Version 2.1 — Effective: March 31, 2026

Privacy Policy

1. Introduction

Ocean Drop (“we,” “our,” or “us”) is a cycle-aware companion app for couples. This Privacy Policy explains how we collect, process, store, and protect your personal data when you use the Ocean Drop mobile application (“the App”) and associated website.

Because Ocean Drop processes special category health data (menstrual cycle information, mood scores, energy scores, and symptom data), this policy is drafted in compliance with the General Data Protection Regulation (GDPR), including Article 9 governing the processing of special categories of personal data.

Data Controller:
Ocean Drop / Stefan's Alkimia
Email: contact@oceandrop.app

By using Ocean Drop, you acknowledge that you have read and understood this Privacy Policy. Processing of your health data requires your explicit consent, which you provide during onboarding.

2. Data We Collect

2.1 Special Category Health Data (GDPR Art. 9)

The following data is classified as special category data under GDPR Article 9 because it relates to your physical health:

  • Menstrual cycle start dates — used to calculate cycle phases.
  • Period flow intensity — self-reported flow level.
  • Mood scores — a 1–5 scale rating logged by you.
  • Energy scores — a 1–5 scale rating logged by you.
  • Symptoms — a text array of self-reported symptoms.
  • Cycle length — the average length of your menstrual cycle.

2.2 Account Data

  • Display name — the name shown in the app.
  • Email address — obtained via Google Sign-In for authentication.
  • Partner name — the name of your connected partner, if applicable.

2.3 AI and Interaction Data

  • Chat messages — messages exchanged with our AI assistants (Drop and Marina).
  • Daily plan feedback — a 1–5 rating plus optional text feedback on generated daily plans.
  • Calendar events — events you create or manage within the app.

2.4 Device and Technical Data

  • Push notification tokens — used to deliver notifications to your device.
  • Device type and operating system — used for app compatibility and debugging.

3. Legal Basis for Processing

We process your data under the following legal bases:

  • Explicit consent — GDPR Article 9(2)(a): Processing of your special category health data (cycle dates, flow intensity, mood scores, energy scores, symptoms, and cycle length) is based on your explicit consent, which you provide during onboarding. You may withdraw this consent at any time (see Section 10).
  • Legitimate interest — GDPR Article 6(1)(f): General app operation, analytics, security, and service improvements are processed under our legitimate interest in providing and maintaining the App. We have conducted a balancing test to ensure your rights are not overridden.
  • Contract performance — GDPR Article 6(1)(b): Processing necessary to provide you with the services you have requested, including account management and feature delivery.

4. How We Use Your Data

We use your data for the following purposes:

  • Cycle phase calculation — deriving your current and upcoming cycle phases from your logged cycle data.
  • Personalized daily plans — generating phase-aware daily guidance, communication tips, and action suggestions.
  • AI chat — providing contextual responses through Drop (for him) and Marina (for her) based on cycle phase and your conversation history.
  • Mood and wellness tracking — displaying mood, energy, and symptom trends over time within the app.
  • Partner sharing — sharing limited cycle phase information with a connected partner (see Section 6).
  • Push notifications — delivering daily plan reminders, partner connection updates, and app notifications.
  • Service improvement — using anonymized feedback ratings to improve AI response quality.

We do not use your personal data for advertising, profiling for marketing purposes, or selling to third parties.

5. AI Processing Disclosure

Ocean Drop uses artificial intelligence to provide personalized guidance. Here is exactly how your data interacts with AI systems:

  • What is sent to the AI: Your chat messages and current cycle phase context are sent to the OpenRouter API for processing. The AI model used is minimax/minimax-m2.5:free.
  • Where it is processed: OpenRouter is a US-based service. Your chat messages and cycle phase context are transmitted to their servers for inference.
  • Training opt-out: Your messages are not used to train AI models. OpenRouter processes your data solely for generating responses to your queries.
  • What the AI does not see: The AI does not have direct access to your raw health records, authentication credentials, or partner connection details beyond what is included in the conversation context.
  • AI limitations: Drop and Marina are AI assistants, not medical professionals. Their responses are generated by AI and should never be treated as medical advice.

6. Partner Data Sharing

Ocean Drop offers an optional partner connection feature. Here is how data sharing works between partners:

  • What the male partner can see: Current cycle phase name (e.g., “The Deep,” “The Swell”), energy label (e.g., “Low,” “High”), and mood label (e.g., “Calm,” “Sensitive”). The male partner does not see raw cycle dates, flow intensity, symptom details, or mood/energy scores.
  • Consent-based: Partner connection requires an explicit invite code. Both parties must actively choose to connect.
  • Female user controls: The female user initiates and controls the connection. She can disconnect from her partner at any time via Profile settings, immediately revoking all shared data access.
  • Disconnection: When a partner disconnects, shared data access is revoked immediately. No historical shared data is retained by the other partner's account.

7. Data Protection & Security

We implement the following technical and organizational measures to protect your data:

  • Encryption in transit: All data transmitted between your device and our servers is protected by TLS/SSL encryption.
  • Encryption at rest: All data stored in our database is encrypted at rest using industry-standard encryption provided by Supabase (hosted in the EU).
  • Row-Level Security (RLS): Our database enforces row-level security policies, ensuring users can only access their own data.
  • Authentication: User authentication is handled via Google Sign-In with secure token management through Supabase Auth.
  • Minimal data collection: We collect only the data necessary to provide the App's features. We do not collect location data, contacts, photos, or browsing history.
  • Access controls: Administrative access to production data is restricted and logged.

8. Sub-Processors

We use the following third-party sub-processors to operate Ocean Drop. Each sub-processor is bound by data processing agreements:

Provider | Role | Location
Supabase | Database hosting, user authentication, edge functions (server-side logic) | EU region
OpenRouter | AI chat processing via the minimax/minimax-m2.5:free model | United States
Google | Authentication (Google Sign-In), push notifications (Firebase Cloud Messaging via Expo) | United States
Expo / EAS | App distribution, over-the-air (OTA) updates | United States

We will notify users of any changes to our sub-processors by updating this Privacy Policy.

9. Data Retention

We retain your data according to the following principles:

  • Active accounts: All personal data, including health data, chat messages, calendar events, and feedback, is retained for as long as your account remains active.
  • Account deletion: When you delete your account (available in-app via Profile → Delete Account, with double confirmation), all associated data is permanently deleted within 30 days. This includes your authentication account and all stored data, performed via cascade deletion. No data is retained after deletion.
  • No anonymized retention: We do not retain anonymized or aggregated versions of your health data after account deletion.

10. Your Rights Under GDPR

Under the General Data Protection Regulation, you have the following rights regarding your personal data:

  • Right of Access (Art. 15): You have the right to request a copy of all personal data we hold about you, including health data, chat logs, and account information.
  • Right to Rectification (Art. 16): You have the right to request correction of inaccurate or incomplete personal data. You can update most data directly within the App.
  • Right to Erasure (Art. 17): You have the right to request deletion of your personal data. You can exercise this right directly in the App via Profile → Delete Account, which permanently removes all your data.
  • Right to Restriction of Processing (Art. 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as while we verify the accuracy of your data.
  • Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
  • Right to Object (Art. 21): You have the right to object to processing of your personal data based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Rights Related to Automated Decision-Making (Art. 22): Ocean Drop uses AI to generate personalized guidance. This AI-generated content is advisory only and does not produce legal or similarly significant effects. You have the right to request human review of any AI-generated output that affects you.
  • Right to Withdraw Consent: Where processing is based on your consent (including health data processing under Art. 9), you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. You can withdraw consent by deleting your account or by contacting us.

How to exercise your rights: You can exercise most of these rights directly within the App. For any request, you may also contact us at contact@oceandrop.app. We will respond within 30 days of receiving your request.

Supervisory authority: You have the right to lodge a complaint with your national data protection authority if you believe your data protection rights have been violated.

11. Children's Privacy

Ocean Drop is intended for users aged 18 and older. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have collected data from a person under 18, we will take steps to promptly delete that data. If you believe a minor has provided us with personal data, please contact us at contact@oceandrop.app.

12. International Data Transfers

Our primary database is hosted in the EU via Supabase. However, some of our sub-processors are located in the United States (OpenRouter, Google, Expo/EAS). When your data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): Transfers to US-based sub-processors are governed by EU-approved Standard Contractual Clauses where applicable.
  • EU-US Data Privacy Framework: Where applicable, our sub-processors participate in recognized data transfer frameworks.
  • Data minimization: We minimize the data transferred internationally. For example, only chat messages and cycle phase context (not raw health data) are sent to OpenRouter for AI processing.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

  • We will update the version number and effective date at the top of this page.
  • For significant changes affecting health data processing, we will notify you through the App or via email and may request renewed consent where required by law.
  • Continued use of the App after the effective date of changes constitutes acceptance of the revised policy, except where renewed consent is required.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all data protection inquiries within 30 days.