Effective Date: 11 February, 2026
Nyma Health & Wellness Private Limited ("Company", "we", "our", "us") operates the CycleBae mobile application and related services (the "Service").
This Privacy Policy explains how we collect, use, disclose, and protect your personal data in accordance with applicable data protection laws, including :
India’s Digital Personal Data Protection Act, 2023 (DPDP Act)
EU General Data Protection Regulation (GDPR)
UK GDPR
Brazil’s Lei Geral de Proteção de Dados (LGPD)
Applicable US State Privacy Laws including CCPA/CPRA
Effective Date: 11th February 2026
Nyma Health & Wellness Private Limited ("Company", "we", "our", "us") operates the CycleBae mobile application and related services (the "Service").
This Privacy Policy explains how we collect, use, disclose, and protect your personal data in accordance with applicable data protection laws, including :
India’s Digital Personal Data Protection Act, 2023 (DPDP Act)
EU General Data Protection Regulation (GDPR)
UK GDPR
Brazil’s Lei Geral de Proteção de Dados (LGPD)
Applicable US State Privacy Laws including CCPA/CPRA
Categories of Personal Data We Collect
We collect only data that is necessary to provide the Service.
A. Account Information
Name
Email address
Lawful Basis (GDPR) : Contractual necessity (Article 6(1)(b))
B. Special Category Health Data
Menstrual cycle dates
Physical symptoms
Mood and emotional states
Energy levels
Wellness-related self-reported information
This constitutes special category data under Article 9 GDPR.
Lawful Basis (GDPR) : Explicit consent (Article 9(2)(a))
Health data is processed solely to generate personalized wellness insights within the app.
C. Usage and Device Data
Device identifiers
Log data
Crash reports
App interaction events
Lawful Basis (GDPR) : Legitimate interest (security, fraud prevention, service optimization)
Categories of Personal Data We Collect
We collect only data that is necessary to provide the Service.
A. Account Information
Name
Email address
Lawful Basis (GDPR) : Contractual necessity (Article 6(1)(b))
B. Special Category Health Data
Menstrual cycle dates
Physical symptoms
Mood and emotional states
Energy levels
Wellness-related self-reported information
This constitutes special category data under Article 9 GDPR.
Lawful Basis (GDPR) : Explicit consent (Article 9(2)(a))
Health data is processed solely to generate personalized wellness insights within the app.
C. Usage and Device Data
Device identifiers
Log data
Crash reports
App interaction events
Lawful Basis (GDPR) : Legitimate interest (security, fraud prevention, service optimization)
2. How We Use Your Data
We use personal data strictly for:
Account creation and authentication
Generating personalized cycle and wellness insights
Improving app performance and reliability
Ensuring platform security
We do not use your data for behavioral advertising or profiling for commercial marketing purposes.
2. How We Use Your Data
We use personal data strictly for:
Account creation and authentication
Generating personalized cycle and wellness insights
Improving app performance and reliability
Ensuring platform security
We do not use your data for behavioral advertising or profiling for commercial marketing purposes.
3. No Sale or Sharing of Data
We do not sell, rent, trade, or share your personal data with third parties for monetary or cross-context behavioral advertising purposes as defined under CCPA/CPRA.
As we do not sell or share personal data, “Do Not Sell or Share” opt-out mechanisms are not applicable.
3. No Sale or Sharing of Data
We do not sell, rent, trade, or share your personal data with third parties for monetary or cross-context behavioral advertising purposes as defined under CCPA/CPRA.
As we do not sell or share personal data, “Do Not Sell or Share” opt-out mechanisms are not applicable.
4. Data Retention
We retain your personal and health data:
For as long as your account remains active
For up to 30 days following account deletion to allow recovery
Longer where required to comply with legal obligations
Backup systems may retain encrypted copies for a limited additional period.
After retention periods expire, data is securely deleted or anonymized.
4. Data Retention
We retain your personal and health data:
For as long as your account remains active
For up to 30 days following account deletion to allow recovery
Longer where required to comply with legal obligations
Backup systems may retain encrypted copies for a limited additional period.
After retention periods expire, data is securely deleted or anonymized.
5. Data Security
We implement industry-standard safeguards, including:
AES-256 encryption at rest
TLS 1.3 encryption in transit
Role-based access controls
Secure cloud infrastructure
While we use commercially reasonable safeguards, no system is completely secure.
5. Data Security
We implement industry-standard safeguards, including:
AES-256 encryption at rest
TLS 1.3 encryption in transit
Role-based access controls
Secure cloud infrastructure
While we use commercially reasonable safeguards, no system is completely secure.
International Data Transfers
Your data is processed in India.
For users located in the EEA, UK, or Brazil, we rely on:
Standard Contractual Clauses (SCCs)
Additional technical and organizational safeguards to ensure an adequate level of protection.
International Data Transfers
Your data is processed in India.
For users located in the EEA, UK, or Brazil, we rely on:
Standard Contractual Clauses (SCCs)
Additional technical and organizational safeguards to ensure an adequate level of protection.
7. Service Providers (Processors)
We engage trusted third-party service providers for:
Cloud hosting
Infrastructure management
Email delivery
Analytics and performance monitoring
All processors operate under written data processing agreements and are contractually obligated to protect your data.
7. Service Providers (Processors)
We engage trusted third-party service providers for:
Cloud hosting
Infrastructure management
Email delivery
Analytics and performance monitoring
All processors operate under written data processing agreements and are contractually obligated to protect your data.
8. Automated Processing
CycleBae uses AI systems to generate personalized wellness insights.
CycleBae does not engage in automated decision-making that produces legal or similarly significant effects under Article 22 GDPR.
8. Automated Processing
CycleBae uses AI systems to generate personalized wellness insights.
CycleBae does not engage in automated decision-making that produces legal or similarly significant effects under Article 22 GDPR.
9. Your Privacy Rights
Depending on your jurisdiction, you may have the right to:
Access your data
Correct inaccurate data
Request deletion
Restrict or object to processing
Withdraw consent (including for health data)
Data portability
Lodge a complaint with a supervisory authority
You may exercise these rights via the app or by emailing: team@cyclebae.com
Withdrawal of consent will not affect processing performed prior to withdrawal. Withdrawal may limit access to certain personalized features.
9. Your Privacy Rights
Depending on your jurisdiction, you may have the right to:
Access your data
Correct inaccurate data
Request deletion
Restrict or object to processing
Withdraw consent (including for health data)
Data portability
Lodge a complaint with a supervisory authority
You may exercise these rights via the app or by emailing: team@cyclebae.com
Withdrawal of consent will not affect processing performed prior to withdrawal. Withdrawal may limit access to certain personalized features.
10. Right to Nominate (India Only)
Under the DPDP Act, you may nominate an individual to exercise your rights in case of death or incapacity.
10. Right to Nominate (India Only)
Under the DPDP Act, you may nominate an individual to exercise your rights in case of death or incapacity.
11. Age Restriction
CycleBae is intended only for individuals aged 18 and above.
If we become aware that personal data has been collected from a minor, it will be deleted promptly.
11. Age Restriction
CycleBae is intended only for individuals aged 18 and above.
If we become aware that personal data has been collected from a minor, it will be deleted promptly.
12. Data Breach Notification
In the event of a personal data breach posing risk to individuals, we will notify:
Relevant supervisory authorities within applicable statutory timeframes (e.g., 72 hours under GDPR)
Affected users where required by law
12. Data Breach Notification
In the event of a personal data breach posing risk to individuals, we will notify:
Relevant supervisory authorities within applicable statutory timeframes (e.g., 72 hours under GDPR)
Affected users where required by law
13. AI and Wellness Disclaimer
CycleBae provides wellness-related insights only.
CycleBae is not a medical device.
The Service does not provide medical advice, diagnosis, or treatment.
The app must not be used as a substitute for professional medical care or as a form of birth control.
13. AI and Wellness Disclaimer
CycleBae provides wellness-related insights only.
CycleBae is not a medical device.
The Service does not provide medical advice, diagnosis, or treatment.
The app must not be used as a substitute for professional medical care or as a form of birth control.
14. Changes to This Policy
We may update this Privacy Policy from time to time.
Material changes will be communicated within the app or via email.
15. Contact Information
Data Protection Officer / Grievance Officer:
Arun Velekkat
Email: arun@cyclebae.com
Address:
Nyma Health & Wellness Pvt Ltd
BHIVE Premium, HSR Sector 6
L-148, Bengaluru, 560102
India
Privacy Policy
