Privacy Policy
Effective date: 01 March 2026

This Privacy Policy explains how DOMLAB LTD, doing business as SimplYou ("SimplYou", "we", "us" or "our") collects, uses, stores, and shares personal data when you use our mobile application (from time to time “App”), website and related services (collectively, the "Services").
We wrote this policy with the EU General Data Protection Regulation ("GDPR"), the ePrivacy rules, the UK GDPR/Data Protection Act 2018, and comparable global privacy laws in mind. If local law provides stronger protection, we follow that standard.
If you reside in the EEA/UK/Switzerland, DOMLAB LTD is the "controller" of your personal data unless stated otherwise.

Key points (summary)
  • We do not sell your personal data.
  • We process health-related data only with your explicit consent and for providing the Services.
  • Your conversations with our AI agent are stored for up to 7 days and then deleted (subject to limited backup retention).
  • We do not share your health data for advertising.
You can access, correct, export, or delete your data and withdraw consent at any time by contacting us via email: services@simplyou.ai

1. What SimplYou does
SimplYou is an AI-powered companion designed to support women during perimenopause, menopause, and postmenopause. The Services may include:
  • Answers to questions directly or indirectly related to perimenopause/menopause across five areas: psychology, gynecology, nutrition, rest/sleep, and physical activity.
  • Symptom tracking and analysis to help reduce anxiety and provide educational guidance on whether a pattern of symptoms may be within a typical range, whether additional medical attention may be appropriate, or whether you should seek urgent medical care.
  • Resource support (dialogues and techniques inspired by Neuro-Linguistic Programming (NLP)) intended to help reduce stress and anxiety and to support motivation and energy.
Important: SimplYou is not a medical device, does not provide medical advice, diagnosis, or treatment, and does not replace a qualified healthcare professional. If you think you may have a medical emergency, contact emergency services immediately.

2. Definitions
Personal data: Any information relating to an identified or identifiable natural person.
Sensitive / special category data: Health-related data and other categories protected under applicable law (e.g., GDPR Article 9).
Processing: Any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.
Controller / Processor: Terms used under GDPR for the entity deciding purposes and means of processing (controller) and the service providers processing data on the controller’s behalf (processors).

3. Personal data we collect
3.1 Data you provide to us
  • Account and profile data: name or nickname, email address, password (stored in hashed form), age range or birth month/year, country, language and time zone.
  • Health and wellbeing data (sensitive): symptoms, mood and wellbeing check-ins, sleep/rest inputs, nutrition-related inputs, physical activity notes, gynecology-related inputs you choose to share, medications and supplements you choose to log, and any free-text notes you add.
  • AI conversations: messages you send to the AI agent and the agent’s responses (including text or voice transcripts where you use voice).
  • Support communications: messages to customer support, feedback, surveys, and reviews.
3.2 Data we collect automatically
  • Device and technical data: device model, operating system and version, app version, language settings, identifiers (such as device identifiers and advertising identifiers where permitted), IP address and approximate location derived from IP (we do not collect your precise GPS location unless you explicitly enable it).
  • Usage data: how you interact with the Services (e.g., screens viewed, features used, taps, session timestamps), crash logs and diagnostic data.
  • Cookies/SDK data: information collected via cookies on our website and via SDKs in the app (see Section 10).
3.3 Data from other sources
We may receive limited information from:
  • App stores (Apple App Store / Google Play) for purchase confirmations and subscription status (we do not receive full payment card details).
  • Third-party sign-in providers (if you choose to use them) to help you log in.
  • Advertising and analytics sources (through Firebase), where you provide consent, to help us measure the effectiveness of our marketing campaigns.
3.4 Optional third-party health integrations
If you choose to connect third-party health services (for example, Apple HealthKit or Google Health Connect), we will import only the data you authorize. Such data is used solely to provide and improve the Services (e.g., to reduce manual logging). We do not use data received from Apple HealthKit or Google Health Connect for advertising and we do not sell it to advertising platforms, data brokers, or resellers.

4. How we use your personal data
We use personal data for the following purposes:
Provide and maintain the Services. Create and manage your account; deliver AI-powered conversations; provide symptom tracking, insights and educational content; send reminders and notifications you configure.
Safety and wellbeing signposting. Detect patterns that may indicate you should seek medical attention and provide educational prompts and safety messages (without diagnosing you).
Improve and develop the Services. Fix bugs, monitor performance, conduct analytics, and improve content and AI prompts and workflows.
Customer support. Respond to requests, troubleshoot issues and communicate with you.
Security and fraud prevention. Protect the Services, prevent abuse, enforce our Terms, and maintain system security.
Marketing (with your consent where required). Send product updates, offers, and measure advertising performance via Firebase; run campaigns via Google Ads, Apple Search Ads (ASO), and social media advertising platforms.
Legal compliance. Comply with applicable laws, respond to lawful requests, and establish, exercise or defend legal claims.

5. Legal bases for processing
If you are located in the EEA/UK/Switzerland, we rely on the following legal bases under GDPR/UK GDPR (and similar bases elsewhere):
  • Contract: to provide the Services you request (e.g., creating your account, delivering features).
  • Consent: for processing sensitive health data, for non-essential cookies/SDKs, and for marketing where required.
  • Legitimate interests: to secure and improve our Services, prevent fraud, and provide customer support (balanced against your rights).
  • Legal obligation: to comply with laws (e.g., accounting, tax, responding to lawful requests).
Sensitive (health) data: where required, we process health-related data only with your explicit consent. You can withdraw consent at any time in by contacting us services@simplyou.ai. Withdrawing consent does not affect processing already performed, but it will stop further processing for the withdrawn purpose.
Below, we describe the purposes for which we process your personal data and our lawful bases for
doing so, including some basic examples:

To support the App’s features, including tailored content, insights and materials in the App, we use the personal data you provide within the App; machine learning models for cycle predictions; the Services you choose to use (e.g. your selected mode) and the App features you interact with; information from connected third-party services (like Apple HealthKit and Google Health Connect); and certain information provided in onboarding questionnaires.


Consent

We use your cycle data to predict future cycles or ovulation, analyse your personal data to offer new features and Services, and suggest articles or materials (e.g., stories, AI assistant) for you to read.

We also customize product and service recommendations and cycle date notifications to you, such as through emails or push notifications. We may also contact you about third-party products and offers.


Consent

We may offer you a discount for SimplYou.

We process transactions and send related information, including confirmations and reminders about your subscription, for account management reasons and other administrative purposes.


Consent

We use your device data to send reminders, like push notifications, if your subscription has expired or is about to expire. If applicable, we may also email you your invoice.

To respond to your comments, questions, requests and to provide you with customer service.

Legitimate interest

We use your name and email to respond to your support request or to contact you about a specific question or issue you’ve raised.

To review App content, feedback and complaints to ensure the App’s clinical safety and medical accuracy.


Legitimate interest

We use your name and email to review support requests that need our medical team’s attention.

To send you technical notices and updates; security alerts, ensure the safety of our App and investigate incidents; support and administrative messages; and customer satisfaction surveys.


Legitimate interest

To request that you update your App to ensure you have access to the latest features.

To enhance your user experience and connect data between the Website and App during the onboarding process.

Legitimate interest

When you sign up for the Services on the Website, we may use a third party deeplinking service, to help us identify you as an existing member when you download the App.


To monitor and analyse trends, usage and activities in connection with our App.


Legitimate interest

Legitimate interest

Promotional communications regarding our Services.

Consent

If you give your consent and we use your personal data, we can post your review or comment on our Website.


To enable you to participate in surveys and promotions.

Consent

If we ask you to participate in a survey or promotion, we use your name, survey responses and any other content (e.g. testimonial videos) that you provide for product improvement and marketing purposes. We may give you a gift for participating in the survey or promotion, so will process your contact details to provide you with this gift.


Promote SimolYou by improving how our advertising and campaigns perform

Consent

We use some technical identifiers to help us understand which advertisements are effective and where our users are coming from. This allows us to improve how SimplYou is promoted. The personal data we use for this purpose does not include health data.


Sign up to SimplYou through SimplYou’s commercial partner offerings

Contract

If you sign up to SimplYou through a SimplYou partner offer, we’ll use unique identifiers to verify that you are a subscriber to the partner’s service.


6. AI agent, voice features, and chat retention
6.1 AI processing
To provide AI-powered conversations and certain insights, we use service providers, including OpenAI (for language model processing). If you use voice features, we use ElevenLabs to process audio inputs/outputs and generate voice responses. We send to these providers only the data necessary to provide the feature (for example, your message content, relevant context you choose to share, and technical metadata).

6.2 Chat retention (7 days)
We store your AI agent conversations (including voice transcripts where applicable) associated with your account for up to 7 days. After this period, we delete them from our primary systems. Limited copies may remain in encrypted backups for a short period (typically up to 30–90 days) before they are overwritten.
You can also delete your account at any time. Account deletion will initiate deletion of your personal data from our active systems, subject to the retention exceptions described in Section 11.

7. How we share your personal data
We do not sell your personal data. We may share your personal data in the following situations:
  • Payments and subscription processing (handled by Apple/Google as independent controllers).
  • Customer communications and support tooling.
  • Analytics and crash reporting.
  • Voice processing (speech-to-speech / text-to-speech where you enable voice).
  • AI processing and safety services.
  • Infrastructure and hosting (including database services).
Examples of categories:
Depending on the features you use, we may engage service providers to help us operate the Services (for example: infrastructure and hosting, databases, analytics, crash reporting, email delivery, push notifications, customer support tooling, and fraud/security monitoring). We list key providers in this policy and may update this list from time to time.

7.1 Types of service providers we may use
Service providers (processors). We use vendors that help us operate the Services, such as database and hosting (Supabase), AI processing (OpenAI), voice processing (ElevenLabs), and analytics/marketing measurement (Firebase). They process personal data under our instructions and contractual safeguards.
Supabase storage: We store your app data in a Supabase-hosted database. Where feasible, we separate direct identifiers (such as email) from health entries and link them using an internal user ID. This is a security and privacy measure (pseudonymization), but the data may still be considered personal data under applicable law.
Firebase. When you become a SimplYou member and give your consent, we share the following personal data with Firebase and connected Google services partners to promote the Services: 
  • technical identifiers: IP address (which may also reveal general location information), Android ID or Google advertising ID (in Android devices), IDFA (for iOS devices), and other similar unique technical identifiers;
  • your subscription status; 
  • information about App usage, such as the fact that you launched the App; and 
  • your advertising identifier if you provide your consent on the settings of your device. 
SimplYou sends your personal data to Firebase, which analyses it and provides us reports and insights on how to optimise our promotional campaigns.
At the same time, your personal data is shared with linked services (e.g. Google Ads, Google Analytics, and Google Play). Linking this information helps us to enhance our app’s functionality, understand how well our marketing efforts are working, and allows us to create targeted campaigns to show you more relevant ads.
Read more about how Firebase and linked services work here. 
Withdrawing your consent: You can withdraw your consent or opt out from the sharing of your personal data with Firebase in accordance with this subsection anytime by adjusting your device settings. You can opt out of receiving push notifications by adjusting your settings on your device at any time.

App stores and payment providers. Apple and Google process payments and subscriptions as independent controllers. We receive limited transaction metadata (e.g., subscription status).
Advertising platforms. We run advertising campaigns (Google Ads, app store optimization/Apple Search Ads, and social media ads). Measurement and attribution is performed via Firebase and may involve sharing limited device identifiers and event data when you provide consent. We do not share your health data for advertising.
Legal and safety reasons. We may disclose data if required by law, in response to lawful requests, or to protect rights, safety and security of users and the Services.
Business transfers. If we are involved in a merger, acquisition, financing, reorganization, bankruptcy or sale of assets, personal data may be transferred as part of that transaction, subject to applicable law and notices.
De-identified and aggregated data: We may create aggregated or de-identified datasets (where feasible) for analytics, research and product improvement. We do not attempt to re-identify de-identified data unless required by law.
Apple’s AppTrackingTransparency (ATT). In addition to Farebase, for iOS devices, we may use Apple’s ATT tool to help us improve our advertising and help more people discover SimplYou’s Services. If you choose to allow tracking, Apple will ask whether you would like to share your device’s advertising ID (sometimes referred to as a IDFA), and details like your age group, subscription status and the fact you launched the SimplYou App. Please be aware, we do not share your health data with third parties for advertising purposes, and you can change your consent for ATT any time in your phone settings or SimplYou’s consent settings in the App. 

8. International data transfers
Our service providers may process personal data outside your country, including outside the EEA/UK/Switzerland. When we transfer personal data internationally, we use appropriate safeguards, such as the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum/IDTA, and we implement supplementary measures where necessary.
You can request a copy of relevant transfer safeguards by contacting us (redactions may apply).

9. Security
We implement reasonable technical and organizational measures designed to protect personal data, including:
  • Encryption in transit and at rest for sensitive data where appropriate.
  • Access controls, least-privilege principles, and multi-factor authentication for administrative access.
  • Monitoring, logging, vulnerability management, and incident response procedures.
  • Vendor due diligence and data processing agreements with processors.
No method of transmission or storage is 100% secure. If we become aware of a security incident that affects your personal data, we will take reasonable steps to investigate and notify you and/or regulators when required by law.

10. Cookies, SDKs, and advertising controls
We use cookies on our website and SDKs in our mobile app to operate the Services, understand usage, measure performance, and (with your consent where required) measure marketing campaigns. We categorize these technologies as strictly necessary, performance/analytics, and marketing.
Marketing measurement is performed through Firebase. If you consent, Firebase may collect or receive identifiers such as IP address, Android Advertising ID (GAID) or Apple Identifier for Advertisers (IDFA), and app events (for example, first app open) to help us understand which campaigns are effective.
Firebase is our primary and only marketing measurement/attribution partner. Where you consent and where legally permitted, Firebase may share limited identifiers and event data with connected Google services (such as Google Ads) to help us measure campaign performance. We do not share your health data for advertising purposes.
You can withdraw or adjust consent at any time in the in-app consent settings and/or your device settings. You can also limit advertising identifiers in your device settings.
Apple AppTrackingTransparency (ATT): On iOS, Apple may ask whether you allow tracking across apps and websites owned by other companies. If you deny permission, we will not access IDFA for advertising measurement.

11. Data retention
We keep personal data only as long as necessary for the purposes described in this policy, unless a longer period is required or permitted by law.
Typical retention periods:
  • Account and profile data: for the life of your account; deleted or anonymized after account deletion (subject to backups and legal obligations).
  • Deactivated accounts: if you deactivate your account (where available), we may retain your account data for up to 30 days to allow reactivation, after which we delete or anonymize it unless we must keep it for legal reasons.
  • Health and wellbeing data: until you delete it or delete your account.
  • AI conversations: stored up to 7 days (Section 6.2).
  • Support communications: typically up to 36 months after resolution.
  • Transaction records: retained as required by tax/accounting rules (often 7–10 years depending on jurisdiction).
  • Consent logs: retained as needed to demonstrate compliance.

12. Your privacy rights
Depending on where you live, you may have rights to access, correct, delete, or export your personal data; to restrict or object to certain processing; and to withdraw consent at any time.
EEA/UK/Switzerland (GDPR/UK GDPR) – your rights include:
  • Access: obtain confirmation of whether we process your data and receive a copy.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: delete your data in certain circumstances.
  • Restriction: limit processing in certain circumstances.
  • Portability: receive your data in a structured, commonly used format.
  • Objection: object to processing based on legitimate interests, including direct marketing.
  • Withdraw consent: for processing based on consent, at any time.
  • Complain: lodge a complaint with your local data protection authority.
Marketing choices: You can opt out of marketing emails at any time using the unsubscribe link in an email, and you can turn off marketing push notifications in your device settings (and, where available, in-app settings).
Authorized agents: Where permitted by law, you may use an authorized agent to submit privacy requests on your behalf. We may request proof of authorization and may also require you to verify your identity directly.
We may refuse or charge a reasonable fee for requests that are manifestly unfounded or excessive, as permitted by law.
You can request to delete your account in the app Settings (where available). After deletion, your identifiers are removed from active systems and your remaining data is deleted or anonymized. Deletion from backup systems may take up to 90 days. Once the deletion process begins, it cannot be undone.
If we need more time to action your request, we will let you know and explain the reason for the delay. Please be aware that once the deletion process begins, it can’t be undone. This is because your personal identifiers are immediately unlinked from your App information, which means we can no longer identify you, even if some data temporarily remains in our backup systems.
Your consent is required for us to use your health data. You can withdraw this consent at any time by either contacting us or deleting your account through the App. 
To exercise your rights, contact us (see Section 16). We may need to verify your identity. We typically respond within one month, but this can be extended for complex requests as permitted by law.

13. Automated decision-making and profiling
We may use limited profiling to personalize reminders, content, and educational insights. We do not make solely automated decisions that produce legal or similarly significant effects about you without an appropriate lawful basis (such as your explicit consent) where required by law.

14. Children
Our Services are not directed to children. You must be at least 13 years old to use the Services. If you are in the EEA, UK, or Canada, you must be at least 16 years old. If we learn that we have collected personal data from a child in violation of applicable law, we will take steps to delete it.

15. Additional U.S. State Disclosures
If you are a resident of certain U.S. states, you may have additional rights regarding your personal information. The categories below describe how we collect and use data (categories may overlap):

15.1 Categories of personal data (examples)
  • Identifiers: name, email, online identifiers, IP address, device identifiers.
  • Protected characteristics: age range; gender if you choose to provide it.
  • Commercial information: subscription status and purchase history.
  • Internet/electronic activity: app interactions and advertising/attribution events.
  • Geolocation data: approximate location derived from IP address.
  • Sensitive data: health and wellbeing information you choose to input.

15.2 Purposes and disclosures
We collect and use the categories above to provide and improve the Services, communicate with you, conduct analytics, provide customer support, ensure security, comply with law, and (with consent where required) measure and optimize marketing campaigns. We disclose these categories to service providers and partners described in Section 7.

15.3 Sharing for cross-context behavioral advertising
We may share certain non-health information (such as identifiers and internet/electronic activity data) for marketing measurement and audience building via Firebase and connected advertising platforms, where permitted by law and where you provide consent when required. We do not share your health data for these purposes.
If applicable, you may have the right to opt out of such sharing. You can do so via in-app consent settings, your device advertising settings, or by contacting us.

15.4 California 'Shine the Light'
We do not disclose personal information to third parties for their own direct marketing purposes within the meaning of California Civil Code §1798.83.

16. Additional information.
If your request is unclear, we might reach out to you for clarification. We may also refuse or charge a reasonable fee for requests that are clearly unfounded and/or excessive.
To process your request, we’ll need to verify your identity. Usually, this involves confirming that the request is coming from the email you used to register. If you haven’t registered, we may ask you for additional verification to ensure we respond appropriately. 
Depending on local laws, you may have the right to lodge a complaint with your local data protection authority about any of our activities. If you have any concerns about our privacy practices, please let us know by emailing our support team in accordance with Art 16 below.

16.1 Contact us
Support: support@simplyou.ai | Privacy: info@simplyou.ai | Website: https://simplyou.ai
If you would like to contact our Data Protection Officer (if appointed) or request EU/UK representative details (where applicable), please email info@simplyou.ai.

17. Changes to this policy
We may update this Privacy Policy from time to time. If changes are material, we will notify you through the Services or by email. The 'Effective date' at the top indicates when this policy was last updated.
We use cookies to provide the best site experience.
Ok, don't show again