Legal
Privacy Policy
InRhythm is operated by [ENTITY NAME] ("we", "us", "our"). Our registered address is [ADDRESS], England.
We are registered with the UK Information Commissioner's Office (ICO), registration reference [ICO REF].
This policy explains how we handle your information when you use InRhythm at app.inrhythm.me.
The most important thing to know first
InRhythm works in two ways, and they are very different for your privacy.
Without an account (local mode)
You can use InRhythm without signing up. When you do, everything you log — your medication, symptoms, hydration, weight, and all other entries — stays on your device. It is stored in your browser and is never sent to us, never stored on our servers, and never shared with anyone.
We cannot see this data, and we have no way to access or recover it. It is yours, on your device, full stop.
The only information we handle in local mode is the standard technical data any website receives when you open it — see Local mode: what we actually handle below.
With an account (synced mode)
When you create an account, InRhythm syncs your data across your devices and backs it up. To do this, your data is stored on our database and passes through the processors listed under Processors. This is when we become responsible for your health data as a "data controller", and most of this policy applies.
iOS app: iCloud sync (an additional option)
If you use the InRhythm iOS app, there is a third option: iCloud sync. If you choose it, your health data is stored in your personal iCloud Private Database — an Apple service that only you can access. We have no access to that data, and it does not pass through our servers or any of the processors listed in this policy.
In this case, we are not a data controller for your health logs. They are governed by Apple's Privacy Policy. The limited technical data described under Local mode: what we actually handle (IP address, device type) still applies when you open the app.
If you want your iOS data to also be accessible on the InRhythm web app (app.inrhythm.me), or on non-Apple devices, you must choose Supabase sync instead — iCloud sync is Apple-device only.
The rest of this policy is organised around these two modes (local and synced). Read the section that applies to how you use InRhythm. If you use iCloud sync on iOS, the local mode section most closely describes your situation — your health data stays out of our hands.
Local mode: what we actually handle
When you use InRhythm without an account, your health logs never reach us. The only data processed on our behalf is the technical information required to deliver the app to your browser:
| Data | Who handles it | Why |
|---|---|---|
| IP address | Vercel (our hosting provider) | To serve you the app and protect against abuse. Held in standard server logs. |
| Browser and device type | Vercel | App compatibility. Held in standard server logs. |
We do not store this technical data ourselves, we do not link it to you, and we do not use analytics, tracking, or advertising cookies of any kind.
Your health entries in local mode:
- Are stored only in your browser's local storage on the device you are using
- Are not transmitted to us or anyone else
- Are not backed up — if you clear your browser data, switch devices, or lose your device, the data is gone and we cannot recover it
- Can be deleted at any time by clearing the app's data in Settings, or by clearing your browser storage
Because your health data is created and stored only on your device and is never transmitted to us, we do not hold, access, or control it. We therefore do not consider ourselves the controller of this on-device data. We remain the controller only of the limited technical data described in the table above.
If you later create an account, the data currently on your device can be synced to your new account. At that point this data becomes covered by the synced mode sections below, and we ask for your explicit consent before that happens.
Synced mode: when you have an account
Everything from here applies when you are signed in to an InRhythm account.
What data we collect
Data you provide directly
| Data | When collected | Category |
|---|---|---|
| Email address | Account registration | Personal data |
| GLP-1 medication name, dose, injection date | Dose logging | Health data (special category) |
| Hydration intake (ml) | Hydration logging | Health data (special category) |
| Protein intake (g) | Nutrition logging | Health data (special category) |
| Body weight (optional) | Progress tracking | Health data (special category) |
| Symptom logs (e.g. nausea, fatigue) | Symptom tracking | Health data (special category) |
| Menstrual cycle data (optional, if perimenopause mode enabled) | Cycle tracking | Health data (special category) |
| HRT medication data (optional, if HRT mode enabled) | Dose tracking | Health data (special category) |
| Strength training activity (optional) | Activity tracking | Health data (special category) |
| Bug reports and support messages (optional) | When you explicitly submit a bug report or support request | Personal data (device type, app context; no health data) |
Most of what you log in InRhythm is special category data (health data) under UK GDPR Article 9. We treat it with the higher level of protection the law requires, and we only process it with your explicit consent (see Lawful basis).
Providing this data is entirely optional. Without it, InRhythm cannot show you personalised history or guidance, but you can still use the app.
Data collected automatically
| Data | Purpose | Held by |
|---|---|---|
| IP address | Security and abuse prevention | Supabase, Vercel (not stored by us) |
| Browser and device type | App compatibility | Vercel (not stored by us) |
| Sync and activity timestamps | Keeping your devices in sync | Supabase |
We do not use analytics services. We do not place advertising or tracking cookies. We do not sell your data. We do not use your data to train AI models.
Lawful basis for processing
Your email address
We process your email address on the basis of contract (UK GDPR Article 6(1)(b)) — it is necessary to give you an account and send you sign-in and account emails.
Your health data
We process your medication, symptom, hydration, nutrition, weight, menstrual cycle, HRT, and activity data on the basis of your explicit consent (Article 9(2)(a)).
You give explicit consent when you:
- Create an account and choose to sync your health data, and
- Enable optional features (perimenopause mode, HRT mode), each of which shows a specific consent prompt before any data is collected
You can withdraw consent at any time by deleting your account (Settings → Delete account). Withdrawing consent does not affect the lawfulness of anything we did before you withdrew it.
Optional product emails
If you opt in to product update emails, we send them only with your consent (Article 6(1)(a)). Marketing emails require consent under the Privacy and Electronic Communications Regulations (PECR), and you can withdraw it at any time using the unsubscribe link in any such email.
How we use your data
| Purpose | Data used | Lawful basis |
|---|---|---|
| Provide the InRhythm app and your account | All data you log | Contract / Explicit consent |
| Send sign-in and account emails | Email address | Contract |
| Sync your data across your devices | All logged data | Explicit consent |
| Derive in-app guidance (e.g. dose phase, nudges) | Health logs | Explicit consent |
| Send optional product update emails | Email address | Consent (opt out anytime) |
Processors
These are the third parties who handle your data on our behalf when you use an account. Each is bound by a written contract that meets UK GDPR Article 28 to process your personal data only on our documented written instructions and to keep it secure.
| Processor | Role | Location | Transfer safeguard |
|---|---|---|---|
| Supabase Inc. | Database and authentication | EU (Ireland) | None needed — within the EEA |
| Brevo SAS | Sign-in and product emails | EU (France) | None needed — within the EEA |
| Vercel Inc. | App hosting and content delivery | US (and global edge network) | UK International Data Transfer Agreement (IDTA) |
| PowerSync (JourneyApps) | Cross-device data sync | US | UK International Data Transfer Agreement (IDTA) |
| Linear Orbit, Inc. | Bug reports and support ticket submissions (user-initiated only) | US | UK IDTA [PLACEHOLDER: verify Linear DPA] |
Where data is transferred outside the UK (to Vercel, PowerSync, and Linear in the US), we rely on the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, as the appropriate safeguard under UK GDPR Article 46.
Linear receives data only when you explicitly submit a bug report or support message in the app. This data includes your device and browser type, the page you were on, and optionally a support message you write. Linear does not receive health data.
Processor privacy and data-processing terms:
- Supabase DPA
- Vercel DPA
- Brevo DPA
- PowerSync privacy policy
- Linear DPA [PLACEHOLDER: verify at linear.app/dpa]
How long we keep your data
| Data | Retention period |
|---|---|
| Your account and health logs | Until you delete your account |
| Authentication logs | 90 days (held by Supabase) |
| Email send logs | 30 days (held by Brevo) |
| Backups | Deleted within 30 days of account deletion |
| Consent records (anonymised) | 6 years from account deletion |
We keep your health logs only for as long as your account is active, because their only purpose is to show you your own history and guidance. When you delete your account, we delete your health logs and personal data from our active systems immediately and from backups within 30 days.
When you delete your account, we retain an anonymised record of the consents you gave (what you consented to, and when) for 6 years. This record contains no health data — it is kept to allow us to demonstrate we had lawful basis for processing if required by a regulator. The record is not linked to your name or email after deletion.
We will email you to confirm once deletion is complete.
Your rights (both modes)
You have the following rights under UK GDPR. In local mode, you exercise most of these yourself directly on your device; in synced mode, contact us and we will action your request.
| Right | What it means | How to exercise |
|---|---|---|
| Access (Article 15) | Get a copy of the data we hold about you | Local mode: it's all on your device. Synced: email privacy@inrhythm.me |
| Rectification (Article 16) | Correct inaccurate data | Edit it in the app, or email us |
| Erasure (Article 17) | Delete your data | Local mode: clear app data in Settings. Synced: Settings → Delete account, or email us |
| Restriction (Article 18) | Pause processing during a dispute | Email privacy@inrhythm.me |
| Portability (Article 20) | Receive your data in a machine-readable format | Use Settings → Request my data, or email privacy@inrhythm.me |
| Object (Article 21) | Object to processing based on legitimate interests | Email privacy@inrhythm.me |
| Withdraw consent | Stop processing of your health data | Delete your account |
We respond to all rights requests within one calendar month of receiving them. If a request is particularly complex, we may extend this by up to two further months, and we will tell you within the first month if we need to, and why.
Complaints: If you are unhappy with how we handle your data, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint or call 0303 123 1113. We would appreciate the chance to address your concern first — please contact us at privacy@inrhythm.me.
Children
InRhythm is for adults aged 18 and over. We do not knowingly collect data from anyone under 18.
Automated decision-making
InRhythm shows general guidance based on your logs (for example, where you are in your dose cycle). This is informational only. We do not make solely automated decisions, including profiling, that produce legal effects concerning you or similarly significantly affect you (Article 22).
Data protection officer
We are not legally required to appoint a Data Protection Officer (we are a small operation, we do not carry out large-scale systematic monitoring, and health data processing is at small scale with explicit consent). Data protection enquiries are handled directly by us at privacy@inrhythm.me.
When we share data with others
We do not sell your data, and we do not share it with anyone except the processors listed above. We will only disclose your data to others if we are legally required to — for example, in response to a valid court order — and we will tell you where we are permitted to do so.
If something goes wrong (data breaches)
If a security breach affects your personal data, we will report it to the ICO within 72 hours where the law requires it, and we will tell you without undue delay if the breach is likely to put your rights and freedoms at high risk.
Cookies
InRhythm uses only storage that is strictly necessary to provide the service you have requested — to run the app and, in synced mode, to keep you signed in. This is exempt from consent requirements under PECR. We do not use analytics, advertising, or tracking cookies, so no cookie consent banner is required.
Changes to this policy
We will notify account holders by email at least 14 days before making material changes to this policy. The "last updated" date at the top always reflects the current version.
Contact
Data controller: [ENTITY NAME]
Email: privacy@inrhythm.me
Address: [ADDRESS], England