Data Controller
The data controller is: Ondřej Hoos, Registration No.: 05467390, registered office at Školská 660/3, 110 00, Praha 1 - Nové Město, Czech Republic (hereinafter "Controller"). Contact email: privacy@pomaia.app
Data We Collect
POMAIA processes the following categories of personal data:
Health and cycle data (stored locally on your device):
- Menstruation records (duration, intensity, start/end dates)
- Ovulation data (tests, cervical mucus, cervix position)
- Body measurements (basal temperature, weight, blood pressure)
- Mood and emotions
- Sleep (duration, quality)
- Symptoms (pain, bloating, acne, fatigue, etc.)
- Medications and supplements (names, dosage, reminders)
- Sexual activity and contraception
- Nutrition and exercise
- Personal notes
User profile (stored locally):
- Age, average cycle length, PCOS diagnosis (yes/no), unit settings
Technical and analytics data (transmitted remotely):
- Diagnostic data: crash reports including device type, OS version, and installation identifier (via Firebase Crashlytics) — does NOT contain health or personal data
- Analytics data: screens visited (screen_view), session duration (via Firebase Analytics, configured in privacy mode: setUserId(null), no health data is transmitted)
Biometric data:
- The app supports biometric authentication (Face ID / Touch ID). Biometric data is processed exclusively by your device's operating system; the app does not access it.
Purpose and Legal Basis
We process your data for the following purposes:
- Providing app features (cycle tracking, symptom logging, medication management, report generation) — legal basis: performance of contract (Art. 6(1)(b) GDPR) and your explicit consent for health data processing (Art. 9(2)(a) GDPR)
- Technical diagnostics and bug fixing — legal basis: legitimate interest of the Controller in app stability (Art. 6(1)(f) GDPR)
- Analytics and app improvement — legal basis: your consent given at first launch (Art. 6(1)(a) GDPR)
Consent for health data processing is obtained during in-app onboarding via an active opt-in checkbox. Analytics consent is obtained separately. Both consents can be withdrawn at any time in the app settings.
Where Your Data Is Stored
Health and cycle data is stored exclusively locally on your device in an encrypted database (SQLDelight). The Controller does not have direct access to your health data and this data is never transmitted to any remote server.
Data backups (JSON export) are stored exclusively on your device and their security is your responsibility. They can be optionally encrypted with a password.
Technical and analytics data is processed by Firebase (Google LLC) on EU servers or under Standard Contractual Clauses (SCC).
Data Sharing with Third Parties
We do not sell or share your health data with third parties. It is not used for advertising, profiling, or sale.
The following third parties process only technical/analytics data or transaction data:
- Google LLC (Firebase Crashlytics) — diagnostic data including installation identifier and device type
- Google LLC (Firebase Analytics) — app usage data (screen_view), configured in privacy mode
- RevenueCat Inc. — subscription management, processes anonymous transaction identifiers and subscription status
- Apple Inc. / Google LLC — subscription payment processing via App Store / Google Play
Your Rights (GDPR)
Under GDPR, you have the following rights:
- Right of access to your personal data
- Right to rectification of inaccurate data
- Right to erasure ('right to be forgotten')
- Right to restriction of processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent at any time without affecting the lawfulness of prior processing
You may exercise your rights by contacting: privacy@pomaia.app. We will respond to your request within 30 days.
You also have the right to lodge a complaint with a supervisory authority. For Czech users: Úřad pro ochranu osobních údajů (www.uoou.cz). For Slovak users: Úrad na ochranu osobných údajov (www.dataprotection.gov.sk).
You can delete your local health data at any time using the "Delete all data" feature in app settings or by uninstalling the app.
US User Rights (CCPA/CPRA)
If you are a resident of California or another US state with an applicable consumer privacy law, you have the following rights:
- Right to know what personal information we collect and how we use it
- Right to request deletion of your personal information
- Right not to be discriminated against for exercising your privacy rights
We do not sell or share your personal information within the meaning of CCPA/CPRA. To exercise your rights, contact us at: privacy@pomaia.app
Subscription and Payments
All subscription payments are processed exclusively through the App Store (Apple) or Google Play (Google). The Controller does not have access to your payment details (card, account). Subscription management is technically provided by RevenueCat Inc.
Data Retention
Local health data is stored on your device for as long as you use the app. Uninstalling the app will delete this data subject to your device settings.
Diagnostic data (Firebase Crashlytics) is retained for 90 days. Analytics data (Firebase Analytics) is retained for 14 months.
RevenueCat data (anonymous transaction identifiers) is retained for the duration of the subscription and as required by law.
Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you without undue delay in accordance with Articles 33 and 34 of the GDPR, via the app or email (if available).
Children
The app is intended for persons aged 16 or older (within the EU) or 13 or older (in the US, in accordance with COPPA). We do not knowingly collect personal data from children. If we discover that we have collected data from a person under the applicable age, we will promptly delete such data.
Changes to This Policy
We will notify you of material changes via the app at least 14 days before they take effect. The current version is always available in the app and on our website.
Contact
If you have any questions about the processing of your personal data, please contact us at: privacy@pomaia.app