1.1 This Privacy Policy

This Privacy Policy covers how NaturalCycles AG (Holding), NaturalCycles Nordic AB, and NaturalCycles USA Corporation (collectively, “Natural Cycles”, “we”, “us”, or “our”) collect and process your Personal Data (defined in section 2) obtained by us through your use of the Services or otherwise shared by you. It is important that you read it together with any other privacy notice that we may provide when we are collecting your Personal Data so that you are fully aware of how and why we are using it. 

We keep our Privacy Policy under regular review and may make changes to it. Any changes will be posted on our website (the “Website”) and, where appropriate, notified to you. 

1.2 The Services

Delivered in the form of an application (the “App”), Natural Cycles is a digital fertility contraceptive cleared by regulators in the US and Europe. The App can also be used as a pregnancy planner and to track a pregnancy. In addition to the App, Natural Cycles has the Website, including a webshop (the “Webshop”) where we sell Natural Cycles’ and business partners’ products, and social media channels (collectively referred to as the “Services”).

We also have a career page on our Website. If you connect with us on the career page, our processing of your personal data will be governed by a separate Recruitment Privacy Policy.

1.3 Controller

Natural Cycles is a controller and responsible for the processing of your Personal Data. We care deeply about the confidentiality and integrity of the information that is shared with us, and will only process your Personal Data in accordance with this Privacy Policy and applicable laws and regulations.

We have appointed a Data Protection Officer (“DPO”). If you have any questions or comments about this Privacy Policy or our processing of your Personal Data, please contact our DPO at dpo@naturalcycles.com or reach out to our customer support at support@naturalcycles.com.

Contact details

For Europe (and global) inquiries:
NaturalCycles Nordic AB
Reg. no 556952-7657
Sankt Eriksgatan 63B
11234 Stockholm, Sweden

For US inquiries:
NaturalCycles USA Corporation
135 West 41st Street
6th Floor
New York, NY 10036

We also use cookies and HTML local storage to distinguish you from other Users of the Services and to remember your preferences. This helps us provide you with a good experience when you use the Services and allows us to improve them. For more information on cookies, please see our Cookie Policy.

3.1 Information you give us

Natural Cycles processes Personal Data provided by you when registering for an account, signing up for a subscription, and using the App, making a purchase on the Webshop, using our social media platforms, answering surveys, contacting our customer support or otherwise corresponding or interacting with us and our Services. Please keep your Personal Data accurate and current. 

You can choose to connect the App to other sources of health data, such as Apple Health Kit. We will then collect personal data that you share with us from the source/sources of your choice.

When signing up for the App, you will be requested to consent to our use of your Sensitive Data (please note that you will need to consent in order for the App to work). You have the right to withdraw your consent at any time by changing the setting in the App, or by contacting us at support@naturalcycles.com. If you provide sensitive data to us by other means than the app - for example via support - this is described in greater detail in section 4.1.

3.2 Information we automatically collect about you and your device

When you are using our Services, we will automatically collect Device, IT and Usage Data. Some Usage Data is collected by using cookies. Please see our Cookie Policy for further details.

3.3 Information we receive from suppliers

We receive Device and Usage Data about you from analytics providers such as Google Analytics and Transaction and Contact Data from our payment service providers.

4.1 – To enable and provide the Services

4.1.1 – General

It follows from the nature of our Services that we must process such Personal Data that you add to the Services to enable and provide them. This includes to administer the Services and our relationship with you, to calculate your daily fertility or to provide information about a pregnancy, to secure the quality and develop the Services and to communicate and provide customer support, as further explained below. Consent for processing sensitive personal data must be obtained in order for the app to work.

4.1.2 – To administer the Services and our relationship with you

We use your User and IT Data to administer the Services and our relationship with you. This includes setting up your account for the App, troubleshooting, system testing as well as notifying you of changes to the Services or technical issues and reaching out to you via in-app messages to ensure your correct and optimal use of the App.

4.1.3 – To calculate your fertility or provide information about a pregnancy

Natural Cycles uses an algorithm that is sensitive to subtle patterns in a woman’s cycle to determine her daily fertility; it does this by analyzing the User Data that is added to the App. If you are using the App to track a pregnancy, it will provide information about the pregnancy based on the User Data that you add to it. Hence, Natural Cycles uses automated methods for processing of User Data in order to provide you with an adequate App.

4.1.4 – To secure the quality and develop the Services

We process your User, Usage and Account Data to monitor and analyze how our customers engage and interact with the Services so that we can secure the quality and develop the Services to better align them with your usage patterns and preferences. While we have access to Personal Data for the purpose of analytics, the results are aggregated and stripped of any Personal Data.

We may also contact and enable you to complete surveys. We use the Profile Data from these surveys to better understand how we can improve your user experience. 

4.1.5 – To communicate with you and provide customer support

We will process Personal Data that you provide in inquiries to our customer support, on our social media channels or through contact forms provided by us at congresses and events, for the purpose of communicating with you and acting on complaints. What type of Personal Data we collect for this purpose depends on the nature of your inquiry. If you are a User, our support agents may request access to your User Data if necessary to appropriately respond to your inquiry. Such access is subject to strict access controls and security measures to protect your integrity.

When you interact with us publicly on our social media channels, ensure that you do not submit any Personal Data that you do not want to be seen by other people. We recommend that you also read through the privacy policies of such platforms.

4.2 – To process purchases and deliver the Services

We use your Identity, Contact, Transaction, IP Data and Account Data to process purchases and manage the delivery of products from the Webshop and subscriptions. This includes logistics, preventing fraudulent payments and contacting you regarding your purchase. 

4.3 – To conduct research

Women's health is important to Natural Cycles and we invest in scientific research in sexual and reproductive health in order to advance women’s health. We also conduct research for the purpose of evaluating the effectiveness and suitability of the App for different user groups. Thirdly we use the results of our research to communicate the benefits and limitations of Natural Cycles to healthcare professionals. All our published research is subjected to independent peer review and has ethical approval from the relevant professional bodies where required. 

If we have your consent, we will use your User Data and other Personal Data that you may provide, in pseudonymized or anonymized form (see the Glossary for more information on pseudonymization), for scientific studies, scientific articles and other research purposes as may be disclosed when your Personal Data is collected. However, Personal Data is anonymized and aggregated before any such publications are shared outside of Natural Cycles. We may also contact you with requests to participate in specific research projects run by us or our business partners. 

Natural Cycles also contributes to research carried out by selected universities, institutions and other parties by sharing anonymized and minimized data with them. For the avoidance of doubt, we do not share any Personal Data with such external parties.

Finally, we may analyze sensitive data in order to publicly share insights learned from aggregated data with the purpose of increasing the public knowledge and understanding of women's health and/or the menstrual cycle. This kind of publication is always based on aggregated anonymized data and as such doesn’t contain any personal information.

4.4 – Marketing

4.4.1 – Marketing Communication

We use Identity, Contact, Device and Marketing Data of our users of the App to send you newsletters and other marketing communications e.g. push notifications regarding Natural Cycles and our Services, including campaigns and offers. We also process Transaction, Account, Contact and Usage data to conduct internal usage analysis for the purpose of creating and sending relevant messages about our products. Some Marketing Data is collected by using cookies. These cookies include third party services that may collect information about your visits to our site for analytics, retargeting and conversion tracking purposes. Please see our Cookie Policy for further details.

4.4.2 – Social media marketing – custom audiences, lookalike audiences and advertising

We use tools that help us identify and reach out to existing and new customers, by matching IP Data, Device Data, hashed (a pseudonymisation technique) Contact Data of people who have been using our Services with people on social media platforms to create so called “Custom Audiences” (this enables us to send targeted ads to people who have been using our Services), and “Lookalike Audiences” (this enables us to send targeted ads to people who have similar traits to our Custom Audience). The social media platforms will not share the hashed email address with third parties or other advertisers and will delete it promptly after the match process is complete. Please note that we do not share any Sensitive Data or group users based on sensitive data for the purpose of Custom and Lookalike Audiences.

4.4.3 – Surveys and interviews

You may also be contacted and enabled to complete surveys or take part in interviews for marketing purposes. We will process the Profile Data that you provide in such surveys and interviews to analyze user preferences, improve and assess the effectiveness of marketing activities, use as marketing material or other promotional purposes as disclosed when your Personal Data is collected. 

4.4.4 – Marketing opt-out

You always have the right to opt-out of receiving marketing communication or having your data being processed to identify Custom and Lookalike Audiences from us by opting out, by adjusting your settings in the App or contacting us at support@naturalcycles.com.

4.5 – To comply with legal obligations

Natural Cycles has been classified as a medical device intended for use as contraception by an EU Notified Body and the United States Food and Drug Administration (FDA). This means that we are subject to medical device regulations which may require the collection and processing of your Personal Data. There are also other legal provisions that require the processing of your Personal Data, such as accounting and fraud prevention laws. For more details, see section 6.1.

We retain your Personal Data for as long as necessary to achieve the purposes set out in this Privacy Policy. In some cases, we may be required to continue to process your Personal Data for a longer period of time to comply with legal obligations (e.g. accounting or audit obligations) or for the establishment, exercise or defense of legal claims. If you stop using your account without deleting it, we will keep your User Data for an additional 3 years. The reason is to give you the possibility to come back at a different stage in your life and obtain your previous data you had then. You always have the right to request your data to be deleted earlier. When we no longer have a reason to keep your Personal Data, if you withdraw your consent, or if you successfully request that we erase it, we have processes in place for anonymizing your Personal Data.

Lawful basis Consent

6.1 Recipients

Natural Cycles never sells your Personal Data and we conduct extensive assessments before engaging any processor to ensure that they have appropriate technical and organizational measures in place that provide adequate protection of your Personal Data. Anyone who is processing Personal Data on our behalf is bound by contractual obligations to keep Personal Data confidential and secure, and to use it only for the purposes as instructed by us. 

Natural Cycles may share your Personal Data: 

1. with our service providers that we use to support and provide our business, such as technical service or operation providers, to the extent needed to enable and provide the Services to you, 
2. with our affiliates (Natural Cycles group companies: NaturalCycles AG (Holding), NaturalCycles Nordic AB, NaturalCycles USA Corporation, related by common ownership or control, to the extent needed to carry out the processing of Personal Data as described in this Privacy Policy,
3. with our successors, if we are involved in e.g. a merger, acquisition or asset sale, giving you notice of this,
4. with others with whom you ask us to share your Personal Data, 
5. Natural Cycles will provide personally identifying data in response to a third-party inquiry only if required by a valid legal process, but will take all possible steps to keep your data private. Natural Cycles will contest the disclosure of your personal data in response to a third-party inquiry to the extent that a reasonable ground for objection exists. Natural Cycles will provide you with prompt prior notice of such a request, to the extent legally permitted, so that an order for relief may be requested. If Natural Cycles reasonably determines that such disclosure is still legally required, then it will seek a confidentiality designation protecting the disclosure, and will only disclose the portion necessary and at the required time, and/or 
6. to protect and defend Natural Cycles, our business partners’ or users’ rights and interests.

If you choose to share your Personal Data with any third person (e.g. a partner), you accept that you have done so at your own risk.

6.2 Payment service providers

We do not process your financial data such as bank account and full credit card number. That information is provided directly to our payment service providers. Our payment service providers are themselves responsible for the processing of your personal data which means that you will be requested to enter into separate agreements directly with them. The personal data you provide to them will be stored in accordance with their privacy policies, which we recommend you to read carefully. 

Any payment transactions carried out by our payment service providers are encrypted and subject to compliance with the Payment Card Industry Security Standard (“PCI DSS”) regulations. PCI DSS requirements help ensure the secure handling of payment information.

6.3 International transfers

Your Personal Data may be transferred and processed in countries outside the EU/EEA where Natural Cycles’ affiliates or service providers are located. Such international transfers are carried out in accordance with applicable laws and are subject to at least one of the following safeguards to protect your Personal Data: 

1. The recipient country has been deemed to provide an adequate level of protection for personal data by the European Commission. 
2. We have entered into model contracts approved by the European Commission which give personal data the same protection it has in Europe.

If your Personal Data is processed in the United States, it may also be subject to protection by federal and state regulations, as well as agency policy and guidance by the Federal Trade Commission.

All information you provide to us is transferred using TLS encryption (HTTPS) and stored on secure servers. We use generally accepted industry standards, technologies, procedures and methods, such as firewalls, encrypted storage, pseudonymization, regular software updates, security scans, access control, audit logging and review of admin actions as well as external penetration tests to protect the integrity of your Personal Data and to prevent unauthorized access. We also have policies and other organizational measures in place, including recurrent employee training on data protection and strict procedures to deal with any suspected personal data breach. 

The Website may contain links to other websites. Please note that we do not accept any responsibility or liability for personal data that may be collected through these websites or services. We recommend that you read their privacy policies before you submit any personal data to them or use their services.

9.1 Your rights

You have the right to:

1. request access to and information about your Personal Data that is being processed by us,
2. request correction of your personal data if it is inaccurate or incomplete, including to provide additional data if relevant information is missing,
3. request erasure of your Personal Data, 
4. object to our processing of your Personal Data (i) if the processing is based on our legitimate interest, or (ii) for direct marketing purposes, 
5. request that we restrict the processing of all or some of your Personal Data in certain situations and to ask us not to send you any direct marketing, and
6. request a copy of your Personal Data in a structured, commonly used and machine readable format and that we transfer your personal data to another controller.

If you have any concerns regarding our processing of your Personal Data, you have the right to file a complaint with the Swedish Data Protection Authority (Sw. Integritetsskyddsmyndigheten), or your local supervisory authority.

For US residents, please see the US Privacy Notice Addendum below for additional information.

9.2 How to exercise your rights

You may contact us in writing at any time to exercise your rights, preferably using the email address that is associated with your user account. We may need to request specific information from you to help us confirm your identity.

We do our best to respond to your request within a few days, and at least within one (1) month. If the request is complicated or if we have received a large number of requests, we may need to prolong our response time with one (1) additional month. 

You can exercise your rights at no cost to you. However, we may charge you a reasonable fee if your request is clearly unfounded, repetitive or excessive.

Natural Cycles complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) and Swiss-U.S. Data Privacy Framework ("Swiss-U.S. DPF,” and together with the EU-U.S. DPF, the “DPF Frameworks”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. Natural Cycles has certified to the Department of Commerce that it adheres to (1) the EU-U.S. DPF Principles with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF, and (2) the Swiss-U.S. DPF Principles with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Privacy Policy and the DPF Principles, the DPF Principles shall govern. To learn more about the DPF program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Natural Cycles’ participation in the DPF Frameworks is subject to investigation and enforcement by the U.S. Federal Trade Commission. Natural Cycles will resolve complaints about our collection or use of your personal information in compliance with the DPF Principles and commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of data received in reliance on the EU-U.S. DPF and the Swiss-U.S. DPF.

You may, subject to its terms, invoke binding arbitration in accordance with Annex I of the DPF Principles:
https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf .

EU and Swiss individuals with inquiries or complaints regarding our DPF Framework policy should first contact Natural Cycles at dpo@naturalcycles.com. With respect to onward transfers of data subject to the DPF Frameworks, we remain liable for processing such transfers in accordance with the DPF Principles.

Natural Cycles further commits to cooperate with the panel established by the DPAs and the Swiss FDPIC with regard to unresolved DPF program complaints concerning human resources data transferred from the EU and Switzerland in the context of the employment relationship. To pursue an unresolved human resources complaint, you should contact the state or national data protection or labor authority in the appropriate jurisdiction. Contact details for the EU data protection authorities can be found at

https://edpb.europa.eu/about-edpb/about-edpb/members_en .

Our Services are not subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). While we maintain and use Personal Data, we are not a “Covered Entity” or “Business Associate” as defined by HIPAA.

We permit residents of California to use our Services. Therefore, it is our intent to comply with the California Business and Professions Code 22575-22579 and the California Consumer Privacy Act of 2018 (“CCPA”).  If you are a California resident you may request certain information regarding our disclosure of Personal Information to any third parties for their direct marketing purposes.  In summary, you must presume that we collect electronic information from all visitors. You may contact us either at support@naturalcycles.com with any questions or to exercise your rights as a California Resident.  

Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

• Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
• Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

Personal Information under the CCPA does not include:

• Publicly available information from government records.
• De-identified or aggregated consumer information.
• Information excluded from the CCPA's scope, such as:
• Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data.
• Financial Information covered by the Gramm-Leach-Bliley Act, and implementing regulations.

12.1 – Response Timing and Format

We endeavor to respond to a verifiable consumer request within 45 days of its receipt.  If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.  If you have an account with us, we will deliver our written response to that account.  If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.  Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request's receipt.  The response we provide will also explain the reasons we cannot comply with a request, if applicable. 

12.2 – Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. We will not:

• Deny you goods or services.
• Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
• Provide you a different level or quality of goods or services.
• Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.