
Privacy Policy

Effective Date: 11 March 2026  |  Last Updated: 11 March 2026

Issued by: Outfoxed Group PTY LTD  |  ABN: 24 657 773 889  |  team@outfoxed.co  |  app.rhythms.life

Introduction

Rhythms is a menstrual cycle tracking and lifestyle optimisation application operated by Outfoxed Group PTY LTD, a company incorporated in Australia. We are committed to protecting the privacy of everyone who uses our app and website.

We will never sell, rent, or on-sell your personal data to any third party, including advertisers or data brokers.

This Privacy Policy explains what personal information we collect, why we collect it, how it is used and stored, with whom it is shared, and what rights you have. It applies to all versions of the Rhythms application, including the web app at app.rhythms.life and any future mobile applications.

We are subject to the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) as our primary governing framework. Where our services are accessed by users in the European Economic Area, we also comply with EU GDPR. Where our services are accessed by users in the United Kingdom, we comply with UK GDPR and the Data Protection Act 2018. This policy constitutes the required notification under APP 5 of the Australian Privacy Principles.

Health data consent: By creating an account you agree to our collection of standard account data (email address, password) as described in this policy. Menstrual cycle data, energy logs, and other health data are collected only after you provide separate, explicit consent through the in-app consent screen presented before health data is first entered. Health data consent is independent of and additional to your account creation. You may withdraw health data consent at any time.

1.  Information We Collect

We collect the following categories of information when you use Rhythms. Cycle and health data is marked as such; all other data is standard personal information. Cycle data is required for the app to function; some other data categories are optional and marked accordingly below.

1.1  Account Information

When you create an account, we collect:

  • Your email address
  • A password (stored as a hashed, irreversible value — we never store your raw password)
  • If you sign in with Google: your Google account name, email address, and profile picture as provided by Google OAuth (optional — you may use email/password or magic link instead)
  • If you use magic link / passwordless sign-in: your email address only

1.2  Cycle and Health Data

This data is health information. It is collected only after you provide explicit consent through the separate in-app consent screen. We collect only what you voluntarily provide:

  • First day of your last menstrual period
  • Cycle length and period length
  • Birth year
  • Whether your periods are regular or irregular
  • Energy levels logged through the daily check-in feature (1 to 5 scale)
  • Any cycle or period dates you log over time (period history)

We do not collect blood test results, medical diagnoses, prescription information, or any other clinical health data.

Cycle and health data is subject to additional protections. See Section 11 and the Consumer Health Data Privacy Policy, available at https://www.rhythms.life/legal.

1.3  Usage and Interaction Data

We collect information about how you interact with the app in order to improve the product and personalise your experience:

  • Pages and features you visit and how long you spend on them
  • Buttons and actions you interact with
  • Feature usage frequency (e.g., how often you log energy, visit the calendar)
  • Session start and end times

1.4  Technical and Device Data

Collected automatically by our infrastructure:

  • IP address (logged by Vercel, our hosting provider — see Section 4)
  • Browser type and version
  • Operating system
  • Device type (desktop, tablet, mobile)
  • Referring URL (the page you came from before arriving at Rhythms)
  • Error logs and crash reports

1.5  Communications Data

If you opt in to email communications, or if you contact us directly:

  • Your email address, for transactional emails (account confirmation, password reset, phase change reminders if opted in) via our email provider, Resend
  • Content of any emails or support messages you send to us

We do not send marketing emails without your explicit opt-in. You may unsubscribe from non-essential communications at any time.

1.6  Cycle Sharing Data

If you use the cycle sharing feature:

  • A record that a share was created and its status (active or revoked)
  • The date the share was created

We do not collect the identity of the person you share a link with. No personal data about third parties is collected through this feature.

2.  How We Use Your Information

2.1  Providing and Personalising the App

  • To calculate your current cycle day and phase based on your inputs
  • To display personalised guidance cards tailored to your phase (nutrition, exercise, work and focus, fasting, thermal)
  • To show your cycle history and energy logging history
  • To generate your cycle calendar and calendar export
  • To power the cycle sharing feature

2.2  Account Management

  • To create and maintain your user account
  • To authenticate your identity when you sign in
  • To send transactional emails via Resend: account confirmation, password reset, and similar service communications

2.3  Product Improvement

  • To understand how users interact with features so we can improve the product
  • To identify bugs, errors, and performance issues
  • To make decisions about which features to build or prioritise

2.4  Analytics

  • To measure aggregate usage patterns using Google Analytics (GA4) and Vercel Analytics
  • Analytics data is anonymised or pseudonymised where possible and is used in aggregate. We do not use analytics to build individual user profiles for advertising purposes. Analytics cookies are served to UK users only with prior consent under UK PECR. See Section 5.

2.5  Safety and Legal Compliance

  • To detect, investigate, and prevent fraudulent or unauthorised use of the app
  • To comply with applicable laws and regulations in Australia and other jurisdictions where we operate
  • To enforce our Terms and Conditions

3.  Lawful Basis for Processing

3.1  Australia — Privacy Act 1988 (Cth)

As an Australian entity, we process personal information in accordance with the Australian Privacy Principles.

  • Standard personal information (account data, usage data): collected on the basis that it is reasonably necessary to provide the Rhythms service you have requested.
  • Sensitive information / health data (cycle data, energy logs): collected only with your express consent under APP 3.3, given through the separate in-app consent screen presented before health data is first entered. You may withdraw this consent at any time by deleting your account.

3.2  European Economic Area — EU GDPR

For users in the EEA, we process personal data on the following legal bases:

  • Contractual necessity (Article 6(1)(b)): processing account data, cycle data, and usage data is necessary to provide the service you signed up for.
  • Consent (Article 6(1)(a) and Article 9(2)(a)): for health data (special category data under Article 9), we rely on your explicit consent given through the in-app consent screen. You may withdraw consent at any time by deleting your account.
  • Legitimate interests (Article 6(1)(f)): for analytics and product improvement, where our interests in improving the product do not override your privacy rights.
  • Legal obligation (Article 6(1)(c)): where processing is required to comply with applicable law.

3.3  United Kingdom — UK GDPR

For users in the United Kingdom, we process personal data under the same legal bases as set out in Section 3.2, applied under UK GDPR and the Data Protection Act 2018 rather than EU GDPR. For health data, we rely on explicit consent under UK GDPR Article 9(2)(a) and the corresponding Schedule 1 condition of the Data Protection Act 2018.

Because menstrual and reproductive health data constitutes special category health data, we apply heightened protections throughout our systems. It is never processed for advertising or shared with third parties for commercial purposes.

4.  Service Providers and Third Parties

We use the following third-party service providers to operate Rhythms. These providers process data only on our behalf and under our instructions. We have entered into data processing agreements (DPAs) with each provider. We do not sell or rent your personal data to any third party.

4.1  Supabase — Database and Authentication

All user data — including your account information, cycle data, energy logs, and cycle history — is stored in Supabase, a secure cloud database service. Supabase also handles authentication for email/password and magic link sign-ins. Supabase processes your data as a data processor under our instructions.

DPA in place: yes, including obligations consistent with the Australian Privacy Principles and UK IDTA requirements.

Supabase Privacy Policy: supabase.com/privacy

4.2  Vercel — Hosting and Delivery

The Rhythms web application is hosted on Vercel. Vercel automatically receives and logs technical data including IP addresses and request metadata for every web request. Vercel does not receive your cycle or health data.

DPA in place: yes.

Vercel Privacy Policy: vercel.com/legal/privacy-policy

4.3  Google — OAuth and Analytics

Google Sign-In (OAuth): if you choose to sign in with Google, Google provides us with your name, email address, and profile picture from your Google account. We do not receive your Google password or access to any other Google services.

Google Analytics (GA4): we use GA4 to understand how users interact with the app. GA4 uses cookies and similar tracking technologies to collect anonymised usage data. This data is sent to Google's servers. Google Analytics does not identify individual users by name, and is not configured to receive any cycle, phase, energy, or other health data. GA4 is subject to cookie consent for UK users under PECR. You can opt out at tools.google.com/dlpage/gaoptout.

Google Privacy Policy: policies.google.com/privacy

4.4  Resend — Transactional Email

We use Resend to deliver transactional emails: account confirmation, password reset, and cycle phase notification emails if you opt in. Resend processes your email address solely for delivering these emails. Resend does not receive your cycle or health data.

DPA in place: yes, including UK IDTA addendum.

Resend Privacy Policy: resend.com/legal/privacy-policy

4.5  Stripe — Subscription Billing

We use Stripe for subscription payment processing. When you subscribe to Rhythms+, Stripe collects and processes your payment information (including name, email, and billing details) directly and securely on our behalf. We do not store your card details on our own servers. Stripe retains your payment method to process recurring subscription charges. Stripe may also collect device and usage data for fraud prevention. Stripe is PCI-DSS compliant.

Stripe does not receive, access, or process any consumer health data. Billing data and health data are entirely separate systems.

Stripe Privacy Policy: stripe.com/privacy

4.6  No Other Third-Party Sharing

We do not share your personal data with advertisers, data brokers, market research firms, or any other third parties beyond those listed in this section. We do not build advertising profiles using your health data.

5.  Cookies and Tracking Technologies

We and our service providers use cookies and similar technologies to operate the app and understand how it is used.

5.1  Essential Cookies

These are required for the app to function and cannot be disabled without breaking core functionality:

  • Session cookies: to keep you signed in during your session, managed by Supabase Auth. Supabase deploys on AWS; your session data may be stored on servers outside Australia.
  • Authentication tokens: stored in your browser to maintain your login state between visits

5.2  Analytics Cookies

Google Analytics (GA4) uses cookies to collect anonymised information about how you use the app, such as pages visited and time on page. Vercel Analytics may also collect anonymised technical metrics.

UK users: analytics cookies are served to UK users only with prior consent, in accordance with the UK Privacy and Electronic Communications Regulations (PECR). A cookie consent mechanism is presented before analytics cookies are set for UK users.

All users: you can opt out of GA4 analytics tracking using the Google Analytics Opt-out Browser Add-on at tools.google.com/dlpage/gaoptout or by adjusting your browser's cookie settings.

5.3  No Advertising Cookies

We do not use advertising or retargeting cookies. We do not allow third-party advertisers to place cookies through Rhythms.

6.  Data Storage and Security

6.1  Where Your Data is Stored

Your data is stored securely by Supabase. Depending on Supabase's server configuration, data may be hosted in the United States or another jurisdiction outside Australia. We take steps to ensure that cross-border data transfers comply with applicable law, including the Australian Privacy Principles (APP 8) and the applicable GDPR transfer mechanisms for EEA and UK users respectively. See Section 10.

6.2  Security Measures

  • Passwords are hashed using industry-standard algorithms — raw passwords are never stored
  • All data in transit is encrypted using TLS (HTTPS)
  • Data at rest is encrypted by our hosting and database providers
  • Row-level security (RLS) policies in Supabase ensure users can only access their own data
  • Authentication sessions are managed with short-lived JWT tokens
  • Access to our database and infrastructure is restricted to authorised personnel only

No method of electronic storage or internet transmission is completely secure, and we cannot guarantee the absolute security of your data.

6.3  Data Breach Notification

Australian Notifiable Data Breaches scheme: in the event of an eligible data breach — one involving personal information likely to result in serious harm — we will notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable under Part IIIC of the Privacy Act 1988 (Cth), and notify affected individuals where required.

UK GDPR: for breaches involving the personal data of UK users, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a breach likely to result in a risk to the rights and freedoms of individuals, and notify affected UK users without undue delay where the risk is high.

Reporting a breach: if you believe your account has been compromised, contact team@outfoxed.co immediately with the subject line "Security Concern".

7.  Data Retention

We retain your personal data only for as long as necessary to provide the service, or as required by law.

  • Account data (email, name): retained for the life of your account; deleted within 30 days of account deletion
  • Cycle and health data: retained for the life of your account; deleted within 30 days of account deletion
  • Energy logs: retained for the life of your account; deleted within 30 days of account deletion
  • Server and access logs (Vercel): retained according to Vercel's standard retention policy (typically up to 30 days for log data)
  • Analytics data (GA4): retained according to GA4 data retention settings (typically 14 months by default)
  • Encrypted backup copies: may retain your data for up to 90 days after account deletion, after which they are permanently purged

You can request deletion of your data at any time by contacting team@outfoxed.co or by deleting your account in the app. See Section 9 for your full rights.

8.  Children's Privacy

Rhythms is intended only for individuals who are 18 years of age or older. We do not knowingly collect personal data from anyone under 18. During account creation, users are required to confirm they are 18 or older.

If you are under 18, you must not create an account or use the app. If we become aware that we have collected personal data from a person under 18, we will delete that information as soon as reasonably practicable.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at team@outfoxed.co.

9.  Your Privacy Rights

Depending on your jurisdiction, you have the following rights regarding your personal data. We will respond to all valid requests within 30 days.

9.1  Rights Under the Australian Privacy Act (All Users)

  • Access: you may request a copy of the personal information we hold about you
  • Correction: you may request that we correct inaccurate or incomplete personal information. Most cycle data can be corrected directly in the app
  • Deletion: you may request deletion of your personal data (subject to any legal obligations requiring us to retain it)
  • Complaint: you have the right to make a complaint to the OAIC if you believe we have mishandled your personal information — see oaic.gov.au

9.2  Additional Rights for EEA and UK Users (EU GDPR and UK GDPR)

If you are located in the EEA or United Kingdom, you additionally have the following rights:

  • Restriction of processing (Article 18): request that we limit how we process your data in certain circumstances, for example where you contest accuracy
  • Data portability (Article 20): receive your personal data in a structured, commonly used, machine-readable format (CSV export of your cycle dates, period history, and energy log data — available from account settings or on request)
  • Right to object (Article 21): object to processing based on legitimate interests, including analytics
  • Withdraw consent (Article 7): withdraw consent at any time where processing is based on consent — withdrawal does not affect the lawfulness of processing before withdrawal
  • Automated decision-making (Article 22): Rhythms uses automated processing to calculate your cycle phase. This calculation does not produce legal or similarly significant effects and does not constitute automated decision-making within the scope of Article 22. If you have concerns about how your phase is being calculated, you may request a manual review by contacting team@outfoxed.co
  • Lodge a complaint: with your local data protection authority (e.g., the ICO in the UK at ico.org.uk, or the relevant supervisory authority in your EEA member state)

9.3  How to Exercise Your Rights

To exercise any of the rights above, contact us at team@outfoxed.co. Please include your registered email address and a description of your request. We may need to verify your identity before processing your request. We will not charge a fee for reasonable requests.

Where a request is complex or numerous, we may extend the response period by a further 60 days, notifying you within the initial 30-day period.

10.  Cross-Border Data Transfers

As an Australian company using cloud-based infrastructure, your data may be transferred to and stored in countries outside Australia, including the United States.

10.1  Australian Law (APP 8)

Before disclosing personal information to overseas recipients, we take reasonable steps to ensure those recipients handle your information consistently with the Australian Privacy Principles. This includes entering into data processing agreements with APP-equivalent obligations with Supabase, Vercel, Resend, and Google.

10.2  EU GDPR — EEA Users

For EEA users, transfers to countries without an EU adequacy decision (including the United States) are made on the basis of Standard Contractual Clauses (SCCs) under EU GDPR, or equivalent approved transfer mechanisms.

10.3  UK GDPR — UK Users

For UK users, transfers to the United States require UK-specific transfer mechanisms, which differ from EU SCCs:

  • Supabase: UK International Data Transfer Agreement (IDTA) in place
  • Resend: UK International Data Transfer Agreement (IDTA) in place
  • Vercel: covered by Vercel's standard data processing terms including appropriate UK safeguards
  • Google (GA4 / OAuth): Google participates in the UK-US Data Bridge; standard contractual protections apply
  • Stripe: Stripe is certified under the UK-US Data Bridge

Copies of applicable transfer agreements are available on request by contacting team@outfoxed.co.

10.4  UK

UK users may contact us directly at team@outfoxed.co.

11.  Health Data — Additional Protections

Menstrual cycle data, reproductive health data, and energy data you enter into Rhythms constitute health information under the Privacy Act 1988 (Cth) and sensitive personal data or special category data in other jurisdictions. This data is subject to heightened protections and the additional rights described in the Consumer Health Data Privacy Policy, available at https://www.rhythms.life/consumer-health-data-privacy-policy. 

Washington State users: the Consumer Health Data Privacy Policy is issued in accordance with the Washington State My Health My Data Act (MHMDA, RCW 19.373) and contains additional rights specific to MHMDA, including the right to appeal a declined request and the affirmative consent requirements.

We apply the following additional protections to health data:

  • Health data is collected only after you provide separate explicit consent through the in-app consent screen
  • Health data is never used for advertising targeting or sold to third parties
  • Health data is stored with row-level security ensuring only your authenticated session can access it
  • Health data is not shared with your employer, insurer, government bodies, or any other third party except where legally required
  • You can delete all your health data at any time by deleting your account

This is a wellness and lifestyle app, not a medical device. Rhythms does not diagnose conditions, recommend medications, or replace professional medical advice. All guidance is general and informational only. See Section 12.

12.  Medical Disclaimer

The information and guidance provided by Rhythms, including phase-specific recommendations for nutrition, exercise, fasting, work, and thermal protocols, is for general wellness and educational purposes only. It does not constitute medical advice, clinical guidance, or a substitute for the advice of a qualified healthcare professional.

Rhythms is not a medical device and as such has not been cleared or approved by the Therapeutic Goods Administration (TGA), the US Food and Drug Administration (FDA), or any other regulatory body as a medical or diagnostic product.

You should not use Rhythms as the basis for any medical decision. Always consult a qualified medical professional before making changes to your diet, exercise routine, medication, or health management, particularly if you have an existing medical condition.

Rhythms is not suitable for and should not be used by:

  • Individuals under 18 years old
  • Pregnant or breastfeeding women (the app does not account for these conditions)
  • People with eating disorders, without medical supervision
  • People with serious underlying conditions, without medical supervision

Nothing in this disclaimer excludes liability that cannot be excluded under applicable law.

13.  California Privacy (CCPA / CPRA)

Rhythms does not sell or share personal information for cross-context behavioural advertising purposes. This means that many of the opt-out rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) are not triggered for most users.

If you are a California resident and have questions about your privacy rights, please contact us at team@outfoxed.co. We will assess whether CCPA / CPRA applies based on the applicable business thresholds and will respond accordingly.

14.  Links to Third-Party Websites

Rhythms may contain links to third-party websites or services. We are not responsible for the privacy practices of those websites. We encourage you to review the privacy policy of any third-party site you visit.

15.  Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make changes, we will:

  • Update the "Last Updated" date at the top of this policy
  • Post the updated policy at https://www.rhythms.life/legal
  • For material changes to how standard personal data is processed, notify existing users by email before the changes take effect
  • For material changes to how health data is collected or used: we will seek fresh explicit consent before the new processing begins. We will not rely on continued app use as acceptance of material changes to health data processing.

16.  Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact:

Outfoxed Group PTY LTD

Privacy and Data Enquiries

Email: team@outfoxed.co

App: app.rhythms.life

ABN: 24 657 773 889

We aim to respond to all enquiries within 5 business days and all formal rights requests within 30 days.

Appendix A — Key Definitions

  • Personal Data / Personal Information: any information that relates to an identified or identifiable individual.
  • Health Data / Special Category Data / Sensitive Information: data concerning a person's physical or mental health, including menstrual and reproductive health data. In Australia, this is "sensitive information" under the Privacy Act; in the UK and EEA it is "special category data" under GDPR.
  • Processing: any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
  • Controller: the entity that determines the purposes and means of processing personal data — in this case, Outfoxed Group PTY LTD.
  • Processor: a third party that processes personal data on behalf of the controller, under the controller's instructions (e.g., Supabase, Vercel, Resend).
  • EU GDPR: General Data Protection Regulation — EU privacy law applicable to processing of personal data of EEA residents.
  • UK GDPR: the retained EU law version of the GDPR as it applies in the United Kingdom following Brexit, as amended by the Data Protection Act 2018.
  • APP: Australian Privacy Principles — 13 principles under the Australian Privacy Act 1988 governing the handling of personal information.
  • MHMDA: My Health My Data Act — Washington State law governing consumer health data (RCW 19.373). See the Consumer Health Data Privacy Policy at app.rhythms.life/health-data-privacy.
  • UK IDTA: UK International Data Transfer Agreement — the UK mechanism for transferring personal data to countries outside the UK that do not have an adequacy decision, replacing EU Standard Contractual Clauses for UK transfers.
  • PECR: Privacy and Electronic Communications Regulations — UK law governing use of cookies and electronic communications, including the requirement for prior consent for analytics cookies.

© 2026 Outfoxed Group PTY LTD. All rights reserved.

Rhythms Privacy Policy v3.0 — March 2026 — Outfoxed Group PTY LTD

Governing frameworks: Privacy Act 1988 (Cth)  |  EU GDPR  |  UK GDPR / DPA 2018 / PECR  |  Washington State MHMDA