Privacy Policy
For the Leafyard Hormonal Health Lab iOS app
Last updated: 15 May 2026
Effective from: 1 January 2026
1. About this policy
This policy explains how Leafyard Limited ("we", "us", "our") collects, uses, and protects your personal information when you use Leafyard Hormonal Health Lab (the "App"). We take your privacy seriously, particularly because the App is designed to help you track your hormonal health, which involves sensitive personal data.
For the purposes of UK and EU data protection law, Leafyard Limited is the data controller for the personal information we process about you.
Our details:
Leafyard Limited
C/O Dsg, Chartered Accountants, 43 Castle Street, Liverpool, United Kingdom, L2 9TL
Company number: 11463590
ICO registration number: ZB071586
Contact: [email protected]
2. The information we collect
We collect the following categories of personal information.
Information you provide directly:
- Account details such as email address and password.
- Profile information including hormonal symptoms typically associated with menopause and perimenopause, and health context you choose to share.
- Tracked health information including symptoms, mood and any notes you add.
- Information you send us when contacting support.
Information collected automatically:
- A unique app identifier used to associate data with your account.
We do not collect:
- Information from advertising identifiers.
- Location data.
- Contacts or photos.
3. Special category data
Information about your hormonal health and physical and mental symptoms is classified as "special category data" under UK GDPR (Article 9) and requires extra protection.
We process this data only on the basis of your explicit consent, which you provide when you sign up and begin tracking. You can withdraw this consent at any time by deleting your account, which will remove all of your special category data from our systems (see Section 10).
4. How we use your information and our legal basis
We use your information for the following purposes:
- Providing the core tracking features of the App — Performance of our contract with you (UK GDPR Art. 6(1)(b)) and your explicit consent for health data (Art. 9(2)(a)).
- Creating your account and authenticating you — Performance of our contract with you.
- Sending essential service communications (e.g. password resets, policy changes) — Performance of our contract with you.
- Improving the App through aggregated, anonymised usage analysis — Our legitimate interest in improving our product.
- Complying with legal obligations — Compliance with a legal obligation.
We do not use your data for advertising, profiling for marketing, or any purpose other than providing and improving the App as described above. We do not sell your data to anyone, ever.
5. Who we share your information with
We share limited personal information with the following categories of third party, only as necessary to operate the App:
- Cloud hosting — Heroku stores your account and tracked data in the UK.
- Email delivery — Mailgun delivers transactional emails.
Each of these providers is bound by a data processing agreement that restricts what they can do with your data. We may also disclose information where required by law, court order, or to protect our legal rights.
6. Aggregate reporting to your organisation
Where you access the App through an employer, insurer, or other organisation that pays for your access (the "sponsoring organisation"), we provide that organisation with aggregated, anonymised reports on overall use of the App. This helps them understand wellbeing trends across their population and decide how to support their people, without learning anything about you as an individual.
These reports include only statistical and demographic information, such as:
- Usage patterns and engagement metrics.
- Aggregated wellbeing and symptom-tracking scores.
- Anonymous participation rates.
The following safeguards apply to every report we produce:
- All data is anonymised before any analysis or sharing occurs.
- No narrative or free-text responses (including the notes you add to tracker entries) are ever included.
- Figures are aggregated and only shared when there are enough responses in a cohort to prevent identification of individuals.
- Your name, email, tracker entries, symptoms, and any content you share within the App are never disclosed to your sponsoring organisation in an identifiable format.
We rely on our legitimate interest (UK GDPR Art. 6(1)(f)) in providing a sustainable service to sponsoring organisations as the legal basis for producing these aggregated reports. Because the anonymised reports do not identify you, they fall outside the consent requirement for special category data.
If you do not want any of your usage to contribute to these aggregate reports — even in anonymised form — you can delete your account, which removes you from the underlying dataset (see Section 8).
7. International transfers
Some of our third-party providers are based outside the UK and EEA. Where this is the case, we ensure your data is protected by appropriate safeguards, including the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or transfers to countries with an adequacy decision from the UK government.
8. How long we keep your information
We keep your personal information for as long as your account is active. If you delete your account, we will delete your data within 14 days, except where we need to retain limited information to:
- Comply with legal obligations (e.g. financial records for tax purposes, typically retained for 6 years).
- Resolve disputes or enforce our agreements.
- Defend against legal claims.
Backups are retained for 14 days and then permanently deleted.
9. Security
We protect your information using:
- Encryption in transit (TLS 1.2 or higher) for all data sent between the App and our servers.
- Encryption at rest for stored data.
- Strict access controls — only authorised personnel can access systems containing personal data, and access to identifiable health data is restricted further.
- Regular security reviews and updates.
- Multi-factor authentication on all administrative systems.
No system is perfectly secure, and we cannot guarantee absolute security. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours as required by law, and we will notify you without undue delay where the breach is likely to result in a high risk to you.
10. Your rights
Under UK and EU data protection law, you have the following rights:
- Right of access — request a copy of the personal information we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete information.
- Right to erasure ("right to be forgotten") — ask us to delete your information.
- Right to restrict processing — ask us to limit how we use your information.
- Right to data portability — receive your information in a structured, machine-readable format.
- Right to object — object to processing based on our legitimate interests.
- Right to withdraw consent — where we rely on your consent, you can withdraw it at any time.
- Rights related to automated decision-making — you have the right not to be subject to decisions based solely on automated processing that significantly affect you. The App's cycle predictions are informational only and do not constitute automated decision-making in this legal sense.
To exercise any of these rights, contact us at [email protected]. We will respond within one month.
If you are not happy with how we have handled your information, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk or on 0303 123 1113. We would appreciate the chance to address your concerns first.
11. Children
The App is not intended for use by children under 18. We do not knowingly collect personal information from children under this age. If you believe a child has provided us with personal information, please contact us and we will delete it.
If you are between 0 and 18, please do not use the App.
12. Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify you through the App and by email before the changes take effect. The "Last updated" date at the top tells you when the policy was last revised. Continued use of the App after changes take effect means you accept the updated policy.
13. Contact us
If you have any questions about this policy or how we handle your information, please contact:
Leafyard Limited
[email protected]
C/O Dsg, Chartered Accountants, 43 Castle Street, Liverpool, United Kingdom, L2 9TL
Data Protection Officer: Jon Davies — [email protected]