A Note From Our Founder
Hi, I'm the solo developer behind MyLunarPhase. I built this app because I'm passionate about women's health and believe every woman deserves tools that honor her body's natural rhythms.
I want to be crystal clear: I am not here to collect your personal information. Your health data is yours. Period.
MyLunarPhase will never sell, share, or profit from your personal data. I built this app to help, not to harvest. This privacy policy explains exactly what data exists, why, and what happens with it.
What We Store & Why
We only store what is necessary for the app to work for you:
- Email & password — So you can sign in to your account. Passwords are hashed with bcrypt and we cannot see them.
- Cycle & period data — Your period dates, cycle length, and life stage are encrypted with AES-256-GCM before being stored. Even if someone accessed our database, they could not read your cycle data.
- Mood & journal entries — Private to you. Journal notes are encrypted at the application level before storage. No one can see them, including us.
- Connected device data — If you connect health devices (like Withings, Oura, or Fitbit), we store the health measurements they send (temperature, sleep, heart rate). This data is encrypted and only used to provide you with wellness insights.
- Community posts — Fully anonymous. They cannot be traced back to your account.
- Partner sharing — Only happens if you explicitly opt in. You choose what to share and can revoke access anytime.
What We Do NOT Do
- We do not sell your data. Ever.
- We do not share your data with advertisers or data brokers.
- We do not track you across other websites or apps.
- We do not use your health data for marketing purposes.
- We do not run analytics or ad tracking on this app.
Third-Party Services We Use
To make the app work, we use a small number of trusted services. Here's exactly what each one does and what data it touches:
Supabase (Database)
Stores your account and wellness data. Hosted in the US (Oregon). Data is encrypted at rest and in transit. Supabase does not access or use your data.
Google Sign-In (Authentication)
If you choose to sign in with Google, we receive only your name and email. We do not access your Google contacts, calendar, or any other Google data.
Stripe (Payments)
Handles subscription payments. We never see or store your credit card number. Stripe is PCI-compliant and processes payments securely. We only receive confirmation that a payment was made.
Grok AI (Luna AI Chat)
Powers the Luna AI wellness chat. When you use Luna AI, your message is sent to the AI to generate a response. Conversations are not used to train AI models. Your chat history is stored in your account so you can revisit it.
Resend (Email)
Sends transactional emails like password resets and subscription confirmations. Your email address is shared with Resend solely for delivery. They do not use it for marketing.
Upstash (Rate Limiting)
Prevents abuse by limiting how many requests can be made. It only processes anonymous request counts — no personal data is sent to Upstash.
Netlify (Hosting)
Hosts the web application. Netlify may collect basic server logs (IP addresses, page visits) as part of standard web hosting. We do not add any additional tracking.
Data Security
Your health data deserves the highest level of protection. We go beyond industry standards:
- Application-level encryption (AES-256-GCM) — Your sensitive health data (period dates, cycle logs, mood notes, health device measurements) is encrypted before it reaches the database. Even if the database were breached, your data would be unreadable without the encryption key.
- Unique encryption per value — Each piece of data is encrypted with its own random initialization vector, so identical information produces completely different encrypted output.
- Encrypted in transit — All data between your device and our servers is protected with HTTPS/TLS.
- Encrypted at rest — Our database provider (Supabase) encrypts all stored data at the infrastructure level, in addition to our application-level encryption.
- Passwords are hashed — Using bcrypt, which salts each password and applies a configurable work factor ("salt rounds"). We cannot view or recover your password.
- Payment security — Credit card information is handled entirely by Stripe (PCI-compliant) and never touches our servers.
- Cross-device sync — Your cycle data syncs securely across devices so you never lose your data. All synced data is encrypted before transmission and storage.
Connected Health Devices
When you connect a health device (such as Withings, Oura Ring, Fitbit, or others):
- We use OAuth 2.0 to securely connect — we never see your device account password.
- We only request the minimum data needed (temperature, sleep, heart rate) — never contacts, location, or other unrelated data.
- Health measurements are encrypted with AES-256-GCM before storage.
- You can disconnect any device at any time from Settings, which permanently deletes all associated data.
- We do not share your device data with any third party.
Your Rights & Control
You are always in control of your data:
- Delete your account — Anytime from Settings. This permanently removes all your data.
- Export your data — Download your information before deleting if you wish.
- Revoke partner sharing — Disconnect your partner at any time from Partner settings.
- Cancel subscription — Cancel anytime. Your data stays until you choose to delete it.
Cookies
We only use essential cookies required for authentication (keeping you signed in). We do not use advertising cookies, tracking cookies, or any third-party analytics cookies.
Changes to This Policy
If we ever update this policy, we'll notify you within the app. We will never quietly change how we handle your data.
Questions?
I believe in transparency. If you have any questions about your privacy or how your data is handled, please reach out at privacy@mylunarphase.com.