Consumer Health Data Privacy Policy
Effective Date: 6 May 2026 | Last Updated: 6 May 2026
Issued by: Outfoxed Group PTY LTD | ABN: 24 657 773 889 | app.rhythms.life
Governing frameworks: Privacy Act 1988 (Cth) and Australian Privacy Principles | Washington State My Health My Data Act (RCW 19.373) | EU GDPR | UK GDPR and Data Protection Act 2018
This Consumer Health Data Privacy Policy applies to consumer health data collected by Rhythms, operated by Outfoxed Group PTY LTD (ABN available on request). It supplements our full Privacy Policy and is published in accordance with our obligations under:
- the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), which apply as our primary governing framework as an Australian entity;
- Washington State's My Health My Data Act (MHMDA, RCW 19.373), which applies to consumers in Washington State;
- the EU General Data Protection Regulation (EU GDPR), which applies to users in the European Economic Area (EEA);
- the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, which apply to users in the United Kingdom.
This policy is available at rhythms.life/consumer-health-data-privacy-policy and is linked in the Rhythms app under Profile.
1. Categories of Consumer Health Data We Collect
We collect the following consumer health data only when you voluntarily provide it through the app and only after you have given your explicit consent (see Section 4):
- First day of your last menstrual period
- Cycle length (number of days in your cycle)
- Period length (number of days your period typically lasts)
- Birth year
- Whether your periods are regular or irregular
- Daily energy levels you log through the in-app check-in feature (a 1 to 5 scale)
- Period start dates you log over time (period history)
- Daily journal entries you choose to write (any title, body text, and tagged symptoms)
We do not collect blood test results, medical diagnoses, prescription information, genetic data, biometric identifiers, or any other clinical health data.
2. Sources of Consumer Health Data
All consumer health data is collected directly and only from you. We do not obtain your health data from any third-party sources, data brokers, or other applications.
3. Purposes for Which We Collect Consumer Health Data
We collect consumer health data solely to provide the Rhythms service you have requested. Specifically, we use it to:
- Calculate your current cycle day and phase (Menstrual, Follicular, Ovulatory, or Luteal)
- Display personalised guidance relevant to your current phase, including nutrition, exercise, work and focus, fasting, and thermal recommendations
- Show your cycle calendar with predicted phase dates
- Display your period history and energy logging history
- Power the cycle calendar export feature
- Power the cycle sharing feature (if you choose to use it)
- Improve prediction accuracy over time as you log more cycle data
- Generate AI Cycle Reflections and the Insights page, summarising patterns across your journal entries, energy logs, and cycle data
We do not use your consumer health data for advertising, marketing profiling, or any purpose unrelated to providing or improving the Rhythms service. We may, however, use your data in aggregate, de-identified form to generate insights about overall usage patterns and trends, which we may publish on our website, in marketing materials, or in reports. Aggregate data is stripped of all personally identifiable information and cannot be used to identify any individual user.
4. Lawful Basis for Processing and Consent
4.1 Lawful Basis (EU GDPR and UK GDPR)
For users in the European Economic Area (EEA) and the United Kingdom, we process your personal data on the following lawful bases under EU GDPR and UK GDPR respectively:
- Article 6(1)(a) — Consent: we process your personal data on the basis of your explicit consent, given before your health data is first collected.
- Article 9(2)(a) — Explicit consent for special category data: menstrual and cycle data constitutes data concerning health under Article 9. We process this data only on the basis of your explicit, freely given, specific, informed, and unambiguous consent.
You may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
4.2 Lawful Basis (EU GDPR — Additional Detail for EEA Users)
For EEA users, we additionally rely on contractual necessity (Article 6(1)(b)) to process account and cycle data necessary to provide the service you signed up for, and legitimate interests (Article 6(1)(f)) for analytics and product improvement where our interests do not override your privacy rights. Where processing is required to comply with applicable law, we rely on legal obligation (Article 6(1)(c)).
4.3 Sensitive Information (Australian Privacy Principles)
Menstrual and cycle data is health information under the Privacy Act 1988 (Cth) and therefore sensitive information under APP 3.3. We collect sensitive information only with your express consent and only where collection is reasonably necessary to provide the Rhythms service you have requested.
4.4 Affirmative Consent (Washington MHMDA)
For users subject to Washington State's My Health My Data Act, we obtain separate and distinct affirmative consent before collecting consumer health data, as required by MHMDA.
4.5 How Consent is Obtained
Before any health data is collected, we present an in-app consent screen that:
- describes clearly what data will be collected and how it will be used;
- links to this policy and our full Privacy Policy;
- requires a positive, active action (tapping an Accept button) before proceeding;
- records the consent with a timestamp associated with your account.
You may withdraw consent at any time. Withdrawing consent requires deletion of your account, as your health data is necessary to provide the core Rhythms service. See Section 9.6.
5. Minimum Age
Rhythms is intended for users aged 18 and over. We do not knowingly collect health data from anyone under the age of 18. During account creation, users are required to confirm they are 18 or older.
If you are under 18, please do not use Rhythms or provide any personal or health data. If we become aware that we have collected data from a user under 18, we will delete it promptly. To report this, contact hello@rhythms.life.
6. Categories of Consumer Health Data We Share
6.1 With Service Providers (Data Processors)
We share consumer health data with the following service providers who process it strictly on our behalf and under our instructions. Each provider has entered into a data processing agreement (DPA) with Outfoxed Group PTY LTD:
Supabase
Role: cloud database and authentication provider. All health data is stored in Supabase's infrastructure. Supabase does not use your data for any purpose other than storing and retrieving it at our direction.
Data processing agreement: in place, including obligations consistent with the Australian Privacy Principles and UK International Data Transfer Agreement (IDTA) requirements. Supabase Privacy Policy: supabase.com/privacy
Vercel
Role: web hosting provider. Vercel processes web request data (including IP addresses) as part of standard hosting. Vercel does not receive or process your cycle or health data directly.
Data processing agreement: in place. Vercel Privacy Policy: vercel.com/legal/privacy-policy
Resend
Role: transactional email provider. Resend processes your email address to deliver service emails (account confirmation, password reset, and phase notifications if you have opted in). Resend does not receive your cycle or health data.
Data processing agreement: in place, including UK IDTA addendum. Resend Privacy Policy: resend.com/legal/privacy-policy
Google Analytics (GA4)
Role: anonymised usage analytics. GA4 collects anonymised usage data including page interactions, session information, and general device type. GA4 does not receive, and is not configured to receive, your cycle dates, phase data, energy logs, or any other consumer health data. Analytics data is used only to understand aggregate app usage patterns.
Google Privacy Policy: policies.google.com/privacy
Vercel Analytics
Role: anonymised performance monitoring. Vercel Analytics collects aggregate, anonymised web performance data. It does not receive or process any consumer health data.
Vercel Analytics Privacy Policy: vercel.com/legal/privacy-policy
Stripe
Role: subscription billing. Stripe processes payment card and billing information for Rhythms+ subscribers. Stripe does not receive, access, or process any consumer health data. Billing data and health data are entirely separate.
Stripe Privacy Policy: stripe.com/privacy
Anthropic
Role: AI processing provider for the AI Cycle Reflection and Insights features. When these features run, your recent journal entries, energy logs, and cycle data are sent to Anthropic's Claude API and processed under Anthropic's Commercial Terms of Service.
Processing region: United States. Anthropic Commercial Terms: anthropic.com/legal/commercial-terms. Anthropic Privacy Policy: anthropic.com/legal/privacy
6.2 With Recipients of Your Cycle Share (If You Use This Feature)
If you choose to generate a cycle sharing link, the recipient of that link can view your cycle phase data. This sharing is entirely at your discretion. You can revoke a share at any time from within the app. We do not know the identity of the person you share with.
6.3 No Other Sharing
We do not sell, rent, license, or otherwise share your consumer health data with advertisers, data brokers, insurance companies, employers, government bodies, or any other third parties except as described above or as required by applicable law.
7. Cross-Border Data Transfers
7.1 Australian Privacy Principles — APP 8
Outfoxed Group PTY LTD is an Australian entity. Supabase, Vercel, Resend, and Google are based in the United States. The storage and processing of your health data by these providers constitutes disclosure of personal information to overseas recipients under the Privacy Act 1988 (Cth).
We have taken reasonable steps to ensure that each overseas recipient handles your personal information in a manner consistent with the Australian Privacy Principles, including by entering into data processing agreements with APP-equivalent obligations.
Anthropic also processes data in the United States, under its Commercial Terms of Service.
7.2 EU GDPR — EEA Users
For users in the European Economic Area, transfers of personal data to countries without an EU adequacy decision (including the United States) are made on the basis of Standard Contractual Clauses (SCCs) under EU GDPR, or equivalent approved transfer mechanisms. Copies of applicable transfer agreements are available on request by contacting hello@rhythms.life.
Anthropic also processes data in the United States, under its Commercial Terms of Service.
7.3 UK GDPR — International Data Transfers
For users in the United Kingdom, transfers of personal data to our US-based service providers are governed by:
- Supabase: UK International Data Transfer Agreement (IDTA) addendum in place.
- Resend: UK International Data Transfer Agreement (IDTA) addendum in place.
- Vercel: transfers are conducted under Vercel's standard data processing terms, which include appropriate safeguards for UK data.
- Google (GA4): Google participates in the UK-US Data Bridge and standard contractual protections apply. GA4 does not process consumer health data.
- Stripe: Stripe is certified under the UK-US Data Bridge. Stripe does not process consumer health data.
- Anthropic: transfers are conducted under Anthropic's Commercial Terms of Service.
Copies of applicable data transfer agreements are available on request by contacting hello@rhythms.life.
8. Data Retention
We retain your consumer health data for as long as your Rhythms account remains active. If you delete your account, we will delete all associated consumer health data within 30 days of the deletion request.
Anonymised, aggregated data that cannot be linked back to any individual may be retained indefinitely for service improvement, publishing insights on our website, inclusion in marketing materials or reports, and other lawful purposes. This data is not consumer health data and cannot identify you.
Backup copies of deleted data may persist in encrypted backup systems for up to 90 days following deletion, after which they are permanently purged.
9. Your Rights
The rights available to you depend on the jurisdiction in which you are located. We honour all of the following rights for all users regardless of location.
9.1 Right to Confirm and Access
You may request confirmation of whether we collect, share, or sell consumer health data about you, and request access to that data, including a list of third parties with whom it has been shared.
9.2 Right to Correction
You have the right to request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading. Most cycle and energy data can be corrected directly within the app. For corrections that cannot be made in-app, contact hello@rhythms.life.
This right is provided under APP 13 (Privacy Act 1988 (Cth)) and Article 16 of EU GDPR and UK GDPR.
9.3 Right to Restrict Processing
You have the right to request that we restrict the processing of your personal data in certain circumstances, for example where you contest the accuracy of the data or object to our processing. Where processing is restricted, we will continue to store your data but will not process it further without your consent.
This right is provided under Article 18 of EU GDPR and UK GDPR.
9.4 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another service. On request, we will provide a CSV export of your logged cycle dates and energy data.
This right is provided under Article 20 of EU GDPR and UK GDPR.
9.5 Right to Object
You have the right to object to processing of your personal data where that processing is based on legitimate interests. Where we process data on the basis of consent, the appropriate mechanism is withdrawal of consent (see Section 9.6).
This right is provided under Article 21 of EU GDPR and UK GDPR.
9.6 Right to Withdraw Consent
You may withdraw your consent to our collection and use of your consumer health data at any time. Withdrawing consent requires deletion of your account, as your health data is necessary to provide the core Rhythms service. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
9.7 Right to Delete
You may request deletion of all consumer health data we hold about you. We will action deletion requests within 30 days. You can initiate this by deleting your account in the app at Profile → Delete account, by visiting rhythms.life/delete-account if you cannot sign in, or by contacting us directly at hello@rhythms.life.
When you delete your account, your data is locked immediately and permanently deleted from our production systems within 7 days. You may restore your account within those 7 days by clicking the link in the deletion confirmation email. After 7 days, the deletion is permanent and irrecoverable; encrypted backups are purged within 90 days as described in Section 8.
9.8 Automated Decision-Making
Rhythms uses automated processing to (a) calculate your current cycle day and phase, and (b) generate AI Cycle Reflections and the Insights page from your journal entries, energy logs, and cycle data. Neither produces legal or similarly significant effects within the meaning of Article 22 of the EU GDPR or UK GDPR. AI-generated content is a summary or pattern only — it is not diagnostic and does not make decisions on your behalf.
If you have concerns about how your phase is being calculated, you may contact us at hello@rhythms.life to request a manual review.
9.9 Right to Appeal (Washington MHMDA)
If we decline to action a consumer rights request, you may appeal our decision by contacting hello@rhythms.life with the subject line “Rights Request Appeal” and a description of the original request and our response. We will respond to appeals within 45 days.
If your appeal is denied, we will notify you in writing and inform you of your right to contact the Washington State Attorney General at atg.wa.gov to lodge a complaint.
9.10 How to Exercise Your Rights
To exercise any of the above rights, contact us at hello@rhythms.life. Please include your registered email address and a description of your request. We will respond within 30 days. We may need to verify your identity before processing your request.
Where a request is complex or where we receive a large number of requests, we may extend the response period by a further 60 days. If we extend, we will notify you within the initial 30-day period, explaining the reason for the delay.
10. Data Security
We implement the following measures to protect consumer health data:
- All data in transit is encrypted using TLS (HTTPS)
- Data at rest is encrypted by our hosting and database providers
- Row-level security (RLS) policies in Supabase ensure only your authenticated account can access your data
- Access to our database and infrastructure is restricted to authorised personnel only
- Authentication sessions use short-lived JWT tokens
These measures are appropriate to the volume and nature of consumer health data we handle, consistent with reasonable industry standards for wellness applications.
11. Data Breach Notification
11.1 Australian Notifiable Data Breaches Scheme
In the event of an eligible data breach under the Privacy Act 1988 (Cth) — that is, a breach involving personal information that is likely to result in serious harm to any affected individual — we will:
- notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable, and in any event within the timeframes required by the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act); and
- notify each affected individual whose information was involved in the breach and who is at likely risk of serious harm, providing a description of the breach and recommended steps they should take.
11.2 EU GDPR and UK GDPR
For breaches involving the personal data of EEA or UK users, we will:
- notify the relevant supervisory authority — the Information Commissioner's Office (ICO) for UK users, or the competent EEA supervisory authority for EEA users — within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of individuals; and
- notify affected EEA or UK users without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
11.3 Reporting a Suspected Breach
If you believe your Rhythms account has been compromised or that your data may have been accessed without authorisation, please contact us immediately at hello@rhythms.life with the subject line “Security Concern”.
12. No Sale of Consumer Health Data
We do not sell or offer to sell consumer health data. We never have and will not in the future without first obtaining your explicit authorisation as required by applicable law.
13. Supervisory Authorities and Complaints
If you are not satisfied with our response to a privacy request or complaint, you have the right to contact the relevant supervisory authority for your location:
- Australia — Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au | Phone: 1300 363 992
- United Kingdom — Information Commissioner's Office (ICO)
Website: ico.org.uk/make-a-complaint | Phone: 0303 123 1113
- European Economic Area — Your Local Data Protection Authority
EEA users may lodge a complaint with the supervisory authority in their member state. A list of EEA data protection authorities is available at edpb.europa.eu.
- Washington State, USA — Attorney General's Office
Website: atg.wa.gov | Consumer protection complaints via the AG's Consumer Protection Division
14. Updates to This Policy
We may update this policy to reflect changes in our practices or applicable law. Material changes will be communicated by email before they take effect. The current version is always available at rhythms.life/consumer-health-data-privacy-policy.
15. Contact
Outfoxed Group PTY LTD
Email: hello@rhythms.life
Web: app.rhythms.life
Response time: within 30 days of receiving your request (45 days for Washington MHMDA appeals).
Rhythms Consumer Health Data Privacy Policy v4.2 — May 2026 — Outfoxed Group PTY LTD