Privacy Policy

Last updated: 28 April 2026 · Effective from launch (12 May 2026)

Plain-English summary. PeriFlow stores cycle dates, symptoms, fasts, meals, and journal entries — everything you choose to log. We treat that as health data: encrypted in transit and at rest, hosted in the EU, never sold, never shared with advertisers. You can export or delete everything at any time from inside the app.

1. Who we are

PeriFlow ("we", "us", "our") is operated by the developer of the PeriFlow mobile app. This Privacy Policy explains how we handle personal information when you use the app or periflow.io. We are the data controller for the personal information described below.

2. What we collect

We collect account information (email, display name, auth metadata), health and wellness data (cycle dates, symptom logs, fasts, meals, journal entries, movement check-ins, relief exercise history, profile preferences), subscription status, consent records, and anonymous technical data (event telemetry, crash reports, server logs). We never collect contacts, photos, location, or third-party advertising identifiers. Full detail available on request at hello@periflow.io.

3. How we use it

To run the app, sync your data across devices, process your subscription, answer support requests, and improve the app using anonymous telemetry. We do not sell your data, share it with advertisers, or use it to train machine-learning models.

We rely on consent (Article 9(2)(a)) for health data; contract (Article 6(1)(b)) for account and subscription operations; legitimate interests (Article 6(1)(f)) for security and anonymous telemetry; and legal obligation (Article 6(1)(c)) where required.

5. Who we share it with

Supabase — database and auth, EU region (Ireland). RevenueCat — subscription state only, no health data. Apple and Google — app distribution and in-app purchases under their own policies. We may disclose data if required by law.

6. Where it lives, how long we keep it

Ireland (eu-west-1), Supabase infrastructure. Account deletion wipes all data within seconds. Backups purged within 30 days. Server logs retained up to 30 days.

7. How we protect it

TLS 1.2+ in transit · AES-256 at rest · Row-level security on every table · Magic-link and OAuth authentication — no passwords · No advertising SDKs. Breach notification within 72 hours of discovery.

8. Your rights

Access, correct, delete, restrict, port, and withdraw consent for your data. Delete your account in-app (Settings → Danger Zone → Delete Account) or email hello@periflow.io. To lodge a complaint: UK — ico.org.uk; EU — your member state's DPA.

9. Children

PeriFlow is for adults 18+. We do not knowingly collect data from minors. Contact us if you believe we have done so.

10. International transfers

Data stored on EU infrastructure. Non-EU processors (e.g. RevenueCat) are covered by Standard Contractual Clauses.

11. California residents

We do not sell or share personal information under CCPA/CPRA. To exercise rights: hello@periflow.io.

12. Changes

Material changes are posted here with an updated date and announced by in-app notification before they take effect.

13. Contact

hello@periflow.io