PrivaCycle Privacy Policy

Effective date: May 18, 2026
App: PrivaCycle (iOS)

This Privacy Policy explains how PrivaCycle handles information when you use the app.

PrivaCycle is designed to work without a developer-operated backend. Your period tracking and related health data is stored on your device, and (if you enable it) an encrypted backup may be stored in Apple iCloud via CloudKit.

1. Who is responsible for processing

Developer / Controller:
Banana Pancakes s.r.o.
Na Pomezi 910/2
Praha 5, 158 00
Czech Republic

Contact: Use the PrivaCycle support page for app support, privacy questions, and deletion/access requests.

2. Key points summary

  • No developer backend: We do not run servers that receive or store your period tracking data.
  • Local-only by default: Your data is stored locally on your iPhone/iPad.
  • Encrypted storage: PrivaCycle encrypts app data on-device and supports unlocking with PIN and/or biometrics.
  • No face data collection: Face ID authentication is handled by iOS. PrivaCycle does not receive, collect, store, transmit, share, or retain face scans, facial geometry, face templates, faceprints, or other face data.
  • Optional iCloud backup (CloudKit): If enabled, PrivaCycle stores an encrypted copy in your iCloud account using CloudKit.
  • Subscriptions via Apple: Payments and subscription management are handled by Apple StoreKit 2. We do not receive your payment card details.

3. Information PrivaCycle processes

3.1 Information you enter in the app (stored locally)

PrivaCycle may process the information you choose to input, such as:

  • menstrual cycle dates and related entries
  • symptoms, notes, tags, and other health-related logs you choose to record

Where this data is processed/stored:

  • On your device, in encrypted form.
  • Not transmitted to any developer-operated servers.

3.2 App security credentials (PIN / biometrics / Face ID)

  • If you set a PIN, the app uses it to control access to encrypted data.
  • If you enable Face ID / Touch ID, authentication is performed by iOS through Apple's LocalAuthentication framework. PrivaCycle does not receive, collect, store, transmit, share, or retain your biometric data or face data. This includes face scans, facial geometry, face templates, faceprints, and any other data derived from your face.
  • PrivaCycle only receives the authentication result from iOS, such as success, cancellation, fallback to PIN, or failure. The app uses that result only to unlock or keep locked your encrypted PrivaCycle data.

Secure Enclave note (technical): iOS uses the Secure Enclave to protect cryptographic material (such as encryption keys) when available. PrivaCycle is designed so that encryption keys are protected by hardware-backed security, and decrypted app data is intended to be available only when you unlock the app (e.g., in memory while the app is in use).

3.3 iCloud / CloudKit (optional)

If you enable iCloud backup/sync:

  • PrivaCycle stores your app data in your iCloud account using Apple CloudKit.
  • PrivaCycle is designed to encrypt your data before it is stored in CloudKit, so the backup is intended to be unreadable without your device's unlock and/or cryptographic keys.

Important: Apple operates iCloud/CloudKit. Apple may process certain account/device/connection information as part of providing iCloud services under Apple's terms and privacy policy. PrivaCycle does not control Apple's processing.

3.4 Subscriptions (StoreKit 2)

If you purchase a subscription:

  • Apple processes the transaction (including payment information).
  • PrivaCycle uses StoreKit 2 on your device to check subscription entitlement/status and enable premium features.

We do not receive:

  • your payment card details
  • your billing address (unless Apple provides it to you directly as part of your Apple account; it is not shared with us)
  • your full Apple ID

We may process locally on-device information such as:

  • whether a subscription is active
  • product identifiers and transaction/receipt-related identifiers provided by StoreKit (used only on-device to enable features)

4. Information we do not collect through the app

PrivaCycle is built to avoid collecting personal data through the app. In particular, we do not collect:

  • your name, email address, or phone number (unless you choose to contact us outside the app)
  • face data, face scans, facial geometry, face templates, faceprints, or other biometric identifiers
  • precise location data
  • contacts
  • photos
  • advertising identifiers (IDFA)
  • cross-app tracking data
  • analytics events sent to a developer server
  • your period/health logs on any developer server

5. How we use information (purpose and legal basis)

PrivaCycle processes your data only to provide app functionality:

Provide core features (cycle tracking, predictions, logs)

Where: on your device

Legal basis (GDPR): performance of a contract (providing the app) / legitimate interest in providing the requested functionality

App security (PIN/biometric lock and encryption)

Where: on your device

Face ID: iOS handles Face ID. PrivaCycle uses only the success/failure result to unlock or keep locked the app.

Legal basis (GDPR): legitimate interest in protecting your data and providing the security features you enable

Optional iCloud backup/sync (CloudKit)

Where: in your iCloud account via Apple CloudKit

Legal basis (GDPR): your choice/consent to enable iCloud + performance of a contract (providing the backup/sync feature you request)

Subscriptions (unlock premium features)

Where: on your device via StoreKit 2

Legal basis (GDPR): performance of a contract (delivering purchased features)

Because we do not operate a backend for your app data, we generally do not have access to your health entries and cannot use them for our own purposes.

6. Sharing and disclosure

6.1 We do not sell or rent your data

We do not sell, rent, or monetize your period tracking data.

6.2 Third parties

PrivaCycle does not share face data or biometric data with any third party because PrivaCycle does not collect or store face data or biometric data. Face ID is handled by iOS on the device.

PrivaCycle uses Apple services that you may choose to use:

  • iCloud/CloudKit (only if you enable iCloud backup/sync)
  • StoreKit 2 (for subscriptions)

Apple's processing of information is governed by Apple's terms and privacy policy. PrivaCycle does not control Apple's systems.

6.3 Legal requirements

If required by law, we may need to respond to valid legal requests. Because PrivaCycle does not run a backend for your health data, we typically would not have your health data to disclose.

7. Data retention

  • On-device data: Stored until you delete it within PrivaCycle or uninstall the app.
  • iCloud/CloudKit data (if enabled): Stored in your iCloud account until you disable iCloud for PrivaCycle and/or delete associated iCloud data (subject to Apple's iCloud behavior and retention rules).
  • Face data / biometric data: PrivaCycle does not retain face data or biometric data because PrivaCycle does not receive, collect, store, transmit, or share it. Face ID enrollment and biometric templates are managed by iOS, not by PrivaCycle.

8. Your controls and choices

You can:

  • set or change your PIN
  • enable/disable Face ID / Touch ID for unlocking
  • enable/disable iCloud/CloudKit backup/sync in iOS settings (and/or within the app if offered)
  • delete entries in the app, or delete all app data (if the app provides a "Delete all data" option)
  • uninstall the app to remove local data

Important security consequence: If you forget your PIN (and there is no recovery mechanism), your encrypted local data may be unrecoverable by design.

9. Your GDPR rights (EEA/UK users)

Depending on your location and applicable law, you may have rights including access, rectification, deletion, restriction, objection, and portability.

Practical limitation: PrivaCycle does not maintain a server-side database of your health logs. In most cases, the way to exercise deletion/access is directly in the app (because the data is on your device / iCloud account).

You also have the right to lodge a complaint with your local data protection authority (for example, in the Czech Republic with the Office for Personal Data Protection).

10. International transfers

PrivaCycle does not transfer your health data to developer-operated servers.

If you enable iCloud/CloudKit, Apple may process and store data in locations consistent with Apple's global infrastructure and your iCloud settings/terms.

11. Children

PrivaCycle is not intended for children. If you are a parent/guardian and believe a child has used the app inappropriately, contact us through the PrivaCycle support page.

12. Changes to this policy

We may update this Privacy Policy to reflect changes in the app or legal requirements. If we make material changes, we will update the effective date above and, where appropriate, provide notice within the app or via the App Store listing.