Privacy Policy

The data controller responsible for the Ovaly application is RKI-Benito Handels GmbH, based in Graz, Austria. You can reach the controller at any time by writing to [email protected].

Ovaly is designed so that you can track your cycle in detail without ever sending your information to anyone. The data you may choose to enter or grant access to includes: • Menstrual cycle data: period start and end dates, flow intensity, symptoms, mood, sleep quality, energy level, intimacy logs, and free-text notes. • Profile information you provide during onboarding (name, age, average cycle length, period duration, contraception, health conditions and goals). • Predictions and insights that Ovaly calculates locally on your device based on the data above. • Optional Apple Health (HealthKit) data, only with your explicit permission: wrist temperature, basal body temperature (BBT), heart-rate variability (HRV), cervical mucus quality, and ovulation test results.

All data you enter into Ovaly, together with all predictions Ovaly generates, is stored exclusively on your iPhone using Apple's SwiftData framework. No data is transmitted to RKI-Benito Handels GmbH, to any server we operate, to any cloud service, or to any third party. Ovaly does not require an account or login of any kind, because there is nothing for us to log you into.

By default, iOS includes Ovaly's data in your device's iCloud backup. This means your cycle data may be transmitted to Apple's servers and stored there as part of your overall device backup. Apple encrypts this data in transit and at rest. You can exclude Ovaly from iCloud Backup in iOS Settings → [your name] → iCloud → iCloud Backup → This iPhone → Ovaly. This is an iOS-level setting that Ovaly cannot control directly. Ovaly itself does not transmit your data to iCloud.

Cycle data is special-category personal data under Article 9 GDPR. When you first open Ovaly you give explicit consent for this data to be stored on your device by ticking a checkbox before the app opens. We record the date and the language of your consent in iOS UserDefaults on your iPhone — no copy of this consent record leaves your device. You can withdraw consent at any time by tapping "Reset All Data" in Settings, which deletes every cycle entry, every prediction Ovaly has made, and the consent record itself. After Reset, the next launch shows the disclaimer screen again so you can decide afresh.

If you choose to connect Ovaly to Apple Health, the app reads only the health data types listed above (wrist temperature, BBT, HRV, cervical mucus, ovulation test results). HealthKit data is used for a single purpose: to make your cycle and ovulation predictions more accurate on your device. HealthKit data is never written back to Apple Health, never sent off the device, never shared with third parties, never used for advertising, and never sold. Ovaly fully complies with Apple's HealthKit guidelines and will not access HealthKit data unless you explicitly grant permission in iOS. You can withdraw that permission at any time in Settings → Privacy & Security → Health → Ovaly. Once data is in Apple Health, it is governed by Apple's Health-app privacy controls — including iCloud backup if you have enabled it. Ovaly does not control or share Apple Health data outside the device. Ovaly never writes data back to Apple Health. A technically unused write permission exists solely to reliably detect whether the connection to Apple Health is active.

Ovaly does not use any analytics frameworks, telemetry, crash reporters, advertising identifiers, marketing pixels, or third-party SDKs. We do not profile you, we do not target you, and we do not measure your behaviour. There is nothing to opt in to, because there is nothing collecting data in the background.

Because no data leaves your device, nothing is shared with third parties. There are no exceptions. Ovaly does not sell, rent, license, trade or disclose your data to anyone. The controller has no technical means to access the data on your device.

Your data exists only on your device for as long as you keep Ovaly installed. You can delete all entries at any time from Settings → Reset All Data. Uninstalling Ovaly permanently removes every piece of cycle data the app has stored on your iPhone. HealthKit data remains in Apple Health and is governed separately by Apple's privacy controls.

Because the controller does not process or store your data, the practical exercise of GDPR rights happens directly on your device: • Right to access (Art. 15 GDPR): all of your data is visible inside the Ovaly app at any time. • Right to rectification (Art. 16 GDPR): you can edit your profile and any logged entry directly in the app. • Right to erasure (Art. 17 GDPR): you can delete all of your data with one tap from Settings → Reset All Data, or by uninstalling Ovaly. • Right to data portability (Art. 20 GDPR): you can export your data in two formats. The JSON export (Settings → Export Data) produces a structured, machine-readable file in line with the Article 20 standard. The PDF cycle report (Settings → Export Cycle Report) produces a human-readable summary of the same data. • Right to object and right to restriction: not applicable in a meaningful way, because the controller does not carry out any processing on its servers. • Right to lodge a complaint: you may at any time contact your local supervisory authority. In Austria this is the Datenschutzbehörde (www.dsb.gv.at). Note on import: Ovaly does not currently offer a JSON import path, so uninstalling and reinstalling the app does not automatically restore your data. If you want automatic restore, leave Ovaly enabled in iCloud Backup at the iOS level. You can also keep the JSON export file for future use, since import is planned for a later version.

Ovaly is not directed at children under 16. We do not knowingly design features for, or solicit data from, users under that age. Parents or guardians who believe a younger user has installed the app on their device should simply uninstall Ovaly to remove all locally stored data.

We may update this Privacy Policy as the app evolves or as legal requirements change. Any material changes will be communicated through a future app update and reflected in the effective date above. Continued use of Ovaly after the effective date constitutes acceptance of the updated policy.

Questions, requests or concerns regarding this Privacy Policy can be sent to [email protected].

If you submit your email address through the waitlist form on ovaly.app, a small amount of data is processed on the website side. This is the only data flow associated with Ovaly that leaves your device. What is processed: • The email address you enter • The IP address from which the form is submitted (used for rate-limiting and abuse prevention) • The two-letter language code (en/de/hr) of your browser • The timestamp of submission Legal basis: your consent (Article 6(1)(a) GDPR), which you give by actively submitting the form. Where it goes: the form submits to a Cloudflare Pages Function hosted on our domain. The Function relays the data via MailChannels (operated by MailChannels Corporation, Canada, with edge infrastructure including the EU and US) to our [email protected] inbox. The data is not stored in any database — it lives only as an email in our inbox. Sub-processors involved: • Cloudflare, Inc. — hosting of the website and Pages Function (US-based, GDPR-compliant under EU Standard Contractual Clauses) • MailChannels Corporation — email transmission relay (Canada, with adequacy decision under GDPR) • Microsoft Outlook — our email inbox provider (operated under Microsoft 365, GDPR-compliant) Retention: we keep your email address until Ovaly's launch notification has been sent, plus a 30-day window for follow-up, after which it is deleted from our inbox. You may request deletion at any earlier time. Your rights: you can withdraw consent and request deletion at any time by emailing [email protected]. All other GDPR rights — access, rectification, portability, restriction, complaint to the Austrian Data Protection Authority (Datenschutzbehörde) — apply.