plumefeel your flow
Features
About
Support
Download iOS
Legal

Privacy Policy (GDPR)

Last updated: February 2026

Controller (Art. 4 No. 7 GDPR)

Controller for processing personal data via the Plume app and website:

  • Name / Company: [Insert legal entity]
  • Address: [Insert full postal address]
  • Email: support@plumehealth.app

For legal notice details, see Imprint.

Data Protection Contact

For privacy requests, deletion requests, or data subject rights inquiries, contact us at support@plumehealth.app.

If a Data Protection Officer is legally required in your final legal setup, add name and contact details here.

Categories of Data Processed

  • Profile data (for example name, optional family profile information)
  • Cycle entries (for example dates, intensity details)
  • Baby-care entries (for example feeding, sleep, fever-related records)
  • Family circle data (role assignments, sharing permissions, invite metadata)
  • Account/security data (email address, authentication/session metadata)

We do not sell personal data and do not use ad-tech tracking on health entries.

Purposes and Legal Bases (Art. 6 GDPR)

  • App functionality and account operation — Art. 6(1)(b) GDPR (contract performance)
  • Security and abuse prevention — Art. 6(1)(f) GDPR (legitimate interests)
  • Optional family sharing / cloud sync — Art. 6(1)(b) and, where required, Art. 6(1)(a) GDPR (consent)
  • Legal compliance obligations — Art. 6(1)(c) GDPR

Storage and Retention

Plume follows a local-first architecture where possible. Data retention depends on your usage:

  • Local app data remains on-device until you delete or reset it.
  • Cloud-synced records are retained while your account/circle usage is active.
  • Deletion requests are processed without undue delay, subject to legal retention duties.

Recipients and Processors

Where cloud sync is enabled, data may be processed by infrastructure providers acting as processors. At present, this includes Supabase (EU-hosted configuration intended).

Processor agreements (Art. 28 GDPR) should be concluded for all external processors before production launch.

International Data Transfers

If any transfer to a third country occurs, we apply an appropriate transfer mechanism under Chapter V GDPR (for example adequacy decision or Standard Contractual Clauses).

Your Rights (Arts. 15–22 GDPR)

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object (Art. 21 GDPR)
  • Right to withdraw consent at any time (if consent is used)

To exercise rights, email support@plumehealth.app.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, especially in the EU member state of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR).

Medical Disclaimer

Plume is an informational health companion. It does not provide diagnosis or medical treatment and does not replace professional medical advice.

Changes to this Policy

We may update this policy to reflect legal, technical, or product changes. The current version is always published on this page.

Implementation Note

This policy is designed as a strong GDPR-oriented baseline. Before production publication, legal entity details, processor list, and supervisory authority references should be finalized with legal counsel.