Privacy Policy - PeriodBro

Effective date: 14 May 2026. Last updated: 14 May 2026.

PeriodBro helps men understand and support the women in their lives — partners, daughters, mothers — through the menstrual cycle. The data inside this app is intimate, and the political climate around reproductive data is hostile. We take that seriously. This page explains, in plain English, what we collect, what we don’t, and the rights you have.

If you only read one sentence: we don’t sell your data, we don’t share cycle data with advertisers, and we will resist any third‑party request for it that isn’t backed by a valid legal order.

1. Who we are

PeriodBro is operated by Devlet Butaev, an independent sole proprietor (the “data controller” under GDPR; the “business” under CCPA).

Marketing site: periodbro.com
App: app.periodbro.com
Contact for any privacy request: dbutaev@gmail.com

2. Scope

This policy covers two separate surfaces. The data each one handles is different, so we describe them separately:

The marketing site (periodbro.com) — the blog, landing pages, and any contact or newsletter forms.
The app (app.periodbro.com) — the actual cycle‑tracking tool, where you create profiles and log data.

3. What we collect on the marketing site (periodbro.com)

Analytics: aggregated, anonymized usage data via Google Analytics 4 (pages viewed, country, device type, referring source). IP addresses are anonymized before storage.
Search Console: Google Search Console receives aggregate query data so we can improve content. It does not identify you personally.
Contact form / email submissions: if you send us a message or sign up for updates, we receive the email address and message body you submitted.
Server logs: our hosting provider (GoDaddy) keeps standard web server logs (IP, timestamp, request, user agent) for security and abuse prevention, typically for up to 30 days.

4. What we collect in the app (app.periodbro.com)

Account data: your email address (used as login) and optional display name.
Profile data: for each woman you choose to track — partner, daughter, mother, sister, friend — a label or first name, optional birth year, and the cycle data you enter.
Cycle data: period start/end dates, predicted phase, notes, mood entries, and any custom fields you create.
Usage data: minimal, app‑internal events used to make the product work (e.g. last sync timestamp). No third‑party advertising SDKs.

Important. The women you track are usually not the people using PeriodBro. You are responsible for telling them you are tracking their cycle and getting their agreement where appropriate. We strongly encourage transparency — PeriodBro is a tool for conscious partnership, not for surveillance.

5. What we do NOT collect

We do not collect precise location data.
We do not access your contacts, photos, microphone, or camera.
We do not collect government ID, payment card numbers (payments, when introduced, will be handled by a PCI‑compliant processor — we never see the card data), or health insurance information.
We do not use advertising trackers, fingerprinting, or third‑party retargeting pixels in the app.
We do not sell, rent, or trade personal information. Ever.

6. Why we process this data (legal bases under GDPR)

Contract (Art. 6(1)(b)): to provide the app you signed up for — accounts, profiles, cycle predictions, sync.
Legitimate interests (Art. 6(1)(f)): to keep the service running, prevent abuse, measure aggregate site usage, and improve content. You can object at any time.
Consent (Art. 6(1)(a)): for optional things like newsletter signup or non‑essential cookies. You can withdraw consent at any time.
Legal obligation (Art. 6(1)(c)): to comply with applicable laws (e.g. tax records once we have paid users).

Cycle data is treated with the same care as “special category” data under GDPR Art. 9, even where strict classification is debatable. We rely on your explicit consent (Art. 9(2)(a)) when you enter it.

7. Cookies and similar technologies

Strictly necessary: session cookies for login and security. Cannot be disabled.
Analytics: Google Analytics 4 cookies (set only after consent in EU/UK/Switzerland). You can opt out at any time via the cookie banner or your browser settings.
No advertising cookies.

8. Third parties who process data on our behalf

We use a small number of vendors (“sub‑processors”) to run the service. They are bound by data‑processing agreements and may only use data on our instructions:

Base44 — the platform that hosts the app and stores your account and cycle data.
GoDaddy — hosting for the marketing site.
Google (Analytics 4, Search Console) — aggregated traffic measurement on the marketing site only. Not connected to your in‑app data.
Email delivery provider — for transactional emails (password resets, receipts) and the newsletter, if you signed up.

We update this list as the stack evolves. None of these vendors are permitted to sell your data or use it for their own advertising.

9. Sharing data with anyone else, including law enforcement

We do not share your personal data with third parties for their own purposes, and we never share cycle data with advertisers, data brokers, employers, insurers, or “wellness” partners.

The only situations where we disclose data are:

To our sub‑processors above, strictly to run the service.
If we are legally compelled by a valid, binding order issued under applicable law (subpoena, court order, or equivalent). In that case we will: (a) review the order for legal validity, (b) push back on overbroad or unlawful requests, and (c) notify the affected user where the law allows.
To protect the rights, property, or safety of PeriodBro, our users, or the public from imminent harm.

We will not voluntarily provide cycle data, fertility data, or pregnancy‑related data to any government agency in the absence of a binding legal order. Our position: reproductive data belongs to the person it describes, not to the state.

10. Data retention

Account & profile & cycle data: stored while your account is active. Deleted within 30 days of account deletion (backups purge on a rolling 90‑day cycle).
Analytics data: retained in aggregated form in GA4 for up to 14 months.
Server logs: up to 30 days.
Email correspondence: up to 2 years, then deleted unless we are required to keep it longer (e.g. legal claims).
Tax / billing records (when applicable): retained for the period required by tax law in our jurisdiction (typically up to 10 years).

11. Your rights under GDPR (EU/UK/Switzerland)

If you are in the EU, the UK, or Switzerland, you have the following rights:

Access — get a copy of what we hold about you.
Rectification — correct anything inaccurate.
Erasure (“right to be forgotten”) — ask us to delete your data.
Restriction — limit how we use your data while a dispute is resolved.
Portability — receive your data in a portable, machine‑readable format.
Objection — object to processing based on legitimate interests.
Withdraw consent — for any processing where consent is the legal basis.
Lodge a complaint — with your national data protection authority.

To exercise any of these rights, email dbutaev@gmail.com. We respond within 30 days. There is no fee for reasonable requests.

12. Your rights under CCPA / CPRA (California)

If you are a California resident, you have the right to:

Know what personal information we collect and how we use it.
Access a copy of that information.
Request deletion.
Correct inaccurate information.
Limit the use of “sensitive personal information” (cycle data is treated as sensitive).
Opt out of the “sale” or “sharing” of personal information — although we do not sell or share personal information within the meaning of the CCPA.
Non‑discrimination — we will not deny service, charge a different price, or provide a different quality of service because you exercised your rights.

To exercise these rights, email dbutaev@gmail.com with “California Privacy Request” in the subject line. We may need to verify your identity before fulfilling the request.

13. Children

PeriodBro is not directed at children under 16. We do not knowingly collect data from users under 16. If you are a parent and discover that your child created an account, contact us and we will delete it.

If you are using PeriodBro to track a minor in your care (for example, your daughter): you are responsible for ensuring this is lawful in your jurisdiction and appropriate for your relationship. The data still belongs, ethically, to her.

14. International data transfers

Some of our sub‑processors (notably Base44 and Google) are based in the United States. When personal data of EU/UK/Swiss users is transferred outside the EEA, we rely on the European Commission’s Standard Contractual Clauses (SCCs) and, where applicable, the EU‑U.S. Data Privacy Framework. Where supplementary measures are required, we apply them.

15. Security

We use TLS encryption in transit, encrypted storage at rest with our hosting providers, and access controls limited to people who genuinely need them (right now: one founder). No internet service can promise perfect security, but we treat your data as if it were our own — because given the topic, that is essentially what it is.

If a data breach occurs that is likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours and the affected users without undue delay, as required by GDPR Art. 33–34.

16. Changes to this policy

We will update this policy as the product, our vendors, or the law changes. The “Last updated” date at the top of this page always reflects the most recent revision. For material changes that affect your rights, we will notify you by email (if we have one for you) or via a prominent notice on the site.

17. Contact

Questions, requests, concerns? Write to dbutaev@gmail.com. A real person reads every email.

— Devlet, founder, PeriodBro