This Privacy Policy explains how we handle your data in the MyDaysX apps (the classic MyDaysX app and the new MyDaysX app, internal codename “MDX2”, which are being merged) and on the website blog.mydaysx.club.
Details: ControllerSupervisory authorityData, purposes & legal basesRecipientsTransfersRetentionYour rightsAutomated decisionsChildrenSecurityCookiesChanges
Christian Albert Mueller, Schwanseestr. 47, 81549 Munich, Germany · info@mydaysx.club · VAT ID: DE298983586.
We have appointed an external Data Protection Officer:
Heiko Jonny Maniero, DGD Deutsche Gesellschaft für Datenschutz · heiko.maniero@dg-datenschutz.de · Tel. +49 (0)800 62 64 376.
You have the right to lodge a complaint with a data protection supervisory authority. The authority competent for us is the Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, Germany. You may also contact the authority in your country of residence.
Period days, fertility, ovulation, symptoms, intimate events, notes, basal temperature and weight are health data (special category, Art. 9 GDPR). We process them only to provide the tracking and prediction features, on the basis of your explicit consent (Art. 9(2)(a) GDPR), given during onboarding and withdrawable at any time (turn the features off, erase your data, or delete the app). This data is stored on your device; the new app does not upload it to our servers.
Your birthdate, entered during onboarding, is stored on your device only — it is used for the 16+ age verification and optional fun features, and is never transmitted to our servers.
If you create a server backup (classic app) or restore an older backup during migration, the data is stored over an encrypted (HTTPS) connection on our server in the EU (Hetzner, Finland). Legal basis: your consent (Art. 6(1)(a), Art. 9(2)(a) GDPR). You may also create a local backup file, optionally encrypted with a passphrase.
If you enable health sync, the app reads/writes your menstrual flow and basal body temperature to Apple Health (iOS) or Health Connect (Android) on your device. This data is governed by Apple/Google, stays on your device, and is never transmitted to our servers or shared with advertising/analytics providers. You can disable sync and revoke access at any time.
We process your email only if you subscribe to our newsletter or set a recovery email, for those purposes only (Art. 6(1)(a)/(b) GDPR). The newsletter uses double opt-in (you confirm via a link) and can be unsubscribed at any time.
The classic MyDaysX app uses third-party analytics and diagnostics SDKs — Google Firebase Analytics, Google Crashlytics and GameAnalytics — and, for advertising, Google AdMob with ironSource/Unity LevelPlay mediation (incl. Unity Ads). These may process coarse device information and, where you granted the permission, approximate location. Your manually-entered cycle data is never shared with them.
The new MyDaysX app sends only anonymous, opt-in statistics to our own server in the EU (AWS, Frankfurt) — no advertising identifier, no precise location, never your name or notes, and no IP address is stored. Two separate opt-ins: (1) Anonymous product statistics — country region, app language, theme, app version and which features are used. (2) Research & data products (separate, explicit consent) — additionally coarse, irreversibly anonymous ranges and counts: cycle- and period-length ranges, cycle regularity, age band, symptom and mood frequencies per cycle phase, intimacy frequency (a count, no details), pregnancy/ovulation-test outcome counts, pregnancy starts and contraception type. These are aggregated, protected with k-anonymity and noise, may be turned into synthetic datasets, and may be shared or sold to researchers and companies — they describe patterns, never a person, and can never be traced back to you. Withdrawing either consent stops future contributions immediately and deletes unsent data on the device; already-published anonymous aggregates contain nothing traceable to you. We record the consent version and date (Art. 7 GDPR). Legal basis: your consent (Art. 6(1)(a), Art. 9(2)(a) GDPR for the on-device derivation).
Anonymous crash/error events may be sent to our EU server (AWS, Frankfurt) to fix bugs; no cycle or health data is included. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
If you use Invite Friends, we process only an anonymous, resettable install identifier and your referral code to credit invitations. We do not access your contacts. Legal basis: Art. 6(1)(b)/(f) GDPR.
The free version shows ads via Google AdMob (and its mediation), which may use an advertising identifier as described in Google’s policies. Your cycle and health data are never shared with AdMob or any ad network. Where required, advertising is shown subject to your consent.
Optional “Pro” purchases are processed by Apple App Store or Google Play. They are the merchants of record and handle the payment and any statutory withdrawal; we never receive or store your payment-card details.
The app may ask for device permissions (e.g. notifications, photos for attaching a picture to an entry, health access). Permissions are optional and used only for the stated feature; you can manage them in your device settings.
Our website serves the static pages you are reading. This website uses no advertising or analytics cookies; we only use a strictly necessary cookie to remember your cookie-consent choice, and any non-essential cookies load only after you agree via the cookie banner. See our Cookie Policy. The contact form processes the data you enter to answer your request (Art. 6(1)(b)/(f) GDPR).
If you submit a score in the optional Sky Dash mini-game, we transmit and store: a randomly generated device ID, the score, the platform (iOS/Android) and an optional player pseudonym (auto-generated, or chosen by you — letters/digits only, profanity-filtered on the device and on our server). No IP address is stored, and nothing links the score to your identity or your cycle data. Names are labels, not verified identities. Legal basis: legitimate interest (Art. 6(1)(f) GDPR — providing the game feature). You can reset the pseudonym at any time in the game.
The AI assistant answers general cycle questions. It is OFF until you explicitly agree in the app. When you ask a question, we transmit (with your explicit in-app consent): the text you typed and your cycle log — dates, cycle lengths, symptoms, measurements, moods, intimacy entries and your notes exactly as you wrote them (notes may mention other people). Photos and your name are never transmitted. Also sent: the app language and a random rate-limit ID. The question is processed by xAI Corp. (Grok) as a third-party AI provider under its own privacy policy (linked in the app before you consent). Do not include personal details in your questions; anything you type is transmitted as-is. Answers are general information, not medical advice. Nothing is stored linked to a person on our side. Legal basis: consent (Art. 6(1)(a) GDPR), revocable by simply not using the feature; the in-app opt-in can be reset by reinstalling or contacting us.
We use carefully selected providers; where required, data-processing agreements under Art. 28 GDPR are in place:
Our own servers are located in the EU. Where providers such as Google/AdMob or Apple process data outside the EU, this is based on appropriate safeguards (e.g. EU Standard Contractual Clauses or the EU-US Data Privacy Framework). For the optional AI assistant, the transmission of your typed question to xAI Corp. (USA) takes place on the basis of your explicit consent (Art. 49(1)(a) GDPR), given in the app before first use.
Cycle data stored on your device remains until you delete it or uninstall the app. Older server backups remain available for a limited migration window, then are deleted. Anonymous statistics/diagnostics are kept only as long as needed for the stated purpose. Otherwise we delete data when the purpose no longer applies and no statutory retention obligation prevents it.
Under the GDPR you have the following rights regarding your personal data:
In the app you can erase all your data directly (Settings → Privacy Dashboard → “Erase all my data”). To exercise any right, contact info@mydaysx.club; we respond without undue delay and within one month (Art. 12(3) GDPR). Exercising your rights is free of charge.
Cycle predictions are simple estimates and do not produce legal or similarly significant effects within the meaning of Art. 22 GDPR. The app is not a medical device and not a contraceptive.
The apps are intended for people aged 16 and older; you confirm your age during onboarding.
We use technical and organisational measures (HTTPS in transit, optionally encrypted backups, the app-lock password stored only as a salted hash). Absolute security of internet transmission cannot be guaranteed.
We may update this policy to reflect legal or feature changes. The current version is always available on this page.
Our detailed multilingual GDPR transparency document is available as a PDF (40+ languages), or on our Transparency Document page.
We do not sell your personal data. We disclose data only to the processors listed in section 4 (acting on our instructions), where required by law, or with your consent. Where we rely on legitimate interests (Art. 6(1)(f) GDPR) — e.g. for crash diagnostics, fraud prevention in the referral feature, and the basic operation and security of the service — our interest is to keep the apps stable, secure and improvable; we balance this against your rights and process only the minimum needed.
Providing your data is generally voluntary: cycle data is only processed if you choose to enter it, and analytics/health-sync are opt-in. Without certain data, related optional features may not work.
We do not sell your personal information, and we do not sell or share your health data. Categories we process are described in section 3 (identifiers such as a random install ID or your email if you subscribe; health information stored on your device; coarse usage data if you opt in). In the free version, advertising identifiers may be “shared” with Google AdMob for advertising as defined by California law. You can opt out: use the in-app Ad privacy options (where shown), limit ad tracking in your device settings, or remove ads entirely with Pro. California residents have the rights to know, correct, delete, port, to limit the use of sensitive personal information, and to non-discrimination for exercising these rights. Exercise them in-app (Settings → Privacy Dashboard) or via info@mydaysx.club. We honour authorized agents as provided by law.
This section serves as our Consumer Health Data Privacy Policy. Consumer health data we process: menstrual-cycle and related reproductive-health entries you create yourself in the app (see section 3.1) — collected directly from you, used solely to provide the tracking, prediction, backup, optional health-sync and optional AI-assistant features described above. We do not sell identifiable consumer health data. Properly de-identified, aggregate statistics (see section 3.5) are not consumer health data under these laws; we sell only such de-identified aggregates, we do not use it for advertising, and we do not share it with third parties except the processors listed in section 4 acting on our instructions (and, for the optional AI assistant, the anonymous summary described in section 3.13 with your consent). It stays on your device unless YOU trigger a transfer (backup, health sync, AI question). You may withdraw consent, access or delete your data at any time (in-app: Settings → Privacy Dashboard → “Erase all my data”, or email info@mydaysx.club); we respond within the timeframes required by the applicable law, and you may appeal a refusal by replying to our decision. We do not use geofencing around care facilities.