HerLyfe Privacy Policy

1.1 This Privacy Policy explains how HerLyfe Ltd uses personal data when you use the HerLyfe mobile app, related subscription features, and legal or support pages linked from the app (together, the “Service”).

1.2 HerLyfe Ltd is the controller of the personal data described in this policy.

1.3 Our privacy promise. We design HerLyfe so your most sensitive health data can stay on your device wherever possible. We do not access that data to sell it, build advertising profiles about you, or share it with advertisers. We only store and use what is necessary to provide the features you choose and to run the Service responsibly.

1.4 HerLyfe may still process health-related or other sensitive information when the app stores, reads, analyses, or displays it for you. Where a feature keeps sensitive data on your device, that data is not sent to our servers unless you choose a feature that requires server-side processing, such as account syncing, backup, export, support, or similar functionality.

1.5 We do not sell your personal data. We do not share your health data with advertisers, ad networks, data brokers, or social media platforms for their own marketing, advertising, or profiling purposes.

1.6 HerLyfe is built to help people, not to exploit their data. Your health data is not our product.

1.7 Some third-party services you use with HerLyfe, such as Apple App Store, Google Play, Apple ID, or Google sign-in, may also process your personal data under their own privacy information. This policy covers HerLyfe’s processing, not theirs.

2.1 We collect the following categories of personal data:

• Account and profile data, such as your email address, login method, Clerk user ID, and account details you choose to add.
• Wellness and app content, such as experiments, check-ins, notes, cycle or life-stage context, reminder settings, safety acknowledgements, and other information you choose to enter. Depending on what you enter, this may include special category data such as health information and other sensitive information related to fertility, pregnancy, menopause, or sex life.
• Device and app data, such as device identifiers, app version, operating system, notification token, platform, time zone, and app settings.
• Subscription and entitlement data, such as your plan, entitlement status, renewal or expiry information, and store-related subscription metadata received through RevenueCat and the relevant app platform. If you subscribe through Apple or Google, they process your payment. We do not receive your full payment card details.
• Diagnostics and analytics data, such as crash reports, error logs, performance data, and product analytics events if you enable analytics or if diagnostics are necessary to keep the Service secure and reliable.
• Support and communications data, such as messages you send us and information needed to respond.

2.2 We collect personal data directly from you, automatically from your device and app use, and from service providers and platform providers that support login, subscriptions, notifications, and app operations.

2.3 Examples of third-party sources include Apple, Google, Clerk, RevenueCat, and notification providers, depending on which features you use and which login or payment method you choose.

2.4 Some information is needed to create and run your account and provide the Service. If you do not provide that information, some or all of the Service may not work. Other information is optional.

3.1 In plain English, we use your data to:

• provide the app and your account;
• save your entries, experiment history, and settings;
• generate insights, summaries, and results for you;
• send reminders and service messages you choose to receive;
• keep the app secure and fix problems; and
• improve core features in a privacy-conscious way.

3.2 More specifically, we use personal data to:

• create and manage your account;
• provide core app functions, including syncing, storage, experiments, check-ins, summaries, AI-assisted insights, export, and deletion tools;
• apply safety features, warnings, gating, and signposting;
• send reminders or notifications you enable;
• verify and manage subscription entitlements;
• troubleshoot bugs, monitor reliability, prevent fraud or misuse, and secure the Service;
• respond to support requests and other messages;
• improve the Service using analytics where enabled; and
• comply with legal, regulatory, accounting, tax, consumer, or enforcement obligations.

3.3 We do not sell personal data. We do not use your health data for targeted advertising. We do not allow third parties to use your health data for their own marketing.

3.4 We do not use third-party advertising SDKs in the app.

3.5 HerLyfe may use automated processing to generate insights, summaries, reminders, or safety prompts inside the app. However, we do not currently use your personal data to make solely automated decisions that produce legal or similarly significant effects on you.

4.1 If you are in the UK or EEA, our main legal bases under data protection law are:

• Contract — where processing is needed to provide create your account, provide the Service, sync your data, manage your subscription, deliver the features you choose, and provide customer support that is necessary to deliver the Service.
• Legitimate interests — for security, fraud prevention, debugging, service reliability, internal administration, and defending legal claims. Our legitimate interests include running a safe, reliable, sustainable, and privacy-conscious service.
• Consent — where we ask for it, such as optional analytics, optional reminders or device permissions where required, and other optional processing that requires consent.
• Legal obligation — where we must process data to comply with legal, regulatory, accounting, tax, consumer, or enforcement obligations.

4.2 Some data you choose to enter into HerLyfe may be special category data, including health data and other sensitive information. Where UK or EEA law applies and we process that kind of data, we identify both a lawful basis under Article 6 and an additional condition under Article 9. For the health and wellness features you choose to use, our main additional condition is your explicit consent for the specified purposes of those features.

4.3 You can withdraw consent at any time through in-app settings where available or by contacting us at oliver@herlyfe.com or support@herlyfe.com. If you withdraw consent, we may not be able to continue providing some or all health-related or optional features. Withdrawal does not affect processing already carried out before withdrawal.

4.4 Because HerLyfe may process sensitive information, we treat this data with extra care and apply additional protections appropriate to the risks.

4.5 Important right to object. Where we rely on legitimate interests, you have the right to object to that processing in some circumstances. To do this, contact oliver@herlyfe.com or support@herlyfe.com.

4.6 Because some processing may involve sensitive health data, AI-assisted features, and other higher-risk operations, we carry out and keep under review a data protection impact assessment (DPIA) where the law requires it or where we consider it good practice to do so. If a DPIA indicates a high residual risk that we cannot adequately mitigate, we will follow any consultation steps required by applicable law before continuing that processing.

5.1 We use device storage and similar technologies, including local app storage, secure tokens, cached settings, and notification identifiers, to keep you signed in, remember settings, protect the Service, and make the app work.

5.2 Some of these technologies are strictly necessary for the Service and security controls to function. Others are optional.

5.3 Where we use analytics or similar non-essential technologies, we ask for consent where required before using them, and you can change that choice in the app. On our marketing website (such as herlyfe.com), we may use similar technologies to understand how the site is used; where the law requires it, we will obtain consent or use other lawful bases before loading non-essential cookies or analytics, and we may add site controls (for example a cookie or consent banner) as we expand that tooling.

5.4 Reminder notifications are optional. Notification text is generic by default. You can manage reminders, notification permissions, and preview settings in the app and in your device settings.

6.1 We share personal data only where reasonably necessary to operate, secure, support, and improve the Service.

6.2 We use trusted service providers to host, maintain, secure, analyse, and support the app. Where they act on our behalf, they process personal data under contract and only on our instructions.

6.3 At the date of this policy, our key providers may include:

• Clerk for authentication and identity services;
• Amazon Web Services (AWS) for cloud infrastructure, compute, networking, DNS, storage, and AI-related services we use to operate and improve the Service;
• Convex for backend infrastructure, storage, and sync;
• RevenueCat for subscription and entitlement processing;
• PostHog for product analytics in the app and aggregate website usage on our marketing site, where we enable it;
• Sentry for crash and error monitoring;
• Apple APNs and Google FCM for push notification delivery; and
• email, hosting, legal, accounting, or other operational providers we use to run the business.

6.4 Some platform providers, such as Apple or Google, may also process personal data as independent controllers under their own terms when you use their services, for example for app distribution, payments, account login, or notification infrastructure.

6.5 We do not share your health data with third parties for their own advertising, marketing, or profiling purposes.

6.6 We may also share personal data:

• where required by law, regulation, court order, or lawful request;
• to establish, exercise, or defend legal claims;
• to investigate fraud, abuse, or security issues; or
• as part of a merger, acquisition, financing, reorganisation, or sale of assets.

6.7 If you buy a subscription through Apple or Google, those platforms also process data under their own privacy terms.

7.1 We and our service providers may process personal data outside the UK or EEA.

7.2 Where transfer rules apply, we rely on an adequacy decision or other lawful transfer mechanism, such as the UK International Data Transfer Agreement, the UK Addendum, or EU Standard Contractual Clauses, together with any required transfer risk assessment or supplementary measures.

7.3 You can contact us if you want more information about international transfers or a copy or summary of the relevant safeguards, where the law gives you that right.

8.1 We keep personal data only for as long as we need it for the purposes described in this policy, including to provide the Service, comply with law, resolve disputes, enforce agreements, and protect our legal rights.

8.2 In general:

• account, wellness, and settings data are kept while your account remains active;
• if you delete your account, we start a deletion workflow and then delete or irreversibly anonymise data from live systems, subject to limited backups and records we must keep;
• some deletion steps may be queued and may take a short time to complete across all systems;
• residual copies may remain in backup systems for a limited period until they are overwritten in the ordinary course;
• subscription, support, security, tax, accounting, consumer, and legal-claims records may be kept longer where reasonably necessary or legally required; and
• crash and analytics data may be kept for limited rolling periods under our settings or our providers’ retention schedules.

8.3 Some data stored locally on your device may remain until you remove the app, clear the data, or delete your account from that device.

9.1 You can request access to, correction of, export of, restriction of, objection to, or deletion of your personal data, subject to applicable law. If you delete your account, we will delete your personal data unless we are legally required or otherwise permitted to keep certain information.

9.2 If you are in the UK or EEA, you may have rights to:

• access your personal data;
• correct inaccurate personal data;
• delete personal data;
• restrict processing in some circumstances;
• object to processing in some circumstances, especially where we rely on legitimate interests;
• receive a portable copy of certain personal data; and
• withdraw consent where we rely on consent.

9.3 You can exercise your rights by contacting oliver@herlyfe.com or support@herlyfe.com. We may need to verify your identity before acting on a request.

9.4 You can also use in-app tools to manage analytics preferences, export your data, and delete your account where those tools are available. We also provide a public account deletion request page at /delete-account if you cannot access the app or need to request deletion from the web.

9.5 We normally respond to rights requests within one month, although the law allows more time in some cases.

9.6 If you want to complain about how we handle your personal data, you can contact us at oliver@herlyfe.com or support@herlyfe.com.

9.7 If you are in the UK, you can complain to the Information Commissioner’s Office. If you are in the EEA, you can also complain to your local supervisory authority. If local law where you live gives you additional rights, you may contact us to exercise them.

10.1 If we ever contribute to women’s health research, we will do so using aggregated statistics that do not identify you or data that has been irreversibly anonymised so it is no longer personal data.

10.2 If we ever want to use identifiable or pseudonymised health data for research, we will clearly explain this and obtain any consent required by law before doing so.

11.1 HerLyfe is not intended for anyone under 18.

11.2 If we become aware that we have collected personal data from someone under 18, we will take steps to delete it.

12.1 We use appropriate technical and organisational measures designed to protect personal data, taking into account the sensitivity of the data we process and the risks involved.

12.2 No method of transmission, storage, or processing is completely secure. If you believe your account or data has been compromised, contact us promptly.

12.3 If we are legally required to notify you or a regulator about a personal data breach affecting your personal data, we will do so.

13.1 We may update this Privacy Policy from time to time.

13.2 If we do, we will update the effective date and post the revised version through the app or other normal legal channels. Where changes are material, we may also notify you by in-app message or email.

HerLyfe Ltd
First Floor Swan Building
20 Swan Street
Manchester, England, M4 5JW
Company number: 16811057

Privacy requests and complaints: oliver@herlyfe.com
Support: support@herlyfe.com