Legal
Privacy Policy
Last updated: July 12, 2026
1. Introduction, scope, and controller
This Privacy Policy describes how Cyclora collects, uses, discloses, retains, and protects personal data in connection with the Cyclora mobile application (the "App"), the website at cyclora.app (the "Site"), and related services (together, the "Service"). It applies to all users of the Service, wherever located, subject to the jurisdiction-specific provisions in section 12.
The data controller responsible for the processing described in this Policy is [legal entity name and registered address] ("Cyclora", "we", "us", "our"). For privacy inquiries or to exercise any right described below, contact us via the contact form or at privacy@cyclora.app.
In this Policy, "personal data" means any information relating to an identified or identifiable individual; "processing" means any operation performed on personal data, whether or not by automated means; and "health data" means the health and wellbeing information described in section 2, which constitutes special-category or sensitive personal data under applicable law and receives the heightened protections described throughout this Policy.
2. Categories of personal data we collect
2.1 Data you provide
- Account and identity data — your email address and authentication identifiers created when you register, processed through a third-party identity service (including platform sign-in options such as Sign in with Apple, where you choose them). We do not receive or store your password.
- Health and wellbeing data — information you choose to record in the App, which may include: symptoms and their severity and timing; mood, sleep, and energy ratings; menstrual-cycle context; medication-related notes; suspected triggers and daily context flags; timestamped symptom events; and free-text notes. You control entirely what you record.
- AI companion data — the messages you exchange with the optional AI companion and the memory derived from those conversations, as described in section 5.
- Communications data — the contents of messages you send us (for example, through the contact form) and the address we need to reply.
2.2 Data collected automatically
- Device and technical data — device model, operating-system version, App version, language, timezone, identifiers necessary for push-notification delivery, and crash and error diagnostics.
- Usage data — de-identified, content-free events describing feature usage (for example, that a check-in was completed). Usage events are engineered so that they never contain the content of your health data: not the symptom, not the severity, not the note.
- Site analytics — the Site uses a cookieless, privacy-preserving analytics service that measures aggregate traffic without building individual profiles.
We do not collect precise geolocation, contact lists, photographs, or advertising identifiers, and we do not use tracking cookies on the Site.
3. Legal bases and your consent
We process personal data only where a lawful basis applies. In summary:
- Explicit consent — for all processing of health data, and separately for the AI companion. Your consent to health data processing is captured through the dedicated, unticked checkbox presented during account creation, which links to this Policy and describes the processing in plain language. Consent to the AI companion is captured through a separate consent step presented before your first conversation. Each consent is specific, informed, freely given, and separately withdrawable at any time in Settings → Privacy. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Performance of a contract — for account data and the technical operation of the Service you have requested.
- Legitimate interests — for service security, fraud prevention, and improvement of the Service using the de-identified, content-free usage data described above, balanced against your rights and expectations.
- Legal obligation — where retention or disclosure is required by applicable law.
4. Purposes of processing
- Providing the Service — storing your records, synchronizing them across your devices and widget, and presenting them back to you.
- Pattern analysis for you — analyzing the data you have recorded in order to surface possible associations (for example, between a suspected trigger and a symptom) solely for presentation to you within the App. This analysis produces observations, not medical conclusions, and is never used for any purpose other than your own use of the App.
- Reminders and notifications — where you enable them. Notification payloads are deliberately generic and never include symptom names, log content, or other health data, so that sensitive information does not appear on lock screens or transit third-party notification infrastructure.
- Service integrity and improvement — diagnosing faults, securing the Service, and understanding aggregate feature usage through content-free events.
- Support and legal compliance — responding to your requests and meeting legal obligations.
We do not use personal data for third-party advertising; we do not sell or rent personal data; we do not use health data for marketing of any kind; and we do not make automated decisions about you that produce legal or similarly significant effects. Cyclora is a personal wellness product, not a healthcare provider system, and we make no claim of HIPAA coverage; instead we apply the protections described in this Policy to all health data uniformly.
5. The AI companion and its memory
The App includes an optional conversational AI companion. It is inactive until you complete the dedicated consent step described in section 3. The following applies whenever you use it:
- Data processed. Your messages are processed to generate responses. Where necessary to answer you, relevant portions of your recorded data may be included in the processing context, applying a data-minimization principle: the minimum necessary, for the shortest time necessary.
- Processing infrastructure. Responses are generated using third-party AI infrastructure providers acting as our processors under written data-processing agreements. Those agreements prohibit the use of your conversations or data for training AI models and prohibit retention beyond what is required to return a response and maintain service integrity.
- Memory. To remain useful across conversations, the companion maintains a bounded memory of salient facts you have shared (for example, a suspected trigger, or a preference for brief answers). The memory is stored with your account and under your control: you may review it, delete individual entries, or clear it entirely in Settings → AI companion → Memory. Account deletion deletes the memory.
- Limits by design. The companion is not a medical professional, does not diagnose, and is designed to decline requests for diagnosis or treatment decisions and to direct you to qualified clinicians where appropriate.
- Human review. We do not routinely read your conversations. Limited review may occur only where required for safety, security, or legal compliance, under access controls and confidentiality obligations.
6. Product suggestions, referrals, and affiliate links
Within AI companion conversations in the App — and only there — Cyclora may suggest a third-party product (for example, cooling bedlinen, a mattress, nightwear, or a supplement) where it is relevant to the conversation and you have indicated interest. Some suggestions may contain referral or affiliate links from which we earn a commission. No advertising, product placement, or affiliate links appear on the Site or elsewhere in the App. The following applies to all such suggestions:
- No disclosure of personal data to partners. Suggestions are selected within the Service. Referral and affiliate partners do not receive your identity, your health data, or the context in which a suggestion was made.
- Labeling. Referral and affiliate links are identified as such at the point they appear.
- Third-party responsibility. If you follow a link to a partner's site or store, that partner's privacy policy and terms govern from that point onward.
7. Disclosures of personal data (processors and other recipients)
We disclose personal data only as described in this Policy. We use a limited number of third-party service providers ("processors") that process personal data on our documented instructions, under written data-processing agreements imposing confidentiality, security, and data-protection obligations no less protective than this Policy. These fall into the following categories:
- cloud infrastructure, hosting, and data-storage providers;
- identity, authentication, and push-notification delivery providers;
- AI infrastructure providers, as described in section 5;
- network security, content-delivery, and privacy-preserving analytics providers;
- communications and email-delivery providers.
We maintain an internal record of all processors and review their security and data-protection practices before and during engagement. A description of current processor categories relevant to your region is available on request.
Beyond processors, we may disclose personal data: (a) where required by law, regulation, legal process, or enforceable governmental request, and then only to the extent required; (b) where necessary to protect the rights, safety, or property of users, the public, or Cyclora; and (c) in connection with a merger, acquisition, financing, or sale of assets, in which case the successor remains bound by commitments materially consistent with this Policy and we will notify you before health data becomes subject to a different policy. We never disclose personal data to data brokers or advertising networks.
8. International data transfers
The Service is operated for users in the United States, the United Kingdom, and Australia, and personal data may be processed in countries other than the one in which you reside — including the United States, where our primary infrastructure is located. Where applicable law regulates such transfers (for example, the UK GDPR or the Australian Privacy Act 1988), we implement recognized safeguards, which may include contractual data-protection clauses approved under applicable law (such as the UK International Data Transfer Agreement or Addendum), adequacy or equivalent-protection determinations where available, and supplementary technical measures such as encryption in transit and at rest. Details of the safeguards applying to a given transfer are available on request.
9. Security and retention
We apply technical and organizational measures appropriate to the sensitivity of the data, including encryption of personal data in transit and at rest, access controls limiting internal access to personnel who require it to operate the Service, environment separation, and audit logging. Our operational logs are engineered to exclude health data content, free-text notes, AI conversation content, and authentication credentials.
We retain personal data for as long as your account exists. Upon account deletion, personal data — including health data, AI conversations and memory, and account records — is deleted from production systems promptly and expires from encrypted backups within 35 days. De-identified data that does not identify you and contains no health data content may be retained for service improvement. Where law requires longer retention of specific records, we retain only what the law requires, for only as long as it requires.
In the event of a personal data breach affecting your data, we will notify you and the relevant supervisory or regulatory authority where and when applicable law requires (including under the UK GDPR and the Australian Notifiable Data Breaches scheme).
10. Your rights and controls
10.1 Controls available directly in the App
Without contacting us, you can: export your data in a portable format; review and delete AI companion memory; withdraw either consent; disable notifications; and permanently delete your account and all associated data (Settings → Privacy).
10.2 Rights under applicable law
Depending on your jurisdiction, you may have the rights to: access the personal data we hold about you and receive a copy; have inaccurate data corrected; have data erased; restrict or object to certain processing; receive data in a portable format; withdraw consent at any time; and complain to a supervisory or regulatory authority. We honor these rights as set out in section 12. We will respond to verifiable requests within the timeframe applicable law requires (and in any event within 30 days unless the law allows an extension, in which case we will tell you). We do not discriminate against you for exercising any right.
11. Children
The Service is designed for adults navigating the menopause transition and is not directed to anyone under 18. We do not knowingly collect personal data from children; if we learn that we have, we will delete it.
12. Jurisdiction-specific provisions
12.1 United Kingdom
Processing of personal data of UK users is subject to the UK GDPR and the Data Protection Act 2018. Health data is processed on the basis of explicit consent (Article 9(2)(a)). You have the rights described in section 10 and the right to lodge a complaint with the Information Commissioner's Office (ICO).
12.2 United States
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act as amended (CCPA/CPRA) and comparable state privacy laws; accordingly, there is no sale or sharing to opt out of. California residents and residents of other states with comparable laws have the rights to know, access, correct, delete, and port their personal information, and to non-discrimination, exercisable as described in section 10. We treat health data as sensitive personal information and process it only for the purposes described in this Policy, which fall within permitted use categories.
12.3 Australia
We handle personal information of Australian users in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles, including APP 3 and APP 6 as they apply to sensitive (health) information, which we collect and use only with your consent for the purposes described in this Policy. You may request access to and correction of your personal information as described in section 10, and you may complain to us and, if unsatisfied with our response, to the Office of the Australian Information Commissioner (OAIC).
13. Third-party services and links
The Service may contain links to third-party websites and services (including the referral links described in section 6 and sources cited in Site articles). This Policy does not apply to third parties, and we are not responsible for their privacy practices.
14. Changes to this Policy
We may update this Policy from time to time. For material changes — in particular any change affecting health data or the AI companion — we will provide prominent notice in the App before the change takes effect and, where applicable law requires, obtain fresh consent. The "Last updated" date above reflects the current version. Continued use of the Service after a non-material update constitutes acceptance of the updated Policy.
15. Contact
Privacy questions, requests, or concerns: contact form or privacy@cyclora.app. A human replies.