Effective May 13, 2026 · Last updated May 13, 2026 · Operated by Choclement LLC
The short version
Girl Harmony is a cycle-tracking app built by Choclement LLC. We are not a typical period app. We don't sell your data, we don't run ads, and we don't use behavioral trackers. This is what you actually need to know:
We collect what we need to track your cycle. Periods, symptoms, mood, predictions, and the things you choose to log. Nothing more.
We never sell or share your data with advertisers. Ever. There is no Facebook SDK, no Google Analytics for personal data, no data broker pipeline.
You can delete everything in one tap. No questions asked. Open You → Settings → Delete account, or email us. We honor the request within 30 days (faster in practice — usually within 24 hours).
Bestie (our AI cycle coach) runs on Anthropic's Claude. Under Anthropic's commercial API terms, your prompts aren't used to train models; we use the no-data-retention configuration where available.
Niddah-mode data is religious data. We treat it as the most sensitive category there is. It's never shared, never used for analytics, and you can delete it independently of the rest of your account.
Encryption is on by default. TLS 1.3 in transit, AES-256 at rest (Cloudflare D1, R2).
We're a tracking tool, not a medical device. Don't use Girl Harmony for contraception, fertility planning, or diagnosis. Talk to a clinician for medical decisions.
The rest of this document is the full legally-binding version, modeled after the strongest privacy policies in the women's-health space (Flo, Clue) and adapted to our specific stack and feature set. If anything below contradicts the spirit of the summary above, the spirit wins — email privacy@girlharmony.com and we'll fix it.
1. Who we are
Girl Harmony is operated by Choclement LLC, a US limited liability company (the "Company", "we", "us", "our"). Choclement LLC is also the parent of the Girl Chocolate consumer brand (the functional chocolate product), but the two services have independent privacy practices and separate datasets.
This Privacy Policy applies to:
The Girl Harmony mobile apps on iOS and Android
The Girl Harmony web app at app.girlharmony.com
The Girl Harmony marketing website at girlharmony.com
The Girl Harmony backend API at api.girlharmony.com
Direct email communication between you and our team (e.g. support@girlharmony.com, privacy@girlharmony.com)
It does not apply to the Girl Chocolate e-commerce site (girlchocolate.co), which has its own separate privacy notice.
2. What data we collect
We group the data we collect into seven categories. Each row below tells you what's in it, whether providing it is optional, and what it's used for.
2.1 Account data · required
Email address. You provide this at sign-up. We use it to authenticate, send transactional emails (password reset, billing receipt, security notice), and let you sign in across devices.
Display name. First name + last name. Used to greet you in the app and personalize Bestie's replies. You can change or remove these at any time.
Password. Hashed and salted by Clerk, our identity provider. We never see or store your plaintext password.
Authentication identifier. A unique user ID issued by Clerk that ties your account to your data on our servers.
SSO identity (optional). If you sign in with Apple or Google, we receive a unique opaque user ID, your email, and (if you allow) your name. We do not receive your social-account password or unrelated profile data.
2.2 Cycle & health data · core feature
You enter this data inside the app. We store it on our servers so it syncs across your devices.
Period start and end dates, predicted dates, flow level, period products used, spotting events.
Symptoms: mood, energy, cravings, pain, sleep, sex/intimacy, water intake.
Body basics (height, weight, BMI), body temperature, cervical fluid observations.
Cycle archetype (assigned by our onboarding algorithm) and the answers you gave during onboarding.
Notes / journal entries you write in the cycle log.
Under GDPR, all of section 2.2 is "special category" data (Article 9) and is processed under your explicit consent. Withdrawing consent is as simple as deleting your account.
2.3 Religious-observance data (Niddah mode) · opt-in only
The fact that you have enabled Niddah mode (which custom you selected — Sephardic, Ashkenazi, Yemenite, etc.).
Your hefsek taharah dates, shivah neki'im dates, mikvah dates.
Your reminder preferences (timing, channel).
This is religious data — the strictest category under GDPR Article 9. See section 6 for details on how we handle it.
2.4 Voice journals + photos · opt-in only
Voice recordings. The audio file you create when you tap "voice journal". Stored encrypted in Cloudflare R2. We use them to generate a transcript and a 1–2 sentence emotional-theme summary.
Transcripts. Generated either on your device (browser speech recognition) or on our backend using a transcription provider. Stored alongside the audio.
Skin tracker photos. If you photograph your skin to track breakouts/clarity across the cycle, those photos are stored encrypted in Cloudflare R2. They never leave our infrastructure.
You can delete any individual recording, transcript, or photo from the app at any time, and you can delete all of them by erasing your account.
2.5 Bestie chat data · opt-in only
The messages you send to Bestie and the replies Bestie generates.
A snapshot of your cycle context (current phase, day of cycle, last few symptoms, cycle archetype) that we attach to each request so Bestie can give relevant answers.
Information about your sexual partners or social graph.
3. Why we collect it
Under GDPR, we are required to identify a legal basis for every category of processing. The table below tells you, for each purpose, what data is involved, why we need it, and the legal basis we rely on.
| Purpose | Data used | Legal basis (EU/UK) |
| --- | --- | --- |
| Provide the app (cycle tracking, predictions, calendar) | 2.1, 2.2 | Contract performance — Art. 6(1)(b) GDPR; consent for special-category data — Art. 9(2)(a) |
| AI cycle coach (Bestie) | 2.5 + relevant snapshots of 2.2 | Explicit consent — Art. 9(2)(a) (opt-in toggle) |
| Voice journals + photo skin tracker | 2.4 | Explicit consent — Art. 9(2)(a) (opt-in per recording) |
| | | Legitimate interest — Art. 6(1)(f) (running a responsive support team) |
| Abuse prevention & fraud detection | 2.7 + 2.6 | Legitimate interest — Art. 6(1)(f) (protecting the service) |
| Improve the app (crash + error reports) | 2.7 (de-identified) | Legitimate interest — Art. 6(1)(f) |
| Comply with the law (subpoena, court order) | Whatever the order compels | Legal obligation — Art. 6(1)(c) |
4. Who sees your data
By default: nobody but you. Not us, not your partner, not your clinician, not Anthropic past the moment a Bestie reply is generated.
The only situations in which a person other than you sees your data are:
You explicitly share it. If you generate a Doctor Visit PDF and email it to your OB/GYN, that's you sharing. We don't share PDFs automatically.
You enable Partner Sharing (future feature). When this ships, partner sharing will be opt-in per-data-category, revocable in one tap, and shown clearly in your settings.
You report a bug to us. A senior engineer at Choclement LLC may access the affected rows in our database to investigate. Every such access is logged, audited, and limited to the minimum needed to fix the bug. You can ask us not to do this and we'll find another way.
We are legally compelled. If we receive a subpoena, court order, or other legally binding demand, we will (a) verify it is valid, (b) narrow the disclosure to the minimum compelled, and (c) where lawful, notify you before we hand anything over. We will challenge demands we believe are overbroad. We publish an annual transparency report once we have data to publish.
Safety exception. If we have reason to believe disclosure is necessary to prevent imminent harm to you or another person (e.g. a credible threat in a Bestie conversation), we may disclose to the relevant authority. This has never happened to date.
5. Bestie + AI processing
Bestie is Girl Harmony's AI cycle coach. It's powered by Anthropic's Claude language model, accessed through Anthropic's commercial API. When you chat with Bestie:
Your message is sent from your device to our backend (api.girlharmony.com).
Our backend assembles a request that includes (a) your message, (b) a snapshot of your cycle context (current phase, day of cycle, the last 7 days of symptoms, your archetype), and (c) the recent message history of the same conversation.
That request is forwarded to Anthropic's API to generate a reply.
Anthropic streams the reply back to us, we forward it to your device, and we store the message + reply in our database so the conversation persists.
Anthropic's commitments to us (governed by the Anthropic Commercial Terms of Service):
Anthropic does not use API inputs or outputs to train its foundation models. This is a default term of Anthropic's commercial API.
Anthropic retains API request logs only for the period required to operate and secure the service. Where Anthropic offers Zero-Data-Retention (ZDR) for our account tier, we use it; we will publish a confirmation here once ZDR is in force.
Anthropic does not use your data for any purpose other than serving the request that includes it.
Our commitments to you:
You can delete any individual Bestie message or the entire conversation from the app in one tap.
You can turn off Bestie entirely from Settings — we'll preserve your past conversations until you delete them, but stop sending new requests to Anthropic.
We don't use Bestie conversations to train any model of our own. We don't have a model of our own. We're not in the AI-training business.
Bestie's outputs are AI-generated. They are not medical advice. If Bestie tells you something that sounds clinically wrong, please ignore it and flag it to us via the in-app feedback button — we'll investigate.
6. Niddah mode (religious data)
Niddah mode is an optional feature for users who observe Jewish laws of family purity (hilchot niddah). When you enable it, the app helps you track hefsek taharah, the shivah neki'im count, and mikvah dates, with selectable customs.
Information about your religious observance is treated as religious data — the most sensitive category in our database. Specifically:
Under GDPR, religious data is special category data processed under Article 9(2)(a) — your explicit, opt-in consent.
Niddah-mode data is never shared with anyone. Not Anthropic. Not analytics. Not advertisers. Not researchers. Not aggregated.
Niddah-mode data is never exported off our backend except when you yourself generate a Doctor Visit PDF that explicitly includes it.
Niddah-mode data is not sent to Bestie unless you specifically reference it in a message — and even then, only your message is sent, not the underlying dates.
You can disable Niddah mode at any time. When you do, the related history stays in your account (so you can turn it back on without losing it) but isn't processed for anything. You can also explicitly purge the history from Settings → Niddah → "Erase Niddah history".
If you delete your account, all Niddah-mode data is deleted immediately and irrecoverably.
7. Voice journals + photos
Voice journals and skin-tracker photos are the most personal data the app handles. Specific protections:
Audio files are stored in Cloudflare R2, our encrypted object storage. Each object is encrypted at rest with AES-256.
Access to audio is gated by a short-lived signed URL — never a public link. The URL is valid for a few minutes only.
Transcripts are stored alongside the audio in our database, encrypted at rest.
The AI-generated emotional-theme summary (1–2 sentences, up to 3 themes) is produced by sending the transcript to Anthropic under the same no-retention, no-training terms described in section 5. The transcript is not retained by Anthropic.
Photos are handled identically: stored in R2, AES-256 at rest, accessed via short-lived signed URLs, never indexed for ML.
You can delete any individual recording or photo from the app at any time. Deletion is immediate.
8. What we don't do
We do not sell your data. Period. To anyone. For any reason. Not now, not after acquisition, not "anonymized". The Girl Harmony business model is paid subscriptions, full stop.
We do not run advertising. The app has no ads, no sponsored content, and no affiliate placements. We don't need to be the product.
We do not share health data with advertisers, insurers, employers, data brokers, or marketing platforms. Even technical identifiers (IP, device ID, advertising ID) are not shared with any ad platform — because we don't use any ad platforms.
We do not use Facebook SDK, TikTok SDK, AppsFlyer, Adjust, Branch, Singular, Kochava, or any other attribution / advertising / engagement SDK.
We do not run Google Analytics for personal data. The marketing site uses a privacy-friendly visit counter that doesn't set cookies or store user-level data.
We do not train any AI model on your data. We are not in the AI training business.
9. Third-party sub-processors
To run Girl Harmony, we rely on the following sub-processors. Each is contractually bound to handle your data in accordance with this policy. We monitor their security posture and review the list quarterly.
Android Play Store distribution, Sign in with Google, Firebase Cloud Messaging (push notifications on Android)
US
Play Store: device + purchase. SSO: profile email + name. FCM: device push token only — no payload contains personal data.
If we add a new sub-processor, we'll update this table and (for material additions) notify you in-app and by email at least 30 days before the change takes effect.
10. How long we keep your data
| Data | Retention |
| --- | --- |
| Account data (email, name, password hash) | While your account is active. Purged within 30 days of account deletion. |
| Cycle & health data | While your account is active. Purged within 30 days of account deletion. |
| Niddah-mode data | While your account is active. Purged immediately when you delete it, and within 30 days of account deletion. |
| Voice journals + skin photos | Until you delete them. Purged within 7 days of deletion (including R2 storage and all backups). |
| Bestie chat history | Until you delete it. Purged within 30 days of account deletion. |
| Database point-in-time recovery | Up to 30 days via Cloudflare D1. After account deletion, your data is purged from recovery within this window. |
| Audit log (account-state changes only) | 90 days, then automatically rotated out by a daily job. |
| Worker request logs (IP, path, status) | Held by Cloudflare for short-term observability (typically 7 days). Not used for analytics. We do not export these logs. |
| Subscription & billing records | Held inside Stripe (our payment processor) for the period required by US tax and consumer-protection law (typically up to 7 years). Our own copy of subscription metadata is purged when you delete your account; you may need to contact Stripe directly to remove records they retain for legal compliance. |
| Customer support tickets | 2 years after the ticket is closed. |
| De-identified aggregate analytics | Indefinite. "De-identified" means no row in the analytics database can be re-associated with a specific user. |
11. Your rights
Regardless of where you live, you have the following rights regarding your data. We honor these for all users — not just users in jurisdictions where the law requires it.
11.1 Access + export
You can see everything we store about you from inside the app. To request a machine-readable export (JSON of your account data, cycle logs, and chat history; voice audio + photos delivered as separate downloadable files), email privacy@girlharmony.com from the address tied to your account and include the line "Right to access — please send my data export." We'll email you a secure download link within 30 days (typically within 1–2 business days).
11.2 Delete
Open the app → You → Settings → Delete account. This:
Permanently deletes every row in our database that belongs to your user.
Permanently deletes every voice journal audio file, photo, and Doctor Visit PDF tied to your account.
Revokes every active session immediately.
Initiates removal from our daily and weekly backups within 30 days.
Cannot be undone.
You can also delete your account from outside the app at app.girlharmony.com/delete-account (required by Google Play). If you can't access the app or the web flow, email privacy@girlharmony.com from the address tied to your account and include the line "Right to erasure — please delete my account." We process all deletion requests within 30 days (typically within 1–2 business days).
11.3 Correct
You can edit any data you've logged directly in the app. For account-level corrections (email change, name change), email privacy@girlharmony.com.
11.4 Restrict / object
You can ask us to restrict or object to specific processing (e.g. "don't use my data for anything except the absolute minimum to keep the app running"). Email privacy@girlharmony.com. We'll respond within 30 days.
11.5 Withdraw consent
Any consent you've given (to use Bestie, voice journals, Niddah mode, etc.) can be withdrawn at any time. The fastest paths: turn off the feature in You → Settings (Bestie, Niddah mode, push notifications, voice journals each have their own toggle), or email privacy@girlharmony.com. Withdrawing consent doesn't affect the lawfulness of prior processing.
11.6 Portability
Same as 11.1 — request a JSON export and you'll get every byte of your data in a standard, machine-readable format.
11.7 Lodge a complaint
If you believe we've mishandled your data, please give us a chance to fix it first: email privacy@girlharmony.com. If we don't satisfy you, you can lodge a complaint with your local data protection authority (in the EU/UK), your state attorney general (in the US), or the FTC.
12. Security
In transit: TLS 1.3 (minimum 1.2), HSTS, certificate transparency monitoring.
At rest: AES-256 encryption by every storage backend we use (Cloudflare D1, R2, KV; Clerk; Stripe; Resend).
Authentication: short-lived JWT sessions issued by Clerk, with refresh rotation. Passkeys (WebAuthn) and multi-factor authentication (TOTP, SMS) are available; see Account → Security in the app to enable them.
Audit trail: account-state changes (sign-ups, profile updates, subscription events, billing webhook receipts, and data deletions) are logged on the server side and retained for 90 days. We do not log the contents of your cycle entries or Bestie messages in our audit trail.
Point-in-time recovery: Cloudflare D1 provides 30-day point-in-time recovery for our production database. We do not run a separate long-term backup pipeline; this means that when you delete your account, your data is purged from primary storage immediately and from D1's recovery window within 30 days.
Access control: production access is restricted to named engineers using hardware-backed credentials. All production access is logged.
Bug bounty / responsible disclosure: if you find a vulnerability, please email security@girlharmony.com. We commit to acknowledging within 48 hours and crediting you (if you wish) once the issue is fixed.
What we don't currently offer: end-to-end encryption (where only your device holds the decryption key) is on our roadmap but not yet available. Today, your data is encrypted at rest with keys held by our infrastructure providers, which means our authorized engineers can technically access it when investigating a bug you reported or complying with a legal order (subject to the audit + minimization rules in section 4). When E2EE ships, we'll update this section.
No security system is perfect. If we have a breach that affects your data, we will notify affected users within 72 hours of discovery, in line with GDPR Article 33 and state breach-notification laws.
13. Children's privacy
Girl Harmony is intended for users 13 and older in the United States and 16 and older in the European Economic Area, the United Kingdom, and Canada. The age threshold matches the legal age of digital consent in each jurisdiction.
We do not knowingly collect data from anyone under the applicable minimum age.
If we learn that we have collected data from a child under the applicable age, we will delete it and the associated account immediately.
If you are a parent or guardian and believe your child has signed up without your consent, email privacy@girlharmony.com with the email address used at sign-up and we will delete the account within 7 days.
For users between the minimum age and 18, certain features (Partner Sharing in the future, purchase flows) are restricted or require parental confirmation.
We comply with COPPA (US), the GDPR Art. 8 (EU), and the UK Age Appropriate Design Code (UK).
14. International data transfers
Choclement LLC and our infrastructure are based in the United States. If you use Girl Harmony from outside the US, your data is transferred to and stored on US-based infrastructure.
For users in the EU, UK, and Switzerland, we rely on:
Standard Contractual Clauses (SCCs) approved by the European Commission, between Choclement LLC and each US-based sub-processor.
Where available, the EU-US Data Privacy Framework, the UK Extension to the DPF, and the Swiss-US DPF. Cloudflare, Stripe, Resend, Anthropic, and Sentry are participants in the DPF.
Supplementary technical measures (TLS, AES-256 at rest, access controls) to address concerns raised by Schrems II.
15. California residents (CCPA / CPRA)
California residents have the following rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act):
Right to know. What personal information we collect, the sources, the purposes, and the categories of recipients. The answers are all in this Privacy Policy.
Right to access. A copy of the specific personal information we hold about you, in a portable format.
Right to correct. Inaccurate personal information.
Right to delete. Your personal information.
Right to opt out of sale or sharing. Not applicable — we do not sell or share personal information as defined under the CCPA. We also do not engage in cross-context behavioral advertising.
Right to limit use of sensitive personal information. Your cycle, health, and religious-observance data is sensitive personal information. We only use it to provide the service and as described in this policy. We do not use it for advertising, profiling, or any secondary purpose.
Right to non-discrimination. We will not deny service, charge a different price, or provide a lower-quality service if you exercise any of these rights.
Right to appeal. If we deny a request, you can appeal by replying to our denial email or writing to privacy@girlharmony.com. We'll respond within 45 days.
To exercise any right above, email privacy@girlharmony.com from the email tied to your account. We'll verify your identity using your account email; for highly sensitive requests we may ask for additional verification.
16. Other US state privacy laws
If you reside in Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, or Virginia, you have substantively the same rights as California residents listed in section 15: access, correction, deletion, portability, opt-out of sale/sharing (we do neither), opt-out of profiling for legal-or-similarly-significant decisions (we do not profile), and the right to limit use of sensitive personal information.
To exercise any of these rights, email privacy@girlharmony.com from the address tied to your account.
17. EU / UK residents (GDPR)
For users in the European Economic Area, the United Kingdom, and Switzerland:
Data controller: Choclement LLC, New York, NY, United States.
EU/UK representative: we have not yet appointed an Article 27 representative because we are below the regulatory threshold for mandatory appointment. We will appoint one before our EU/UK user base crosses the 250-employee-equivalent threshold and update this section accordingly.
Your rights: access, rectification, erasure, restriction, portability, objection, withdrawal of consent. See section 11.
Right to lodge a complaint with your supervisory authority. In the EU, your national data protection authority. In the UK, the Information Commissioner's Office (ICO).
Automated decision-making: we do not engage in automated decision-making that produces legal or similarly significant effects on you. Bestie's replies, cycle predictions, and content recommendations are informational only and do not determine access to services, prices, or rights.
18. Not medical advice. Not a medical device.
Girl Harmony is a cycle-tracking and wellness app. It is not a medical device, contraceptive, fertility-planning tool, or diagnostic instrument.
Predictions are statistical estimates based on the data you log. They will sometimes be wrong. Do not use them as the sole basis for any health decision.
Bestie's replies are generated by an AI model. They are not medical advice. They are not a substitute for a conversation with a clinician.
Choclement LLC is not a HIPAA-covered entity. We are not your healthcare provider. If a clinician sends you a Doctor Visit PDF that you generated in the app, the clinician's handling of that PDF is governed by HIPAA (or its local equivalent), not by this policy.
19. Changes to this policy
We update this policy when our practices change. The "Last updated" date at the top reflects the most recent change.
Material changes (anything that meaningfully expands what data we collect, who we share with, or how we use it): we'll send an in-app banner + an email at least 30 days before the change takes effect. If you don't agree, you can delete your account before the new policy takes effect.
Non-material changes (e.g. fixing typos, clarifying existing language, adding a sub-processor that doesn't change our overall posture): posted here with the date updated. No notification.
Archive: previous versions of this policy are available on request — email privacy@girlharmony.com.