Privacy Policy

[Your Company Name] ("we", "us", or "our") operates the STMT application (the "Service"), a symptothermal fertility tracking tool. We are committed to protecting your personal data and respecting your privacy in accordance with the Swiss Federal Act on Data Protection (nDSG) and the EU General Data Protection Regulation (GDPR).

The data controller responsible for processing your personal data is:

[Your Company Name] [Your Address] Email: [your-email@example.com]

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Service. Please read this policy carefully. By using STMT, you acknowledge that you have read and understood this Privacy Policy.

We collect the following categories of personal data:

Account Data: When you register for an account, we collect your email address, chosen display name, and a securely hashed version of your password. If you choose to set profile preferences, such as language or temperature unit, we store those as well.

Health Data (Special Category): To provide the core fertility tracking functionality, we collect and process health-related data that you voluntarily enter into the Service. This includes, but is not limited to: - Basal body temperature (BBT) readings - Cervical mucus observations (texture, consistency, appearance) - Cervix position, firmness, and openness observations - Menstrual flow data (intensity, duration, characteristics) - Physical symptoms (pain, mood, energy levels, and other tracked indicators) - Sexual activity records - Free-text notes and personal observations

Technical Data: When you use the Service, we may automatically collect certain technical information such as your IP address, browser type and version, device type, operating system, and general usage statistics. This data is collected to ensure the Service functions correctly and to improve performance.

We use your personal data for the following purposes:

Providing the Service: Your health data is used to generate fertility charts, identify cycle patterns, apply symptothermal evaluation rules, and display your tracked information back to you in a meaningful way. This is the primary purpose of data collection and the core function of the Service.

Account Management: Your account data is used to authenticate you, manage your account settings, and communicate with you about service-related matters such as password resets or critical security notifications.

Service Improvement: We may use aggregated, fully anonymized, and non-identifiable data to analyze usage patterns and improve the Service. Such anonymized data cannot be traced back to any individual user.

Legal Compliance: We may process your data where necessary to comply with applicable legal obligations, respond to lawful requests from public authorities, or establish, exercise, or defend legal claims.

We process your personal data on the following legal grounds:

Consent (GDPR Art. 6(1)(a) and Art. 9(2)(a)): The processing of your health data, which constitutes special category data under the GDPR, is based on your explicit consent. You provide this consent when you voluntarily enter health-related information into the Service. You may withdraw your consent at any time by ceasing to use the Service and requesting deletion of your data. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

Contract Performance (GDPR Art. 6(1)(b)): Processing of your account data is necessary for the performance of the contract between you and us, namely to provide you with access to and use of the Service.

Legitimate Interests (GDPR Art. 6(1)(f)): We may process technical data on the basis of our legitimate interests in maintaining the security and proper functioning of the Service, preventing fraud, and improving our product. These interests are balanced against your rights and freedoms.

Under the Swiss nDSG, processing of personal data is generally permitted unless it constitutes an unlawful breach of personality rights. For sensitive personal data, including health data, we rely on your explicit consent.

We want to be fully transparent about the nature of the data we process. The fertility-related health data you enter into STMT, including basal body temperature readings, cervical mucus observations, cervix position data, menstrual flow records, symptoms, and sexual activity logs, constitutes special category data (also referred to as sensitive personal data) under both the GDPR (Article 9) and the Swiss nDSG.

This category of data receives the highest level of legal protection because of its intimate and sensitive nature. We process this data exclusively on the basis of your explicit consent, which you provide each time you voluntarily enter health information into the Service.

We implement enhanced safeguards for this data, including: - Encryption of health data both in transit (TLS) and at rest - Strict access controls limiting who within our organization can access identifiable health data - Separation of health data from account identifiers where technically feasible - Regular security audits and vulnerability assessments

You have the right to withdraw your consent to the processing of your health data at any time. To do so, you may delete individual data entries within the Service or request complete deletion of all your health data by contacting us. Upon withdrawal of consent, we will cease processing your health data and delete it in accordance with our data retention policy, unless retention is required by law.

We take the security of your personal data very seriously. Your data is stored on secure servers located within the European Economic Area (EEA) or Switzerland. We implement appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction.

These measures include, but are not limited to: - Encryption of data in transit using TLS 1.2 or higher - Encryption of sensitive data at rest using industry-standard encryption algorithms - Secure password hashing using modern, computationally intensive hashing algorithms - Regular software updates and security patches - Access controls and authentication requirements for system administrators - Regular backups with encrypted backup storage - Monitoring for unauthorized access attempts

While we strive to protect your personal data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, but we commit to promptly notifying affected users and relevant supervisory authorities in the event of a data breach, in accordance with GDPR Article 33 and the Swiss nDSG.

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law.

Account Data: Your account data is retained for as long as your account remains active. If you delete your account, your account data will be permanently removed within 30 days, except where retention is required for legal or regulatory purposes.

Health Data: Your health data is retained for as long as your account is active and you have not withdrawn consent for its processing. Upon account deletion or withdrawal of consent, health data will be permanently deleted within 30 days.

Technical Data: Server logs and technical usage data are retained for a maximum of 90 days for security and debugging purposes, after which they are automatically purged.

Backup Retention: Data may persist in encrypted backups for up to 90 days after deletion from the primary systems. Backups are automatically overwritten on a rolling basis.

Legal Requirements: In some cases, we may be required to retain certain data for longer periods to comply with legal, tax, or regulatory obligations. In such cases, we will restrict the processing of that data to what is strictly necessary for compliance.

Under the GDPR (Articles 15 through 22) and the Swiss nDSG, you have the following rights regarding your personal data:

Right of Access (Art. 15 GDPR): You have the right to request confirmation as to whether we process your personal data and, if so, to obtain a copy of that data along with information about the purposes of processing, the categories of data concerned, and the recipients or categories of recipients.

Right to Rectification (Art. 16 GDPR): You have the right to request correction of inaccurate personal data and to have incomplete data completed. You can correct most data directly within the Service.

Right to Erasure (Art. 17 GDPR): You have the right to request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, or when the data has been unlawfully processed. You can delete individual entries within the Service or request complete account deletion.

Right to Data Portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. The Service provides an export feature to facilitate this right.

Right to Restriction of Processing (Art. 18 GDPR): You have the right to request restriction of processing in certain circumstances, for example while we verify the accuracy of contested data.

Right to Object (Art. 21 GDPR): You have the right to object to processing based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before the withdrawal.

Under the Swiss nDSG, you additionally have the right to request information about the processing of your personal data free of charge and to request that inaccurate data be corrected.

To exercise any of these rights, please contact us at [your-email@example.com]. We will respond to your request within 30 days. If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the competent supervisory authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC). In the EU, you may contact the supervisory authority in your Member State of residence.

Your personal data is primarily stored and processed within Switzerland and the European Economic Area (EEA). These jurisdictions provide a high level of data protection recognized under the GDPR.

The European Commission has recognized Switzerland as providing an adequate level of data protection (adequacy decision), meaning that transfers of personal data between the EEA and Switzerland do not require additional safeguards.

If it becomes necessary to transfer your data to a country outside of Switzerland or the EEA that does not benefit from an adequacy decision, we will ensure that appropriate safeguards are in place. These may include Standard Contractual Clauses (SCCs) approved by the European Commission, binding corporate rules, or your explicit consent. We will inform you of any such transfers and the safeguards applied.

We do not transfer your health data to countries outside Switzerland and the EEA unless absolutely necessary, and only with appropriate safeguards as described above.

The Service uses cookies and similar technologies as follows:

Essential Cookies: We use strictly necessary cookies to enable core functionality such as user authentication, session management, and security features (such as CSRF protection). These cookies are required for the Service to function and cannot be disabled.

Analytics: If we use analytics tools to understand how the Service is used, we will ensure that they are configured to respect your privacy. Where analytics cookies are used, we will obtain your consent before setting them, in compliance with applicable cookie legislation. We favor privacy-respecting analytics solutions that minimize data collection and avoid cross-site tracking.

We do not use cookies for advertising purposes, and we do not engage in behavioral advertising or user profiling for marketing.

You can manage your cookie preferences through your browser settings. Please note that disabling essential cookies may impair the functionality of the Service.

We may use a limited number of third-party services to operate and maintain the Service. These may include:

- Hosting and infrastructure providers for data storage and server operation - Email delivery services for transactional emails (such as password resets and account notifications) - Analytics providers (if applicable, as described in Section 10)

We carefully select third-party providers and require that they process your personal data only on our behalf and in accordance with our instructions. We enter into data processing agreements with all third-party processors, as required by GDPR Article 28. These agreements ensure that processors implement appropriate technical and organizational security measures and do not use your data for their own purposes.

We do not sell, trade, or rent your personal data to any third parties. We do not share your health data with third parties except as strictly necessary for the operation of the Service (for example, encrypted data stored by our hosting provider) or as required by law.

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16 years of age. This minimum age requirement is consistent with GDPR Article 8 and the Swiss nDSG provisions regarding the processing of personal data of minors.

If we become aware that we have inadvertently collected personal data from a child under 16, we will take immediate steps to delete that data from our systems. If you are a parent or guardian and believe that your child under 16 has provided us with personal data, please contact us at [your-email@example.com] so that we can take appropriate action.

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable legislation. When we make material changes to this policy, we will notify you by:

- Posting the updated policy on our website or within the Service - Updating the "Last updated" date at the top of this policy - Sending you a notification via email or an in-app notification for significant changes

We encourage you to review this Privacy Policy periodically. For changes that affect the processing of your health data or that materially reduce your rights, we will seek your renewed consent where required by applicable law. Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the updated terms.

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:

[Your Company Name] [Your Address] Email: [your-email@example.com]

If we have appointed a Data Protection Officer (DPO), you may contact them directly at: [dpo-email@example.com]

We aim to respond to all privacy-related inquiries within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the competent data protection supervisory authority:

In Switzerland: Federal Data Protection and Information Commissioner (FDPIC) Feldeggweg 1, CH-3003 Bern https://www.edoeb.admin.ch

In the EU: You may contact the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.