Legal
Privacy Policy
Last updated: February 19, 2026
We built Superwoman to help you work with your body — not around it. That means your data, especially your cycle data, is treated with the same care. This policy explains exactly what we collect, how we use it, and the choices you always have.
Transparency
What We Collect
Account data
Your name, email address, and a securely hashed password via Supabase Auth. If you sign in with Google, we receive your name, email, and profile photo.
StandardCycle & health data
Cycle length, period length, last period date, daily period logs (flow level, symptoms, notes), and the phase predictions we calculate.
SensitiveCalendar & event data
Event titles, descriptions, times, categories, recurrence rules, reminders, and attendee emails you enter manually.
StandardGoogle Calendar data
Only if you explicitly connect Google Calendar via OAuth. We store access and refresh tokens in our database, not your browser.
OptionalTechnical data
IP address, browser type, device type, and general usage patterns (pages visited, features used, timestamps) for reliability and debugging.
StandardPurpose
How We Use Your Data
Everything we collect has one purpose: making Superwoman work for you. We use your data to:
- Calculate your cycle phase and generate energy-aware scheduling suggestions
- Store, display, and manage your calendar events
- Sync events with Google Calendar (only if connected)
- Send transactional emails — account setup, password reset, and notifications you opt into
- Debug issues and improve the reliability and performance of the app
We do not use your data for advertising, profiling outside the app, or any purpose unrelated to providing you with Superwoman.
Health Data
A Commitment to Your Privacy
Your cycle and period data is sensitive health information. We treat it accordingly.
- We never sell it — not to advertisers, data brokers, or anyone else.
- We never share it with third parties for marketing, analytics, or research.
- We use it only to run the app — specifically to calculate your cycle phases and personalise your calendar.
- You can delete it at any time from Settings. When you delete your account, all cycle data is permanently removed.
Under GDPR, cycle and health data falls under Article 9 (special category data). We process it on the basis of your explicit consent, given when you enter your cycle information during onboarding.
Sharing
Who We Share With
We do not sell your data. We share it only with the following service providers, and only to the extent needed to operate Superwoman.
Supabase
Infrastructure provider
Hosts our database (PostgreSQL) and handles authentication. Your data is stored on Supabase's servers. Supabase processes data on our behalf under a data processing agreement.
Calendar integration (optional)
Only if you connect Google Calendar. When you do, some data passes through Google's APIs and is subject to Google's Privacy Policy.
Legal authorities
When required by law
We may disclose your data if required by law, court order, or to protect the rights, property, or safety of Superwoman, our users, or others.
Security
How We Protect It
Encrypted in transit and at rest. All data is encrypted in transit via TLS (HTTPS) and at rest by Supabase (AES-256).
Row Level Security. Enabled on every database table — the database enforces that each user can only read and write their own data, even at the infrastructure level.
OAuth tokens in the database, not your browser. Google OAuth tokens are stored securely server-side, not in local storage where they could be accessed by browser scripts.
No payment data stored by us. If we introduce paid plans, payments will be handled by a PCI-compliant processor. We never see or store your card details.
Account & calendar data
Retained while your account is active. Permanently deleted within 30 days of account deletion.
Cycle & health data
Deleted immediately and permanently when you delete your account or remove your cycle data from Settings.
Google OAuth tokens
Deleted when you disconnect Google Calendar from Settings, or when your account is deleted.
Technical logs
Retained for up to 90 days for debugging and reliability purposes, then permanently deleted.
Control
Your Rights
Access
Request a copy of all the personal data we hold about you.
Email support@superwoman.so
Correction
Update your name, email, or cycle data at any time.
Available in Settings
Deletion
Delete your account and all associated data. Permanent and cannot be undone.
Available in Settings
Export
Export your calendar events in ICS or CSV format at any time.
Available in the app
Portability
Request your data in a structured, machine-readable format.
Email support@superwoman.so
Withdraw consent
Disconnect Google Calendar or disable notifications without affecting your account.
Available in Settings
If you are in the EU or UK, you also have the right to lodge a complaint with your local data protection authority if you believe we have mishandled your data.
Fine Print
Cookies, Children & Changes
Cookies
We use essential session cookies only — the ones Supabase Auth needs to keep you logged in. No third-party advertising or tracking cookies. No cookie consent banner needed.
You can block cookies in your browser settings, but this will prevent you from staying logged in.
Children's privacy
Superwoman is intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, contact us and we will promptly delete it.
Changes to this policy
If we make material changes — new data categories, new third parties — we'll notify you by email and in-app before the change takes effect. Minor changes update the date at the top of this page.
Continued use after a change goes into effect means you accept the updated policy.
Questions about your data?
We aim to respond to all privacy-related requests within 5 business days.