Phase logo
Log in
Sign Up

Privacy Policy.

Effective Date: 1 May 2025
Last Updated: 14 April 2026

1. Introduction

1.1 Your Phase Ltd ("we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our Phase mobile applications, websites, browser extensions, third party integrations, and associated services (collectively, the "Services").
1.2 This policy also informs you about your rights under UK data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1.3 This policy applies to all personal data processed by Your Phase Ltd in relation to the provision of the Services.

2. Data Controller Information

2.1 Your Phase Ltd is the data controller responsible for your personal data.
2.2 Our registered address is: Work.Life, Kings House, 174 Hammersmith Road, London, UK W6 7JP.
2.3 We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this policy or our privacy practices, please contact our DPO at: privacy@phaseapp.io.

3. Personal Data We Collect

We collect personal data that you provide directly, data generated when you use the Services, and data that you authorise us to access from third-party services.
We may collect and process the following categories of personal data about you:
  • Identity Data: Your name (optional).
  • Contact Data: Your email address.
  • Authentication Data: Your password (stored securely).
  • Health and Profile Data (Special Category Data): Your date of birth, information about your menstrual cycle, information about your contraception use, information about your sleep, and information you provide about how you feel (related to the Services).
  • Task & Event Information: Details of your tasks and calendar events (for example, titles, descriptions, dates, times, and associated metadata) that you enter directly into the Services or that you choose to import from third-party services (such as task managers or calendar providers).
  • Technical Data: Activity/analytics data concerning your usage of the Services, device details (e.g., operating system, device type for debugging and service optimisation), localisation information (language and timezone).
  • Financial Data: Billing information required to process payments for subscription services (processed via our third-party payment processor).

4. How We Use Your Personal Data and Lawful Bases

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances and based on the specified lawful bases:

Category of personal data

Purpose of processing

Lawful basis under UK GDPR Article 6

Specific condition for Special Category Data (UK GDPR Article 9)

Name (Optional)
To personalise your experience within the Services
Consent (Article 6(1)(a))
Not Applicable
Date of Birth
To provide personalised insights as part of the core functionality of the Services.
Consent (Article 6(1)(a))
Explicit Consent (Article 9(2)(a))
Menstrual Cycle Information
To provide personalised insights as part of the core functionality of the Services.
Consent (Article 6(1)(a))
Explicit Consent (Article 9(2)(a))
Contraception Information
To provide personalised insights as part of the core functionality of the Services.
Consent (Article 6(1)(a))
Explicit Consent (Article 9(2)(a))
Information About How You Feel
To provide personalised insights as part of the core functionality of the Services.
Consent (Article 6(1)(a))
Explicit Consent (Article 9(2)(a))
Email Address, Password
For account creation, authentication, and security purposes.
Legitimate Interests (Article 6(1)(f)) - to secure accounts
Not Applicable
Localisation Information (Language, Timezone)
To display the Services in the correct language and reflect the correct date/time.
Legitimate Interests (Article 6(1)(f)) - for service functionality
Not Applicable
Activity & Analytics Data, Device Details
To monitor service usage, troubleshoot issues, improve service performance and features.
Legitimate Interests (Article 6(1)(f)) - for service improvement & maintenance
Not Applicable
Billing Information
To process payments and manage your subscription.
Necessary for the performance of a contract (Article 6(1)(b))
Not Applicable
Email Address
To communicate important service updates or respond to your enquiries.
Legitimate Interests (Article 6(1)(f)) - for service communication
Not Applicable
Email Address
To send marketing communications (where you have consented to receive them).
Consent (Article 6(1)(a))
Not Applicable
Task & Event Information
To provide personalised insights as part of the core functionality of the Services, including by importing tasks and events from third‑party services where you choose to connect them, and displaying additional insights and information about those tasks and events.
Consent (Article 6(1)(a))
Not Applicable

5. Special Category Data

5.1 Data concerning your health (menstrual cycle information, contraception use, how you feel) and your date of birth (as used to provide insights) is considered "special category data" under UK GDPR.
5.2 We process this data solely to provide the core features and personalised insights of the Services.
5.3 We rely on your explicit consent (under Article 9(2)(a) of UK GDPR) as the lawful condition for processing this special category data. You provide this consent when you agree to provide this information and use the features of the Services that require it.
5.4 You have the right to withdraw your consent for the processing of your special category data at any time. However, please note that withdrawing consent may result in you being unable to use certain features of the Services that rely on this data. To withdraw consent, please contact our DPO at privacy@phaseapp.io.

6. Data Retention

6.1 We will retain your personal data only for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
6.2 We will generally retain your personal data for as long as you maintain an active account with us. This includes any tasks and events that you have imported from third‑party services, which we retain as part of your account data.
6.3 Following the closure or inactivity of your account, we may retain your personal data for a period of up to seven (7) years to comply with legal and accounting obligations, and for the establishment, exercise, or defence of legal claims.
6.4 After the expiry of the applicable retention period, we will securely delete or irreversibly anonymise your personal data.

7. Data Sharing and Subprocessors

7.1 We do not sell your personal data. We may share your personal data with trusted third-party service providers who act as data processors on our behalf ("Subprocessors") to provide specific services.
7.2 These Subprocessors are contractually bound to process your data only under our instructions and to implement appropriate security measures. Our current Subprocessors include:
  • Clerk: Authentication services (USA)
  • Railway: Database hosting (EU)
  • Sentry: Crash reporting and error monitoring (EU)
  • RevenueCat: Subscription management and billing processing (USA)
  • PostHog: Usage analytics & email communication services (EU)
  • Google Cloud Storage: Data storage (EU)
  • Mailchimp: Email communication services (USA)
  • AppsFlyer: Usage analytics (EU)
  • Google Gemini: AI analysis of tasks & events (USA)
7.3 We may also disclose your personal data if required by law, regulation, or legal process, or to protect the rights, property, or safety of Your Phase Ltd, our users, or others.
7.4 Third‑party services that you choose to connect to the Services (such as calendar providers or task managers) are generally independent controllers of your personal data. They are not our Subprocessors, and their handling of your personal data is governed by their own privacy policies.

8. International Data Transfers

8.1 Some of our Subprocessors are located outside the United Kingdom (UK). Specifically, Subprocessors are located in the European Union (EU) and the United States (USA).
8.2 Transfers of personal data to the EU are permitted under UK GDPR based on the UK's adequacy regulations regarding the EU's data protection framework.
8.3 When we transfer your personal data to Subprocessors located in the USA or other countries outside the UK or EU not covered by adequacy regulations, we ensure appropriate safeguards are in place as required by UK GDPR. We primarily rely on the UK Information Commissioner's Office (ICO) approved Standard Contractual Clauses (SCCs), including the UK Addendum, supplemented by appropriate technical and organisational measures where necessary, to ensure your data receives a level of protection equivalent to that provided within the UK.

9. Data Security

9.1 We have implemented appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, accessed in an unauthorised way, altered, or disclosed.
9.2 Access to your personal data is limited to employees, agents, contractors, and other third parties who have a legitimate business need. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
9.3 We have procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator (such as the ICO) of a breach where we are legally required to do so.  

10. Your Data Protection Rights

Under UK data protection law, you have rights including:
  • Right of Access: To request copies of your personal data.
  • Right to Rectification: To request correction of inaccurate personal data.
  • Right to Erasure ('Right to be Forgotten'): To request deletion of your personal data where there is no compelling reason for its continued processing.
  • Right to Restrict Processing: To request the suspension of processing under certain conditions.
  • Right to Data Portability: To request the transfer of your personal data to you or a third party in a structured, commonly used, machine-readable format (applies to data processed based on consent or contract).
  • Right to Object: To object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent: To withdraw your consent at any time where we rely on consent to process your data (including explicit consent for special category data).
To exercise any of these rights, please contact our DPO at privacy@phaseapp.io. We may need to request specific information from you to help us confirm your identity.

11. Use of Anonymised Data for Research

11.1 We may anonymise and aggregate data collected through the Services, including health-related data provided by users. Anonymisation is performed to ensure that individuals cannot be identified from the data.
11.2 This anonymised and aggregated data may be used for research purposes, statistical analysis, and to improve the Services and contribute to general knowledge regarding menstrual cycles and productivity. Research findings based on this data may be published or shared but will always be in an aggregated form that does not identify any individual user.
11.3 We process data in this way to contribute to scientific understanding and service improvement. As the data used for research is anonymised according to ICO standards, it is no longer considered personal data under UK GDPR.

12. Children's Privacy

12.1 The Services are not intended for or targeted at individuals under the age of 18.
12.2 We do not knowingly collect personal data from children under the age of 13. If we become aware that we have inadvertently collected personal data from a child under 13 without verifiable parental consent, we will take steps to delete such information promptly.  

13. Cookies

Our websites (www.phaseapp.io and my.phaseapp.io) and potentially parts of our Services may use cookies and similar technologies. For detailed information on the cookies we use and the purposes for which we use them, please see our Cookie Policy.

14. Changes to This Privacy Policy

14.1 We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated effective date.
14.2 We will notify you of any material changes to this policy through the Services (in-app notification or via the browser extension) or by email, where appropriate. We encourage you to review this policy periodically.

15. How to Contact Us and Complaints

15.1 If you have any questions or concerns about this Privacy Policy or our data protection practices, please contact our DPO at: privacy@phaseapp.io.
15.2 You also have the right to lodge a complaint at any time with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

16. Third‑Party Integrations and External Services

16.1 As part of the Services, you may choose to connect your account to third‑party services (for example, calendar providers, task management tools, communication tools or other productivity applications) in order to import tasks, events or related information into the Services and, where enabled, to create or update tasks and events in those third‑party services.
16.2 When you connect a third‑party service, we will only access the categories of data that you authorise through that service (for example, task titles, event details, dates and times). We use this data to provide the core functionality of the Services, including displaying your tasks and events and generating personalised insights and recommendations related to them.
16.3 Where the relevant feature is available and you choose to use it (for example, by asking the Services to create or edit an event or task), we may create, update or delete tasks or events in your connected third‑party services on your behalf. These actions are performed only in accordance with your instructions within the Services and the permissions you have granted via the third‑party service.
16.4 We do not control how third‑party services process your personal data in their own systems. Their collection and use of your data is governed by their own privacy policies and terms, and we encourage you to review those carefully.
16.5 You can disconnect a third‑party integration at any time via the relevant settings within the Services or the third‑party service. If you disconnect an integration, we will stop any further data imports from that service and will stop initiating any further changes to your data in that service through the Services. We may continue to process data that has already been imported in accordance with this Privacy Policy and our data retention practices, unless you exercise your rights (for example, to request erasure) as set out in section 10.
16.6 We may anonymise and aggregate data relating to your use of third‑party integrations (for example, how often certain integrations are used) for analytics and service improvement, in which case such data will no longer be considered personal data.