Your health data belongs to you.

Information We Collect

1.1 Information You Provide

Account Information. When you create an account, we collect your email address and password. During onboarding, you provide your first name, menopause stage (pre-menopause, perimenopause, menopause, or other), and any relevant cycle modifiers (such as IUD type, recent pregnancy, or ovarian cysts).

Conversations with Luna. When you talk to Luna, our AI wellness companion, your messages are processed to provide personalized responses and to extract health-related information such as symptoms, medications, cycle events, and reminders. These conversations are stored locally on your device.

Doctor Notes. When you ask Luna to note something for your doctor, that information is saved locally for inclusion in your doctor report.

Profile Information. You may update your name and menopause stage in your profile settings at any time.

1.2 Health and Fitness Data from Apple HealthKit

With your explicit permission, we read the following data types from Apple HealthKit:

• Sleep analysis (duration, stages)
• Heart rate and heart rate variability (HRV)
• Wrist skin temperature
• Step count
• Menstrual cycle data (period tracking, cycle length)

This data is read from HealthKit on your device and used locally to provide Luna with context about your health patterns. We do not write data to HealthKit. We do not store HealthKit data in iCloud.

1.3 Calendar Data

With your permission, we access your calendar in read-only mode through Apple EventKit. This allows Luna to be aware of your upcoming schedule and detect medical appointments. We do not modify, create, or delete calendar events.

1.4 Clinical Health Records

With your explicit permission, the App can access clinical health records (such as lab results, medications, allergies, and vitals) stored in Apple HealthKit through participating healthcare organizations. This data is accessed locally on your device. Access to clinical records requires a separate permission grant from you and is entirely optional.

How We Use Your Information

We use your information for the following purposes:

• To provide personalized wellness guidance through Luna based on your symptoms, health data, and conversation history
• To extract and organize symptom data, medication tracking, cycle events, and reminders from your natural conversations
• To detect health patterns and generate insights (such as symptom frequency, clusters, trends, and correlations with your cycle)
• To generate doctor reports summarizing your health data for sharing with your healthcare provider
• To send you notifications only when you request a reminder or when passive wearable data surfaces a clinically meaningful pattern
• To authenticate your account and maintain your session

We never use your health data for advertising, marketing, or data mining purposes.

Third-Party Services

To provide the App’s features, we use the following third-party services:

Anthropic (Claude API). Your conversation messages are sent to Anthropic’s API to generate Luna’s responses and to extract health information from your messages. Anthropic processes this data to fulfill the request and does not use it to train their models. See Anthropic’s privacy policy at anthropic.com/privacy for details on their data handling.

ElevenLabs. Luna’s spoken responses are generated using ElevenLabs’ text-to-speech API. The text of Luna’s response is sent to ElevenLabs to generate audio. See ElevenLabs’ privacy policy at elevenlabs.io/privacy for details.

Apple Speech Recognition. When you use voice input, your speech is processed using Apple’s on-device speech recognition (SFSpeechRecognizer). Voice processing occurs locally on your device.

Supabase. If you choose to enable Cloud Backup in your profile settings, your account data and conversation history are encrypted and synced to Supabase, a cloud database provider. This is entirely opt-in. See Supabase’s privacy policy at supabase.com/privacy for details.

Data Storage and Security

4.1 Local-First Architecture

All of your data — conversations, symptoms, medications, cycle events, insights, doctor notes, reminders, and personal context — is stored locally on your device using Apple’s SwiftData framework. The App works fully offline. We never read from cloud storage for display; all reads come from your local device.

4.2 Optional Cloud Backup

You may choose to enable Cloud Backup in your profile settings. When enabled, your data is encrypted and synced to our cloud database (Supabase) so that you can recover your data if you change devices. Cloud Backup is off by default. You can disable it at any time, and your data will continue to be available locally on your device. When Cloud Backup is enabled, data is transmitted using encrypted connections and stored with row-level security policies that ensure only you can access your data.

4.3 HealthKit Data

Health data from Apple HealthKit is read on your device and used locally to provide context to Luna. HealthKit data is not stored in iCloud, is not uploaded to our cloud backup, and is not shared with third parties for advertising or data mining purposes, in accordance with Apple’s HealthKit guidelines.

Data Sharing

We do not sell, rent, or trade your personal information. We share data with third parties only in the following circumstances:

• With the third-party service providers listed in Section 3, solely to provide the App’s features
• When you choose to export a doctor report, the report is generated on your device and shared via iOS’s native share sheet — we do not transmit it
• If required by law, regulation, or legal process
• To protect the safety of our users or the public

Your Rights and Choices

HealthKit and Calendar Permissions. You can grant or revoke access to HealthKit data and calendar data at any time through your device’s Settings app under Privacy & Security.

Cloud Backup. You can enable or disable Cloud Backup at any time in the App’s Profile settings.

Notifications. You can manage notification permissions through your device’s Settings app. Luna only sends notifications when you request a reminder or when passive health data surfaces a pattern worth flagging — never unsolicited check-ins.

Account Deletion. You can delete your account from within the App under Profile. Account deletion permanently removes all of your data from our cloud servers (if Cloud Backup was enabled) and from the local device. This action cannot be undone.

Data Export. You can generate a doctor report that compiles your symptom history, health metrics, medications, cycle data, insights, and doctor notes into a PDF document for sharing with your healthcare provider.

Your Rights Under EU/EEA Law (GDPR)

If you are located in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) provides you with additional rights regarding your personal data. This section describes those rights and how we comply.

7.1 Legal Basis for Processing

We process your personal data on the following legal bases:

• Consent (Article 6(1)(a) and Article 9(2)(a)): We process your health data, HealthKit data, calendar data, and conversation content based on your explicit consent. You grant this consent during onboarding and through iOS permission prompts that specify each data type and its purpose. You may withdraw consent at any time through the App’s settings or your device’s Privacy & Security settings.
• Contract Performance (Article 6(1)(b)): We process your account information (email, password) as necessary to provide the App’s services to you.
• Legitimate Interest (Article 6(1)(f)): We process limited technical data as necessary for the security and proper functioning of the App.

7.2 Your GDPR Rights

You have the following rights under GDPR. To exercise any of these rights, contact us at privacy@heygirlfriend.app. We will respond within 30 days.

• Right of Access: You may request a copy of the personal data we hold about you.
• Right to Rectification: You may request that we correct inaccurate personal data. You can also update your name and menopause stage directly in the App’s profile settings.
• Right to Erasure (“Right to Be Forgotten”): You may request deletion of your personal data. You can also delete your account directly within the App, which permanently removes all data from our servers and your device.
• Right to Data Portability: You may request your data in a structured, commonly used format. The App’s doctor report feature exports your health data as a PDF.
• Right to Restrict Processing: You may request that we limit how we process your data in certain circumstances.
• Right to Object: You may object to processing based on legitimate interests.
• Right to Withdraw Consent: You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.

7.3 International Data Transfers

When you use the App, your conversation data is transmitted to third-party service providers located in the United States (Anthropic and ElevenLabs) for processing. If you enable Cloud Backup, your data is stored on servers operated by Supabase, which may be located outside the EU/EEA.

We ensure that these transfers are protected by appropriate safeguards, including standard contractual clauses approved by the European Commission and/or the service providers’ compliance with applicable data protection frameworks.

7.4 Data Protection Officer and Supervisory Authority

For data protection inquiries, contact us at privacy@heygirlfriend.app. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.

7.5 Privacy by Design

Hey Girlfriend! was built with privacy by design and privacy by default principles. All data is stored locally on your device by default. Cloud services are opt-in. Health data permissions are granular and individually controlled. We collect only the minimum data necessary to provide the App’s features.

Your Rights Under California Law (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”), provides you with specific rights regarding your personal information.

8.1 Your CCPA Rights

As a California resident, you have the right to:

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
• Right to Delete: Request deletion of personal information we have collected from you, subject to certain exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising. Because we do not engage in these activities, there is no need to opt out.
• Right to Limit Use of Sensitive Personal Information: Your health data, menopause stage, and cycle information constitute sensitive personal information under the CCPA. We use this information only to provide the App’s wellness features — never for advertising, profiling, or purposes unrelated to the services you expect.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

8.2 How to Exercise Your Rights

You may submit a request by emailing privacy@heygirlfriend.app or by using the account deletion feature within the App. We will verify your identity before processing your request and respond within 45 days. You may also designate an authorized agent to submit a request on your behalf.

8.3 Automated Decision-Making

Luna uses artificial intelligence to provide wellness guidance, detect symptom patterns, and generate health insights. Luna does not make significant decisions about your access to healthcare, insurance, employment, or other services. Luna’s outputs are informational and do not determine, deny, or limit any service or benefit.

8.4 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:

• Identifiers (name, email address, account ID)
• Health information (symptoms, medications, cycle data, HealthKit data, clinical records)
• Internet or electronic network activity (App usage, conversation history)
• Inferences drawn from the above (symptom patterns, health insights)

We do not sell any categories of personal information. We do not share personal information for cross-context behavioral advertising.

Children’s Privacy

Hey Girlfriend! is designed for adults. We do not knowingly collect personal information from children under 13 (or under 16 in the European Economic Area). If we learn that we have collected personal information from a child, we will delete it promptly.

Not Medical Advice

Hey Girlfriend! is a wellness companion, not a medical device or healthcare provider. Luna does not diagnose medical conditions, recommend specific medications or dosages, or provide clinical treatment. The information provided by Luna is for general wellness purposes only and should not be used as a substitute for professional medical advice, diagnosis, or treatment. Always consult a qualified healthcare provider with questions about a medical condition.

Data Retention

Your data is stored locally on your device for as long as you use the App. If you have enabled Cloud Backup, your data is retained on our servers until you delete your account or disable Cloud Backup. When you delete your account, all associated data is permanently removed from our servers. Conversation data sent to third-party APIs (Anthropic, ElevenLabs) is processed in real time and is subject to those providers’ respective data retention policies.

Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the App or by other means before the changes take effect. Your continued use of the App after the effective date of the revised policy constitutes your acceptance of the changes.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at:

HG Health LLC

Email: privacy@heygirlfriend.app

Website: heygirlfriend.app