PMOSly — Privacy Policy
Last updated: 15 July 2026
Draft for review. This document is a draft and must be reviewed by a qualified lawyer
before publication. Placeholders in `[BRACKETS]` must be completed by the developer.
This Privacy Policy explains what personal data PMOSly ("PMOSly", "the app",
"we", "us") collects, why, how it is protected, and the rights you have over it.
PMOSly is a self-tracking app for PMOS (formerly PCOS) — polycystic ovary syndrome — for
iOS and Android. It helps you track your menstrual cycle, symptoms, lab results, medications and
supplements, and — optionally — fertility signals. We built it **privacy-first and
local-first**: your health data lives on your device, and anything that leaves your device for
backup is end-to-end encrypted so that we cannot read it.
Because PMOSly handles reproductive and menstrual health data — among the most sensitive
information there is — we hold ourselves to a higher standard than a typical app, and we explain
exactly how below.
Quick summary (the plain-English version)
- Your cycle, symptom, lab, medication and fertility data stays on your device. An account is
optional — you only need one if you want encrypted backup and sync across devices.
- We can't read your health data. Before it ever leaves your phone, it is encrypted on your
device. Our servers store only an unreadable encrypted blob.
- The trade-off you must understand: because only you hold the key, **if you lose all your
devices and your recovery code, your encrypted backup cannot be recovered — not even by us.**
- No advertising. No third-party ad SDKs, no Google/Firebase Analytics, no selling or sharing
of your data with advertisers. We never sell your data, and we never share reproductive or
fertility data with anyone.
- Insights, trends and your doctor report are calculated on your device, not on our servers.
- Optional, opt-in, anonymous product analytics help us improve the app. They are **off unless
you turn them on**, and never contain health content.
The full detail is below. This summary is for convenience and is not a substitute for the rest
of the policy.
1. Who is responsible for your data (the controller)
The data controller for PMOSly is:
Limit Waste Sp. z o.o.
ul. Grzybowska 87, 00-844 Warszawa, Poland (EU)
KRS: 0000803658 · NIP: 5272905462 · REGON: 384349430
Contact: hello@pmosly.com
Data Protection Officer: not appointed — not mandatory for a controller of this size under GDPR Art. 37; re-assessed as the app grows.
If you have any question about this policy or your data, contact us at hello@pmosly.com.
2. The data we process, and why
2.1 Health data (special category data)
When you use PMOSly you can record information about your PMOS/PCOS and general health, such as:
- menstrual cycle data (period start/end, flow/intensity, spotting, pain);
- symptoms — including androgenic symptoms (acne, hirsutism recorded by body region, hair
loss/thinning, oily skin, acanthosis nigricans), and their severity;
- metabolic data (weight, waist circumference, glucose, energy, appetite/cravings, activity);
- lab/blood results (for example testosterone, LH, FSH, SHBG, AMH, fasting insulin, glucose,
HbA1c, prolactin, TSH, vitamin D, lipid panel), with the values, units, dates and any notes;
- medications and supplements you take (for example metformin, inositol, spironolactone,
hormonal contraception, letrozole/clomiphene, berberine, vitamin D, omega-3), doses, schedules
and adherence;
- mood / mental-health entries (PMOS/PCOS commonly co-occurs with anxiety and low mood);
- self-report questionnaire answers and scores, reminders you set, and optional photos or notes.
2.2 Reproductive and fertility data (optional, extra-sensitive)
If you choose to turn on the optional fertility / trying-to-conceive (TTC) features, you can
also record reproductive data such as basal body temperature (BBT), ovulation-test (OPK)
results, cervical mucus, an estimated fertile window, and intercourse. This data is
especially sensitive. We treat it as "extra-private": it is only recorded if you enable
these features, it is protected by the same end-to-end encryption as the rest of your data, and
the app lets you protect access with a PIN or biometric lock. We do not use it to profile
you, we do not share it, and — because of encryption — we cannot read it.
All of the above (Sections 2.1 and 2.2) is health data, and menstrual/reproductive data is a
special category of personal data under Article 9 GDPR. We treat it accordingly: it is
encrypted on your device (see Section 4) and, where it is backed up, our servers hold only
ciphertext they cannot read.
Where this data lives: primarily in a local database on your device. It is sent to our servers
only if you turn on backup/sync, and only in encrypted form.
2.3 Account data
If you create an account (optional, only needed for backup/sync), we process:
- your email address, used to authenticate you and to secure and recover access to your account;
- (depending on the sign-in method you choose) a passkey/credential.
2.4 Subscription data
PMOSly is freemium. If you subscribe, your purchase is processed by Apple or Google
through their app stores — we never receive or store your card or payment details. Through our
subscription provider (RevenueCat) we receive your entitlement status (e.g. whether you
have an active trial or subscription, the product, and renewal/expiry dates) so the app can unlock
premium features. This is linked to a subscription identifier, not to your health data.
2.5 Sync metadata (please read — honest disclosure)
Even though the content of your health records is encrypted and unreadable to us, the act of
syncing exposes a small amount of metadata to our server for each encrypted record:
- the record type (for example "log entry", "medication", or "profile"),
- timestamps (when a record was created, updated, or deleted).
This means our server can see that an encrypted record of a certain type exists and when you
add, change or delete records — i.e. the cadence of your activity — but **not what the record
says.** We consider this a deliberate, disclosed trade-off of offering encrypted sync. We bind each
encrypted blob cryptographically to its record identity so a record cannot be silently swapped, and
we keep each app in a separate EU database to avoid combining signals across conditions. We do
not use this metadata to profile you or for advertising.
2.6 Product analytics (optional, anonymous, opt-in)
To understand how the app is used and to improve it, we may collect anonymous, first-party
product analytics — for example onboarding steps completed, screens viewed, paywall views, and
subscription events. These analytics:
- are off by default. We ask for your consent during onboarding, and they are collected **only
if you opt in. You can turn them off again at any time in Settings → Privacy**;
- contain only product-usage mechanics — never your health content (no cycle, symptom, lab,
fertility, medication or mood values, no scores, no notes are ever sent to analytics);
- do not use advertising identifiers (no IDFA/Ad ID) or third-party advertising/attribution SDKs;
- are not sent to Google Analytics or Firebase Analytics;
- use no stable identifier linking your usage to your health status; IP is truncated and retention is short.
Our analytics processor is Amplitude, configured with EU data residency (an EU-created
Amplitude project; data is processed and stored in the EU).
2.7 Crash and diagnostic data
We use a crash-reporting tool (Sentry) to detect and fix bugs, and an in-app feedback tool
(Wiredash) if you choose to send feedback. Crash diagnostics are subject to the same opt-in
consent as analytics. Crash reports and feedback are scrubbed of personal and health data
before they reach us.
2.8 Our website (pmosly.app / pmosly.com)
Our marketing website may use privacy-friendly, first-party analytics to understand aggregate
traffic (for example page views and country-level, not street-level, location). We use
Vercel Analytics and, where enabled, a self-hosted OpenPanel instance; these are configured
to avoid cross-site advertising cookies. The website does not show ads or use third-party ad
trackers. Any strictly necessary cookies are used only to make the site work. The website does not
collect your health data.
2.9 Anything sensitive we want to do later requires your explicit opt-in
Any feature that would need our servers to read your data (for example optional server-side AI
narration) is off unless you explicitly turn it on, and would run only on a minimized,
de-identified, temporary slice of data. We will never do this silently, and this policy will be
updated before any such feature ships.
3. Legal bases (GDPR)
| What we process | Legal basis |
|---|---|
| Providing the core app and storing/syncing your encrypted data | Performance of a contract (Art. 6(1)(b)) — our Terms with you |
| Processing your health, menstrual, reproductive and fertility data (special category) | Your explicit consent (Art. 9(2)(a)), given during onboarding; you can withdraw it at any time |
| Managing your account and authentication | Performance of a contract (Art. 6(1)(b)) |
| Subscriptions and entitlements | Performance of a contract (Art. 6(1)(b)) |
| Anonymous first-party analytics (opt-in) | Your consent (Art. 6(1)(a)); you can withdraw it at any time |
| Crash diagnostics (opt-in) | Your consent (Art. 6(1)(a)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
We apply data minimization: we collect only what we need, and we keep health content
unreadable to us by design.
4. How your data is protected: end-to-end encryption (zero-knowledge)
This is the most important part of how PMOSly works, so we explain it plainly.
- Encryption happens on your device. Your cycle, symptom, lab, medication, mood and fertility
data is encrypted on your phone using strong encryption (AES-GCM-256) before any of it is
sent to our servers for backup.
- We store only ciphertext. Our servers (provided by Supabase, hosted in the EU) store
the encrypted blobs. We do not hold the key and cannot decrypt or read your health content.
This is what "zero-knowledge" means — even we cannot read your reproductive data.
- Where the key lives. Your encryption key is stored in your device's secure hardware keychain
(Apple Secure Enclave / Android Keystore). It can sync to your other devices through the platform's
own end-to-end-encrypted keychain (e.g. iCloud Keychain or the Android equivalent).
- Your recovery code. When you create an account we give you a one-time recovery code that
wraps your key, as a backup way to regain access.
- Extra-private data. Fertility / TTC and intercourse data can additionally be protected behind
a PIN or biometric lock on your device.
The trade-off you must understand (data-loss risk)
Because only you control the key, nobody else — including us — can reset it. If you **lose
access to all of your devices AND lose your recovery code, your encrypted backup cannot be
recovered.** We will not be able to restore it for you. This is the unavoidable cost of true
zero-knowledge encryption, and we want you to know it clearly:
**Save your recovery code somewhere safe. If you lose all your devices and your recovery code,
your backed-up data is permanently unrecoverable.**
Data that is only on your device (no account/backup) follows the same logic: if you lose or wipe the
device with no backup, that local data is gone.
Other safeguards: reminders are delivered as local notifications and **push notifications never
contain health content**; access to our infrastructure is restricted and logged; we keep each app in
a separate EU project.
No method of storage or transmission is 100% secure, but zero-knowledge encryption means that even a
breach of our servers would expose only unreadable ciphertext, not your health content.
5. Who we share data with (processors and recipients)
We do not sell your personal data, and we do not share it with advertisers. We never share
your menstrual, reproductive or fertility data with anyone. We use a small number of service
providers ("processors") who act on our instructions:
| Provider | Purpose | What they can access |
|---|---|---|
| Supabase (EU region) | Account authentication and encrypted backup/sync storage | Your email (auth) and encrypted, unreadable health blobs + the sync metadata in Section 2.5 |
| RevenueCat | Subscription/entitlement management | Subscription/entitlement status tied to a subscription identifier — no health data |
| Apple App Store / Google Play | Processing your subscription payment | Your payment details (handled entirely by them; we never see your card data) |
| Amplitude (EU data residency) | Anonymous first-party product analytics (opt-in) | Anonymous usage events — no health content, no ad identifiers |
| Sentry | Crash diagnostics (opt-in) | Scrubbed crash data — no health content |
| Wiredash | In-app feedback (opt-in) | Feedback you choose to send, technical metadata — no health content |
| Vercel / OpenPanel (website) | Website hosting and privacy-friendly website analytics | Aggregate website traffic data — no app health data |
We may also disclose data if legally required (e.g. a valid court order) — but for your health
content this would only ever be unreadable ciphertext, because we do not hold your key. We
consider the protection of reproductive-health data especially important and will resist any
overbroad or unlawful request to the extent the law allows.
Apple and Google process your purchases under their own privacy policies; please review them.
6. International data transfers
Your account data and encrypted backups are hosted in the European Union (Supabase EU region).
We design PMOSly so that no health data is transferred or stored outside the EU/EEA.
Some providers (for example app-store billing, or a non-EU analytics/crash tool if we use one)
may process limited data outside the EEA. Where that happens, the transfer is protected by an
appropriate safeguard such as the EU Standard Contractual Clauses or an adequacy mechanism (e.g. the
EU–US Data Privacy Framework). If our processor list changes in a way that affects transfers, we will
update this policy. (Confirm the final processor list with your lawyer.)
7. How long we keep your data
- On-device data: kept until you delete it or uninstall the app.
- Encrypted backups: kept while your account is active, so you can restore and sync. Deleted
records are removed from the backup as part of sync; deleting your account removes your backups.
- Account/email: kept while your account exists.
- Subscription records: kept as required for billing, tax and accounting obligations.
- Anonymous analytics: kept only for a short period in aggregate form.
When you delete your account, we delete your account data and encrypted backups from our active
systems within a reasonable period, except where we must keep limited records to meet a legal
obligation (e.g. proof of a transaction). See our [account deletion page](https://pmosly.app/delete-account)
for step-by-step instructions.
8. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate data;
- Erase your data ("right to be forgotten");
- Port your data — receive it in a structured, machine-readable format;
- Restrict or object to certain processing;
- Withdraw consent at any time (this doesn't affect processing done before withdrawal).
How to exercise them:
- Export your data and delete your account/data directly in the app:
Settings → Privacy → Export data and Settings → Account → Delete account. In-app deletion
removes your encrypted backups from our servers.
- Withdraw consent for health-data processing, or turn off analytics/crash reporting, in
Settings → Privacy.
- For anything else, email hello@pmosly.com and we will respond within the time the law requires
(normally one month).
Note: because of zero-knowledge encryption, an "access/export" request is fulfilled **on your
device**, where your data is readable. We cannot export your health content from our servers because
we cannot decrypt it.
You also have the right to lodge a complaint with a supervisory authority. In Poland this is the
President of the Personal Data Protection Office (UODO), or the authority in your EU country of
residence.
9. Children
PMOSly is not intended for children. You must be at least 16 years old to use the app and
to create an account, consistent with Poland's GDPR Art. 8 digital-consent age. We do not knowingly
collect data from anyone under that age; if we learn that we have, we will delete it.
10. Changes to this policy
We may update this policy as the app evolves or the law changes. We will update the "Last updated"
date and, for material changes (especially anything affecting your health data or a new processing
purpose), we will notify you in the app and, where required, ask for renewed consent before the change
takes effect.
11. Contact
Questions, requests, or complaints:
Limit Waste Sp. z o.o. — hello@pmosly.com — ul. Grzybowska 87, 00-844 Warszawa, Poland (EU)
*This is a draft pending legal review. PMOSly is a wellness and self-tracking tool, not a medical
device and not a method of contraception — see the separate Medical Disclaimer.*