Cycle OS is operated by Cycle OS ("we", "us", "our"). For privacy enquiries, please contact us at admin@cycle-os.app.
We are the data controller for the personal data described in this policy. As a UK-based operator, we comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
We are committed to collecting only the minimum personal data necessary for each specific purpose. Every category of data listed in this policy is justified against a stated purpose โ we do not collect data speculatively or because it may be useful in future. If we cannot justify collecting a piece of data, we do not collect it.
Your health and cycle data โ the most sensitive information you enter โ is stored in your personal account and protected by Row Level Security (RLS), meaning our database infrastructure enforces that only your authenticated session can read or write your data. We have deliberately designed the app this way so that we are not in a position to misuse, leak, or be compelled to disclose your health information.
Cycle OS is a Progressive Web App (PWA) and uses your browser's localStorage and cache storage for offline functionality. This is required to make the app work without an internet connection and to improve performance on repeat visits.
The following is stored locally on your device:
Local storage is not a "cookie" and does not track you across websites. It is scoped entirely to cycle-os.app and is accessible only to the app itself. You can clear it at any time by clearing your browser or app storage โ this will sign you out and remove locally cached data, but your account data in Supabase is unaffected.
This local storage use is disclosed in accordance with the UK Privacy and Electronic Communications Regulations (PECR).
| Data | Where it is stored | Why we collect it | Legal basis |
|---|---|---|---|
| Email address | Supabase (our authentication provider), encrypted at rest | To create and manage your account and allow you to sign in | Contract performance (Article 6(1)(b)) |
| Google account ID and name (only if you sign in with Google) | Supabase, encrypted at rest | To authenticate you securely without storing a password | Contract performance (Article 6(1)(b)) |
| Push notification token (only if you enable reminders) | Your Supabase account (push subscription endpoint and encryption keys), encrypted at rest and protected by Row Level Security. Also managed by your browser and operating system. | To deliver the cycle reminders you opt in to | Explicit consent (Article 6(1)(a)) โ granted when you enable notifications in the app and again at OS level |
| Cycle dates, period logs, moods, symptoms, journal notes, energy ratings, libido, fitness data, sleep data | Your personal Supabase account, encrypted at rest (AES-256). Protected by Row Level Security โ only your authenticated session can access it. Also cached locally on your device for offline use. | To power your cycle tracking, insights, and daily log features | Explicit consent (Article 6(1)(a) and Article 9(2)(a)) |
| App settings and preferences (theme, cycle length, companion name, reminder settings) | Your personal Supabase account and locally on your device | To personalise your experience and remember your choices | Legitimate interests (Article 6(1)(f)) โ the minimal nature of this data means no privacy impact |
๐ Your health data is private to your account. It is stored in your personal Supabase account and protected by Row Level Security โ a database-level rule that prevents any other user, including us, from querying your data. Your period dates, mood logs, symptoms, journal entries, and energy levels are under your full control at all times.
๐ Push notification tokens are stored securely in your account. When you enable reminders, your browser generates a push subscription (an endpoint URL and encryption keys). This subscription is stored in your Supabase account so that reminders can be sent to your device. It is protected by Row Level Security โ only your authenticated session can access it. You can revoke push notifications at any time by disabling them in your browser or OS settings, which also removes the stored subscription.
Supabase โ we use Supabase (supabase.com) to manage user accounts, authentication, and health data storage. Your email address, cycle logs, moods, symptoms, journal notes, and profile settings are stored in Supabase's infrastructure, which may be located in the United States or European Union. Supabase is GDPR-compliant and a data processor under a Data Processing Agreement with us. All data at rest is encrypted using AES-256. Health data is additionally protected by Row Level Security so that only your own authenticated session can access it. You can read their privacy policy at supabase.com/privacy.
Google OAuth โ if you choose to sign in with Google, Google authenticates you and shares your email address and account identifier with us via Supabase. No health or cycle data is shared with Google. Google's privacy policy applies to that interaction: policies.google.com/privacy.
Android Health Connect (Android devices only) โ if you are using the Android app and grant permission, Cycle OS can read your step count, sleep duration, and workout history from Android Health Connect. This data is only ever stored in your personal account (see Section 3) and is never shared with third parties. Health Connect data is entirely optional โ granting permission is a separate step within the app. You can revoke this permission at any time via your Android system settings. Google's Health Connect privacy policy applies: developer.android.com/health-and-fitness/guides/health-connect.
Claude AI by Anthropic โ the optional AI chat feature sends your typed message and a small amount of anonymised cycle context (your current cycle phase, cycle day number, cycle length, today's energy label, mood label, energy rating, libido status, logged symptoms, tracking mode, and โ if you are tracking a pregnancy โ your current week) to Anthropic's API to generate a response. No personal identifiers, email address, journal entries, or detailed health data are included in these requests. Anthropic processes this data as a data processor. Anthropic does not use API inputs to train their models by default. If you do not use the AI chat feature, nothing is sent to Anthropic. Anthropic's privacy policy: anthropic.com/privacy.
Google Fonts โ the app loads typography from Google Fonts (fonts.googleapis.com). This is a network request to Google's servers that may include your IP address. No health data is involved. Google's privacy policy applies.
We do not use advertising networks, behavioural tracking SDKs, or analytics services of any kind.
We take the following technical measures to protect your data:
No method of electronic storage is 100% secure. We cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, as required by Article 33 of the UK GDPR. Where the breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay.
Uninstalling Cycle OS does not automatically delete your account or the data associated with it. Your email address and account information will remain in our systems until you explicitly request account deletion (see Section 9).
Your health data (cycle logs, moods, symptoms, journal) is stored in your Supabase account. Uninstalling the app removes the local cache but your data remains in your account and will be restored when you sign back in. To permanently delete your health data, you must request full account deletion (Section 9).
You can request account deletion directly from within the app:
Alternatively, you can email us at the address below with the subject line "Account deletion request" and include the email address associated with your account. We will process your request within 7 days and confirm by email.
After account deletion, any locally cached health data on your device is cleared automatically when you sign out. You can also manually clear it by uninstalling the app or clearing app storage in your browser/device settings.
This deletion right is provided in accordance with Article 17 of the UK GDPR (right to erasure).
You have the following rights regarding the data we hold (your email address and authentication information):
To exercise any of these rights, contact us using the details at the bottom of this policy. We will respond within 30 days.
Cycle OS is intended for users aged 16 and over. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has created an account, please contact us and we will delete it promptly.
Your account data may be processed by Supabase on servers located outside the UK, including in the United States. Where this occurs, appropriate safeguards are in place โ including Standard Contractual Clauses (SCCs) under UK GDPR โ to ensure your data receives equivalent protection to that required under UK law. Anthropic (Claude AI) is a US-based company; data sent to their API is covered by their own GDPR/UK GDPR compliance framework and processed under a data processor relationship.
We may update this privacy policy from time to time. When we make significant changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email. If changes affect how we process your health data, we will ask for your explicit consent again before proceeding. Continued use of the app after minor changes constitutes acceptance of the updated policy.
If you have concerns about how we handle your data and we have not resolved them to your satisfaction, you have the right to lodge a complaint with the UK's data protection authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113
For privacy enquiries, data requests, or account deletion:
admin@cycle-os.appPlease allow up to 30 days for a response to data rights requests.