Kymara Health Privacy Policy
Last updated: 16 May 2026
Kymara Health (“Kymara”, “we”, “us”, or “our”) provides a digital product that helps people understand and manage their menstrual cycles, hormones, and related health concerns via our website at https://kymarahealth.com (the “Site”) and associated tools and services (collectively, the “Services”).
This Privacy Policy explains how we collect, use, and protect information when you use the Services. Because Kymara deals with sensitive health‑related data, we take privacy and security seriously and design our systems and processes with that in mind.
By using the Services, you agree to the practices described in this Privacy Policy.
1. Who we are and how to contact us
Kymara Health is operated by an independent software business based in South Africa. If you have questions about this Privacy Policy or how we handle your data, you can contact us at:
- Email: support@kymarahealth.com
- Website: https://kymarahealth.com
2. Information we collect
We collect information in three main ways: information you provide directly, information collected automatically, and information from our partners.
2.1 Information you provide directly
When you use Kymara, you may provide:
- Account information – such as your name, email address, and password (your password is never stored in plain text). Supabase Auth stores password hashes using modern hashing algorithms.
- Profile and preferences – such as date of birth or age range, cycle length, goals (for example, “manage PMS”, “support fertility”), and notification preferences.
- Health‑related information – such as cycle dates, period flow, symptoms, mood, sleep, sexual activity, use of emergency contraception, PCOS‑related symptoms and screening responses, and other information you choose to log in the app.
- Support communications – when you contact us for help, we collect the information you provide in messages, including your email and any screenshots you share.
Providing health information is optional, but the app works best if you provide enough data for us to generate insights and tools tailored to you.
2.2 Information collected automatically
When you use the Services, we automatically collect certain technical and usage information, for example:
- Device and browser type
- Operating system and approximate location derived from IP address
- Pages viewed, buttons clicked, and time spent in different parts of the app
- Referring website or campaign parameters (for example, UTM tags)
We use PostHog as our product analytics platform to collect event data and understand how the app is used, so we can improve features and onboarding. PostHog provides controls to limit what is captured and to mask sensitive fields.
2.3 Payment and billing information
Kymara uses Dodo Payments as our payments provider and merchant of record. When you upgrade to a paid plan:
- Dodo collects and processes your payment card details and related billing information on its own PCI‑compliant infrastructure.
- We receive limited billing information from Dodo, such as a customer ID, the last 4 digits of your card, card brand, and subscription status.
We never store or see your full card number or CVC. Dodo, as merchant of record, is responsible for handling card data and PCI DSS compliance.
3. How we use your information
We use the information we collect for the following purposes:
- To provide and maintain the Services – including account creation, login, cycle tracking, calculators, and personalized tools and insights.
- To personalize your experience – for example, tailoring content, tools, or reminders based on your cycle patterns, symptoms, and goals.
- To process payments and manage subscriptions – including creating checkout sessions, managing subscription status, and enabling self‑service billing changes via the Dodo customer portal.
- To communicate with you – such as sending onboarding emails, product updates, reminders, and responding to your support requests. We use Resend to deliver transactional emails.
- To analyze and improve the product – using PostHog event data to understand how features are used, identify bugs, and test improvements. We configure PostHog to avoid collecting unnecessary personal data and to mask sensitive fields where appropriate.
- To enforce our Terms of Use – including protecting against misuse, fraud, or security incidents.
- To comply with legal obligations – such as responding to lawful requests from authorities where required.
We do not sell your personal information or health logs to third‑party advertisers.
4. Legal bases for processing (if you are in the EU/UK)
If you are located in the European Economic Area, UK, or a region with similar laws, we process your personal data on the following legal bases:
- Consent – for collecting and processing your health‑related data, and for optional analytics and marketing emails where required.
- Contract – to provide the Services you sign up for, including your Kymara account and subscription.
- Legitimate interests – to maintain and improve the Services, prevent fraud and abuse, and support customer service, where these interests are not overridden by your rights and interests.
- Legal obligations – to comply with legal requirements and respond to lawful requests.
You can withdraw your consent at any time where consent is the basis for processing, for example by deleting your health logs or closing your account.
5. How we share information
We share information with a small number of trusted processors and service providers, only as necessary to operate the Services:
- Supabase – hosts our database, authentication, and certain serverless functions. Supabase encrypts customer data at rest and in transit and offers security features such as row‑level security and strong password hashing.
- Dodo Payments – processes subscription payments, stores card details, and operates the customer billing portal. Dodo acts as merchant of record and is responsible for PCI DSS compliance related to card data.
- PostHog – provides first‑party product analytics so we can understand usage and improve the app. We configure PostHog to avoid capturing sensitive free‑text inputs and to limit the set of properties we track.
- Resend – sends transactional emails such as login emails, onboarding, and receipts.
- Infrastructure providers – such as Vercel (hosting) and logging/monitoring tools that help us run the app reliably.
We may also share information when required by law, in connection with a business transaction (such as a merger or acquisition), or to protect our rights or the safety of users.
We do not allow third‑party ad networks to track you across non‑Kymara apps or websites based on your health data.
6. Data retention
We retain your information for as long as your account is active and as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements.
In practice:
- Account and health logs are kept while you maintain an account.
- If you delete your account, we aim to delete or irreversibly anonymize your personal data within a reasonable period, subject to any legal retention requirements (for example, limited billing records).
- Aggregated, non‑identifiable analytics data may be retained to help us understand long‑term product performance.
7. Your rights and choices
Depending on where you live, you may have the following rights regarding your personal data:
- Access – request a copy of the personal data we hold about you.
- Correction – ask us to correct inaccurate or incomplete data.
- Deletion – request that we delete your personal data, subject to certain exceptions.
- Restriction – ask us to limit processing of your data in certain cases.
- Portability – request a copy of your data in a structured, commonly used format.
- Objection – object to certain types of processing, such as analytics, where applicable.
You can exercise many of these rights directly in the app (for example, editing profile information or deleting logs). For other requests, contact us at support@kymarahealth.com and we will respond in accordance with applicable laws.
If you are in the EU/UK and are not satisfied with our response, you may have the right to lodge a complaint with your local data protection authority.
8. Security
We apply technical and organizational measures to protect your information, including:
- Encrypting data in transit (HTTPS) and at rest via Supabase.
- Limiting access to production data to authorized personnel and service accounts.
- Using strong password hashing for authentication.
- Relying on Dodo Payments to handle payment card data on PCI‑compliant infrastructure, so our systems never store card numbers.
No online service can guarantee perfect security, but we work to protect your information and promptly investigate incidents.
9. Children’s privacy
Kymara is not intended for children under 16, and we do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal information, please contact us at support@kymarahealth.com so we can delete it.
10. International transfers
Our service providers (for example, Supabase, Dodo, PostHog, Vercel, Resend) may process data in countries other than your own. Where required, we rely on appropriate safeguards for such transfers, such as standard contractual clauses or equivalent mechanisms offered by those providers.
11. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes to our practices or legal requirements. If we make material changes, we will notify you by updating the “Last updated” date at the top and, where appropriate, via email or in‑app notice.
Your continued use of the Services after the updated policy becomes effective means you accept the changes.
12. Contact
If you have any questions, concerns, or requests about this Privacy Policy or how we handle your data, please contact:
- Email: support@kymarahealth.com
- Website: https://kymarahealth.com