At 28X, your privacy isn’t just protected, it’s built in.

We designed 28X as a fully private, on-device app. Everything you enter stays safely on your phone. We don’t track you and we don’t store your cycle or health data in the cloud. No accounts, no ads, no third-party analytics.

The app uses your information only to support you, like helping track your cycle or symptoms, and no cycle or health data leaves your device unless you choose to export it. You can review, edit, delete or share your data at any time. Deleting the app or deleting your data in settings removes all 28X data stored locally on your device.

Since your health data stays on your device, we are not a controller of this data. 

We don’t sell your data. When we ask users if they would like to support health research, we ask for clear, one-time consent and it will always be optional.

You can use the app independently if you’re 16 or older. If you’re 13–16, we recommend using it with the knowledge and support of a parent or guardian. If you’re under 13, the app isn’t designed for you to use alone - you must use it with your parent or carer.

If you contact us for help, we’ll only use your info to respond and delete it if you ask.

If we make any major changes, we’ll alert you in app to let you know and ask for your consent again if needed.

Got questions? We’re here to help: privacy@my28x.com

That’s the short version. Want the full details? Just keep reading — we’ve kept it clear, we promise.

‍

Full Notice

This Privacy Notice sets out how we process the limited information we may collect from you on the 28X Private Period app (the “app”)If you are not comfortable with the content of this notice, please don’t use the app.

‍

1. Who we are

28X Ltd (“we”, “us”, “our”) is a UK-based company committed to privacy-first, inclusive design. Our app enables users to track their cycle and symptoms without any cloud-based storage or external data transmission. This also means we are not the controller of this data.

Contact Details: 28X Ltd, 20 Wenlock Road, London, N1 7GU, United Kingdom; privacy@my28x.com

‍

2. What information we process

Data we are not a controller of 

Everything you enter into the app is stored only on your personal device, never uploaded to the cloud. We do not collect any personal data on our servers. We only collect the anonymised and/or aggregated data required to provide app functionality.

When you sign up to use the app, you provide a username, date of birth, details about your menstrual cycle, including the date your last period started, how many days your period lasted, the average length of your cycle, how regular your cycle is, and whether you have any pre-existing conditions that could affect your cycle. You may be asked about the reason you are using the app, such as tracking for health or fertility so that the app can show you content in line with your preferences. We are not the controller of this data. 

Our app also facilitates simple data processing including for purchases you make within the app or to allow you to take part in research opportunities, if you choose to do this. We are not the controller of any information provided, generated or transferred as part of these processes. When IP addresses are shared with third parties through the app (for example, to Google Play or the App Store), this is not personal data that we process. 

We do not use in-app analytics or third-party tracking tools. However, we may review anonymous, aggregate data provided by Apple and Google through their developer platforms, for example, information about app downloads, crash events or app ratings.

This information helps us improve app stability and user experience, but it is not linked to you personally and is never used for profiling, advertising or behavioural tracking. This information does not amount to personal data. We are not the controller of this data. 

Depending on your device settings, your operating system (such as Apple iOS or Android) may include app data in automatic device backups. This process is managed entirely by your device provider and is outside of 28X’s control. We do not access, receive, or store data included in device backups, and we cannot control how your device provider stores or restores this information.

‍

If you choose to purchase visual customisations such as butterflies or other upgrades, the transaction is handled through the App Store or Play Store. We do not process your payment details directly. The App Store or Play Store may provide us with limited information related to the purchase, such as confirmation that the transaction was successful, but we do not receive or store your financial information. These interactions are subject to the privacy terms and conditions of the App Store and Google Play. This information does not amount to personal data. We are not the controller of this data.

‍

Data we are a controller of 

We may conduct in-person user testing and feedback sessions to improve the app. If you choose to participate in these sessions, any personal data you provide will only be used for the purpose of gathering feedback and will not be linked to your app data. 

If you are a business partner or supplier, we will process business contact details and any other information about you that you share with us. 

‍

3. Lawful basis for processing

We are the data controller for limited information processed outside of the app which could be used to identify you, which means that we are responsible for keeping it secure. However, because we do not collect, transmit, or access any personal data from the app, we do not actively process personal data under the UK GDPR, EU GDPR, or U.S. privacy laws in the course of normal app use.

All menstrual and health-related information entered into the app remains on your device only, under your full control. We cannot see or use this data, and it is never transmitted to our servers. We are not the controller of this data.

• If you contact us (e.g. by  email us to ask for help with the app) we will process any personal data in our communications only as needed to fulfil your request, based on our legitimate interests in app user satisfaction, including the continuation of our relationship with app users or, where appropriate, your explicit consent. 
• When we process personal data about you as part of app improvement activities such as in-person user testing and feedback sessions, we will process this data pursuant to our legitimate interests in improving the app including offering an enjoyable experience for users and expanding our app user base.
• If you are a business partner or supplier, we will process business contact details and any other information about you that you share with us as necessary for our legitimate interests in running the app including expanding our partner relationships to assist with the effective operation of the app. 

‍

4. Data security 

We follow best-practice guidance from the UK National Cyber Security Centre (NCSC) and the U.S. National Institute of Standards and Technology (NIST) to protect your data. All information you enter is encrypted on your device using AES-CFB-128 encryption, with encryption keys securely stored in the iOS Keychain or Android Keystore. There is no transmission of your personal data to external servers.

‍

5. Data sharing

The data you provide stays on your device, and there is no external access unless you choose to share, export, back it up or engage with a third party through the app (for example, by taking part in a research study). We do not sell data and we do not use third-party analytics, tracking tools, or ad networks.

From time to time, we may offer opportunities for app users to support health research or studies. These will always involve a separate, one-time consent process. Participation will be entirely optional, and no data will ever be shared without your full, informed agreement.

If you choose to take part in a health research or study through the app, you may be asked to complete onboarding questions within the app. The data you provide when you respond to these onboarding questions will stay on your device and will not be transmitted to our servers. Once you have completed the preliminary onboarding questions, you will be presented with an external link that will take you to the page of the research provider. Any information you choose to share with the research provider will go directly from your device to them. We do not see or store this information on our servers. When you click on an external link, the provider of the external page might receive some metadata relating to your use of the app, such as your IP address.  

You may choose to export your data, for example, to back it up or share it with a healthcare professional. This is entirely at your discretion.

‍

6. Children’s privacy

The app is a privacy-focused app. We do not collect or process personal data of any users, including younger users, provided as part of using the app. 

You can use the app independently if you’re 16 or older. If you’re 13–16, we recommend using it with the knowledge and support of a parent or guardian. If you’re under 13, the app isn’t designed for you to use alone - you must use it with your parent or carer.

These age limits reflect our Terms of Service and ensure appropriate support for younger users.

If you are a parent or guardian who wishes to delete any data stored on a minor’s device, removing the app or deleting data in settings will permanently erase all local information.

‍

7. Your data rights 

You’re in control of your information. 

You can:

• Review, edit, or delete your data at any time within the app
• Export your data if you wish to back it up or share it with a healthcare professional
• Delete the app to permanently erase all locally stored information

If you contact us and share personal data with us outside the app (e.g. by email), we’ll respect your privacy rights there too and you can ask us to delete that data at any time.

‍

UK and EU Users – Your Rights under Data Protection Law

In respect of any information that amounts to personal data which we process about you as controller, you may have the following rights under the UK GDPR and EU GDPR:

• Right to access data 
• Right to rectify inaccurate or outdated data
• Right to delete your data
• Right to restrict or object to the processing of your data
• Right to withdraw consent at any time
• Right to data portability 
• Right not to be subject to automated decisions
• Right to complain to 28X (for any complaints, please email us privacy@my28x.com)
• Right to be informed about how your data is used, which is what we cover in this privacy notice 

Some of these rights are not absolute, meaning that exemptions may apply to them or, in certain instances, you may not be able to exercise them.

The app’s functionality allows for reviewing, editing, deleting or exporting your data; or by deleting the app from your device. 

Any automated features, like cycle predictions, are performed privately on your device and have no legal or significant impact.

You also have the right to raise a concern with a data protection regulator. In the UK, this is the Information Commissioner’s Office: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; Tel: 0303 123 1113; www.ico.org.uk. 

If you are located in the European Union, you can contact your country’s data protection authority (DPA). A full list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en

‍

U.S. Users – HIPAA and State Privacy

28X Ltd is not subject to HIPAA, as we do not collect or process any health data. However, we align with U.S. state privacy standards, including California’s CCPA, by ensuring:

• All user data stays on the device
• No personal data is transmitted, shared or sold
• Users can delete or export their data at any time

‍

8. Device permissions

The app may request access to certain features on your device to support optional functionality. These permissions are strictly limited and no personal data is collected or transmitted by us.

The app may request:

• Wi-Fi or mobile data access – To check for app updates, display educational content or access external links (e.g. support or articles). You can disable this anytime in your device settings.
• File storage – To save app configuration files and enable manual export of your data. These files stay on your device. Deleting the app will remove them.
• Email app access – If you choose to export your data or contact us, your device may open your default email client to send a message. We do not access your email content or address book. 
• Other system-level permissions – Some platforms may request additional permissions automatically (e.g. background processes). 28X does not use these unless essential to app functionality and we do not collect any associated data.

‍

Device backups 

Device backups are controlled entirely by your operating system and device provider (such as Apple iOS or Android).

Depending on your device settings, your operating system (such as Apple iOS or Android) may include app data in automatic device backups. This process is managed entirely by your device provider and is outside of 28X’s control. We do not access, receive, or store this data.

‍

9. Updates to this notice

We may update this Privacy Notice to reflect legal or  technical changes or if how we use data ever changes.

‍

10. Contact us

If you have questions, concerns or need help, contact us at: privacy@my28x.com.

‍