (collectively, the "Service"), or otherwise interact with us.
By registering for, accessing, or using the Service, you acknowledge that you have read and understood this Policy. Where required by applicable law, we will seek your separate, explicit consent for the processing of special categories of personal data (including health-related data) as described herein.
1. Data Controller
For purposes of the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection ("FADP"), and similar legislation, the data controller responsible for your personal data is the operator of MyPeriod, contactable at .
2. Scope and Application
This Policy applies to personal data processed through the Service. It does not apply to third-party websites, applications, or services that may be linked from the Service, which are governed by their own privacy policies. You are encouraged to review those policies independently.
3. Categories of Personal Data We Process
Depending on how you use the Service, we may process the following categories of personal data:
- Account and identity data: first name, last name, email address, password (stored in hashed form using industry-standard one-way hashing algorithms), email verification status, referral codes, and account preferences.
- Health and cycle-related data: menstrual period start and end dates, cycle length settings, flow intensity, symptoms, mood entries, pregnancy mode status, fertility-related inputs, calendar notes, and other health-related information you voluntarily submit ("Health Data").
- Technical and usage data: IP address, browser type, device identifiers, session identifiers, access timestamps, pages viewed, and similar diagnostic information.
- Communications data: messages you send to us (e.g., feedback, support requests) and our responses.
- Marketing and notification preferences: opt-in or opt-out choices for email notifications, push notifications, and similar communications.
4. Special Categories of Personal Data
Health Data may constitute "special category" or "sensitive" personal data under the GDPR, UK GDPR, FADP, and other laws. We process such data only where permitted by law, including:
- your explicit consent provided at registration or when submitting Health Data;
- processing that is necessary for the provision of the Service you request (i.e., cycle tracking, predictions, and related features); and/or
- other lawful bases expressly recognized under applicable data protection law.
You may withdraw consent at any time as described in Section 12; withdrawal does not affect the lawfulness of processing prior to withdrawal, but may limit or prevent your continued use of certain features.
5. Sources of Personal Data
We collect personal data:
- directly from you when you register, log in, enter cycle information, configure settings, export data, contact us, or otherwise use the Service;
- automatically through cookies, session mechanisms, server logs, and similar technologies (see our Cookie Policy); and
- from referral parameters if you register via a referral link (referrer identifier only, not third-party profiling).
6. Purposes and Legal Bases for Processing
We process personal data for the following purposes and on the following legal bases, as applicable:
| Purpose | Legal Basis (GDPR Art. 6 / Art. 9) |
|---|---|
| Creating and administering your account; authentication; security | Performance of a contract (Art. 6(1)(b)); legitimate interests in securing the Service (Art. 6(1)(f)) |
| Providing cycle tracking, predictions, insights, calendar, mood logging, exports, and related core functionality | Performance of a contract (Art. 6(1)(b)); explicit consent for Health Data where required (Art. 9(2)(a)) |
| Sending transactional emails (verification, password reset, optional phase emails you enable) | Performance of a contract (Art. 6(1)(b)); consent where required (Art. 6(1)(a)) |
| Operating push notifications (where enabled and supported by your device) | Consent (Art. 6(1)(a)) |
| Responding to inquiries, feedback, and support requests | Legitimate interests (Art. 6(1)(f)); performance of contract where applicable |
| Fraud prevention, abuse detection, enforcing Terms of Service | Legitimate interests (Art. 6(1)(f)); legal obligation where applicable (Art. 6(1)(c)) |
| Analytics on the marketing website (only if you accept non-essential cookies) | Consent (Art. 6(1)(a)) |
| Compliance with legal obligations, regulatory requests, and establishment or defence of legal claims | Legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)) |
7. Encryption and Security Measures
We implement appropriate technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, loss, or destruction, including:
- encryption of certain sensitive fields (including symptom notes and similar Health Data) using AES-256 or comparable standards prior to storage;
- transmission of data over HTTPS/TLS;
- password hashing using industry-standard algorithms;
- access controls limiting personnel access to production systems on a need-to-know basis; and
- routine monitoring, patching, and security reviews commensurate with the nature of the data processed.
No method of transmission or storage is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your credentials and for all activity under your account.
8. Automated Processing and Predictions
The Service uses algorithmic logic to generate cycle predictions, fertile window estimates, phase classifications, trend analyses, and similar outputs based on data you provide. These outputs are informational estimates only, do not constitute medical advice, and do not involve automated decision-making producing legal or similarly significant effects within the meaning of Article 22 GDPR.
9. Data Sharing and Recipients
We do not sell, rent, or trade your personal data to third parties for monetary or other valuable consideration. We do not share Health Data with advertisers, data brokers, or insurance companies for marketing or underwriting purposes.
We may disclose personal data to the following categories of recipients, strictly as necessary:
- Infrastructure and hosting providers (e.g., cloud hosting, database services) that process data on our behalf under written data processing agreements or equivalent contractual safeguards;
- Email delivery providers for transactional communications (e.g., account verification, password reset, optional notifications you enable);
- Analytics providers (e.g., Google Analytics) only where you have consented to non-essential cookies on our marketing pages;
- Professional advisers (legal, accounting, technical) bound by confidentiality obligations;
- Law enforcement, regulators, courts, or other authorities where required by applicable law, regulation, legal process, or enforceable governmental request, or where necessary to protect rights, safety, or property.
All subprocessors are selected with regard to their security practices and are contractually required to process personal data only on our documented instructions and in compliance with applicable data protection law.
10. International Data Transfers
Your personal data may be processed in Switzerland, the European Economic Area ("EEA"), and/or other jurisdictions where our service providers operate. Where personal data is transferred from the EEA, UK, or Switzerland to countries not recognized as providing an adequate level of protection, we implement appropriate safeguards, which may include Standard Contractual Clauses approved by the European Commission, the UK International Data Transfer Agreement, or other mechanisms recognized under applicable law.
11. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, unless a longer retention period is required or permitted by law. In general:
- Account and Health Data: retained for the duration of your active account and deleted or anonymized within a reasonable period following account deletion, except where retention is required for legal, security, or dispute-resolution purposes;
- Server logs: retained for a limited period consistent with security and operational needs;
- Backup copies: may persist in encrypted backups for a limited rolling window before being overwritten;
- Communications: retained as needed to address your inquiry and for a reasonable period thereafter.
Upon verified account deletion via the Service, we will delete or irreversibly anonymize associated personal data in active systems, subject to the exceptions above.
12. Your Rights
Depending on your location, you may have the following rights with respect to your personal data, subject to applicable law and certain exceptions:
- Right of access — obtain confirmation and a copy of personal data we hold about you;
- Right to rectification — correct inaccurate or incomplete data (also available in-app);
- Right to erasure ("right to be forgotten") — request deletion of your data (also available via "Delete Account" in Profile settings);
- Right to restriction of processing — request limitation under certain circumstances;
- Right to data portability — receive your data in a structured, commonly used, machine-readable format (export available as JSON and PDF in-app);
- Right to object — object to processing based on legitimate interests or for direct marketing;
- Right to withdraw consent — where processing is consent-based, without affecting prior lawful processing;
- Right not to be subject to certain automated decision-making — as described in Section 8.
12.1 California Residents (CCPA/CPRA)
If you are a California resident, you may have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, including the right to know, delete, correct, and opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioral advertising. To exercise rights, contact us at . We will not discriminate against you for exercising privacy rights.
12.2 Exercising Your Rights
To exercise any applicable right, contact . We may request information reasonably necessary to verify your identity before responding. We will respond within the timeframe required by applicable law (generally within one (1) month under GDPR, subject to permitted extensions).
13. Children and Minors
The Service is not directed to children under the age of sixteen (16), and we do not knowingly collect personal data from children under 16 without appropriate parental or guardian consent where required by law. If you believe we have collected data from a child without proper authorization, contact us immediately at , and we will take steps to delete such information.
14. Third-Party Links
The Service may contain links to third-party websites or resources. We are not responsible for the privacy practices of such third parties. Your interaction with any third-party site is governed by that party's policies.
15. Changes to This Policy
We may update this Policy from time to time to reflect changes in law, technology, or our practices. When we make material changes, we will post the updated Policy on this page with a revised "Last Updated" date and, where required by law, provide additional notice (e.g., email or in-app notification). Your continued use of the Service after the effective date of changes constitutes acceptance of the revised Policy, except where further consent is required by law.
16. Supervisory Authorities and Complaints
If you are located in the EEA, UK, or Switzerland, you have the right to lodge a complaint with your local data protection supervisory authority. We encourage you to contact us first at so we may address your concerns directly.
17. Contact
For questions, requests, or complaints regarding this Policy or our data practices:
Email:
Website: https://myperiod.me