Privacy Policy for Phasa
hello@phasa.health
Effective Date: 28th October 2025  
Last Updated: 28th October 2025
Introduction
Phasa ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application.
By using Phasa, you agree to the collection and use of information in accordance with this policy.
Information We Collect
1. Account Information
  • Email address - Used for account creation and login
  • Password - Stored securely using industry-standard encryption
  • Name/Preferred name - What you'd like to be called in the app
  • Date of birth - To verify you are at least 18 years old and provide age-appropriate content
2. Identity Information (Optional)
  • Gender identity - To personalize your experience
  • Pronouns - For community interactions (you control visibility)
  • Display name - How you appear in community features
3. Health Information
Phasa collects sensitive health data to provide personalized tracking and insights:
Surgery & Medical History:
  • Surgery type (hysterectomy, endometrial ablation, etc.)
  • Surgery dates (planned or completed)
  • Surgical details (ovaries kept/removed, surgery reasons)
  • Birth control information (type, duration, bleeding patterns)
Daily Health Tracking:
  • Menstrual cycle data (period dates, duration, flow)
  • Cycle length and phase calculations
  • Moods and emotional wellbeing
  • Physical symptoms (cramping, headaches, hot flashes, spotting, etc.)
  • Energy levels
  • Vaginal discharge observations
  • Free-text health notes
Journal Entries:
  • Written reflections about your health and wellbeing
  • AI-generated insights based on your entries
4. Community Data
If you participate in our community features:
  • Posts and comments (public or anonymous based on your settings)
  • Reactions and interactions with other posts
  • Community preferences (anonymous mode, pronoun visibility)
5. Technical & Usage Data
  • Push notification tokens (to send you reminders)
  • Notification preferences (enabled/disabled, reminder times)
  • Conversation history with AI assistant
  • Device information and app usage patterns
  • Timestamps of your activities
How We Use Your Information
We use your information to:
  1. Provide Core Services:    - Track your menstrual cycles and hormonal patterns    - Generate personalized insights about your health    - Send daily reminder notifications    - Enable community features and support
  1. Improve Our App:    - Analyze usage patterns to enhance user experience    - Develop new features based on user needs    - Fix bugs and improve performance
  1. Communicate With You:    - Send transactional emails (password resets, account updates)    - Deliver push notifications for daily check-ins    - Respond to your support requests
  1. Legal Compliance:    - Comply with applicable laws and regulations    - Enforce our Terms of Service    - Protect against fraud and abuse
Third-Party Data Sharing
OpenAI (AI Assistant)
To provide AI-powered insights and support, we share de-identified health information with OpenAI, including:
  • Surgery and medical history context
  • Cycle patterns and symptom data
  • Mood trends and health observations
  • Portions of journal entries (when you interact with AI features)
What We Don't Share: We do not send your name, email address, account ID, date of birth, or other personal identifiers to OpenAI. Your conversations with the AI are based solely on your health patterns, not your identity.
OpenAI's Data Use: OpenAI processes this anonymized health data to generate personalized insights. As of our last update, OpenAI does not use API data to train their models. Data may be retained for up to 30 days per their data retention policies.
Analytics & Infrastructure Services
We use third-party services to operate our app:
  • Supabase - Database and authentication infrastructure
  • Expo - Mobile app development platform
These services may collect technical and usage data to provide their services. We select service providers that maintain strong privacy and security practices.
We DO NOT:
  • Sell your personal information to third parties
  • Share your health data with advertisers
  • Use your data for marketing purposes without consent
  • Share identifiable information with AI providers
Data Security
We take data security seriously:
Encryption: All data is encrypted in transit (HTTPS/TLS) and at rest   Authentication: Secure password hashing and token-based authentication   Access Controls: Row-level security policies restrict data access to your own data   Regular Backups: Your data is regularly backed up securely   Secure Infrastructure: Hosted on enterprise-grade cloud infrastructure with industry-standard security practices
However, no method of transmission over the internet is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.
Your Privacy Rights & Controls
In-App Controls
  • Anonymous Mode: Hide your identity in community features
  • Pronoun Visibility: Control whether pronouns are shown publicly
  • Notification Settings: Enable/disable and customize reminders
  • Data Export: Request a copy of your data
  • Account Deletion: Delete your account and all associated data from settings
Legal Rights (Depending on Your Location)
Under GDPR (EU/UK users):
  • Right to access your data
  • Right to rectification (correct inaccurate data)
  • Right to erasure ("right to be forgotten")
  • Right to data portability
  • Right to restrict processing
  • Right to object to processing
  • Right to withdraw consent
  • Right to lodge a complaint with a supervisory authority
Under CCPA (California users):
  • Right to know what personal information is collected
  • Right to know whether personal information is sold or disclosed
  • Right to delete personal information
  • Right to opt-out of sale of personal information (we don't sell your data)
  • Right to non-discrimination for exercising privacy rights
Under Other State Laws: If you reside in Virginia, Colorado, Connecticut, Utah, or other states with privacy laws, you may have additional rights.
To exercise your rights, contact us at: hello@phasa.health
We will respond to your request within the timeframe required by applicable law (typically 30-45 days).
Data Retention
  • Active Accounts: We retain your data for as long as your account is active and as needed to provide services
  • Deleted Accounts: Upon account deletion, all personal data is permanently deleted within 30 days
  • Backups: Deleted data may persist in encrypted backups for up to 90 days before permanent removal
  • Legal Obligations: We may retain certain data longer if required by law or to resolve disputes
Children's Privacy
Phasa is not intended for children under 18. We do not knowingly collect personal information from children under 18. If you believe a child under 18 has provided us with personal information, please contact us immediately and we will take steps to delete such information.
Age Verification: During sign-up, we verify that users are at least 18 years old.
Health Information & Medical Disclaimer
Important Notices:
Not a Medical Device: Phasa is a personal health tracking tool and is not a medical device. It does not provide medical advice, diagnosis, or treatment.
Not HIPAA Covered: While Phasa collects health information, we are not a HIPAA-covered entity (healthcare provider, health plan, or healthcare clearinghouse). The app is not intended to replace medical care.
Consult Healthcare Providers: Always consult with qualified healthcare providers for medical decisions. If you experience a medical emergency, call emergency services immediately.
No Doctor-Patient Relationship: Using Phasa does not create a doctor-patient relationship.
International Data Transfers
Your information may be transferred to and processed in countries other than your own, including the United States. These countries may have data protection laws different from your country.
We ensure appropriate safeguards are in place:
  • Standard contractual clauses approved by the European Commission (for EU data)
  • Adequacy decisions where applicable
  • Your explicit consent where required
California Shine the Light Law
California residents may request information about our disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.
Do Not Track Signals
Some browsers have "Do Not Track" features. Our app does not currently respond to Do Not Track signals.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:
  • Posting the updated Privacy Policy in the app
  • Updating the "Last Updated" date at the top
  • Sending you an in-app notification or email (for significant changes)
  • Requiring you to review and accept major changes before continued use
Your continued use of Phasa after changes become effective constitutes acceptance of the updated policy.
We encourage you to review this Privacy Policy periodically.
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices:
Email: hello@phasa.health