Your PCOS data stays on your phone: how encryption works
After the Flo settlement, period-tracker privacy stopped being a footnote. Here's exactly how Femvia keeps your data private, in plain language.
In 2024, the Federal Trade Commission finalised a settlement against Flo Health, one of the largest period-tracking apps in the world, after the company was found to have shared sensitive cycle and pregnancy data with third-party advertising partners [1]. The settlement made one thing very clear. The privacy promises that period-tracker apps had been making for years were, in many cases, not the privacy promises their users thought they were making.
We built Femvia after that became public. Privacy isn't a marketing line for us. It's a choice we built into the app from the start, one that limits what we can ever do with your data. This article explains how.
What Femvia does not collect
We do not ask for your name. We do not ask for your email when you sign up inside the app. We do not ask for your phone number, your date of birth, your address, your insurance details, or your government ID.
You give us a botanical alias when you start: Sage, Ondina, Marigold, whichever you like. That alias is what your account is. It is not linked to anything else. There is no row in our database with your real name and your PCOS (now also called PMOS) symptoms attached to each other.
The waitlist on this site does collect an email, because we need a way to ring the doorbell once when the app opens. After launch, those emails are used only to send you the launch update. They never travel into the app.
What Femvia does collect, and where it lives
Your daily check-ins, symptom notes, cycle dates, mood scores, sleep hours, and movement logs are real data and they matter. We need them to do anything useful for you. So where do they live?
On your phone, by default. The Femvia app keeps your data in a private database on your device, scrambled with AES-256 encryption, the same standard the U.S. National Institute of Standards and Technology uses to protect classified information [4]. The key that unlocks it is created on your phone the first time you install the app. It never leaves.
If you want a backup, the app writes an encrypted backup file to your own iCloud account on iOS, or your own Google Drive on Android. Not to a Femvia server. Your phone, your cloud, your key.
This means a few specific things, all on purpose. We can't read your data. The cloud provider can't read your data (the file is encrypted with your key, which they don't have). And if you delete the app from your phone and the backup from your cloud, the data is gone. There is no copy on a server somewhere that we forgot to mention.
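The backup design described above, sketched as an added example (not Femvia's code): a 256-bit key generated locally encrypts the backup with AES-256-GCM, so a holder of the file without the key, or with a modified file, gets nothing back. The page does not name a cipher mode; GCM is assumed here because the source list cites NIST SP 800-38D, and the function names, the `BKP1` tag and the blob layout are hypothetical.

```javascript
// Added illustration, not Femvia's code. Key handling and blob layout are assumptions.
const crypto = require('crypto');

const MAGIC = Buffer.from('BKP1'); // hypothetical format tag, authenticated as AAD

// Created once on the device. On a real phone the key would be held by the
// platform keystore rather than in process memory.
function generateDeviceKey() {
  return crypto.randomBytes(32); // 256-bit key
}

// Blob layout: MAGIC | 12-byte nonce | 16-byte auth tag | ciphertext
function sealBackup(key, records) {
  const nonce = crypto.randomBytes(12); // fresh per backup, never reused with one key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(MAGIC);
  const body = Buffer.concat([
    cipher.update(JSON.stringify(records), 'utf8'),
    cipher.final(),
  ]);
  return Buffer.concat([MAGIC, nonce, cipher.getAuthTag(), body]);
}

// Returns the records, or null if the key is wrong or the blob was altered.
function openBackup(key, blob) {
  if (blob.length < 32 || !blob.subarray(0, 4).equals(MAGIC)) return null;
  const nonce = blob.subarray(4, 16);
  const tag = blob.subarray(16, 32);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce);
  decipher.setAAD(MAGIC);
  decipher.setAuthTag(tag);
  try {
    const plain = Buffer.concat([decipher.update(blob.subarray(32)), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch (err) {
    return null; // authentication failed: no plaintext is released
  }
}

// Constructed sample data.
const sampleRecords = [{ date: '2025-01-03', mood: 2, note: 'cramps, slept badly' }];
```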
How the AI companion works without seeing your raw notes
This is the part most people ask about. If the app can't read your data, how does the AI companion respond to your questions about it?
The answer is that most of the work happens on your phone. Your phone spots the patterns that build your weekly insights, works out which type of PCOS fits you, and chooses the next card to show you. That all happens right there on your device.
When you ask the AI companion a question that needs context, your phone prepares a small, structured summary of what's relevant to your question. Not raw notes. A summary like: "user has reported elevated luteal fatigue in three of the last four cycles, currently in follicular week one, asking about morning energy." That summary is sent to the model. The model's answer comes back. The raw entries you typed never leave your phone unless you specifically tap "share this entry" to include it in the question.
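The summary step described above, as an added example (not Femvia's code): the payload is built from counts and enumerated values only, and a pre-send guard rejects anything carrying an unknown field or free text. The field names, the fatigue threshold, the topic vocabulary and the entries are constructed for illustration, and the question is assumed to have been mapped to a topic label on the device.

```javascript
// Added illustration, not Femvia's code. Field names and thresholds are assumptions.

// Constructed on-device entries; `note` is free text that must stay local.
const entries = [
  { cycle: 1, phase: 'luteal', fatigue: 4, note: 'argued with my manager, exhausted' },
  { cycle: 2, phase: 'luteal', fatigue: 2, note: 'fine' },
  { cycle: 3, phase: 'luteal', fatigue: 5, note: 'skipped gym, felt awful' },
  { cycle: 4, phase: 'luteal', fatigue: 4, note: 'nap after lunch' },
  { cycle: 5, phase: 'follicular', fatigue: 2, note: 'first week, slow mornings' },
];

const TOPICS = ['morning_energy', 'sleep', 'mood', 'other']; // closed vocabulary
const PHASES = ['menstrual', 'follicular', 'ovulatory', 'luteal'];

// Build the payload from an allowlist: counts and enumerated values only.
function buildSummary(all, topic, currentCycle, lookback = 4) {
  const recent = all.filter(e => e.cycle < currentCycle && e.cycle >= currentCycle - lookback);
  const elevated = new Set(
    recent.filter(e => e.phase === 'luteal' && e.fatigue >= 4).map(e => e.cycle));
  const now = all.filter(e => e.cycle === currentCycle).pop();
  return {
    topic: TOPICS.includes(topic) ? topic : 'other',
    currentPhase: now && PHASES.includes(now.phase) ? now.phase : 'unknown',
    lutealFatigueElevatedCycles: elevated.size,
    cyclesConsidered: new Set(recent.map(e => e.cycle)).size,
  };
}

const SCHEMA = {
  topic: v => TOPICS.includes(v),
  currentPhase: v => PHASES.includes(v) || v === 'unknown',
  lutealFatigueElevatedCycles: v => Number.isInteger(v) && v >= 0,
  cyclesConsidered: v => Number.isInteger(v) && v >= 0,
};

// Pre-send guard: every key must be known and every value enumerated or an integer.
function isSendable(payload) {
  return Object.keys(payload).every(k => Object.hasOwn(SCHEMA, k) && SCHEMA[k](payload[k]));
}
```

A guard of this kind belongs immediately before the network call, so a later code change that attaches a note or a new field fails closed instead of shipping it.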
We never sell this data. We don't train on it. We don't show it to advertisers. Our business model is the Plus plan, paid in your store of choice, with no behavioural advertising.
What jurisdictions this design is built for
We pay attention to two regulations in particular. The U.S. HIPAA Privacy Rule, updated in 2024 to specifically protect reproductive health information, sets the bar for how covered entities must handle this kind of data in the United States [3]. Femvia is not a covered entity (you aren't a patient of ours; we are not a healthcare provider), but the spirit of that rule shapes our defaults.
In India, the Digital Personal Data Protection Act of 2023 sets new requirements for explicit consent, data minimisation, and the right to erasure for any service processing personal data of Indian users [2]. Femvia's architecture, by collecting almost nothing in the first place, meets these requirements by design rather than by policy.
What happens if Femvia ever gets hacked
This is the question we ask ourselves. If our servers were breached tomorrow, what would the attacker get?
The list of things we have in our database is short. A list of botanical aliases. A list of waitlist emails (until launch, then deleted on the schedule we promised). Some operational data about app installs and crash reports, none of which is linked to your identity. That's the extent of what we hold.
The thing we do not hold, and cannot hold by design, is your symptom log, cycle history, sleep data, or mood notes. Those are on your phone. They are encrypted with a key we don't have. An attacker in our database finds, essentially, a list of fake flower names.
That isn't a marketing trick. It's the choice we made about what kind of company we want to be, made before there was any data to lose.
Your control, plainly
You can turn off the cloud backup whenever you like, in which case your data lives only on your phone.
You can delete the backup from your iCloud or Drive yourself, without asking us.
You can delete the app, and there is no server-side data of yours to ask us to remove afterwards. There never was any.
If you want a copy of what we have, we'll send it (it will be a short file). If you want to be forgotten, the answer is: you already are.
This is the long version of what most companies put behind a 40-page privacy policy. The short version fits on one line, and it is the line we say everywhere: your symptoms stay on your phone, and we built the app so that we couldn't read them if we wanted to.
Sources
[1] Federal Trade Commission (2024). Flo Health, Inc. settlement and consent order.
[2] Government of India, Ministry of Electronics and Information Technology (2023). Digital Personal Data Protection Act, 2023.
[3] U.S. Department of Health and Human Services, Office for Civil Rights (2024). HIPAA Privacy Rule to Support Reproductive Health Care Privacy.
[4] National Institute of Standards and Technology (2007, updated 2024). NIST SP 800-38D: Recommendation for Block Cipher Modes of Operation, Galois/Counter Mode (GCM).