Privacy Policy

Last updated: March 2026

This Privacy Policy explains how we collect, use, store, and protect your information when you use Sulu.

We’ve written this in plain language on purpose. If something isn’t clear, that’s on us — not you.

1. What this app does

Sulu is a personal tracking and reflection tool.

It allows you to record symptoms and note changes over time, based on what you choose to log. It presents summaries and visuals of your own entries so you can review them yourself or share them with a healthcare professional if you choose.

Sulu is not a medical device and does not diagnose, treat, or prevent any medical condition. It does not provide medical advice or recommend treatment.

2. Information we collect

We collect only the information needed for the app to work.

Information you provide

  • the symptoms you choose to track
  • daily symptom ratings you enter
  • change markers you select (such as stress or illness)
  • dates and times of your entries
  • optional exports you generate

You decide what to enter. You can leave entries blank or stop using the app at any time.

Account information

If you create an account, we collect:

  • your email address
  • basic account identifiers needed to sign you in

We do not collect:

  • your name
  • your address
  • your payment card details — payments are processed securely by Stripe, and we never see or store your full card number
  • information from your contacts
  • information from other apps or devices

3. Health-related information

Some of the information you choose to enter may relate to your health. This information is:

  • self-reported
  • entered voluntarily
  • used only to display your own records and summaries

The app does not interpret this information, draw medical conclusions, or make recommendations based on it.

4. How we use your information

We use your information only to:

  • display your daily entries, timeline, and weekly snapshots
  • generate summaries you request (including doctor exports)
  • maintain and improve basic app functionality
  • ensure the app works securely and reliably

We do not use your information to:

  • provide medical advice
  • predict health outcomes
  • make automated decisions about you
  • target advertising

5. Sharing your information

With healthcare professionals

If you choose to export or share a summary, that information is provided for discussion only. How a healthcare professional uses or interprets that information is outside our control and part of their professional judgement.

With third parties

We do not sell your data.

We use the following service providers to operate Sulu:

  • Supabase — database hosting and authentication
  • Stripe — payment processing
  • Sentry — error monitoring and crash reporting

Each operates under a data processing agreement and processes data only as needed to provide their service. We do not allow third parties to use your information for their own purposes.

6. Data storage and security

We take reasonable steps to protect your information, including secure storage, access controls, and industry-standard safeguards appropriate to the size and nature of the app.

No system is completely risk-free, but we aim to handle your information with care and restraint.

7. How long we keep your data

We keep your information only for as long as you choose to use the app. You can delete individual entries or delete your entire account at any time.

  • Active account: data is retained for the duration of your account activity.
  • After deletion request: primary account data is removed after a 7-day grace period, during which you can cancel the deletion by signing back in.
  • Backup copies: purged within 30 days of deletion.
  • Legal obligations: limited data may be retained beyond these periods where required by law, for fraud prevention, or to resolve disputes.

8. Your choices and rights

Depending on your location, you may have the right to access, correct, export, or delete your data. You can manage most of these directly in the app settings.

If you need help, you can contact us using the details below.

9. Additional rights for EU/EEA and UK users

If you are in the European Union, European Economic Area, or the United Kingdom, the following additional information applies to you under the General Data Protection Regulation (GDPR) and UK data protection law.

Legal basis for processing

We process your data on the following legal grounds:

  • Account and general data (email, account identifiers): processed to perform our contract with you (Art. 6(1)(b) GDPR) and where necessary for our legitimate interest in operating and securing the app (Art. 6(1)(f)).
  • Health-related data (symptoms, severity ratings, cycle data, HRT status, menopause stage): processed on the basis of your explicit consent (Art. 9(2)(a) GDPR), which you provide through a dedicated consent screen before any health data is collected.

You can withdraw your consent at any time by deleting your account. Withdrawal does not affect the lawfulness of processing that occurred before you withdrew.

Your rights under GDPR

In addition to the general rights described in Section 8, you have the right to:

  • Access (Art. 15) — obtain confirmation of whether your data is being processed and receive a copy
  • Rectification (Art. 16) — correct inaccurate personal data
  • Erasure (Art. 17) — have your data deleted (supported via account deletion in the app)
  • Restriction (Art. 18) — limit how your data is used in certain circumstances
  • Portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format (supported via CSV export in the app)
  • Object (Art. 21) — object to processing based on legitimate interest
  • Withdraw consent — at any time, without affecting the lawfulness of prior processing
  • Lodge a complaint — with your local data protection supervisory authority

You can exercise these rights through the Profile screen in the app or by emailing privacy@suluapp.com.

Cross-border data transfers

Your data is stored and processed using infrastructure provided by our service providers (see Section 5), which may be located outside the EU/EEA. Where data is transferred to countries that have not received an adequacy decision from the European Commission, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as part of our data processing agreements with those providers.

You can request a copy of the relevant safeguards by contacting us at privacy@suluapp.com.

United Kingdom

If you are in the United Kingdom, references to GDPR in this policy include the UK GDPR as incorporated into UK law under the Data Protection Act 2018. Your rights under UK data protection law are equivalent to those described above.

Data protection contact

For EU or UK data protection enquiries, contact us at privacy@suluapp.com.

10. Children's privacy

This app is not intended for children.

We do not knowingly collect personal information from anyone under the age of 18. If you believe a child has used the app, please contact us so we can remove the data.

11. Cookies

We use a small number of essential cookies to keep you signed in and to operate the app securely. These cookies are strictly necessary for the app to function and do not require consent under applicable privacy laws.

We do not use cookies for advertising, analytics, or third-party tracking. If this changes in the future, we will update this policy and obtain your consent where required.

12. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will let you know through the app or by other reasonable means. Continued use of the app after an update means you accept the revised policy.

13. Contact us

If you have questions about this Privacy Policy or how your information is handled, you can contact us at: