Privacy Policy

Ovaly is built around one radical idea: we never see your data. This page explains exactly what that means.

1. Who is responsible for your data

The data controller for Ovaly is:

Company

RKI-Benito Handels GmbH

Address

Herrgottwiesgasse 149, 8055 Graz, Austria

Email

[email protected]

2. What data Ovaly works with

Ovaly is a cycle tracking app. To work, it processes the following data locally on your iPhone:

• Period start and end dates you log
• Symptoms, mood, flow intensity, sleep quality, energy level, intimacy logs and free-text notes you choose to log
• Profile information you provide during onboarding (name, age, average cycle length, period duration, contraception, health conditions and goals)
• Cycle length, duration, and predicted phases (calculated by the app on your device)
• Optional Apple Health data (wrist temperature, basal body temperature, HRV, cervical mucus, ovulation tests) — only if you grant permission

3. How and where your data is stored

Ovaly does not require an account or login of any kind, because there is nothing for us to log you into.

3a. iCloud Backup

By default, iOS includes Ovaly's data in your device's iCloud backup. This means your cycle data may be transmitted to Apple's servers and stored there as part of your overall device backup. Apple encrypts this data in transit and at rest.

You can exclude Ovaly from iCloud Backup in iOS Settings → [your name] → iCloud → iCloud Backup → This iPhone → Ovaly. This is an iOS-level setting that Ovaly cannot control directly. Ovaly itself does not transmit your data to iCloud.

4. How we get your consent

Cycle data is special-category personal data under Article 9 GDPR. When you first open Ovaly you give explicit consent for this data to be stored on your device by ticking a checkbox before the app opens.

We record the date and the language of your consent in iOS UserDefaults on your iPhone — no copy of this consent record leaves your device.

You can withdraw consent at any time by tapping "Reset All Data" in Settings, which deletes every cycle entry, every prediction Ovaly has made, and the consent record itself. After Reset, the next launch shows the disclaimer screen again so you can decide afresh.

5. Apple Health (HealthKit)

If you connect Ovaly to Apple Health, the app reads only the following data types: wrist temperature, basal body temperature (BBT), heart-rate variability (HRV), cervical mucus quality, and ovulation test results. HealthKit data is used for a single purpose: to make your cycle and ovulation predictions more accurate on your device.

HealthKit data is never written back to Apple Health, never sent off the device, never shared with third parties, never used for advertising, and never sold. Ovaly fully complies with Apple's HealthKit guidelines and will not access HealthKit data unless you explicitly grant permission in iOS. You can revoke that permission at any time in iOS Settings → Privacy & Security → Health → Ovaly.

Once data is in Apple Health, it is governed by Apple's Health-app privacy controls — including iCloud backup if you have enabled it. Ovaly does not control or share Apple Health data outside the device.

6. No tracking, no analytics, no advertising

Ovaly contains zero third-party tracking SDKs. No Firebase. No Mixpanel. No Google Analytics. No advertising networks. No tracking pixels. No telemetry.

We do not know how many times you opened the app, what you tapped, or what you logged. We have built it that way on purpose.

7. No data sharing from the app

The Ovaly app does not share any of your data with anyone, because we do not have it. There are no data processors, no analytics providers, no advertising partners, and no government access mechanisms — because there is no data on our side to share.

(For data you actively submit through the website — such as our email waitlist — see section 11 below.)

8. Data retention

Your data is retained on your device for as long as you keep Ovaly installed. To delete all data immediately:

• Open Ovaly → Settings → Reset All Data, or
• Uninstall the app from your iPhone

HealthKit data remains in Apple Health and is governed separately by Apple's privacy controls.

9. Your rights under the GDPR

Because the controller does not process or store your data, the practical exercise of GDPR rights happens directly on your device:

• Right to access (Art. 15 GDPR): all of your data is visible inside the Ovaly app at any time.
• Right to rectification (Art. 16 GDPR): you can edit your profile and any logged entry directly in the app.
• Right to erasure (Art. 17 GDPR): you can delete all of your data with one tap from Settings → Reset All Data, or by uninstalling Ovaly.
• Right to data portability (Art. 20 GDPR): you can export your data in two formats. The JSON export (Settings → Export Data) produces a structured, machine-readable file in line with the Article 20 standard. The PDF cycle report (Settings → Export Cycle Report) produces a human-readable summary of the same data.
• Right to object and right to restriction: not applicable in a meaningful way, because the controller does not carry out any processing on its servers.
• Right to lodge a complaint: you may at any time contact your local supervisory authority. In Austria this is the Datenschutzbehörde (www.dsb.gv.at).

Note on import: Ovaly does not currently offer a JSON import path, so uninstalling and reinstalling the app does not automatically restore your data. If you want automatic restore, leave Ovaly enabled in iCloud Backup at the iOS level. You can also keep the JSON export file for future use, since import is planned for a later version.

If you have questions about this Privacy Policy, contact [email protected].

10. Children's privacy

Ovaly is not directed at children under 16. We do not knowingly design features for, or solicit data from, users under that age. Parents or guardians who believe a younger user has installed the app on their device should simply uninstall Ovaly to remove all locally stored data.

11. Email waitlist (website only)

If you submit your email address through the waitlist form on ovaly.app, a small amount of data is processed on the website side. This is the only data flow associated with Ovaly that leaves your device.

What is processed:

• The email address you enter
• The IP address from which the form is submitted (used for rate-limiting and abuse prevention)
• The two-letter language code (en/de/hr) of your browser
• The timestamp of submission

Legal basis: your consent (Article 6(1)(a) GDPR), which you give by actively submitting the form.

Where it goes: the form submits to a Cloudflare Pages Function hosted on our domain. The Function relays the data via MailChannels (operated by MailChannels Corporation, Canada, with edge infrastructure including the EU and US) to our [email protected] inbox. The data is not stored in any database — it lives only as an email in our inbox.

Sub-processors involved:

• Cloudflare, Inc. — hosting of the website and Pages Function (US-based, GDPR-compliant under EU Standard Contractual Clauses)
• MailChannels Corporation — email transmission relay (Canada, with adequacy decision under GDPR)
• Microsoft Outlook — our email inbox provider (operated under Microsoft 365, GDPR-compliant)

Retention: we keep your email address until Ovaly's launch notification has been sent, plus a 30-day window for follow-up, after which it is deleted from our inbox. You may request deletion at any earlier time.

Your rights: you can withdraw consent and request deletion at any time by emailing [email protected]. All other GDPR rights — access, rectification, portability, restriction, complaint to the Austrian Data Protection Authority (Datenschutzbehörde) — apply.

12. Changes to this policy

If we ever change how Ovaly handles data, we will publish a new version of this Privacy Policy and update the "Last updated" date at the top of this page. Major changes will be communicated through an in-app notice before they take effect.