APP privacy policy

28X APP - PRIVACY POLICY

Last updated: 8th May 2026

Summary Note

This update introduces Health Sync, an optional feature that lets you share your data with Apple Health or Google Health Connect. Your data stays on-device by default. If you use Health Sync, you need to delete any shared data directly from those services.

At 28X, your privacy isn’t just protected, it’s built in.

We designed 28X as a fully private, on-device app. Everything you enter stays safely on your phone. We don’t track you. By default, your cycle or health data is never stored in the cloud unless you choose to enable sharing features. No accounts, no ads, no third-party analytics.

The app uses your information only to support you, like helping track your cycle or symptoms, and no cycle or health data leaves your device unless you choose to export it or enable Health Sync (to Apple or Google Health). You can review, edit, delete or share your data at any time. Deleting the app or deleting your data in settings removes all 28X data stored locally on your device - you will have to delete any data you have exported using Health Sync from those services manually.

Since your health data stays on your device and not on our servers, we are not a controller of this data. 

We don’t sell your data. When we ask users if they would like to support health research, we ask for clear, one-time consent and it will always be optional.

You can use the app independently if you’re 16 or older. If you’re 13–15, we recommend using it with the knowledge and support of a parent or guardian. If you’re under 13, the app isn’t designed for you to use alone - you must use it with your parent or carer.

If you contact us for help, we’ll only use your info to respond and delete it if you ask.

If we make any major changes, we’ll alert you in app to let you know and ask for your consent again if needed.

Got questions? We’re here to help: info@my28x.com

That’s the short version. Want the full details? Just keep reading — we’ve kept it clear, we promise.

Full Notice

This Privacy Notice sets out how we process the limited information we may collect from you on the 28X Private Period app (the “app”). If you are not comfortable with the content of this notice, please don’t use the app.

1. Who we are

28X Ltd (“we”, “us”, “our”) is a UK-based company committed to privacy-first, inclusive design. Our app enables users to track their cycle and symptoms by default, without any cloud-based storage or external data transmission. Optional features, including Health Sync, are available if you choose to enable them. For data that remains on your device, we are not the controller of this data.

Contact Details: 28X Ltd, 20 Wenlock Road, London, N1 7GU, United Kingdom; info@my28x.com

2. What information we process

Data we are not a controller of 

Everything you enter into the app is stored only on your personal device, never uploaded to our servers. If you choose to enable Health Sync, a copy is written to your iCloud or Google Drive account (see Section 5). We do not collect any personal data on our servers. We only collect the anonymised and/or aggregated data required to provide app functionality.

When you sign up to use the app, you provide a username, date of birth, details about your menstrual cycle, including the date your last period started, how many days your period lasted, the average length of your cycle, how regular your cycle is, and whether you have any pre-existing conditions that could affect your cycle. You may be asked about the reason you are using the app, such as tracking for health or fertility so that the app can show you content in line with your preferences. We are not the controller of this data. 

Our app also facilitates simple data processing including for purchases you make within the app or to allow you to take part in research opportunities, if you choose to do this. We are not the controller of any information provided, generated or transferred as part of these processes. When IP addresses are shared with third parties through the app (for example, to Google Play or the App Store), this is not personal data that we process. 

We do not use in-app analytics or third-party tracking tools. However, we may review anonymous, aggregate data provided by Apple and Google through their developer platforms, for example, information about app downloads, crash events or app ratings.

This information helps us improve app stability and user experience, but it is not linked to you personally and is never used for profiling, advertising or behavioural tracking. This information does not amount to personal data. We are not the controller of this data. 

Depending on your device settings, your operating system (such as Apple iOS or Android) may include app data in automatic device backups. This process is managed entirely by your device provider and is outside of 28X’s control. We do not access, receive, or store data included in device backups, and we cannot control how your device provider stores or restores this information.

If you choose to purchase visual customisations such as butterflies or other upgrades, the transaction is handled through the App Store or Play Store. We do not process your payment details directly. The App Store or Play Store may provide us with limited information related to the purchase, such as confirmation that the transaction was successful, but we do not receive or store your financial information. These interactions are subject to the privacy terms and conditions of the App Store and Google Play. This information does not amount to personal data. We are not the controller of this data.

Data we are a controller of 

We may conduct in-person user testing and feedback sessions to improve the app. If you choose to participate in these sessions, any personal data you provide will only be used for the purpose of gathering feedback and will not be linked to your app data. 

If you are a business partner or supplier, we will process business contact details and any other information about you that you share with us. 

3. Lawful basis for processing

We are the data controller for limited information processed outside of the app which could be used to identify you, which means that we are responsible for keeping it secure. However, because we do not collect, transmit, or access any personal data from the app, we do not actively process personal data under the UK GDPR, EU GDPR, or U.S. privacy laws in the course of normal app use.

All menstrual and health-related information entered into the app remains on your device only, under your full control. We cannot see or use this data, and it is never transmitted to our servers. We are not the controller of this data.

  • If you contact us (e.g. by emailing us to ask for help with the app) we will process any personal data in our communications only as needed to fulfil your request, based on our legitimate interests in app user satisfaction, including the continuation of our relationship with app users or, where appropriate, your explicit consent.
  • When we process personal data about you as part of app improvement activities such as in-person user testing and feedback sessions, we will process this data pursuant to our legitimate interests in improving the app including offering an enjoyable experience for users and expanding our app user base.
  • If you are a business partner or supplier, we will process business contact details and any other information about you that you share with us as necessary for our legitimate interests in running the app including expanding our partner relationships to assist with the effective operation of the app. 

4. Data security 

We follow best-practice guidance from the UK National Cyber Security Centre (NCSC) and the U.S. National Institute of Standards and Technology (NIST) to protect your data. All information you enter is encrypted on your device using AES-CFB-128 encryption, with encryption keys securely stored in the iOS Keychain or Android Keystore. 

By default, there is no transmission of your personal data to external servers. If you enable Health Sync, data is transmitted directly to your personal Apple iCloud or Google Drive cloud account — see Section 5. 

5. Data sharing

Your data stays on your device by default. We do not sell it, and we do not use third-party analytics, tracking or advertising tools.

Links on our site may take you to third-party websites. We're not responsible for their privacy practices, so please check their policies when you get there.

If you choose to share data externally — by exporting a report, enabling Health Sync, or taking part in a research study — that sharing is always optional and initiated by you. Once data leaves the app it is no longer covered by this Privacy Notice, and 28X is not responsible for how it is stored, used or shared by any third party.

Health Sync. If you enable Health Sync, 28X writes a copy of your data directly to Apple Health or Google Health Connect on your device. It does not pass through our systems. Once written, it is governed by Apple's and Google's own privacy policies and may be backed up to the cloud or accessed by other apps you have given health permissions to — managed in your device settings, not by 28X.

Research. From time to time we may offer optional opportunities to support health research. These always involve a separate consent process. If you take part, you may complete onboarding questions in-app — this data stays on your device. You will then be directed to the research provider's page via an external link; anything you share goes directly to them, not to us. The external provider may receive limited metadata such as your IP address when you follow the link. 28X does not receive research data, determine research purposes, or act as a controller or processor in relation to data shared directly with research partners.

Turning off sharing and deleting your data. You can turn off any sharing feature in Settings > Data. This stops future transfers but does not delete data already shared. To delete it, go directly to the platform you shared it with — Apple Health, Google Health Connect, iCloud, Google Drive, or wherever you sent a report.

6. Children’s privacy

The app is a privacy-focused app. We do not collect or process personal data of any users, including younger users, provided as part of using the app. 

You can use the app independently if you’re 16 or older. If you’re 13–15, we recommend using it with the knowledge and support of a parent or guardian. If you’re under 13, the app isn’t designed for you to use alone - you must use it with your parent or carer.

These age limits reflect our Terms of Service and ensure appropriate support for younger users.

If you are a parent or guardian who wishes to delete any data stored on a minor’s device, removing the app or deleting data in settings will permanently erase all local information.

7. Your data rights 

You’re in control of your information. 

You can:

  • Review, edit, or delete your data at any time within the app
  • Export your data if you wish to back it up or share it with a healthcare professional
  • Delete the app to permanently erase all locally stored information

If you contact us and share personal data with us outside the app (e.g. by email), we’ll respect your privacy rights there too and you can ask us to delete that data at any time.

UK and EU Users – Your Rights under Data Protection Law

In respect of any information that amounts to personal data which we process about you as controller, you may have the following rights under the UK GDPR and EU GDPR:

  • Right to access data 
  • Right to rectify inaccurate or outdated data
  • Right to delete your data
  • Right to restrict or object to the processing of your data
  • Right to withdraw consent at any time
  • Right to data portability 
  • Right not to be subject to automated decisions
  • Right to complain to 28X (for any complaints, please email us at info@my28x.com)
  • Right to be informed about how your data is used, which is what we cover in this privacy notice 

Some of these rights are not absolute, meaning that exemptions may apply to them or, in certain instances, you may not be able to exercise them.

The app’s functionality allows for reviewing, editing, deleting or exporting your data, or for removing it by deleting the app from your device.

Any automated features, like cycle predictions, are performed privately on your device and have no legal or significant impact.

You also have the right to raise a concern with a data protection regulator. In the UK, this is the Information Commissioner’s Office: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; Tel: 0303 123 1113; www.ico.org.uk. 

If you are located in the European Union, you can contact your country’s data protection authority (DPA). A full list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en

U.S. Users – HIPAA and State Privacy

28X Ltd is not subject to HIPAA, as we do not collect or process any health data. However, we align with U.S. state privacy standards, including California’s CCPA, by ensuring:

  • All user data stays on the device
  • No personal data is transmitted, shared or sold
  • Users can delete or export their data at any time

8. Device permissions

The app may request access to certain features on your device to support optional functionality. These permissions are strictly limited and no personal data is collected or transmitted by us.

The app may request:

  • Wi-Fi or mobile data access – To check for app updates, display educational content or access external links (e.g. support or articles). You can disable this anytime in your device settings.
  • File storage – To save app configuration files and enable manual export of your data. These files stay on your device. Deleting the app will remove them.
  • Email app access – If you choose to export your data or contact us, your device may open your default email client to send a message. We do not access your email content or address book. 
  • Other system-level permissions – Some platforms may request additional permissions automatically (e.g. background processes). 28X does not use these unless essential to app functionality and we do not collect any associated data.

Device backups 

Device backups are controlled entirely by your operating system and device provider (such as Apple iOS or Android).

Depending on your device settings, your operating system (such as Apple iOS or Android) may include app data in automatic device backups. This process is managed entirely by your device provider and is outside of 28X’s control. We do not access, receive, or store this data.

9. Updates to this notice

We may update this Privacy Notice to reflect legal or technical changes or if how we use data ever changes.

10. Contact us

If you have questions, concerns or need help, contact us at: info@my28x.com.