Privacy Policy

Last updated: 20 February 2026

1. Introduction

This Privacy Policy explains how Yunea ('we', 'us', 'our') collects, uses, and protects your personal data when you use our menstrual cycle tracking application. We are committed to protecting your privacy and processing your data in compliance with the General Data Protection Regulation (GDPR) and Dutch data protection laws. As a Netherlands-based service, we apply GDPR-level safeguards to your data regardless of where you are located.

2. Data Controller

Yunea is the data controller responsible for your personal data. We are operated by Cher-fez, a sole proprietorship registered and operating under Dutch law. You can contact us at:

Cher-fez (Yunea)
KvK: 83651195
The Netherlands
Email: privacy@yunea.app

3. Data We Collect

We collect and process the following categories of personal data:

Category | Data | Purpose
Account Data | Email address, timezone, hemisphere | Account creation, authentication, service personalization
Health Data | Menstrual cycle dates, period length, mood, energy, sleep quality, symptoms | Cycle tracking, personalized recommendations
Preferences | Dietary exclusions, dosha quiz results, language preference | Personalized meal and routine recommendations
Technical Data | Device type, app version, IP address, server logs | Service operation, security, troubleshooting

4. Legal Basis for Processing

We process your data based on the following legal grounds under GDPR:

  • Consent (Article 6(1)(a) & Article 9(2)(a)): For processing your health data (special category data), we rely on your explicit consent. You can withdraw consent at any time.
  • Contract Performance (Article 6(1)(b)): For account data necessary to provide the service you requested.
  • Legitimate Interest (Article 6(1)(f)): For technical data used to improve and secure the service. Our legitimate interests include: (a) maintaining security and preventing fraud; (b) diagnosing technical issues and improving service quality; (c) understanding general usage patterns to enhance the user experience. We apply data minimization principles and conduct balancing tests to ensure our interests do not override your fundamental rights. You have the right to object to processing based on legitimate interests.

5. Special Category Data (Health Information)

Menstrual cycle data, symptoms, and mood information are classified as special category data under GDPR Article 9. This data receives the highest level of protection under EU law.

We only process this data with your explicit consent, which you provide when using the cycle tracking features. You can withdraw consent and request deletion at any time through your profile settings or by contacting us.

6. Reproductive Health Data Protection

We understand the sensitivity of reproductive health data. Your personally identifiable health data regarding menstrual cycles, pregnancies, pregnancy loss, or any reproductive health information is kept strictly private and confidential. We do not sell this data. We do not share it with advertisers. We do not use it for any purpose other than providing you with the Yunea service.

7. We Do Not Sell Your Data

Yunea does not sell, rent, or trade your personal data to any third party. We do not share your health data with advertisers, data brokers, or marketing companies. Your data is used solely to provide and improve the Yunea service for you.

8. Law Enforcement Requests

We are established in the Netherlands and bound by GDPR and Dutch privacy law. These laws provide strong protections for your health data. We have never received a request from law enforcement for user data. If we were to receive such a request, we would: (a) carefully review its legal validity under Dutch and EU law; (b) only comply if legally compelled by Dutch courts; (c) limit any disclosure to the minimum required by law; (d) notify the affected user unless legally prohibited from doing so. We do not voluntarily share user data with any government or law enforcement agency.

9. Data Processors and Third Parties

We use the following third-party service to process your data:

Supabase Inc.

  • Service: Database hosting, authentication
  • Location: United States (AWS infrastructure)
  • Safeguards: EU Standard Contractual Clauses (SCCs), SOC 2 Type II certified

Supabase maintains GDPR compliance and has implemented appropriate technical and organizational measures to protect your data. Data is encrypted in transit and at rest.

10. Cookies, Analytics & Tracking

Yunea does not use cookies, third-party analytics, advertising trackers, or behavioral tracking tools. We do not track your behavior across websites or share data with advertising networks. We may process minimal technical data required to operate and secure the service (such as IP addresses and server logs) through our infrastructure and Supabase. If we introduce analytics or tracking tools in the future, we will update this policy, notify you, and where required, obtain your consent.

11. International Data Transfers

Your data may be transferred to and processed in the United States by Supabase. These transfers are protected by EU Standard Contractual Clauses (SCCs) as approved by the European Commission, ensuring your data receives protection equivalent to that in the EU/EEA. We implement additional technical safeguards including encryption to protect your data during transfer and storage.

12. Data Retention

We retain your data for as long as necessary to provide the service:

  • Account and health data: Retained while your account is active
  • After account deletion: Data is permanently deleted within 30 days
  • Backup data: Removed from all backup systems within 90 days of account deletion
  • Anonymized, aggregated data (which cannot identify you) may be retained for service improvement purposes

13. Your Rights Under GDPR

As a data subject, you have the following rights regardless of your location:

  • Right to Access (Art. 15): Request a copy of your personal data
  • Right to Rectification (Art. 16): Correct inaccurate or incomplete data
  • Right to Erasure (Art. 17): Request deletion of your data ('right to be forgotten')
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format (CSV or JSON). We may need to verify your identity before fulfilling requests.
  • Right to Object (Art. 21): Object to processing based on legitimate interests
  • Right to Withdraw Consent (Art. 7): Withdraw consent for health data processing at any time

To exercise these rights, contact us at privacy@yunea.app. We will respond within one month as required by GDPR.

14. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption in transit (TLS) and at rest
  • Row-Level Security (RLS) ensuring you can only access your own data
  • Secure authentication using magic links (passwordless)
  • Strict access controls limiting who can access infrastructure
  • If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required by GDPR, and notify affected users as appropriate

15. Children's Privacy

Yunea is not intended for users under 16 years of age. In the Netherlands, the minimum age for providing consent under GDPR is 16. If we discover we have collected data from a user under 16 without parental consent, we will delete it promptly.

16. App Store Privacy

When Yunea becomes available through the Apple App Store or Google Play Store, additional privacy disclosures will be provided through those platforms' privacy labels. We do not sell your data or use it for advertising purposes.

17. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes via email or in-app notification. The 'Last updated' date at the top indicates when this policy was last revised.

18. Complaints

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Dutch Data Protection Authority:

Autoriteit Persoonsgegevens
Postbus 93374
2509 AJ Den Haag
www.autoriteitpersoonsgegevens.nl

19. Language

This Privacy Policy is available in multiple languages. In case of any discrepancy between language versions, the English version shall prevail.

20. Contact Us

For privacy-related questions or to exercise your rights, contact us at:

Email: privacy@yunea.app