Privacy Policy
Last updated: April 2026
1. Introduction
Lylac Health ("we," "us," "our," or "the Company") operates the Lylac Health application and associated services (collectively, the "Platform"). Lylac Health is a women's health technology company dedicated to providing vaginal pH tracking, AI-powered health education, menstrual cycle monitoring, and a curated product marketplace.
This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information and protected health information ("PHI") when you use our Platform. It applies to all users of our web application, mobile applications (Android and iOS), and any related services.
We are committed to protecting the privacy and security of your health data. We comply with the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA), as applicable to your jurisdiction.
Key Principle: Your health data belongs to you. We process it only to provide you with health insights and services you have explicitly consented to. We do not sell your personal information or health data to any third party.
2. Information We Collect
2.1 Account Data
When you register for an account, we collect:
- Email address — used for account authentication, password recovery, and optional notifications
- Full name — used for personalization and study identification
- Age — used to provide age-appropriate health information and ensure compliance with age restrictions
- Location (city/region) — used for research demographics and localized product availability
2.2 Health Data
The following categories of health information are collected when you actively log entries:
- Vaginal pH readings — numeric values (3.0–7.0) logged via the daily health form
- Menstrual cycle data — period start/end dates, flow levels (spotting, light, moderate, heavy), cycle length
- Sexual activity data — whether vaginal sex occurred, and whether protection was used (protected/unprotected)
- Symptoms — self-reported symptoms including discharge, odor, itching, discomfort, cramps, bloating, fatigue, and headache
- Non-period bleeding — spotting or bleeding events occurring outside menstruation
- Free-text notes — optional additional context you choose to record
Sensitive Health Data: Sexual activity data and vaginal health data are classified as sensitive personal data and special category data under GDPR Article 9. We process this data solely on the basis of your explicit consent and for the purpose of providing health monitoring services.
2.3 Usage Data
- Chat messages — conversations with the AI health assistant (stored locally for conversation continuity)
- Product click events — which marketplace products you view or click (for recommendations and affiliate tracking)
- Timestamps — when you log entries, send messages, or interact with the Platform
- Session data — login times, session duration, pages visited
2.4 Device Data
When using our mobile application with on-device AI features, the application reads the following from your device:
- Device type and model — to determine AI model compatibility
- Operating system and version — for compatibility and security updates
- Available RAM — to select the appropriate AI model size for on-device processing
This device data is used only on the device itself, to select and run the on-device AI model. It is not transmitted to our servers.
2.5 Cookies and Session Data
We use strictly functional session cookies to maintain your authenticated session. See Section 12 for full details.
3. How We Use Your Information
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Provide pH insights and health tracking | pH readings, symptoms, menstrual data | Consent (Art. 6(1)(a), Art. 9(2)(a)) |
| AI-powered health education | Chat messages, pH history, cycle data | Consent |
| Product recommendations | pH status, symptoms, product clicks | Consent (Art. 9(2)(a)) where pH status or symptoms are used; legitimate interest (Art. 6(1)(f)) for click-history-only recommendations |
| Research (de-identified only) | Anonymized health metrics, demographics | Consent (separate research consent) |
| Account management and security | Email, name, session data | Contract performance (Art. 6(1)(b)) |
| Cycle prediction and period tracking | Menstrual dates, cycle history | Consent |
| Affiliate product tracking | Product click events (no health data) | Legitimate interest |
AI Processing: Our AI health assistant uses open-weight language models served by Ollama, a local inference runtime. Your health data is processed either on our self-hosted infrastructure or on your device. It is never transmitted to external AI services such as OpenAI, Google, or any cloud-based language model provider.
4. On-Device AI Processing
4.1 How On-Device AI Works
Lylac Health utilizes an on-device AI model for certain health insights and chat interactions. This means:
- The AI model files are downloaded and stored in the application's private directory on your device
- Health data processed by the on-device AI never leaves your phone
- AI inference (generating responses and insights) occurs entirely on your device's processor
- No internet connection is required for on-device AI features once the model is downloaded
4.2 Data Isolation
Data processed on-device is isolated from our servers:
- On-device chat conversations are stored only in the app's local SQLite database
- The AI model cannot access data outside the application sandbox
- Model files are stored in the app-private directory and are not accessible to other applications
- If you uninstall the application, the operating system removes the app-private directory, including the model files and the local database. Any copy of that directory held in a device-level backup is governed by your device's backup settings rather than by us.
4.3 No External AI Services
We do not send any of the following to external AI services:
- Your pH readings or health measurements
- Your menstrual cycle or sexual activity data
- Your chat messages or conversation history
- Your symptoms or medical notes
- Any personally identifiable information
Transparency: Our server-side AI (used for weekly insights when connected) runs on our own self-hosted Ollama instance. This is not a cloud AI service. It operates on infrastructure we directly control, with no data shared with third-party AI providers.
5. HIPAA Compliance
Lylac Health treats all health-related information collected through the Platform as Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act. We maintain the following safeguards:
5.1 Technical Safeguards
- Encryption at rest: An application-level AES-256 encryption layer protects sensitive health data fields. The platform refuses to start in production unless an encryption key is configured. The list of fields covered by this layer is finalized before live participant enrollment.
- Encryption in transit: All production communications between your device and our servers use modern TLS, enforced at the network edge.
- Secure sessions: Authentication uses cryptographically signed, server-side sessions with HTTP-only, secure, same-site cookies and a 24-hour idle timeout.
- Password security: Passwords are stored only as a salted, adaptive one-way hash (bcrypt). Plaintext passwords are never written to logs or shared with any third party.
- Audit logging: Security-relevant events (login, logout, profile changes, exports, deletions, consent changes, detected incidents) are recorded with the user, timestamp, action, IP address, and user agent. Audit entries are not user-editable through any application route; an external write-once destination is planned for production.
- Breach detection: Automated monitoring detects suspicious access patterns including brute-force attempts, mass data exports, excessive record access, and off-hours activity.
- Automatic session termination: Sessions expire after 24 hours of inactivity.
- Unique user identification: Each user has a unique identifier; shared accounts are prohibited.
5.2 Administrative Safeguards
- Access controls: Role-based access control (RBAC) with distinct participant and researcher/admin roles
- Minimum necessary standard: Researchers work with de-identified data. Access to an individual's PHI is limited to what is necessary for a documented, legitimate purpose.
- De-identification for research: Research data exports remove all 18 identifiers listed in the HIPAA Safe Harbor method (45 CFR 164.514(b)(2)), including names, email addresses, geographic subdivisions smaller than a state, and all date elements other than year, before export.
- Workforce training: All personnel with access to PHI receive privacy and security training
- Privacy Officer: A designated Privacy Officer oversees HIPAA compliance
- Sanction policy: Violations of privacy policies result in disciplinary action
5.3 Physical Safeguards
- Self-hosted infrastructure: Our database and AI systems run on self-hosted servers under our direct physical control
- No third-party cloud storage of PHI: Health data is not stored on AWS, Google Cloud, Azure, or any third-party cloud service
- Facility access controls: Physical access to server infrastructure is restricted to authorized personnel
- Device and media controls: Procedures for hardware disposal ensure PHI is properly destroyed
5.4 Business Associate Agreements
Currently, no third party has access to your health data. The transactional email service we use receives only your email address and the body of administrative messages (account verification, password reset, breach notifications); it never receives health data. A signed Business Associate Agreement with the production email provider will be in place before the email pathway is switched from its current development configuration to production.
5.5 Breach Detection and Notification
We operate an automated breach detection system that continuously monitors for suspicious activity, including brute-force login attempts, mass data exports, excessive record access, and unusual off-hours access patterns. Detected incidents are automatically logged and escalated to our privacy team.
In the event of a breach of unsecured PHI:
- Our automated system detects and logs potential breaches in real-time
- We will notify affected individuals without unreasonable delay and no later than 60 days after discovering the breach
- Notification will be provided via email to your registered email address and prominently posted on our Platform
- If the breach affects 500 or more individuals, we will notify the U.S. Department of Health and Human Services (HHS) within the same 60-day period; if it affects more than 500 residents of a state or jurisdiction, we will also notify prominent media outlets serving that area, as required by law
- The notification will include: a description of the breach, the types of information involved, steps you should take to protect yourself, what we are doing to investigate and mitigate the breach, and contact information for further questions
6. GDPR Compliance (EU/EEA Residents)
If you are located in the European Union, European Economic Area, or the United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR apply to our processing of your personal data.
6.1 Legal Basis for Processing
| Processing Activity | Legal Basis |
|---|---|
| Health data collection and tracking | Explicit consent (Art. 9(2)(a)) |
| Account creation and management | Performance of contract (Art. 6(1)(b)) |
| AI health insights | Explicit consent (Art. 9(2)(a)) |
| Product recommendations | Explicit consent (Art. 9(2)(a)) where pH status or symptoms are used; legitimate interest (Art. 6(1)(f)) for click-history-only recommendations |
| De-identified research | Explicit consent (Art. 9(2)(a)) |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
6.2 Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of Access (Art. 15): You may request a copy of all personal data we hold about you. You can do this through your Profile settings or by contacting us.
- Right to Rectification (Art. 16): You may correct inaccurate personal data via your Profile page or by contacting us.
- Right to Erasure (Art. 17): You may request deletion of your account and all associated data. This is available through your Profile settings ("Delete My Account") or by contacting our DPO.
- Right to Data Portability (Art. 20): You may export all your data in a machine-readable format (CSV). This is available through your Profile settings ("Export My Data").
- Right to Restriction of Processing (Art. 18): You may request that we limit how we process your data while a dispute is being resolved.
- Right to Object (Art. 21): You may object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right to Withdraw Consent (Art. 7(3)): You may withdraw consent at any time through your consent management settings. Withdrawal does not affect the lawfulness of processing performed prior to withdrawal.
6.3 Data Protection Officer
Our Data Protection Officer can be contacted at:
- Email: dpo@lylachealth.com
- Subject line: "GDPR Request — [Your Name]"
We will respond to all GDPR requests within 30 days. If we require additional time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period.
All GDPR data subject requests are tracked in our automated request management system with a 30-day SLA countdown. You can submit requests directly through the Platform (Privacy Settings) and track their status.
6.4 How to Exercise Your Rights
- In-app: Navigate to Profile > Privacy Settings to access data export, deletion, and consent management
- By email: Send your request to dpo@lylachealth.com with proof of identity
- We will verify your identity before processing any request
6.5 Cross-Border Data Transfers
Our servers are self-hosted and your data is stored in the jurisdiction where our infrastructure is located. If data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Your explicit consent for specific transfers where no other mechanism applies
6.6 Data Retention Periods
See Section 9: Data Retention for specific retention periods for each data category.
6.7 Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local Data Protection Supervisory Authority. A list of EU supervisory authorities is available at edpb.europa.eu.
7. CCPA Compliance (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information.
7.1 Categories of Personal Information Collected
| Category (per Cal. Civ. Code 1798.140) | Examples | Collected |
|---|---|---|
| A. Identifiers | Name, email address | Yes |
| B. Personal information (Cal. Civ. Code 1798.80(e)) | Name, age | Yes |
| C. Protected classification characteristics | Age, sex/gender (implied by app purpose) | Yes |
| E. Biometric information | N/A | No |
| D. Commercial information | Product click history | Yes |
| F. Internet/network activity | Session data, pages visited | Yes |
| G. Geolocation data | City/region (user-provided, not GPS) | Yes |
| H. Sensory data | N/A | No |
| I. Professional/employment information | N/A | No |
| J. Non-public education information | N/A | No |
| K. Inferences | Health status inferences from pH data | Yes |
| L. Sensitive personal information | Health data, sexual activity data | Yes |
7.2 Your Rights Under CCPA/CPRA
- Right to Know (Sec. 1798.100): You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you in the preceding 12 months.
- Right to Delete (Sec. 1798.105): You have the right to request deletion of your personal information. You can exercise this right via Profile > Delete My Account or by contacting us.
- Right to Correct (Sec. 1798.106): You have the right to request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing (Sec. 1798.120): You have the right to opt out of the sale or sharing of your personal information. We do not sell or share your personal information with third parties for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information (Sec. 1798.121): You may direct us to limit use of sensitive personal information to purposes necessary to provide the services.
- Right to Non-Discrimination (Sec. 1798.125): We will not discriminate against you for exercising any of your CCPA rights. You will not receive a different level of service or pricing for exercising your rights.
7.3 We Do Not Sell Your Data
Lylac Health does not sell, rent, or trade your personal information or health data to any third party. We do not share personal information for cross-context behavioral advertising. This includes your health data, sexual activity data, and any other sensitive information.
7.4 How to Submit a Verifiable Consumer Request
To exercise your CCPA rights, you may:
- In-app: Use the privacy controls in Profile > Privacy Settings
- By email: Send a request to privacy@lylachealth.com
To verify your identity, we will:
- Match information you provide with information we have on file
- Ask you to verify your account email via a confirmation link
- For deletion requests involving sensitive data, require two-factor verification
You may designate an authorized agent to submit a request on your behalf by providing written authorization and proof of the agent's identity.
We will respond to verifiable consumer requests within 45 days. If we need additional time (up to 45 additional days), we will notify you in writing.
7.5 Financial Incentive Notice
We do not offer financial incentives or price differences in exchange for the retention or collection of personal information. Participation in our research study is voluntary and does not constitute a financial incentive under the CCPA.
8. Data Security
We implement industry-standard technical and organizational measures to protect your personal information and health data.
8.1 Encryption
- At rest: An application-level AES-256 encryption layer protects sensitive fields. Production deployment requires an externally supplied encryption key; the platform refuses to start without it.
- In transit: All production network communications use modern TLS, enforced at the network edge.
- Passwords: Stored only as a salted, adaptive one-way bcrypt hash. Plaintext passwords are never written to logs or sent to any third party.
- Sessions: Server-side, with cryptographically signed, time-limited cookies (HTTP-only, secure, same-site).
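The following Go program is an added illustration of the encryption-at-rest layer described in Sections 5.1 and 8.1; it is example code written for this page, not Lylac Health's own implementation. It applies AES-256-GCM per field, binds the column name into the ciphertext as additional authenticated data, and fails at startup when no key is present. The environment variable name LYLAC_FIELD_KEY, the hex key format, the column names, and the base64 storage encoding are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
)

// KeyEnv is an assumed variable name; the policy says only that production
// will not start without a configured key.
const KeyEnv = "LYLAC_FIELD_KEY"

// ErrNoKey is the startup failure the policy describes.
var ErrNoKey = errors.New("field encryption key not configured; refusing to start")

// ParseKey accepts the key as 64 hex characters and returns 32 raw bytes for AES-256.
func ParseKey(hexKey string) ([]byte, error) {
	if hexKey == "" {
		return nil, ErrNoKey
	}
	key, err := hex.DecodeString(hexKey)
	if err != nil || len(key) != 32 {
		return nil, errors.New("field encryption key must be 32 bytes given as 64 hex characters")
	}
	return key, nil
}

// FieldCipher encrypts one database field at a time with AES-256-GCM.
type FieldCipher struct{ aead cipher.AEAD }

func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// Encrypt returns base64(nonce || ciphertext || tag) for storage. The column
// name is passed as additional authenticated data, so a value copied into a
// different column fails authentication instead of decrypting.
func (f *FieldCipher) Encrypt(column, plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := f.aead.Seal(nonce, nonce, []byte(plaintext), []byte(column))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt reverses Encrypt and refuses anything that does not authenticate.
func (f *FieldCipher) Decrypt(column, stored string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	n := f.aead.NonceSize()
	if len(sealed) < n+f.aead.Overhead() {
		return "", errors.New("stored value too short")
	}
	plain, err := f.aead.Open(nil, sealed[:n], sealed[n:], []byte(column))
	if err != nil {
		return "", errors.New("field failed authentication: tampered, wrong key, or wrong column")
	}
	return string(plain), nil
}

func main() {
	key, err := ParseKey(os.Getenv(KeyEnv))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1) // production behaviour: do not start without a key
	}
	fc, err := NewFieldCipher(key)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	stored, _ := fc.Encrypt("ph_reading", "4.2")
	fmt.Println("stored:   ", stored)
	value, _ := fc.Decrypt("ph_reading", stored)
	fmt.Println("read back:", value)
}
```

Run it with LYLAC_FIELD_KEY set to 64 hex characters (for example the output of `openssl rand -hex 32`); without the variable the program exits with the startup error, which is the production behaviour the policy describes. Binding the column name means a ciphertext moved from one column to another fails authentication rather than silently decrypting, and the random nonce means two encryptions of the same reading produce different stored values.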
8.2 Access Controls and Audit Logging
- Two roles with distinct permissions: participant and researcher/administrator. Participants can read and write only their own data.
- Audit logging of security-relevant events: registration, login (successful and failed), logout, profile changes, password reset, consent grants and revocations, study enrollment and withdrawal, data exports, account deletion, and detected incidents.
- Audit entries include: timestamp, account identifier, action, IP address, user-agent string, resource type, and resource identifier.
- Audit entries are not user-editable through any application route. A separate write-once destination is planned for production.
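The following Go program is an added example, written for this page rather than taken from the Platform, of how the four patterns named in Sections 5.1 and 5.5 (brute force, mass export, excessive record access, off-hours activity) can be detected from the audit fields listed in Section 8.2. The thresholds, the action names, the Role field, the sample accounts and addresses, and the batch of audit entries are all constructed for the example; the policy does not publish its production values.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// AuditEntry carries the fields Section 8.2 lists for each record. Role is an
// assumption (looked up from the account), not one of the listed fields.
type AuditEntry struct {
	At                  time.Time
	Account, Role       string // account identifier (never the email) and its role
	Action, IP          string // e.g. login_failed, data_export, record_read
	UserAgent, Resource string
}

// Finding is one detected pattern to escalate to the privacy team.
type Finding struct{ Rule, Subject string; Count int }

// Thresholds are constructed for this example; the policy does not publish
// production values.
const (
	bruteForceWindow, bruteForceLimit = 10 * time.Minute, 5
	exportWindow, exportLimit         = time.Hour, 3
	recordWindow, recordLimit         = time.Hour, 20
	offHoursStart, offHoursEnd        = 23, 6 // researcher activity 23:00-05:59 is unusual
)

// windowPeaks groups entries with the given action by key and returns, per
// key, the largest number of events falling inside one sliding window.
func windowPeaks(entries []AuditEntry, action string, window time.Duration, key func(AuditEntry) string) map[string]int {
	times := map[string][]time.Time{}
	for _, e := range entries {
		if e.Action == action {
			times[key(e)] = append(times[key(e)], e.At)
		}
	}
	peaks := map[string]int{}
	for k, ts := range times {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		start := 0
		for end := range ts {
			for ts[end].Sub(ts[start]) > window {
				start++
			}
			if n := end - start + 1; n > peaks[k] {
				peaks[k] = n
			}
		}
	}
	return peaks
}

// Detect runs the four rules named in Sections 5.1 and 5.5 over one batch.
func Detect(entries []AuditEntry) []Finding {
	byIP := func(e AuditEntry) string { return e.IP }
	byAccount := func(e AuditEntry) string { return e.Account }
	var out []Finding
	emit := func(rule string, peaks map[string]int, limit int) {
		for subject, n := range peaks {
			if n >= limit {
				out = append(out, Finding{rule, subject, n})
			}
		}
	}
	emit("brute_force", windowPeaks(entries, "login_failed", bruteForceWindow, byIP), bruteForceLimit)
	emit("mass_export", windowPeaks(entries, "data_export", exportWindow, byAccount), exportLimit)
	emit("excessive_record_access", windowPeaks(entries, "record_read", recordWindow, byAccount), recordLimit)
	offHours := map[string]int{} // any researcher action at night counts; participants are not profiled this way
	for _, e := range entries {
		if h := e.At.Hour(); e.Role == "researcher" && (h >= offHoursStart || h < offHoursEnd) {
			offHours[e.Account]++
		}
	}
	emit("off_hours_access", offHours, 1)
	sort.Slice(out, func(i, j int) bool { return out[i].Rule+"|"+out[i].Subject < out[j].Rule+"|"+out[j].Subject })
	return out
}

// SampleEntries is a constructed batch for one day; times are UTC, standing in for local time.
func SampleEntries() []AuditEntry {
	at := func(hh, mm int) time.Time { return time.Date(2026, 4, 14, hh, mm, 0, 0, time.UTC) }
	ua := "Mozilla/5.0"
	var es []AuditEntry
	for m := 0; m < 5; m++ { // five failed logins from one address in five minutes
		es = append(es, AuditEntry{at(9, m), "acct-17", "participant", "login_failed", "203.0.113.7", ua, "session"})
	}
	es = append(es,
		AuditEntry{at(9, 0), "acct-41", "participant", "login_failed", "198.51.100.4", ua, "session"},
		AuditEntry{at(14, 0), "acct-41", "participant", "login_failed", "198.51.100.4", ua, "session"}, // two failures hours apart: benign
		AuditEntry{at(23, 30), "acct-17", "participant", "login", "203.0.113.7", ua, "session"},          // participant at night: benign
		AuditEntry{at(2, 30), "res-2", "researcher", "login", "192.0.2.9", ua, "session"})                 // researcher at 02:30: off hours
	for m := 0; m < 25; m++ { // one researcher reads 25 records within an hour
		es = append(es, AuditEntry{at(10, m), "res-2", "researcher", "record_read", "192.0.2.9", ua, fmt.Sprintf("health_entry/%d", m)})
	}
	for _, m := range []int{0, 20, 40} { // and exports three times in 40 minutes
		es = append(es, AuditEntry{at(10, m), "res-2", "researcher", "data_export", "192.0.2.9", ua, "research_export"})
	}
	return es
}

func main() {
	for _, f := range Detect(SampleEntries()) {
		fmt.Printf("%-24s %-14s count=%d\n", f.Rule, f.Subject, f.Count)
	}
}
```

Running it prints four findings, one per rule, against the brute-forced address and the researcher account, and nothing for the two benign patterns in the batch (two failed logins hours apart, a participant logging in at 23:30). A sliding window rather than a fixed hourly bucket is used so that a burst straddling a bucket boundary is still counted together.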
8.3 Secure Session Management
- Server-side sessions with cryptographically signed cookies
- 24-hour session expiration with automatic renewal on activity
- Session invalidation on logout, password change, or security events
- HttpOnly, Secure, and SameSite cookie flags: the session cookie cannot be read by page scripts (limiting the impact of any cross-site scripting flaw), is sent only over HTTPS, and is not attached to cross-site requests (limiting cross-site request forgery)
8.4 Regular Security Assessments
- Periodic security audits and vulnerability assessments
- Rate limiting on all API endpoints to prevent abuse
- Input validation and sanitization on all user inputs
- Content Security Policy (CSP) headers to limit the impact of script injection (XSS)
- Dependency monitoring for known vulnerabilities
9. Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data (email, name, age) | Until account deletion | Contract performance |
| Health readings (pH, period, symptoms) | Until account deletion or withdrawal | Consent |
| Chat messages | Until account deletion | Consent |
| Product click data | 12 months, then auto-deleted | Legitimate interest |
| Audit logs | 6 years (HIPAA requirement) | Legal obligation |
| De-identified research data | Indefinite (not personal data) | Research purposes |
| Consent records | 6 years after last interaction | Legal obligation |
| Deletion request records | 3 years (proof of compliance) | Legal obligation |
| Session data | 24 hours | Functional necessity |
9.1 Automated Retention Enforcement
An automated retention routine runs at application startup and on a periodic schedule. Records that exceed their defined retention period are permanently deleted from our active database, and each enforcement action is recorded in the audit log.
9.2 Deletion Procedures
When you request account deletion through the application:
- Your health entries, AI conversations, AI-generated insights, product clicks, study enrollment, and consent records are hard-deleted from active storage immediately.
- Your user record is anonymized at the same moment: email, name, location, and password hash are cleared and replaced with placeholder values, and the account is marked inactive.
- Backups, retained for up to 30 days, are purged on the normal backup-rotation cycle.
- De-identified research data that you previously consented to share, and that has already been exported into research datasets, remains in anonymized form.
- Audit log entries referencing your (now-anonymized) account are retained for the legally required period; they no longer contain identifying information.
9.3 Backup Retention
Database backups are retained for a maximum of 30 days. After account deletion, your data will be purged from all backups within 30 days. We do not restore deleted accounts from backups.
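The following Go program is an added illustration of the retention routine in Section 9.1 and the deletion procedure in Section 9.2, written for this page and not taken from the Platform. It models the affected tables in memory, hard-deletes a user's dependent rows, overwrites the user row with placeholders, audits both actions, and then runs the check that matters: that no remaining row, the audit log included, still contains the deleted user's email, name or location. Table and field names, the placeholder values, the sample users and the audit detail format are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// In-memory stand-ins for the tables Section 9.2 names; field names are assumed.
type User struct{ ID, Email, Name, Location, PasswordHash string; Active bool }
type HealthEntry struct{ UserID string; At time.Time; PH float64; Notes string }
type ProductClick struct{ UserID, ProductID string; At time.Time }
type AuditEntry struct{ At time.Time; Account, Action, Detail string } // Detail: counts and field names only

type Store struct {
	Users   map[string]*User
	Entries []HealthEntry
	Clicks  []ProductClick
	Audit   []AuditEntry
}

const clickRetention = 365 * 24 * time.Hour // 12 months, per the Section 9 table

func (s *Store) audit(now time.Time, account, action, detail string) {
	s.Audit = append(s.Audit, AuditEntry{now, account, action, detail})
}

// drop removes the elements matching pred and returns the kept slice and the removed count.
func drop[T any](xs []T, pred func(T) bool) ([]T, int) {
	kept, n := xs[:0], 0
	for _, x := range xs {
		if pred(x) {
			n++
		} else {
			kept = append(kept, x)
		}
	}
	return kept, n
}

// EnforceRetention is the Section 9.1 routine for one category: product clicks
// past their retention period are deleted and the enforcement is audited.
func (s *Store) EnforceRetention(now time.Time) int {
	var n int
	s.Clicks, n = drop(s.Clicks, func(c ProductClick) bool { return now.Sub(c.At) > clickRetention })
	if n > 0 {
		s.audit(now, "system", "retention_enforced", fmt.Sprintf("product_click deleted=%d", n))
	}
	return n
}

// DeleteAccount follows Section 9.2: dependent rows are hard-deleted, the user
// row is overwritten with placeholders and marked inactive, and the audit log
// keeps only the account identifier.
func (s *Store) DeleteAccount(now time.Time, id string) error {
	u, ok := s.Users[id]
	if !ok || !u.Active {
		return fmt.Errorf("no active account %q", id)
	}
	var nEntries, nClicks int
	s.Entries, nEntries = drop(s.Entries, func(e HealthEntry) bool { return e.UserID == id })
	s.Clicks, nClicks = drop(s.Clicks, func(c ProductClick) bool { return c.UserID == id })
	// Placeholder values are assumed; the policy says only that the fields are cleared.
	u.Email, u.Name, u.Location, u.PasswordHash, u.Active = "deleted-"+id+"@invalid", "[deleted]", "", "", false
	s.audit(now, id, "account_deleted", fmt.Sprintf("health_entries=%d product_clicks=%d", nEntries, nClicks))
	return nil
}

// StillPresent is the post-deletion check: does any remaining row, the audit
// log included, still carry the given identifying value?
func (s *Store) StillPresent(value string) bool {
	for _, u := range s.Users {
		if strings.Contains(u.Email+"|"+u.Name+"|"+u.Location, value) {
			return true
		}
	}
	for _, e := range s.Entries {
		if strings.Contains(e.Notes, value) {
			return true
		}
	}
	for _, a := range s.Audit {
		if strings.Contains(a.Account+"|"+a.Detail, value) {
			return true
		}
	}
	return false
}

// SampleStore is constructed data: two users, one click past retention, one earlier audit entry.
func SampleStore(now time.Time) *Store {
	s := &Store{Users: map[string]*User{
		"u-17": {"u-17", "maya@example.com", "Maya R.", "Lisbon", "$2b$12$placeholder", true},
		"u-23": {"u-23", "lee@example.com", "Lee K.", "Porto", "$2b$12$placeholder", true},
	}}
	s.Entries = []HealthEntry{{"u-17", now.Add(-48 * time.Hour), 4.2, "mild cramps"}, {"u-17", now.Add(-24 * time.Hour), 4.4, ""}, {"u-23", now.Add(-24 * time.Hour), 4.0, ""}}
	s.Clicks = []ProductClick{{"u-17", "probiotic-1", now.Add(-400 * 24 * time.Hour)}, {"u-17", "ph-strips-2", now.Add(-2 * time.Hour)}, {"u-23", "ph-strips-2", now.Add(-3 * time.Hour)}}
	s.audit(now.Add(-72*time.Hour), "u-17", "profile_changed", "field=location") // the old value is not logged
	return s
}

func main() {
	now := time.Date(2026, 4, 14, 12, 0, 0, 0, time.UTC)
	s := SampleStore(now)
	fmt.Println("expired clicks deleted:", s.EnforceRetention(now))
	fmt.Println("delete u-17:", s.DeleteAccount(now, "u-17"))
	fmt.Println("email still present anywhere:", s.StillPresent("maya@example.com"))
	for _, a := range s.Audit {
		fmt.Printf("%s %-6s %-18s %s\n", a.At.Format(time.RFC3339), a.Account, a.Action, a.Detail)
	}
}
```

The final check passes only because the audit routine records field names and counts rather than the values themselves; an audit entry that had logged the old email on a profile change would survive anonymization and defeat the procedure. Backup rotation (Section 9.3) happens outside the database and is not modelled here.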
10. Third-Party Services
We minimize third-party data sharing. The following services have limited interaction with your data:
10.1 Transactional Email
- Data shared: Your email address and the body of administrative messages (verification, password reset, breach notification).
- Purpose: Delivering account-related messages.
- Health data shared: None. Health entries, AI conversations, symptoms, and notes are never sent in email.
- Status: The pathway currently runs in a development configuration. A signed Business Associate Agreement with the production email provider will be in place before the pathway is switched to production.
10.2 Ollama (Local AI)
- Data shared with third parties: None
- Purpose: Ollama is an open-source AI runtime that runs entirely on our self-hosted infrastructure or your device
- No external API calls: The AI model does not communicate with any external servers
- Model provenance: We use open-weight models that run locally without phoning home
10.3 Affiliate Product Partners
- Data shared: Click event (product ID, timestamp, referral code)
- Health data shared: None. Partners never receive your pH data, symptoms, cycle information, or any health-related information
- Purpose: Tracking referral commissions for marketplace products
- When shared: Only when you actively click an external product link
No data brokers. No ad networks. No analytics trackers. We do not use Google Analytics, Facebook Pixel, or any third-party behavioral tracking service.
11. Children's Privacy
11.1 Age Restriction
Lylac Health is intended exclusively for users aged 18 years and older. The Platform collects sensitive sexual health data and provides reproductive health content that is appropriate only for adults.
11.2 Age Verification
- Users must confirm they are 18 or older during account registration
- We collect age as part of the registration process and deny access to users who indicate they are under 18
- Sexual health content and data collection features are restricted to verified adult users
11.3 Discovery of Minor's Data
If we discover that we have inadvertently collected personal information from a user under 18 years of age:
- We will immediately suspend the account
- All personal data and health information associated with the account will be permanently deleted within 48 hours
- If the minor's parent or guardian is identifiable, we will notify them of the data collection and deletion
- We will document the incident in our compliance records
If you believe a minor has created an account on our Platform, please contact us immediately at privacy@lylachealth.com.
12. Cookies & Tracking
12.1 Session Cookies (Strictly Necessary)
We use a single session cookie to maintain your authenticated session:
| Cookie Name | Purpose | Duration | Type |
|---|---|---|---|
| session | Maintains your login state | 24 hours | Strictly necessary |
12.2 What We Do NOT Use
- No third-party analytics cookies (no Google Analytics, Mixpanel, Amplitude, etc.)
- No advertising cookies (no Google Ads, Facebook Pixel, etc.)
- No cross-site tracking (no fingerprinting, no supercookies)
- No social media tracking pixels
- No retargeting or remarketing cookies
12.3 Cookie Consent
Because we use only a strictly necessary session cookie (exempt from the consent requirement under Article 5(3) of the ePrivacy Directive 2002/58/EC, as it is strictly necessary to provide a service you have requested), we do not display a cookie consent banner. Our session cookie is essential for the Platform to function and cannot be opted out of while using the service.
13. Changes to This Policy
13.1 Notification of Changes
If we make material changes to this Privacy Policy, we will:
- Send an email notification to your registered email address at least 30 days before the changes take effect
- Display a prominent notice within the application upon your next login
- Update the "Last updated" date at the top of this policy
- For changes affecting the processing of health data or sensitive information, we will request renewed consent
13.2 Effective Date
This Privacy Policy is effective as of April 2026. The previous version of this policy (if any) is available upon request.
13.3 Your Continued Use
For non-material changes, your continued use of the Platform after the updated policy becomes effective constitutes acceptance. For material changes to health data processing, we will require explicit re-consent before continuing to process your data under the new terms.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
General Privacy Inquiries
Email: privacy@lylachealth.com
Data Protection Officer
Email: dpo@lylachealth.com
Mailing Address
Lylac Health
Attn: Privacy Team
[Address to be provided upon company registration]
We aim to respond to all privacy-related inquiries within 5 business days. GDPR and CCPA requests will be processed within the legally mandated timeframes (30 days and 45 days, respectively).