Privacy Policy

How CycleLife Ecosystem collects, uses, and protects your data. Want the plain-language version? Read our Privacy Summary.

Introduction

CycleLife provides cycle, symptom, and wellness tools designed around a zero-knowledge architecture. This Privacy Policy explains what we collect, how we use it, and the choices you have. It applies to cyclelife.app, the CycleLife web application, and connected hubs (CycleSafe, CycleShift, CycleNourish, CycleMind, Eva, and Learn).

Data We Collect

Account data

When you create an account we store an email address, an optional display name, and authentication metadata managed by our backend provider. If you sign in with Google or Apple, we receive only the identifiers those providers return.

Health and journal data

Cycle entries, symptom logs, calculator history, and journal notes are stored locally on your device by default. When you opt in to encrypted cloud sync, the same content is encrypted on your device with AES-256-GCM before it is uploaded. We receive ciphertext only.

Diagnostic data

We collect minimal server logs (timestamps, request paths, and error codes) needed to keep the service running. We do not run third-party analytics, ad SDKs, or fingerprinting libraries.

How We Use Data

  • Operate and maintain your account and the application.
  • Sync your encrypted backup across devices when you ask us to.
  • Detect abuse and protect the integrity of community spaces.
  • Communicate service updates and respond to your support requests.

We never use your health, cycle, symptom, or journal data for advertising, profiling, or model training.

AI-Specific Data Use

Eva and other in-app assistants are powered by the Lovable AI Gateway, which routes prompts to model providers (currently Google Gemini and OpenAI families). When you send a message to Eva:

  • Your prompt is forwarded to the selected model to generate a reply.
  • We do not attach your account identity or health log to the prompt.
  • Providers are contractually prohibited from training on your prompts.
  • You can disable AI features at any time from Settings → Privacy.

Data Storage & Security

Account and operational data is hosted on EU/US infrastructure managed through our backend platform. Sensitive entries are encrypted on your device before they ever leave it. Keys are derived from your passphrase using PBKDF2 and never transmitted. With Local-only mode enabled, no entry data leaves your device at all.

Cookies & Tracking

We use only essential cookies and local storage to keep you signed in, remember your theme, and unlock your encrypted vault for the session. See our Cookie Policy for details. We do not use advertising or cross-site tracking cookies.

Third-Party Services

  • Backend infrastructure for authentication and encrypted storage.
  • AI Gateway for Eva and assistant features.
  • Email delivery for transactional messages (sign-in, recovery).

Each provider is bound by data-processing terms that prohibit selling, sharing for ads, or training on your content.

Data Sharing

We do not sell your data. We do not share it with advertisers or data brokers. We disclose data only when legally compelled by a valid order and only data we actually possess — which, for encrypted entries, is unreadable ciphertext.

Your Rights

  • Access and export everything we store about you.
  • Correct inaccurate profile data.
  • Erase your account and data with one tap.
  • Withdraw consent for cloud sync at any time.
  • Lodge a complaint with your local data protection authority.

California Privacy Rights (CCPA/CPRA)

California residents have the right to know what personal information we collect, request deletion, correct inaccuracies, and opt out of any "sale" or "share" of personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA.

Children's Privacy

CycleLife is not directed to children under 13 (or under 16 in the EEA) and we do not knowingly collect data from them. If you believe a child has created an account, contact us and we will delete it.

International Users

If you access CycleLife from outside the country where our servers are hosted, you consent to the transfer of your account data to that jurisdiction. Encrypted entries remain unreadable to anyone without your passphrase, regardless of where they are stored.

Contact Us

Reach us through the contact page for any privacy question, data request, or complaint.

Effective: May 2026
