Privacy Policy
This Privacy Policy explains how Oana ("we", "us") processes personal data when you use the Oana app and website (the "Service"). It is written to comply with the EU General Data Protection Regulation (GDPR) and the UK GDPR. We take the privacy of your health data extremely seriously.
1. Data controller
Oana is the data controller for the personal data processed through the Service. You can reach us at privacy@oanacycle.com.
2. Data we collect
Provided by you
- Account data: email, password (hashed), first name.
- Profile & onboarding: age, height, weight, goals, dietary preferences, training preferences.
- Health data (special category under Art. 9 GDPR): cycle dates, symptoms, mood, energy, sleep, workouts, nutrition logs, photos you choose to upload.
- Communications you send to support or to the in-app AI coach.
Collected automatically
- Device and usage data: device type, OS, app version, crash logs, anonymous interaction analytics.
- Cookies and similar technologies on the website (strictly necessary and, with consent, analytics).
From third parties (only with your consent)
- Apple Health, Google Health Connect or other connected devices for steps, sleep, heart rate.
- Payment processors confirm subscription status; we do not receive your full card details.
3. Why we process your data (purposes & legal bases)
- Provide the Service — performance of contract (Art. 6(1)(b)).
- Process your health data to personalise insights — your explicit consent (Art. 9(2)(a)), which you give during onboarding and can withdraw at any time.
- Account security & fraud prevention — legitimate interest (Art. 6(1)(f)).
- Service improvement & aggregated analytics — legitimate interest, using pseudonymised or aggregated data.
- Transactional emails (welcome, password reset, billing) — performance of contract.
- Marketing emails — only with your consent (Art. 6(1)(a)), revocable via the unsubscribe link or in Settings.
- Legal obligations — e.g. tax, accounting, responding to lawful requests (Art. 6(1)(c)).
4. AI features
The in-app coach uses large language models to generate suggestions based on the context you choose to share. Conversations are processed by our AI provider strictly to deliver the response. We do not use your identifiable health data to train third-party models.
5. Sharing your data
We share data only with the following categories of recipients, under contractual safeguards:
- Cloud hosting and database (Supabase / AWS, EU region where available).
- Email delivery providers for transactional and (opt-in) marketing emails.
- Analytics and crash reporting providers, configured to minimise personal data.
- Payment processors (Apple, Google, Stripe) for subscription management.
- Authorities, when required by law.
We never sell your personal or health data.
6. International transfers
Where data is transferred outside the EEA/UK, we rely on European Commission adequacy decisions or Standard Contractual Clauses with supplementary measures to protect your data.
7. Retention
- Account data: while your account is active and up to 12 months after deletion for legal claims.
- Cycle and health logs: until you delete them or delete your account.
- Billing records: as required by tax law (typically up to 10 years).
- Support communications: up to 3 years.
8. Your rights under GDPR
You have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten").
- Restrict or object to processing.
- Receive your data in a portable format.
- Withdraw consent at any time (without affecting prior lawful processing).
- Lodge a complaint with your local Data Protection Authority. A list is available at edpb.europa.eu.
You can exercise most rights directly in the app (Settings → Data & privacy) or by contacting privacy@oanacycle.com. We respond within one month.
9. Security
We implement organisational and technical safeguards including encryption in transit (TLS) and at rest, Row-Level Security on our database, least-privilege access controls, audit logs and regular security reviews. No system is 100% secure — please use a strong, unique password.
10. Children
The Service is not directed to users below the age of digital consent in their country (16 in the EU unless a lower age has been set). We do not knowingly collect data from children.
11. Changes
We will notify you of material changes to this policy in-app or by email. The "Last updated" date at the top reflects the latest version.
12. Contact & DPO
For any privacy question, to exercise your rights, or to reach our Data Protection contact, email privacy@oanacycle.com.