anna app logo
The appPerimenopauseArticlesPressJoin the waitlist
Join the waitlist
Privacy Policy

Your data, your call.

Last updated: 16 June 2026. Effective from Q3 2026 launch.
The short version

What you actually need to know.

  • We only collect the data we need to run anna for you.
  • Your health data is encrypted and stored on EU servers.
  • We don't sell or share your data with advertisers. Ever.
  • You can access, export, or delete your data at any time.
  • AI features are explained, not hidden.
  • Research participation is opt-in only. Saying no doesn't affect your access.

The longer sections below cover the specifics required by UK GDPR, EU GDPR, California CCPA, and Washington's My Health My Data Act. We keep the language as plain as the law allows.

On this page

  1. Who we are
  2. What we collect
  3. How we collect it
  4. How we use your data
  5. Who sees your data
  6. International data transfers
  7. How long we keep your data
  8. How we protect your data
  9. Your rights
  10. Children's privacy
  11. Marketing and cookies
  12. Changes to this policy
  13. Complaints
  14. Legal basis summary
  15. US state privacy rights
  16. Glossary
  17. Contact

1. Who we are

anna app is provided by SIA anna app, a private limited company registered in the Republic of Latvia.

  • Registration number: 40203715543
  • Registered: 27 January 2026
  • Registered office: Krišjāņa Barona iela 30A, Riga, Latvia
  • Contact email: elina@annahealth.app

SIA anna app is the data controller responsible for your personal data within the meaning of the UK GDPR, the EU GDPR, and applicable Latvian data protection law.

2. What we collect

2.1 Account data

When you create an account:

  • Email address
  • Date of birth (to confirm you're 18 or over)
  • Password (stored hashed, never readable by us)
  • Subscription status and start date

Sign-in methods available: email and password, Sign in with Apple, or Sign in with Google. If you use Apple or Google, we receive only your name and email address.

2.2 Health data (sensitive personal data)

The most sensitive category we handle. You always control whether to connect it, and you can disconnect at any time.

From Apple Health:

  • Heart rate variability (HRV)
  • Resting heart rate
  • Sleep hours and broad sleep quality
  • Body temperature (Apple Watch only)
  • Steps and activity
  • Respiratory rate

Cycle and reproductive health:

  • Period start and end dates
  • Cycle phase and day
  • Optional symptom notes

Daily check-ins (optional, you can skip every day):

  • Mood, energy, stress (1 to 5 scale)
  • Physical symptoms you choose to track
  • Free-text notes

Explicit consent. You must explicitly consent to the processing of health data. You can withdraw consent at any time in Settings. Withdrawal does not affect lawfulness of processing before withdrawal.

2.3 Device and technical data

  • Device type, operating system, app version
  • IP address (used only for approximate region detection, not stored long term)
  • Crash reports and basic usage events

2.4 Payment data

  • Subscription plan selected
  • Purchase confirmation from the Apple App Store

We don't store your card or banking details. All payments are processed by Apple.

2.5 Communication data

  • Support messages you send us
  • Survey responses
  • Feedback

3. How we collect it

  • Directly from you when you sign up, complete onboarding, log a check-in, or contact us.
  • From your device via Apple HealthKit, with your explicit permission, screen by screen.
  • From third parties if you use Sign in with Apple or Google (name and email only).

We don't buy data from data brokers. We don't augment your profile with data from any source you have not chosen to share.

4. How we use your data

4.1 To run anna (legal basis: contract performance and explicit consent for health data)

  • Daily tips. anna's rule engine reads your wearable data, compares it against your own baseline, and generates one evidence-backed tip each morning. We use Anthropic AI to phrase the tip in clear English. The medical reasoning is rules-based, not AI-generated.
  • Cycle and phase calculation. Predicts your phase from your own data.
  • Pattern analysis. Identifies trends in your 7 to 30 day windows.

4.2 To improve anna (legal basis: legitimate interest)

  • Pseudonymised usage analytics so we know which screens help and which don't.
  • Fix bugs and improve performance.
  • Test new features with aggregated data.

4.3 For research (legal basis: explicit consent, opt-in only)

If you opt in, we share anonymised, aggregated data with research partners studying perimenopause. Saying no doesn't affect your access to any anna feature. You can change your choice in Settings at any time.

4.4 Marketing and analytics (legal basis: consent and legitimate interest)

  • Email. Newsletters, tips, product updates. Unsubscribe link in every email.
  • Push notifications. Tip alerts, check-in reminders. Disable in device settings.
  • Website analytics. We use Plausible, a cookie-free analytics tool that doesn't track you across the web. We don't run Google Analytics, Mixpanel, or social media pixels on our website. See our Cookie Policy for the full list.

We don't share your health data with advertisers. Ever.

4.5 Customer support (legal basis: contract)

If you contact us, we access your account to help. We may review your data only if it's relevant to the question you asked.

4.6 Legal compliance (legal basis: legal obligation)

  • Responding to lawful requests from authorities
  • Preventing fraud
  • Protecting user safety

5. Who sees your data

We don't sell your data. Ever.

5.1 Service providers (data processors)

These companies process data on our behalf under written contracts. They cannot use your data for their own purposes.

ProviderWhat forWhere
SupabaseDatabase hostingEU (Frankfurt)
AppleHealthKit, App Store paymentsEU + US
AnthropicTip phrasing (text only)US, with SCCs
KlaviyoEmail deliveryUS, with SCCs
PlausibleCookie-free website analyticsEU
CloudflareCDN and bot protectionGlobal

Standard Contractual Clauses (EU Commission approved, 2021/914) are in place for all transfers outside the EEA. We have completed Transfer Impact Assessments for each US provider, documenting supplementary measures including encryption and pseudonymisation.

5.2 Research partners (opt-in only)

If you consent, we share anonymised aggregated data only. Data is stripped of all identifiers before sharing. No partner can recover your identity from what we share.

5.3 Legal requirements

We may disclose data if required by law, court order, or to protect user safety. We will challenge overbroad requests where lawful to do so.

5.4 With your explicit consent

For anything else, we ask first.

6. International data transfers

anna is based in Latvia (EU). Some service providers are in the US (Anthropic, Apple iCloud where applicable, Klaviyo).

Safeguards we use:

  • Standard Contractual Clauses (EU Commission Decision 2021/914)
  • EU-US Data Privacy Framework certification where the provider is certified
  • Encryption in transit (TLS 1.2 or higher) and at rest (AES-256)
  • Documented Transfer Impact Assessments for each non-EEA processor

Your data is protected to the same standard regardless of where the processor is based.

7. How long we keep your data

  • Active accounts. As long as your account is active.
  • Inactive accounts. We retain your data so you can return and access historical patterns. No automatic deletion.
  • Deleted accounts. Personal identifiers removed within 24 hours. All data deleted from production within 30 days. All backups overwritten within 90 days. Exception: anonymised research data may be retained if you opted in (it cannot be linked back to you).
  • Legal exception. Payment records retained for 7 years in compliance with Latvian tax law.

8. How we protect your data

8.1 Technical measures

  • TLS (HTTPS) for all data in transit
  • Encryption at rest using industry-standard algorithms
  • EU-based servers with strict access controls
  • Passwords hashed and salted using bcrypt; we never see your password
  • Apple HealthKit handled in compliance with Apple's strict guidelines

8.2 Organisational measures

  • Only authorised personnel can access user data, on a need-to-know basis
  • All personnel sign confidentiality agreements and complete data protection training
  • Regular security review
  • Documented breach response plan; users and the supervisory authority will be notified within 72 hours where required by law

8.3 What you can do

  • Use a strong, unique password
  • Enable Face ID or Touch ID on your device
  • Don't share your login credentials

9. Your rights

Under the UK GDPR and EU GDPR, you have the rights listed below. To exercise any of them, email elina@annahealth.app. We respond within 30 days. There is no charge for reasonable requests.

  • Right of access. Request a copy of all data we hold about you.
  • Right to rectification. Correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten"). Request deletion of your account and data. Some data may be retained where law requires it.
  • Right to data portability. Download your data in a structured, commonly used, machine-readable format (JSON).
  • Right to restriction of processing. Limit how we use your data in specific situations.
  • Right to object. Object to processing based on legitimate interest, including direct marketing.
  • Right to withdraw consent. For health data processing, at any time, in Settings.
  • Rights related to automated decision-making. anna does not make solely automated decisions that produce legal or similarly significant effects on you. Daily tips are not automated decisions in the meaning of Article 22 GDPR.

10. Children's privacy

anna is only for users 18 years or older. We don't knowingly collect data from anyone under 18. If we learn an account is held by someone under 18, we delete it immediately. If you believe a child is using anna, write to elina@annahealth.app.

11. Marketing and cookies

11.1 How to opt out of marketing

  • Email. Unsubscribe link in every email.
  • Push notifications. Disable in device settings or in-app Settings → Notifications.

11.2 Cookies

Our website uses cookies. See our Cookie Policy for the complete list. We use only:

  • Essential cookies (required for the site to work)
  • Plausible analytics (cookie-free, no third-party tracking)
  • Cookie consent management (your preference, stored locally)

If we run paid advertising during the launch window, the Meta pixel may be set only with your explicit consent through the cookie banner.

12. Changes to this policy

We may update this policy from time to time. For material changes, we notify you by:

  • Email to your registered address
  • In-app notification
  • A clear notice on the website

The effective date is shown at the top of this policy. Continued use after the effective date means you accept the updated policy.

13. Complaints

If you're unhappy with how we handle your data:

  1. Contact us first. elina@annahealth.app
  2. File a complaint with your data protection authority:
    • UK: Information Commissioner's Office (ICO), ico.org.uk
    • EU: Your national supervisory authority
    • Latvia: State Data Protection Inspectorate, dvi.gov.lv

14. Legal basis summary

PurposeLegal basis
Provide anna's core servicesContract performance + explicit consent (health data)
Process paymentsContract performance
Customer supportContract + consent (where health data involved)
Improve anna, fix bugsLegitimate interest
Email and marketingConsent + legitimate interest
Research (opt-in only)Explicit consent
Legal complianceLegal obligation

15. US state privacy rights

15.1 California (CCPA / CPRA)

If you live in California, you have the right to:

  • Know what data we collect and how we use it
  • Delete your data
  • Opt out of "sale" or "sharing" of data
  • Correct inaccurate data
  • Non-discrimination if you exercise your rights

We don't sell data for money. We don't share health data with advertisers. To exercise your rights, email elina@annahealth.app.

15.2 Washington (My Health My Data Act)

If you live in Washington, you have additional rights covering consumer health data:

  • Confirm whether we process your health data
  • Access, delete, or withdraw consent
  • Appeal denial of any request

We don't sell consumer health data.

15.3 Other US states

Colorado, Connecticut, Utah, Virginia, Texas, and others grant similar rights. Email us to exercise them.

16. Glossary

  • Personal data. Information that identifies you, directly or indirectly.
  • Sensitive personal data (special category). Includes health, genetic, and reproductive information.
  • Anonymised data. Cannot identify you, even in combination with other data.
  • Pseudonymised data. Identifiers replaced with a key; can be re-linked only with the key.
  • Consent. Your explicit, freely given, specific, informed, and unambiguous agreement. Withdrawable at any time.
  • Legitimate interest. Our business need to process, balanced against your rights and freedoms.
  • Data controller. The entity that determines the purposes and means of processing (that is us).
  • Data processor. A third party that processes data on our behalf under contract.
  • SCCs. Standard Contractual Clauses, EU Commission-approved template contracts for international data transfers.

17. Contact

For privacy questions or to exercise your rights:

  • Email: elina@annahealth.app
  • Address: SIA anna app, Krišjāņa Barona iela 30A, Riga, Latvia
  • Registration number: 40203715543

By using anna, you confirm:

  • You're 18 years or older
  • You have read this privacy policy
  • You consent to the processing of your health data as described

Thank you for trusting us with your data. We take that seriously.

anna app logo
Learn
PerimenopauseArticlesPerimenopause symptomsHow anna is different
Product
The appHow anna worksFAQanna on AndroidPress
Follow
LinkedInInstagramFacebook
Contact
elina@annahealth.app
© 2026 anna app. All rights reserved.
PrivacyTermsCookies