Your Phase Ltd Privacy Policy
Effective Date: 1 May 2025
Last Updated: 10 June 2025
1. Introduction
1.1 Your Phase Ltd ("we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our Phase mobile applications, websites, browser extensions, third-party integrations, and associated services (collectively, the "Services").
1.2 This policy also informs you about your rights under UK data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1.3 This policy applies to all personal data processed by Your Phase Ltd in relation to the provision of the Services.
2. Data Controller Information
2.1 Your Phase Ltd is the data controller responsible for your personal data.
2.2 Our registered address is: Work.Life, Kings House, 174 Hammersmith Road, London, UK W6 7JP.
2.3 We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this policy or our privacy practices, please contact our DPO at: privacy@phaseapp.io.
3. Personal Data We Collect
We may collect and process the following categories of personal data about you:
Identity Data: Your name (optional).
Contact Data: Your email address.
Authentication Data: Your password (stored securely).
Health and Profile Data (Special Category Data): Your date of birth, information about your menstrual cycle, information about your contraception use, and information you provide about how you feel (related to the Services).
Technical Data: Activity/analytics data concerning your usage of the Services, device details (e.g., operating system, device type for debugging and service optimisation), localisation information (language and timezone).
Financial Data: Billing information required to process payments for subscription services (processed via our third-party payment processor).
4. How We Use Your Personal Data and Lawful Bases
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances and based on the specified lawful bases:
5. Special Category Data
5.1 Data concerning your health (menstrual cycle information, contraception use, how you feel) and your date of birth (as used to provide insights) is considered "special category data" under UK GDPR.
5.2 We process this data solely to provide the core features and personalised insights of the Services.
5.3 We rely on your explicit consent (under Article 9(2)(a) of UK GDPR) as the lawful condition for processing this special category data. You provide this consent when you agree to provide this information and use the features of the Services that require it.
5.4 You have the right to withdraw your consent for the processing of your special category data at any time. However, please note that withdrawing consent may result in you being unable to use certain features of the Services that rely on this data. To withdraw consent, please contact our DPO at privacy@phaseapp.io.
6. Data Retention
6.1 We will retain your personal data only for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
6.2 We will generally retain your personal data for as long as you maintain an active account with us.
6.3 Following the closure or inactivity of your account, we may retain your personal data for a period of up to seven (7) years to comply with legal and accounting obligations, and for the establishment, exercise, or defence of legal claims.
6.4 After the expiry of the applicable retention period, we will securely delete or irreversibly anonymise your personal data.
7. Data Sharing and Subprocessors
7.1 We do not sell your personal data. We may share your personal data with trusted third-party service providers who act as data processors on our behalf ("Subprocessors") to provide specific services.
7.2 These Subprocessors are contractually bound to process your data only under our instructions and to implement appropriate security measures. Our current Subprocessors include:
Clerk: Authentication services (USA)
Railway: Database hosting (EU)
Sentry: Crash reporting and error monitoring (EU)
RevenueCat: Subscription management and billing processing (USA)
Google/Firebase Analytics: Usage analytics (USA)
PostHog: Usage analytics (EU)
Google Cloud Storage: Data storage (EU)
Mailchimp: Email communication services (USA)
7.3 We may also disclose your personal data if required by law, regulation, or legal process, or to protect the rights, property, or safety of Your Phase Ltd, our users, or others.
8. International Data Transfers
8.1 Some of our Subprocessors are located outside the United Kingdom (UK). Specifically, Subprocessors are located in the European Union (EU) and the United States (USA).
8.2 Transfers of personal data to the EU are permitted under UK GDPR based on the UK's adequacy regulations regarding the EU's data protection framework.
8.3 When we transfer your personal data to Subprocessors located in the USA or other countries outside the UK or EU not covered by adequacy regulations, we ensure appropriate safeguards are in place as required by UK GDPR. We primarily rely on the UK Information Commissioner's Office (ICO) approved Standard Contractual Clauses (SCCs), including the UK Addendum, supplemented by appropriate technical and organisational measures where necessary, to ensure your data receives a level of protection equivalent to that provided within the UK.
9. Data Security
9.1 We have implemented appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, accessed in an unauthorised way, altered, or disclosed.
9.2 Access to your personal data is limited to employees, agents, contractors, and other third parties who have a legitimate business need. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
9.3 We have procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator (such as the ICO) of a breach where we are legally required to do so.
10. Your Data Protection Rights
Under UK data protection law, you have rights including:
Right of Access: To request copies of your personal data.
Right to Rectification: To request correction of inaccurate personal data.
Right to Erasure ('Right to be Forgotten'): To request deletion of your personal data where there is no compelling reason for its continued processing.
Right to Restrict Processing: To request the suspension of processing under certain conditions.
Right to Data Portability: To request the transfer of your personal data to you or a third party in a structured, commonly used, machine-readable format (applies to data processed based on consent or contract).
Right to Object: To object to processing based on legitimate interests or for direct marketing.
Right to Withdraw Consent: To withdraw your consent at any time where we rely on consent to process your data (including explicit consent for special category data).
To exercise any of these rights, please contact our DPO at privacy@phaseapp.io. We may need to request specific information from you to help us confirm your identity.
11. Use of Anonymised Data for Research
11.1 We may anonymise and aggregate data collected through the Services, including health-related data provided by users. Anonymisation is performed to ensure that individuals cannot be identified from the data.
11.2 This anonymised and aggregated data may be used for research purposes, statistical analysis, and to improve the Services and contribute to general knowledge regarding menstrual cycles and productivity. Research findings based on this data may be published or shared but will always be in an aggregated form that does not identify any individual user.
11.3 We process data in this way to contribute to scientific understanding and service improvement. As the data used for research is anonymised according to ICO standards, it is no longer considered personal data under UK GDPR.
12. Children's Privacy
12.1 The Services are not intended for or targeted at individuals under the age of 18.
12.2 We do not knowingly collect personal data from children under the age of 13. If we become aware that we have inadvertently collected personal data from a child under 13 without verifiable parental consent, we will take steps to delete such information promptly.
13. Cookies
Our websites (www.phaseapp.io and my.phaseapp.io) and potentially parts of our Services may use cookies and similar technologies. For detailed information on the cookies we use and the purposes for which we use them, please see our Cookie Policy available at: https://www.phaseapp.io/cookies
14. Changes to This Privacy Policy
14.1 We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated effective date.
14.2 We will notify you of any material changes to this policy through the Services (in-app notification or via the browser extension) or by email, where appropriate. We encourage you to review this policy periodically.
15. How to Contact Us and Complaints
15.1 If you have any questions or concerns about this Privacy Policy or our data protection practices, please contact our DPO at: privacy@phaseapp.io.
15.2 You also have the right to lodge a complaint at any time with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.