Effective Date: 11 March 2026 | Last Updated: 11 March 2026
Issued by: Outfoxed Group PTY LTD | ABN: 24 657 773 889 | team@outfoxed.co | app.rhythms.life
This Consumer Health Data Privacy Policy applies to consumer health data collected by Rhythms, operated by Outfoxed Group PTY LTD (ABN available on request). It supplements our full Privacy Policy at https://www.rhythms.life/legal and is published in accordance with our obligations under:
the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), which apply as our primary governing framework as an Australian entity;
Washington State's My Health My Data Act (MHMDA, RCW 19.373), which applies to consumers in Washington State;
the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, which apply to users in the United Kingdom.
This policy is available at https://www.rhythms.life/legal and is linked conspicuously in the Rhythms app wherever consumer health data is collected.
We collect the following consumer health data only when you voluntarily provide it through the app and only after you have given your explicit consent (see Section 4):
First day of your last menstrual period
Cycle length (number of days in your cycle)
Period length (number of days your period typically lasts)
Birth year
Whether your periods are regular or irregular
Daily energy levels you log through the in-app check-in feature (a 1 to 5 scale)
Period start dates you log over time (period history)
We do not collect blood test results, medical diagnoses, prescription information, genetic data, biometric identifiers, or any other clinical health data.
All consumer health data is collected directly and only from you. We do not obtain your health data from any third-party sources, data brokers, or other applications.
We collect consumer health data solely to provide the Rhythms service you have requested. Specifically, we use it to:
Calculate your current cycle day and phase (Menstrual, Follicular, Ovulatory, or Luteal)
Display personalised guidance relevant to your current phase, including nutrition, exercise, work and focus, fasting, and thermal recommendations
Show your cycle calendar with predicted phase dates
Display your period history and energy logging history
Power the cycle calendar export feature
Power the cycle sharing feature (if you choose to use it)
Improve prediction accuracy over time as you log more cycle data
We do not use your consumer health data for advertising, marketing profiling, or any purpose unrelated to providing the Rhythms service.
For users in the United Kingdom, we process your personal data on the following lawful bases under UK GDPR:
Article 6(1)(a) — Consent: we process your personal data on the basis of your explicit consent, given before your health data is first collected.
Article 9(2)(a) — Explicit consent for special category data: menstrual and cycle data constitutes data concerning health under Article 9. We process this data only on the basis of your explicit, freely given, specific, informed, and unambiguous consent.
You may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
Menstrual and cycle data is health information under the Privacy Act 1988 (Cth) and therefore sensitive information under APP 3.3. We collect sensitive information only with your express consent and only where collection is reasonably necessary to provide the Rhythms service you have requested.
For users subject to Washington State's My Health My Data Act, we obtain separate and distinct affirmative consent before collecting consumer health data, as required by MHMDA.
Before any health data is collected, we present an in-app consent screen that:
describes clearly what data will be collected and how it will be used;
links to this policy and our full Privacy Policy;
requires a positive, active action (tapping an Accept button) before proceeding;
records the consent with a timestamp associated with your account.
You may withdraw consent at any time. Withdrawing consent requires deletion of your account, as your health data is necessary to provide the core Rhythms service. See Section 9.6.
Rhythms is intended for users aged 18 and over. We do not knowingly collect health data from anyone under the age of 18. During account creation, users are required to confirm they are 18 or older.
If you are under 18, please do not use Rhythms or provide any personal or health data. If we become aware that we have collected data from a user under 18, we will delete it promptly. To report this, contact team@outfoxed.co.
We share consumer health data with the following service providers who process it strictly on our behalf and under our instructions. Each provider has entered into a data processing agreement (DPA) with Outfoxed Group PTY LTD:
Supabase
Role: cloud database and authentication provider. All health data is stored in Supabase's infrastructure. Supabase does not use your data for any purpose other than storing and retrieving it at our direction.
Data processing agreement: in place, including obligations consistent with the Australian Privacy Principles and UK International Data Transfer Agreement (IDTA) requirements. Supabase Privacy Policy: supabase.com/privacy
Vercel
Role: web hosting provider. Vercel processes web request data (including IP addresses) as part of standard hosting. Vercel does not receive or process your cycle or health data directly.
Data processing agreement: in place. Vercel Privacy Policy: vercel.com/legal/privacy-policy
Resend
Role: transactional email provider. Resend processes your email address to deliver service emails (account confirmation, password reset, and phase notifications if you have opted in). Resend does not receive your cycle or health data.
Data processing agreement: in place, including UK IDTA addendum. Resend Privacy Policy: resend.com/legal/privacy-policy
Google Analytics (GA4)
Role: anonymised usage analytics. GA4 collects anonymised usage data including page interactions, session information, and general device type. GA4 does not receive, and is not configured to receive, your cycle dates, phase data, energy logs, or any other consumer health data. Analytics data is used only to understand aggregate app usage patterns.
GA4 does not receive any consumer health data. Google Privacy Policy: policies.google.com/privacy
Vercel Analytics
Role: anonymised performance monitoring. Vercel Analytics collects aggregate, anonymised web performance data. It does not receive or process any consumer health data.
Vercel Analytics Privacy Policy: vercel.com/legal/privacy-policy
Stripe
Role: subscription billing. Stripe processes payment card and billing information for Rhythms+ subscribers. Stripe does not receive, access, or process any consumer health data. Billing data and health data are entirely separate.
Stripe Privacy Policy: stripe.com/privacy
If you choose to generate a cycle sharing link, the recipient of that link can view your cycle phase data. This sharing is entirely at your discretion. You can revoke a share at any time from within the app. We do not know the identity of the person you share with.
We do not sell, rent, license, or otherwise share your consumer health data with advertisers, data brokers, insurance companies, employers, government bodies, or any other third parties except as described above or as required by applicable law.
Outfoxed Group PTY LTD is an Australian entity. Supabase, Vercel, Resend, and Google are based in the United States. The storage and processing of your health data by these providers constitutes disclosure of personal information to overseas recipients under the Privacy Act 1988 (Cth).
We have taken reasonable steps to ensure that each overseas recipient handles your personal information in a manner consistent with the Australian Privacy Principles, including by entering into data processing agreements with APP-equivalent obligations.
For users in the United Kingdom, transfers of personal data to our US-based service providers are governed by:
Supabase: UK International Data Transfer Agreement (IDTA) addendum in place.
Resend: UK International Data Transfer Agreement (IDTA) addendum in place.
Vercel: transfers are conducted under Vercel's standard data processing terms, which include appropriate safeguards for UK data.
Google (GA4): Google participates in the UK-US Data Bridge and standard contractual protections apply. GA4 does not process consumer health data.
Stripe: Stripe is certified under the UK-US Data Bridge. Stripe does not process consumer health data.
Copies of applicable data transfer agreements are available on request by contacting team@outfoxed.co.
We retain your consumer health data for as long as your Rhythms account remains active. If you delete your account, we will delete all associated consumer health data within 30 days of the deletion request.
Anonymised, aggregated data that cannot be linked back to any individual may be retained indefinitely for service improvement purposes. This data is not consumer health data and cannot identify you.
Backup copies of deleted data may persist in encrypted backup systems for up to 90 days following deletion, after which they are permanently purged.
The rights available to you depend on the jurisdiction in which you are located. We honour all of the following rights for all users regardless of location.
You may request confirmation of whether we collect, share, or sell consumer health data about you, and request access to that data, including a list of third parties with whom it has been shared.
You have the right to request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading. Most cycle and energy data can be corrected directly within the app. For corrections that cannot be made in-app, contact team@outfoxed.co.
This right is provided under APP 13 (Privacy Act 1988 (Cth)) and Article 16 of UK GDPR.
You have the right to request that we restrict the processing of your personal data in certain circumstances, for example where you contest the accuracy of the data or object to our processing. Where processing is restricted, we will continue to store your data but will not process it further without your consent.
This right is provided under Article 18 of UK GDPR.
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another service. On request, we will provide a CSV export of your logged cycle dates and energy data.
This right is provided under Article 20 of UK GDPR.
You have the right to object to processing of your personal data where that processing is based on legitimate interests. Where we process data on the basis of consent, the appropriate mechanism is withdrawal of consent (see Section 9.6).
This right is provided under Article 21 of UK GDPR.
You may withdraw your consent to our collection and use of your consumer health data at any time. Withdrawing consent requires deletion of your account, as your health data is necessary to provide the core Rhythms service. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
You may request deletion of all consumer health data we hold about you. We will action deletion requests within 30 days. You can initiate this by deleting your account in the app or by contacting us directly at team@outfoxed.co.
Rhythms uses automated processing to calculate your current cycle phase and generate personalised recommendations. This calculation is based on the cycle data you provide. It does not produce legal or similarly significant effects and does not constitute automated decision-making within the scope of Article 22 of UK GDPR. No decisions are made about you on the basis of this calculation without human review.
If you have concerns about how your phase is being calculated, you may contact us at team@outfoxed.co to request a manual review.
If we decline to action a consumer rights request, you may appeal our decision by contacting team@outfoxed.co with the subject line "Rights Request Appeal" and a description of the original request and our response. We will respond to appeals within 45 days.
If your appeal is denied, we will notify you in writing and inform you of your right to contact the Washington State Attorney General at atg.wa.gov to lodge a complaint.
To exercise any of the above rights, contact us at team@outfoxed.co. Please include your registered email address and a description of your request. We will respond within 30 days. We may need to verify your identity before processing your request.
Where a request is complex or where we receive a large number of requests, we may extend the response period by a further 60 days. If we extend, we will notify you within the initial 30-day period, explaining the reason for the delay.
We implement the following measures to protect consumer health data:
All data in transit is encrypted using TLS (HTTPS)
Data at rest is encrypted by our hosting and database providers
Row-level security (RLS) policies in Supabase ensure only your authenticated account can access your data
Access to our database and infrastructure is restricted to authorised personnel only
Authentication sessions use short-lived JWT tokens
These measures are appropriate to the volume and nature of consumer health data we handle, consistent with reasonable industry standards for wellness applications.
In the event of an eligible data breach under the Privacy Act 1988 (Cth) — that is, a breach involving personal information that is likely to result in serious harm to any affected individual — we will:
notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable, and in any event within the timeframes required by the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act); and
notify each affected individual whose information was involved in the breach and who is at likely risk of serious harm, providing a description of the breach and recommended steps they should take.
For breaches involving the personal data of UK users, we will:
notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of individuals; and
notify affected UK users without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
If you believe your Rhythms account has been compromised or that your data may have been accessed without authorisation, please contact us immediately at team@outfoxed.co with the subject line "Security Concern".
We do not sell or offer to sell consumer health data. We never have and will not in the future without first obtaining your explicit authorisation as required by applicable law.
If you are not satisfied with our response to a privacy request or complaint, you have the right to contact the relevant supervisory authority for your location:
Australia — Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au | Phone: 1300 363 992
United Kingdom — Information Commissioner's Office (ICO)
Website: ico.org.uk/make-a-complaint | Phone: 0303 123 1113
Washington State, USA — Attorney General's Office
Website: atg.wa.gov | Consumer protection complaints via the AG's Consumer Protection Division
As Outfoxed Group PTY LTD does not have an establishment in the United Kingdom, we have appointed a UK representative in accordance with Article 27 of UK GDPR. The details of our UK representative are:
[UK Representative name and contact details to be inserted]
Note: UK representative appointment is in progress. This section will be updated when the appointment is confirmed. In the meantime, UK users may contact us directly at team@outfoxed.co.
We may update this policy to reflect changes in our practices or applicable law. Material changes will be communicated by email before they take effect. The current version is always available at https://www.rhythms.life/consumer-health-data-privacy-policy.
Outfoxed Group PTY LTD
Email: team@outfoxed.co
Web: app.rhythms.life
Response time: within 30 days of receiving your request (45 days for Washington MHMDA appeals).
Rhythms Consumer Health Data Privacy Policy v2.0 — March 2026 — Outfoxed Group PTY LTD
Governing frameworks: Privacy Act 1988 (Cth) | Washington State MHMDA | UK GDPR / DPA 2018