Privacy Policy

1. Who runs Girl Harmony

Girl Harmony is operated by Girl Chocolate LLC (the "Company", "we", "us"). This Privacy Policy applies to the Girl Harmony mobile apps (iOS, Android), the Girl Harmony web app at app.girlharmony.com, and the API at api.girlharmony.com.

2. What we collect, and why

2.1 Account information (required to use the app)

• Email address. Provided by you at sign-up. Used to authenticate, send service emails (e.g. password reset, billing receipts), and let you log in across devices.
• Display name. Optional. Used to greet you in the app.
• Authentication identifier. A unique user ID issued by our identity provider (Clerk). Used to associate your data with your account.

2.2 Cycle and health data (the core of the service)

You enter this; we store it on our servers so it syncs between your devices.

• Period start and end dates, predicted dates, flow level, period products used.
• Mood, symptoms, sleep, energy, sex, body basics (height, weight) — only if you log them.
• Supplements, medications, birth control method, conditions you self-report.
• Cycle archetype + onboarding answers.
• Niddah-mode settings (custom + reminder preferences) if you enable it.

2.3 Voice journal data (only if you record)

• The audio file you record (stored encrypted in object storage).
• The transcript of the audio (generated on your device by your browser's built-in speech recognition).
• An AI-generated 1–2 sentence summary + up to 3 emotional themes (generated by our backend).

2.4 Bestie chat data

• Messages you send to Bestie and Bestie's replies. Stored so the conversation persists across sessions and devices. Used to give Bestie context on prior turns.
• Your messages are forwarded to Anthropic to generate a reply. Anthropic does not retain your messages or train models on them under their commercial API terms.

2.5 Device + technical data

• IP address (logged for abuse prevention and the audit trail).
• User agent / device model (rough analytics, error attribution).
• Push notification token (only if you enable notifications).
• Crash reports + error stack traces (Sentry). No PII in error reports.

2.6 Subscription + billing data

• If you subscribe to Premium, your subscription state (active, trial, canceled, period end) is stored on our servers.
• Payment details (card number, etc.) are never seen by us. Stripe handles all payment processing.

3. Where your data lives

All data is encrypted in transit (TLS 1.2+) and at rest (each provider's encryption-at-rest defaults).

4. Who sees your data

By default, no one but you.

The only situations in which a person other than you would see your data:

• You explicitly enable Partner sharing in the app and select what to share. You can pause or revoke this at any time.
• You explicitly export a Doctor Visit PDF and email or hand it to a healthcare provider. We don't share PDFs automatically.
• A senior engineer at Girl Chocolate LLC may need to access a single account's data to investigate a bug you reported. This is logged and audited.
• We are legally compelled by a court order. We will, where lawful, notify you before disclosure.

We never: sell your data, share it with advertisers, allow it to be used for ad targeting, or pass it to insurers or employers.

5. Bestie + AI

Bestie is powered by Anthropic's Claude API. When you send a message to Bestie:

• The message + a snapshot of your cycle context (current phase, recent symptoms, archetype) is sent to Anthropic's servers to generate a reply.
• Per Anthropic's Commercial Terms of Service, your messages are not retained by Anthropic past the immediate request, and not used to train their models.
• The conversation is stored in our database so it persists across your devices.
• You can clear your entire chat history at any time from the trash icon in Bestie.

6. Your rights and controls

6.1 Access + export

You can see everything we store on you from inside the app. To request a JSON export of your full dataset, email support@girlchocolate.co and we will email you a secure download link within 30 days.

6.2 Delete

Open the app → You → Settings → Erase everything. This:

• Permanently deletes every row in our database that belongs to your user.
• Permanently deletes every voice journal audio file and every PDF tied to your account.
• Revokes every active session.
• Cannot be undone.

If you'd rather we delete your account by email, write to support@girlchocolate.co. We process deletions within 30 days.

6.3 Correct

You can edit any logged data directly in the app. For account-level corrections (e.g. email change), email support@girlchocolate.co.

6.4 Object / restrict

If you're in the EEA, UK, California, Virginia, Colorado, Connecticut, or any other state or country with data privacy rights, you have the legal right to object to processing or restrict it. Email us and we'll honor your request.

7. Children

Girl Harmony is intended for users 13 and older. We do not knowingly collect data from anyone under 13. If you are between 13 and 17, please use Girl Harmony with the awareness and permission of a parent or legal guardian. The app's Teen Mode setting limits some features (purchases, partner sharing) for younger users.

8. International transfers

Girl Harmony servers are located in the United States. If you use Girl Harmony from outside the US, your data will be transferred to and stored on US-based infrastructure. We use the Standard Contractual Clauses (SCCs) with our US sub-processors to maintain GDPR-equivalent protections.

9. Security

• All connections use TLS 1.2 or higher.
• All data at rest is encrypted by the underlying provider (Cloudflare, Clerk, Stripe, Resend).
• Authentication uses short-lived JWTs (Clerk).
• Passkeys / WebAuthn are supported and recommended.
• Multi-factor authentication is supported.
• The full audit log of authenticated actions on your account is retained for 90 days.

No security system is perfect. If you become aware of a vulnerability, please email support@girlchocolate.co with the subject line SECURITY.

10. Sub-processors

We rely on the following sub-processors. Their privacy policies are linked.

11. Cookies + similar technologies

Girl Harmony uses the browser's localStorage and IndexedDB to cache your data on-device for offline use. We use a single first-party authentication cookie set by Clerk to keep you signed in. We do not use third-party tracking cookies. We do not embed advertising pixels. We do not run Google Analytics.

12. Changes to this policy

We will update this policy when our practices change. The "Last updated" date at the top reflects the most recent change. For material changes, we'll send an in-app notification and an email at least 30 days before the change takes effect.

13. Contact

Email: support@girlchocolate.co
Mailing: Girl Chocolate LLC, [add address before launch], United States

14. State + region-specific notices

California (CCPA / CPRA)

California residents have the right to know what personal information we collect, to access it, to delete it, and to not be discriminated against for exercising these rights. We do not sell your personal information. We do not share it for cross-context behavioral advertising. To exercise your rights, email support@girlchocolate.co.

EEA + UK (GDPR)

The lawful basis for our processing of your personal data is your consent (Article 6(1)(a)) and the performance of our contract with you (Article 6(1)(b)). You have the right to access, rectify, erase, restrict processing of, port, and object to processing of your data, and the right to lodge a complaint with a supervisory authority. Health data (your cycle, symptoms, etc.) is processed under Article 9(2)(a) — your explicit consent. You can withdraw consent at any time by deleting your account.

Other states

Residents of Colorado, Connecticut, Virginia, Utah, and any other state with comprehensive privacy law have the same access, deletion, correction, and opt-out rights described above. Email us to exercise them.