Privacy Policy for OVA

Last Updated: June 13th 2026

Ova ("the app", "we") is a menstrual cycle tracking app published by A to Z ("we", "us"). This policy explains what data the app handles, where it is stored, and the choices you have. We built Ova so that your health data stays under your control: it lives on your device, and anything that leaves your device is end-to-end encrypted.

Summary

Your cycle and health data is stored locally on your device.- We do not require an account, email address, or phone number.- Partner sharing is end-to-end encrypted — our servers only ever store ciphertext that we cannot read.- We do not show ads, use analytics trackers, or sell data to anyone.

Data the app collects and how it is used

Health and wellness data (stored on your device)

The app lets you log menstrual cycle dates, flow, moods, symptoms, sleep, hydration, and energy levels. This data is stored in a local database on your device. It is used to display your history, calculate cycle predictions and phase information, and generate on-device insights. It is not transmitted anywhere unless you enable Partner Sharing (see below).

Profile information (stored on your device)

You may optionally add a first name and a profile photo (chosen from your gallery). Both are stored locally on your device and are used only to personalize the app. The photo is never uploaded.

Anonymous account

To support Partner Sharing, the app creates an anonymous Firebase account. This account has no email address, name, or other identity attached to it — it is a random identifier. We cannot use it to identify you.

Partner Sharing (end-to-end encrypted)

If you choose to link with a partner, the app shares your cycle data with that one linked device. This works as follows:
Each device generates an encryption key pair (X25519). The private key never leaves your device and is kept in your device's secure storage.- Data shared with your partner is encrypted on your device with your partner's public key before upload, and can only be decrypted on your partner's device.- Our servers (Google Firebase Firestore) store and relay only the encrypted payload. Neither we nor Google can read its contents.- You can unlink your partner or rotate your keys at any time in the app's settings, which invalidates previously shared access.
If you never enable Partner Sharing, your health data never leaves your device.

Notifications

If you grant notification permission, the app schedules reminders (for example, upcoming period predictions or logging reminders). Notification content is generated on your device. Push delivery may use Firebase Cloud Messaging; message tokens are not linked to your identity.

App lock and biometrics

You can enable an app lock using your device's biometric authentication (fingerprint/face). Biometric verification happens entirely within your device's operating system — the app never sees, stores, or transmits your biometric data.

Service providers

The app uses Google Firebase (Authentication, Firestore, App Check, and Cloud Messaging) to support anonymous sign-in and encrypted partner sync. Google acts as a hosting/relay provider and stores only the encrypted data described above. Google's own infrastructure handling is described in the [Firebase privacy documentation](https://firebase.google.com/support/privacy).

What we do NOT do

No advertising or ad SDKs- No analytics or behavioral trackers- No selling, renting, or sharing of personal data with third parties- No collection of your location, contacts, or browsing data- No human access to your health data — end-to-end encryption makes this technically impossible for synced data

Data retention and deletion

Local data: remains on your device until you delete it in the app or uninstall the app.- Synced (encrypted) data: you can unlink your partner in the app, which stops sharing. Encrypted payloads associated with your anonymous account are deleted when you reset or delete your sync link in the app's settings.- Because we cannot identify which anonymous account belongs to which person, deletion is controlled by you from within the app.

Children

Ova is not directed at children under 13 (or the minimum age in your jurisdiction), and we do not knowingly collect data from them.

Security

Health data is stored on your device; encryption keys are kept in your device's secure storage (Android Keystore-backed). Data shared with a partner is end-to-end encrypted using libsodium (X25519 key exchange with authenticated encryption). No security measure is perfect, but our architecture is designed so that a server breach cannot expose your readable health data.

Your rights

Depending on where you live (e.g., GDPR in the EU/UK, CCPA in California), you may have rights to access, correct, delete, or port your personal data. Because your data is stored on your device and under your direct control, you can exercise these rights directly in the app. For anything else, contact us below.

Changes to this policy

If we change this policy, we will update the effective date above and, for material changes, notify you in the app before they take effect.

Contact

admin@atozsolutions.com.au