Privacy Policy

Effective date: April 2026

At Cycla, your privacy is not an afterthought. This policy explains what data we collect, why we collect it, how we protect it, and what rights you have under GDPR and other privacy laws.

We process special-category health data, so we hold ourselves to the highest standards of data protection. This policy is written in plain language because you deserve to understand exactly what happens to your data.

1. Who we are

Data controller: Cycla

Website: getcycla.app

Contact: hello@getcycla.app

Privacy enquiries / Data Protection Officer: privacy@getcycla.app

Cycla is based in the European Union and operates under GDPR (General Data Protection Regulation).

2. What data we collect

We collect only the data necessary to provide you with a personalised, cycle-synced fitness experience. Here's what we collect, categorised clearly:

We do not collect: Your name, address, phone number, precise location, or any data from third-party fitness trackers or wearables (wearable integrations are planned for future releases but are not currently active).

3. Why we collect it (legal bases)

Under GDPR, we must have a lawful basis for processing your data. Here's what applies to each type of data:

Health data — Explicit consent (GDPR Article 9(2)(a))

Your menstrual cycle data, symptoms, and health conditions are special-category data under GDPR. We process this data only with your explicit, freely given consent, collected via a dedicated consent screen before any health data is processed.

You can withdraw your consent at any time via Profile → Account → Health data consent → Withdraw. Withdrawing consent will stop all processing of your health data, but will not delete your account. If you want to delete your data entirely, you can do so via Account → Delete account.

Account data — Contract performance (GDPR Article 6(1)(b))

We process your email and birth year to create and maintain your account, which is necessary to provide you with the Cycla service.

Crash reports and analytics — Legitimate interest (GDPR Article 6(1)(f))

We use Sentry to monitor crashes and errors so we can fix bugs and improve app stability. All health, cycle, and symptom data is scrubbed before transmission. Our legitimate interest is ensuring a reliable, functional app. You can object to this processing by contacting privacy@getcycla.app.

Marketing notifications — Consent (GDPR Article 6(1)(a))

We will only send you promotional messages if you opt in. You can withdraw consent at any time via your device notification settings or within the app.

4. How we use your data

We use your data to:

• Adapt your workouts to your menstrual cycle phase, energy levels, and health conditions
• Generate personalised insights about your training patterns, recovery needs, and progress
• Track your workout history and performance over time
• Send you workout reminders and app updates (if you opt in)
• Provide customer support when you contact us
• Improve the app by analysing aggregated, anonymised usage patterns
• Detect and fix bugs via crash reporting (with health data scrubbed)
• Comply with legal obligations (e.g., tax, fraud prevention)

5. Who we share your data with

We share your data only with trusted sub-processors who help us operate the service. All sub-processors are bound by data processing agreements and GDPR-compliant safeguards.

Supabase (database and authentication) — EU region

Supabase stores all your account, health, and workout data. Data is stored in the EU region with row-level security policies ensuring that only you can access your own data. Supabase is a data processor under GDPR.

Privacy policy: supabase.com/privacy

Sentry (error tracking) — US, with Standard Contractual Clauses

Sentry receives crash reports and error logs. All health, cycle, and symptom data is scrubbed before transmission. Sentry may process data in the United States under Standard Contractual Clauses (SCCs) approved by the European Commission.

Privacy policy: sentry.io/privacy

RevenueCat (subscription management)

RevenueCat processes your subscription status to enable premium features. It does not receive any health or workout data, only your subscription entitlement status.

Privacy policy: revenuecat.com/privacy

Apple (App Store and in-app purchases)

Payment processing is handled by Apple via in-app purchase. Apple's privacy policy applies to payment data.

Privacy policy: apple.com/legal/privacy

Expo (push notifications)

Expo processes push notification tokens to deliver workout reminders and app updates. No health or workout data is included in push notification payloads.

Privacy policy: expo.dev/privacy

We do not share your data with: advertisers, data brokers, social media platforms, or any third party for marketing purposes.

6. International data transfers

Your data is primarily stored in the European Union (via Supabase's EU region). However, some sub-processors (e.g., Sentry) may process data in the United States or other non-EU countries.

When data is transferred outside the EU, we ensure it is protected by:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions (where the destination country is recognised by the EU as providing adequate protection)
• Other GDPR-compliant safeguards

You have the right to request details of these safeguards by contacting privacy@getcycla.app.

7. Data retention

We retain your data only as long as necessary to provide the service and comply with legal obligations:

• Health and workout data: retained while your account is active and you have valid consent. If you withdraw consent, we stop processing your health data but retain it until you delete your account.
• Account data: retained while your account is active. When you delete your account, all data is permanently removed.
• Audit logs: retained for 6 years for compliance and fraud prevention purposes.
• Crash reports: retained for up to 90 days in Sentry.

When you delete your account, all your data is permanently and irreversibly deleted from our systems, including backups, within 30 days.

8. Your rights under GDPR

You have the following rights over your data. Most of these rights are already built into the app, so you can exercise them directly without contacting us.

Right of access

You can access all your data at any time via the app. To export a complete copy of your data, go to Profile → Account → Export data. You will receive a JSON file containing all your account, health, and workout data.

Right to rectification

You can edit your profile, cycle data, symptoms, and workout history directly in the app. Go to Profile → Edit profile or edit individual workouts and cycle entries from their respective screens.

Right to erasure (right to be forgotten)

You can delete your account and all associated data at any time via Profile → Account → Delete account. This action is permanent and irreversible. All your data will be removed from our systems within 30 days.

Right to data portability

You can export your data in a structured, machine-readable format (JSON) via Profile → Account → Export data. You can transfer this data to another service if you choose.

Right to withdraw consent

You can withdraw your consent to health data processing at any time via Profile → Account → Health data consent → Withdraw. This will stop all processing of your health data but will not delete your account. If you want to delete all data, use the account deletion option.

Right to restrict processing

You can pause data processing via Profile → Account → Pause data processing. This will stop Cycla from generating new insights or workout recommendations while retaining your data.

Right to object

You can object to processing based on legitimate interest (e.g., crash reporting) by contacting privacy@getcycla.app. We will stop processing unless we have compelling legitimate grounds that override your interests.

Right to lodge a complaint

If you believe we have not handled your data properly, you have the right to lodge a complaint with your national data protection authority. For EU residents, you can find your supervisory authority here: edpb.europa.eu/about-edpb/board/members.

9. Automated decision-making and profiling

Cycla uses automated decision-making to generate personalised workout recommendations and insights based on your cycle phase, energy levels, and training history. This falls under GDPR Article 22 (automated decision-making).

What this means: the app's personalised insights feature analyses your data to recommend workout intensity, volume, and exercise selection. These recommendations are generated algorithmically without human intervention.

Your rights: you can pause personalised insights at any time via Profile → Personalised insights → Pause. You can also manually override any recommendation by selecting your own workout or intensity level.

No automated decision has legal or similarly significant effects on you. All recommendations are advisory and can be ignored or customised.

10. Data security

We take data security seriously. Here's how we protect your data:

• Encryption in transit: all data is transmitted over HTTPS with TLS 1.3 encryption
• Encryption at rest: all data stored in Supabase is encrypted using AES-256 encryption
• Row-level security: Supabase's row-level security policies ensure that only you can access your own data, even in the event of a database breach
• Access controls: only authorised personnel have access to production systems, and all access is logged and monitored
• Data scrubbing: health and cycle data is scrubbed from crash reports before transmission to Sentry
• Regular audits: we conduct regular security audits and penetration testing

If we detect a data breach that poses a risk to your rights and freedoms, we will notify you within 72 hours as required by GDPR.

11. Children's privacy

Cycla is not intended for children under 16. In accordance with GDPR Article 8, we require users to be at least 16 years old.

During onboarding, we ask for your birth year to verify you meet the minimum age requirement. If we discover that a user under 16 has created an account, we will delete the account and all associated data promptly.

If you are a parent or guardian and believe your child under 16 has provided us with personal data, please contact us at privacy@getcycla.app and we will delete the data immediately.

12. Changes to this privacy policy

We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or new features.

When we make material changes, we will notify you via:

• An in-app notification
• Email (if you have opted in to communications)
• A notice on our website

The updated policy will take effect 30 days after notification, unless the changes are required by law, in which case they may take effect immediately.

We encourage you to review this policy periodically. The "Effective date" at the top of this page indicates when the policy was last updated.

13. Contact us