Effective as of 2 May 2022.
See the prior versions of our Privacy Policy here.
When you use Flo, you are trusting us with intimate personal data. We are committed to keeping that trust, which is why our policy as a company is to take steps to ensure that individual user's data and privacy rights are protected and to provide transparency about our data practices.
The purpose of our Privacy Policy is to explain what data we collect, how it is used and shared, and how you can control it.
Here’s a summary of our Privacy Policy to give you a quick overview of our data practices. The summary is not a substitute for reading the full policy to obtain important information about your personal data, how we use it and your rights with respect to it. Please read this Privacy Policy in full along with our Terms of Use, but here are a few key takeaways we hope you will find useful:
The data that serves you
When you use Flo, we collect your Personal Data and may use it to improve the user experience, such as increasing the accuracy of predictions, personalizing product offers, the insights you get, etc. For research activities we use only de-identified or aggregated data, which cannot be associated with you.
You can contribute to the growth of the Flo community
If you consent, we may use technical information about your device and other information about you (such as your device’s unique technical identifier, age group, subscription status, and the fact of application launch) for promotional purposes to reach more people like you who we believe may be interested in using the Services. You can always withdraw your consent. Please see the section below titled “Processing to find new Flo users and stay in touch with you” for more information about how to withdraw your consent.
You are in control
You may ask to access, modify, correct, erase, and update your Personal Data by writing to us at support@flo.health. For iOS Flo Premium users, the App also enables you to download a report containing some of your Personal Data from within the App. Please be aware that erasing or modifying some Personal Data you have provided could affect your ability to use certain features of the App that rely on historic data.
Securing your data
We take reasonable and appropriate measures to protect your Personal Data from loss, theft, misuse or unauthorized access.
We limit children’s access to the App
You must be at least 13 to use the App (16 for European Economic Area (“EEA” and United Kingdom (“UK”) residents). We do not knowingly collect information from children under 13 (16 for EEA and UK residents), and we do not allow people to use the App if they are younger than 13 (16 for EEA and UK residents). Moreover, some of the App functions are limited for users that are younger than 18.
You can freely talk to us
We believe in transparent and open dialogue, so we strongly encourage you to contact our Support Team at support@flo.health, our Data Protection Officer at dpo@flo.health or send a message via our dedicated email if you have questions about this Privacy Policy, how we collect or process your Personal Data, or anything else related to our privacy practices.
Table of contents
Introduction
This Privacy Policy explains how Flo Health UK Limited (“Flo” or “we” or “us”) collects, stores, uses, transfers and shares Personal Data from our users (“you”) in connection with the Flo mobile application, Flo Period & Ovulation Tracker (the “App”)*, and the flo.health website including any products and services related to it (the "Website") (all collectively, the “Services”).
*Please note the App may be listed under a different name depending on your location. A full list of names is available here.
We reserve the right to and may change this Privacy Policy from time to time. If we make any material changes, we will notify you by email (sent to the email address provided when you register), through the App, or by presenting you with a new version of this Privacy Policy. If permitted by applicable law, your continued use of the Services after the effective date of an updated version of the Privacy Policy will indicate your acceptance of the Privacy Policy as modified. In some cases, you will be given a choice about whether to explicitly accept changes to the Privacy Policy. If you do not accept the terms of the Privacy Policy, please do not use the Services.
Please check the Privacy Policy posted on our Website and in the App for the latest updates on our data privacy practices.
Personal Data we collect from you
We collect Personal Data about you in a variety of ways. Sometimes we collect Personal Data automatically when you interact with the Services, and sometimes we collect the Personal Data directly from you. At times, we may receive Personal Data about you from other sources and third parties.
Personal Data you provide to us directly:
General Information. When you sign up to use the Services, we may collect Personal Data about you such as:
- Name;
- Email address;
- Year of birth;
- Password or passcode;
- Place of residence and associated location information including time zone and language;
- ID (for limited purposes).
In many cases, we may be able to infer your gender by your use of the Services.
Health and Well-being. When you sign up to use the Services, you may choose to provide Personal Data about your health and well-being such as:
- Weight;
- Body temperature;
- Menstrual cycle dates;
- Details of your pregnancy (if you select the pregnancy mode);
- Various symptoms related to your menstrual cycle, pregnancy and health;
- Other information about your health (including sexual activities), physical and mental well-being, and related activities, including personal life.
You may also allow us to connect to third-party services, such as Apple HealthKit and Google Fit, to enable us to import Personal Data about your health and activities into the App. This imported data may include sports activities, weight, calories burned, heart rate, number of steps/distance traveled, and other data about your health. We will process this data in order to provide you with the App functionality described below. When you choose to have this data imported you are subject to the Google Fit and Apple HealthKit privacy policies and practices.
Personal Data we collect automatically:
When you access or use the Services, we may automatically collect the following information:
Device Information:
- Device model;
- Information about the operating system and its version;
- Unique device identifiers (e.g. IDFA);
- Mobile operator and network information;
- Device storage information;
- Version of your device system.
Location Information:
- IP address;
- Time zone;
- Information about your mobile service provider.
Data about your use of the Services, including, among others:
- Frequency of use;
- Areas and features of the Services that you access, visit or use;
- Engagement with particular features.
To collect this and other information, we may use cookies and other tracking technologies. See more in our Cookie Policy.
Data from external sources. We may receive Personal Data about you from third parties. For example, we may obtain information from third parties, to enhance or supplement existing user information, including to customize and personalize your experience and for statistical purposes and analytics, as described below.
How we use your Personal Data
We will not collect and use your Personal Data without letting you know. Depending on which features of the Services you use, we will process your Personal Data based on one or more of the following legal bases:
- Your consent. For example, on the registration screen when you give us permission to process your Personal Data;
- To fulfill our contractual obligations to you in order to provide the Services to you;
- Legitimate interest. We may process your Personal Data in relation to our interests in providing the Services to you, our commercial interests, including our interest in protecting the security and integrity of the Services, and wider societal benefits;
- Legal obligation. We may be obligated to process some of your Personal Data to comply with applicable laws and regulations.
Below we describe the purposes for which we process your Personal Data and our lawful bases for doing so, including some basic examples:
Purpose of processing | Legal basis for processing | Example |
---|---|---|
To support the existing functions of the App, including customization of content and materials you see when you use the App | Consent | We make automated decisions using your cycle data to predict your future cycles or ovulation, analyze your data to provide you new features and services, and provide certain suggested articles or materials (e.g., stories, health assistant and secret chats) to read |
customization of product and service offerings and making recommendations to you, including third-party products and offerings (excluding data from Apple HealthKit and Google Fit) | Consent | We may offer you a discount for Flo Premium |
to provide and deliver the products and services you request, process transactions and send you related information, including confirmations and reminders | Contract | Using your device data we may send you a reminder, e.g., via push notifications, to log your period or symptoms to make predictions more accurate. You can disable this anytime in your device settings or from within the App using the consent toggle screens |
for billing (invoicing), account management and other administrative purposes, if applicable | Contract | We may send you an email containing your invoice, if applicable |
to respond to your comments, questions and requests and to provide customer service | Legitimate interest | We may process your name and email to reply to your support request or to contact you about a specific query or question you have raised |
to send you technical notices, updates, security alerts and support and administrative messages | Legitimate interest | We may send you an email notification that contains a customer satisfaction survey. You can opt-out of receiving such surveys anytime by contacting us at support@flo.health |
to integrate data between the Website and App in connection with onboarding users | Legitimate interest | As an example, when you sign-up for the Services on the Website we use a third-party, AppsFlyer, to help us identify you as an existing user when you use the App |
to monitor and analyze trends, usage and activities in connection with our App | Consent | We may analyze your browsing activity in the App to understand what you like or dislike about it in order to improve your future experience |
solely with respect to information that you agree to share, for Flo promotional purposes (except data from Apple HealthKit and Google Fit) | Consent | If you give your consent, we can post your review or comment on our website |
to verify your identity | Legal obligation | We may ask for age verification (e.g., an ID) if we have reasonable doubts regarding your age |
Principles of processing
Data minimization and purpose limitation. We will not process Personal Data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by you or collect any Personal Data that is not needed for the mentioned purposes. For any new purpose of processing we will ask your separate consent.
No sale of Personal Data. We will not sell or rent your Personal Data. We will not disclose your Personal Data except as otherwise described in this Privacy Policy. We may share your Personal Data with our service providers solely as described in this Privacy Policy. We will also not use information received through your use of the HealthKit and Google Fit framework for advertising or similar services, or sell it to advertising platforms, data brokers, or information resellers.
Your privacy rights
It does not matter what country or region you come from, we are committed to providing you vast privacy rights in relation to your Personal Data.
What rights?
Correction of your Personal Data
If you believe that your Personal Data is inaccurate, you have a right to contact us and ask us to correct such Personal Data.
Restriction of Processing
You have a right to request that the processing of your Personal Data be restricted in some circumstances. For example, you have the right to request the restriction of your Personal Data if you contest the accuracy of your Personal Data and we need some time to verify its accuracy.
Access to your Personal Data (including in portable form)
You have a right to request information about what Personal Data we process about you, to access all your Personal Data, and receive a copy of it, including in a structured and portable form (.json). For iOS Flo Premium users, the App also enables you to download a report containing some of your Personal Data from within the App.
Erasure of your Personal Data
You may ask us to erase your Personal Data if you withdraw your consent to processing, if you believe such processing is unlawful. Please be aware that erasing some Personal Data may affect your experience using certain features of the Services that rely on historic data.
Right to object to the processing of your Personal Data
In some cases, you can object to the processing of your Personal Data, for example, if we process it under the legitimate interest basis, by contacting us at support@flo.health.
How to exercise your privacy rights
Сontact us at support@flo.health to exercise your privacy rights.
We will address your request within 30 days after receipt. It may take us up to 90 days in some cases, for example for full erasure of your Personal Data stored in our backup systems. We will let you know if we need more time and explain the reasons for the delay.
What else?
Please keep in mind that if we receive a vague request, we may contact you to better understand the request. We may also refuse to comply with a request that is manifestly unfounded and with excessive (repetitive) requests.
We might also require you to prove your identity in some cases. Normally, we make sure to verify that the request is coming from the same email as you provided when registering. Where you have not registered your account, we may ask you to undergo additional verification measures in an effort to ensure we are appropriately responding to requests.
Subject to applicable laws, you may have a right to lodge a complaint with your local data protection authority about any of our activities (related to your privacy rights, among others) that you think are not compliant with applicable law. If you have any concerns about our privacy practices, please let us know at privacy@flo.health.
Third parties processing your Personal Data
We will not share your Personal Data with third parties except as specified below.
Processing to find new Flo users and stay in touch with you
With your consent we may share some of your non-health Personal Data with AppsFlyer for marketing and promotional purposes. AppsFlyer is a mobile marketing platform that handles your Personal Data in accordance with our instructions. By using AppsFlyer and its integrated partners for marketing and promotional purposes we are able to reach you and people like you on various platforms and spread the word about Flo. If we need to share your Personal Data with other platforms for this purpose, except as we have explained in this Privacy Policy, we will ask for your consent.
Here is a step-by-step illustration of how we work with AppsFlyer and its integrated partners for marketing and promotional purposes:
1. You become a Flo user and with your consent we start sharing the following Personal Data with AppsFlyer and its integrated partners for marketing and promotional purposes:
a) Technical identifiers: IP address (which may also provide general location information), User agent, IDFA (Identifier for advertisers), Android ID (in Android devices), Google Advertiser ID, Customer-issued user ID and other similar unique technical identifiers;
b) Your age group;
c) Your subscription status;
d) The fact of application launch.
2. Flo sends your Personal Data to AppsFlyer, which analyzes it and provides us reports and insights on how to optimize our promotional campaigns.
3. At the same time, AppsFlyer sends your Personal Data to some of its integrated partners (e.g., Pinterest, Google Ads, Apple Search Ads, FB marketing network and others) to find you or people like you on different platforms, including social media websites. These integrated partners analyze your Personal Data and show relevant information about Flo to people who might be potentially interested in it or remind you about revisiting the App, if you stopped using it a while ago.
4. We reach out to you and new users and provide you with more information about Flo, accurate cycle predictions, information about the meaning of your bodies’ cues and credible information about your health.
Read more about AppsFlyer here and its integrated partners here.
5. Opt-out options. You can withdraw your consent or opt-out from the sharing of your Personal Data with AppsFlyer for marketing and promotional purposes in accordance with this subsection anytime by adjusting your device settings in iOS or Android.
Please note that we also use AppsFlyer to integrate data between the Website and App in connection with onboarding users. You are not able to opt out of AppsFlyer’s processing of your Personal Data for these purposes.
Processing to make the App run
In some situations, we engage other companies to process your Personal Data on our behalf. We refer to these companies as “processors.”
Processors are companies that help us run the Services, support our communication with you or perform other App-related activities. They may process certain Personal Data on our behalf to accomplish the goals related to the App functions and associated activities. We remain responsible for any acts or omissions of our processors and undertake to execute formal data processing agreements with them to the extent required by applicable law.
Here is the list of our main processors upon which we rely:
Type | Processor | Processor's privacy policy | Data collected | Purpose |
---|---|---|---|---|
Infrastructure and security | AWS (Amazon Web Services, Inc.) | AWS privacy policy |
|
|
Infrastructure and security | Cloudflare (Cloudflare, Inc.) | Cloudflare privacy policy |
|
|
Infrastructure and security | Auth0 (Auth0, Inc.) | Auth0 privacy and cookie policy |
|
|
Email communications | SendGrid (SendGrid, Inc., USA) | SendGrid privacy policy |
|
|
Email communications | HubSpot (HubSpot, Inc) | HubSpot privacy policy |
|
|
Email and in-App communications | SurveyMonkey (SurveyMonkey Inc., USA) | SurveyMonkey privacy policy |
|
|
Analytical tools | Looker (Looker Data Sciences, Inc., USA) | Looker privacy policy |
|
|
Analytical tools | Amplitude (Amplitude, Inc.) | Amplitude privacy policy |
|
|
Analytical tools | DataBricks (Databricks, Inc.) | Databricks Privacy Policy |
|
|
Internal functions | Algolia (Algolia, Inc.) | Algolia privacy policy |
|
|
Customer support | Zendesk (Zendesk Inc., USA) | Zendesk privacy policy |
|
|
Customer Support | Customer Thermometer | Customer Thermometer privacy policy |
|
|
Machine Learning Development Platform | Tecton (Tecton, Inc.) | Tecton Privacy Policy |
|
|
Payments | Apple (Apple, Inc.) | Apple privacy policy |
|
|
Payments | Google (Google LLC, USA) | Google privacy policy |
|
|
Payments | Stripe (Stripe, Inc., USA) | Stripe privacy policy |
|
|
User onboarding and data integration | AppsFlyer (AppsFlyer, Inc.) | AppsFlyer privacy policy |
|
|
Aggregated information
We may aggregate, anonymize or de-identify your Personal Data so that it cannot reasonably be used to identify you. Such data is no longer Personal Data. We may share such data with our partners or research institutions or use for statistical purposes, for example, we may share or use general age, demographic information and aggregate statistics about certain activities or symptoms from data collected to help identify patterns across users in articles, blog posts and scientific publications. Sharing this data contributes to the advancement of scientific research on women’s health. Our legal basis for processing your data for this purpose is legitimate interest.
Information posted by you
The App features several community areas like Secret Chats where users with similar interests can share information and support one another.
Any information (including Personal Data) you share in any online community area or online discussion is by design open to the Flo community. You should think carefully before posting any Personal Data in any public forum. What you post can be seen, disclosed to, or collected by third parties and may be used by others in ways we cannot control or predict, including to contact you for unauthorized purposes. Moreover posting your Personal Data in Secret Chats may violate the Secret Chats Rules. If you mistakenly post Personal Data in our community areas and would like it removed, you can send us an email support@flo.health.
Special circumstances
We may also share some of your Personal Data in the following special circumstances:
- in response to subpoenas, court orders or legal processes, to the extent permitted and as restricted by law (including to meet national security or law enforcement requirements);
- when disclosure is required to maintain the security and integrity of the Services, or to protect any user’s security or the security of other persons, consistent with applicable laws. In such cases we may also delete some of your Personal Data (e.g., by resetting your password to avoid unauthorized access);
- when disclosure is directed or consented to by the user who has input the Personal Data;
- in the event that we go through a business transition, such as a merger, divestiture, acquisition, liquidation or sale of all or a portion of its assets, your information will, in most instances, be part of the assets transferred.
Depending on the circumstance, we may rely on legitimate interest or legal obligation as our legal basis for the above processing activities.
Retention of your Personal Data
Except as set forth below, we will retain your Personal Data as long as needed to provide you with the Services or otherwise fulfill the purposes for which it was collected.
Impact of Account Deactivation/Requests to Erase Personal Data: At any time, you can deactivate your account and erase your Personal Data by emailing support@flo.health. If you choose to deactivate your account, Flo will generally delete all your Personal Data and it will not be recoverable should you later create another account.
Impact of App Deletion or Inactivity: If you choose to delete the App from your device or your account becomes inactive, we will retain your Personal Data for a period of 3 years in case you decide to re-activate the Services or re-install the App. The App covers different periods of users’ lifecycle; therefore, retention of your data is needed in some cases to secure your smooth experience with other App functions (e.g., switching to pregnancy mode after cycle tracking).
Limitations: You should be aware that, although we will anonymize or otherwise de-identify your data where possible, we may retain certain Personal Data and other information after your account has been terminated or deleted as necessary to comply with legal obligations, resolve disputes and enforce our agreements.
Security of your Personal Data
General security measures
We implement technical and organizational measures in an effort to protect Personal Data from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the nature of the Personal Data that we process and risks associated with special categories of Personal Data we collect (information about health). These measures include Pseudonymization and tokenization of certain categories of your Personal Data.
Encryption of your Personal Data in transit and in rest.
Systematic vulnerability scanning and penetration testing.
Protection of data integrity.
Organizational and legal measures. For example, our employees have different levels of access to your Personal Data and only those in charge of data management get access to your Personal Data and only for limited purposes required for the operation of the Services. We impose strict liability on our employees for any disclosures, unauthorized accesses, alterations, destructions, misuses of your Personal Data.
Conducting periodical data protection impact assessments in order to ensure that the Services fully adhere to the principles of ‘privacy by design’, ‘privacy by default’ and others. We also commit to undertake a privacy audit in the event of Flo’s merger or takeover.
Please understand that you can help keep your information secure by choosing and protecting your password appropriately, not sharing your password and preventing others from using your mobile device. However, no security system is perfect and, as such, we cannot guarantee the absolute security of the Services, or that your information will not be intercepted while being transmitted to us.
Security breaches
If we learn of a security systems breach, we may either post a notice, or attempt to notify you by email and will take reasonable steps to remedy the breach as specified in applicable law and this Privacy Policy. If we learn of a potential Personal Data breach, together with other actions referred to in the Privacy Policy (such as notifying you in certain cases), we will also undertake particular actions to remedy the breach as appropriate under the circumstances, which may include, logging you out from all the devices, resetting a password (sending a temporary password for you to apply) and performing other reasonably necessary activities and actions.
If you want to report a security incident related to the Services please contact us at security@flo.health.
Children’s privacy
General age limitation. The Services are not intended for children and we do not knowingly collect information about children under 13 years old through the Services. If you are aware of anyone under 13 using the Services, please contact us at support@flo.health and we will take the required steps to delete such information and (or) delete the child’s account.
Age limitation for residents of the European Economic Area and United Kingdom. Due to legal requirements, we do not allow the use of the Services by residents of EEA or the UK younger than 16 years old. If you are aware of anyone younger than 16 using the Services, please contact us at support@flo.health and we will take steps to delete such information and (or) delete the child’s account.
Moreover, some of the App functions are limited for users that are younger than 18.
Communication with you
We may contact you from time to time via email or through other means (like popups or push notifications) to communicate with you about products, services, offers, promotions, rewards, and events offered by us and others, and provide news and information that we think will be of interest to you.
Opt-out options. You can always opt out of receiving emails by unsubscribing via the “Unsubscribe” link contained in the email. Opting-out of these emails or notifications will not end the transmission of important service-related emails that are necessary to your use of the Services. You may also opt out of receiving popups or push notifications by adjusting your settings in your device. If applicable laws prescribe so, we may ask some users to provide their additional consent for such communications.
Please note that we may contact you with information about products, services, offers, promotions, rewards, and events offered by us and others via third-party platforms (like social media). For more information, including instructions for how to opt-out, please see the section above titled ‘Processing to find new Flo users and stay in touch with you’.
Storage and international Personal Data transfers
Flo is based in the United Kingdom (“UK”). Personal Data we collect is transferred to and processed in the U.S. (where it is governed by U.S. law) and to other countries (where it is governed by the laws of those countries). The laws of the U.S. and the laws of other countries may not offer the same protections as the laws of your jurisdiction.
Transfers of Personal Data outside of the European Union, the European Economic Area and the United Kingdom
Personal Data in the European Union (EU), the EEA and the United Kingdom (UK) is protected by the General Data Protection Regulation (GDPR) and Data Protection Act 2018, but some other countries may not necessarily have the same standard of protection for your Personal Data.
Flo transfers Personal Data from the EU, EEA and UK to the U.S. and other third countries. When transferring Personal Data outside the EU, EEA and UK we either implement standard contractual clauses or rely on current European Commission adequacy decisions. For further information please contact support@flo.health.
Privacy Shield Participation
Flo is certified under the EU - U.S. Privacy Shield Framework (“EU Privacy Shield”) and Swiss - U.S. Privacy Shield Framework (“Swiss Privacy Shield” together with the EU Privacy Shield, the “Privacy Shield”) for Personal Data transfers from the EU to the U.S. and from Switzerland to the U.S. On July 16, 2020, the Court of Justice of the European Union invalidated the EU Privacy Shield. We continue to adhere to the Privacy Shield principles for Personal Data transferred up to July 16, 2020 and have maintained our certification. You may view our certification here.
Complaints and Dispute Resolution. We commit to resolve complaints about our collection and use of your Personal Data. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact us at dpo@flo.health or at the mailing address:
Flo Health UK Limited
27 Old Gloucester Street, London, WC1N 3AX, United Kingdom
Arbitration. You may also be able to invoke binding arbitration for unresolved complaints but prior to initiating such arbitration, a resident of a European country (including Switzerland) participating in the Privacy Shield must first: (1) contact us and afford us the opportunity to resolve the issue; (2) seek assistance from JAMS; and (3) contact the U.S. Department of Commerce (either directly or through a European Data Protection Authority) and afford the Department of Commerce time to attempt to resolve the issue. If such a resident invokes binding arbitration, each party shall be responsible for its own attorney’s fees. Please be advised that, pursuant to the Privacy Shield, the arbitrator(s) may only impose individual-specific, non-monetary, equitable relief necessary to remedy any violation of the Privacy Shield Principles with respect to the resident. The arbitration option may not be invoked if the individual’s same claimed violation of the Principles (1) has previously been subject to binding arbitration; (2) was the subject of a final judgment entered in a court action to which the individual was a party; or (3) was previously settled by the parties.
We are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission concerning Personal Data transferred under the Privacy Shield.
We have further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the U.S. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit the https://www.jamsadr.com/submit/ for more information or to file a complaint. The services of JAMS are provided at no cost to you.
Data Protection Officer (DPO)
To communicate with our Data Protection Officer, please email at dpo@flo.health or use the contact details below.
Contact us
General
If you have any questions or concerns about your privacy you may contact us at:
Flo Health UK Limited, 27 Old Gloucester Street, London, WC1N 3AX, United Kingdom
Email: support@flo.health or dpo@flo.health
You may also contact your local data protection authority. A list of local data protection authorities is available here.