The honest version.
Last updated: May 7, 2026
Plain language up top, full legal coverage below. Here's exactly what data Gal collects, why, who else sees it, and what you can do about it.
1. About this policy
This Privacy Policy describes how Evori Ventures Inc. (“Evori,” “Gal,” “we,” “us,” or “our”), a corporation incorporated under the laws of Canada in 2026, collects, uses, discloses, and protects information when you use the Gal mobile application (the “App”), the website at heygal.app (the “Site”), and related services (collectively, the “Services”).
Evori Ventures Inc. is the controller of personal information processed through the Services. By using the Services, you acknowledge that you have read and understood this Privacy Policy.
2. Information we collect
We collect the following categories of information.
Information you provide
- Account information — your email address, a password (stored as a one-way hash), and an optional display name. If you sign in with Apple or Google, we receive an authentication token and the email associated with that account.
- Profile information — age range, height, weight, dietary preferences, health goals, and any other profile fields you choose to fill in.
- Meal logs and food data — descriptions, photos, time of day, portion sizes, and any notes you add.
- Cycle and reproductive health data — period start and end dates, flow, mood, energy, cravings, sleep, symptoms, and any cycle-related notes you choose to log. See Section 5 for the special protections that apply to this data.
- Body and wellness data — weight, measurements, supplements, medications you log, and other wellness signals.
- Communications — messages you send to support, feedback, survey responses, and any other content you submit to us.
Information we collect automatically
- Device and technical information — device model, operating system version, App version, language, time zone, IP address (truncated where possible), and crash diagnostics.
- Usage information — actions you take in the App (such as which screens you view), aggregated and pseudonymous, used to understand how the Services are used and improve them.
- Cookies and similar technologies — on the Site, we use a small number of strictly necessary cookies. See Section 14 for details.
Information from third parties
- Apple HealthKit — only if you grant explicit permission. We may read cycle, weight, activity, and related health metrics. See Section 6 for the specific protections that apply to HealthKit data.
- Sign-in providers — if you sign in with Apple or Google, we receive a verified email and authentication token from that provider.
- Apple App Store / RevenueCat — subscription status (active, cancelled, in trial). We do not receive your payment card details.
3. How we use your information
We use information for the purposes below, on the legal bases indicated in Section 11.
- Provide the Services — store and display your logs, generate the patterns and insights you came for, sync across your devices, and authenticate you.
- Personalize your experience — tailor suggestions to the cycle phase, nutrition profile, and goals you have configured.
- Maintain and improve the Services — monitor performance, fix bugs, prevent abuse, develop new features, and conduct internal analytics.
- Communicate with you — respond to support requests, send service-critical notices (security, billing, policy changes), and, with your consent, send optional product updates.
- Process payments — administer subscriptions through the Apple App Store and our subscription processor (RevenueCat).
- Comply with law — meet legal, regulatory, and tax obligations, and respond to lawful requests as described in Section 17.
We do not use your personal data to train third-party AI models. When we send a meal description to an AI provider for nutrition estimation, we send only the text needed and attach no account identifier; that provider is contractually prohibited from training models on this content.
4. How we share information
We do not sell your personal information. We do not share your meal logs, cycle data, or health information with advertisers, data brokers, or any third party for marketing purposes — ever.
We share limited information with the following service providers, each bound by contract to use the data only to provide their service to us, to maintain confidentiality, and to apply security standards consistent with this policy:
- Cloud infrastructure and database (Supabase Inc.) — stores your account, logs, and cycle data, encrypted at rest. Hosted in a US region under a Data Processing Agreement and Standard Contractual Clauses.
- AI nutrition estimation (OpenAI, L.L.C., or successor providers) — receives meal description text only, with no account identifier, to return a nutrition estimate. No training on submitted content per their API terms.
- Subscription management (RevenueCat, Inc.) — manages subscription state and entitlements. Receives a pseudonymous user identifier and subscription status only.
- Crash and error reporting (Functional Software, Inc. d/b/a Sentry) — receives anonymous crash reports and stack traces to fix bugs.
- Product analytics (PostHog Inc.) — receives pseudonymous, aggregated usage events. No personal content, no meal data, no cycle data is sent.
- Email delivery (Postmark or successor providers) — receives your email address to deliver transactional and (with consent) optional marketing messages.
- Payment processing (Apple Inc.) — handles in-app purchases under its own terms and privacy policy.
We may also disclose information: (i) in connection with a corporate transaction such as a merger, acquisition, or asset sale, in which case we will notify you and ensure equivalent protections apply to your data; (ii) to professional advisors (lawyers, auditors, accountants) under duties of confidentiality; and (iii) as required by law, as described in Section 17.
5. Health and reproductive data — special protections
Reproductive and menstrual health information is sensitive. We treat it with the highest level of care permitted by law and our infrastructure.
- We do not sell or share reproductive health data with anyone, including advertisers, data brokers, insurers, employers, or marketing partners. Period.
- We minimize what we collect. Cycle and symptom logs are stored only for the purpose of giving them back to you and computing your patterns.
- We resist legal demands wherever lawful. If we receive a subpoena, warrant, court order, or other legal process for cycle, period, or pregnancy data, we will assess each request individually, challenge requests we believe overreach or are unlawful, narrow the scope of any production where possible, and notify you before producing data unless legally prohibited from doing so.
- You can delete this data instantly. Cycle, period, and symptom entries can be deleted from inside the App at any time. Account deletion (Section 8) permanently removes all reproductive health data from our active systems within 24 hours and from backups within 30 days.
6. Apple HealthKit
If you choose to enable Apple HealthKit integration, the App may read and (where you authorize) write health and fitness data on your device. The following commitments apply specifically to HealthKit data, in addition to everything else in this policy:
- We use HealthKit data solely to provide and improve features within the App.
- We do not use HealthKit data for advertising, marketing, data mining, or any purpose unrelated to your health, wellness, or the operation of the App.
- We do not sell HealthKit data to, or share it with, third parties for advertising, marketing, or any similar service.
- We do not share or disclose HealthKit data to a third party without your express permission.
- You can revoke HealthKit access at any time in iOS Settings → Privacy & Security → Health → Gal.
7. Where your data is stored and international transfers
Your data is primarily stored on infrastructure located in the United States. If you access the Services from outside the United States, your information will be transferred to, stored in, and processed in the United States and other countries where our service providers operate.
For transfers from the European Economic Area, the United Kingdom, Switzerland, or Canada to the United States or other jurisdictions not deemed adequate, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), supplemented by encryption in transit and at rest, and by contractual restrictions on our service providers.
8. Data retention and deletion
We retain your information only as long as needed to provide the Services or to meet legal obligations.
- Account and log data — kept for as long as your account is active.
- Account deletion — when you delete your account from inside the App, we permanently remove your personal data from active systems within 24 hours and from backups within 30 days.
- Inactive accounts — accounts inactive for 24 months may be deleted after we send a reminder email.
- Aggregated and anonymized data — once data has been irreversibly aggregated or anonymized so it can no longer identify you, we may retain it indefinitely for product analytics and research.
- Legal holds — we may retain limited information longer than the periods above where required to comply with legal obligations, resolve disputes, or enforce our agreements.
9. Security
We protect your data with administrative, technical, and physical safeguards designed to be appropriate to the sensitivity of the information, including: encryption in transit (TLS) and at rest (AES-256); row-level access controls so each user's data is isolated to their authenticated session; principle-of-least-privilege access for personnel; vulnerability scanning; and incident response procedures. No method of transmission or storage is perfectly secure; in the unlikely event of a breach affecting your personal information, we will notify you and applicable regulators as required by law.
10. Your choices and controls
You can do the following from inside the App, in Settings:
- Access and export — download a complete machine-readable copy of your data as JSON.
- Correct or update — edit any logged entry or profile field.
- Delete entries — remove individual logs at any time.
- Delete your account — permanently wipe your account and all associated data.
- Manage notifications — opt in or out of push notifications and email categories.
- Revoke permissions — disable HealthKit, camera, photos, and other system-level permissions in iOS Settings.
You can also email privacy@heygal.app to exercise any of these rights. We respond within 30 days, and may need to verify your identity before fulfilling certain requests.
11. EEA, UK, and Swiss residents
If you are in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR), the UK GDPR, or the Swiss Federal Act on Data Protection applies. The legal bases on which we process your personal data are:
- Performance of a contract — to provide the Services you have requested.
- Legitimate interests — to operate, secure, and improve the Services, where these interests are not overridden by your rights.
- Consent — for processing of special category data (cycle and health information), HealthKit data, optional marketing communications, and other uses where we ask you.
- Legal obligation — where processing is required to comply with law.
You have the right to:
- access your personal data;
- request correction of inaccurate data;
- request erasure;
- request restriction of, or object to, certain processing;
- data portability;
- withdraw consent at any time, without affecting processing already carried out;
- lodge a complaint with your local data protection authority. You can find yours at edpb.europa.eu/about-edpb/about-edpb/members_en.
To exercise any of these rights, contact privacy@heygal.app.
12. California residents
If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) gives you the rights below.
- Right to know what personal information we have collected about you, the categories of sources, purposes, and recipients.
- Right to delete personal information we have collected, subject to legal exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of any “sale” or “sharing” of personal information for cross-context behavioural advertising. We do not sell or share your personal information as those terms are defined under California law.
- Right to limit use of sensitive personal information. We use sensitive personal information (which includes health and reproductive data) only for the purposes described in this policy and not for inferring characteristics about you for advertising.
- Right to non-discrimination for exercising any of the above.
To exercise these rights, contact privacy@heygal.app. You may also designate an authorized agent to make a request on your behalf, in which case we will verify the agent's authority before responding.
13. Canadian residents
If you are in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws (including, in Quebec, the Act respecting the protection of personal information in the private sector, as modified by Law 25) apply to our handling of your personal information.
- You may request access to, and correction of, the personal information we hold about you.
- You may withdraw consent to our processing, subject to legal or contractual restrictions and reasonable notice.
- You may file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or, if you are in Quebec, the Commission d'accès à l'information du Québec (cai.gouv.qc.ca).
- For the purposes of Quebec's Law 25, our person responsible for protection of personal information can be reached at privacy@heygal.app.
14. Cookies and similar technologies
On the Site, we use only strictly necessary cookies (for example, to remember whether you have dismissed a banner). We do not use third-party advertising, tracking, or analytics cookies on the Site or in the App.
The App uses the platform's standard advertising identifier framework (App Tracking Transparency on iOS) only to confirm — through the system prompt — that we do not track you across third-party apps and websites. Selecting “Ask App Not to Track” (or never being prompted) has no effect on what data we collect, because we do not engage in cross-context tracking in any case.
15. Push notifications
With your permission, we send push notifications for reminders, insights, and service-critical messages. You can disable notifications at any time in iOS Settings → Notifications → Gal, or inside the App in Settings → Notifications.
16. Children's privacy
The Services are intended for users 17 years of age and older. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA, UK, or Switzerland; or under 14 in Quebec). If we learn that we have collected personal information from a child under the applicable age without verified parental consent, we will delete that information promptly. If you believe a child has provided us with personal information, contact privacy@heygal.app.
17. Law enforcement and legal requests
We disclose information to law enforcement, government agencies, or in response to legal process only when we are legally required to do so or where we believe in good faith that disclosure is necessary to protect rights, property, or safety.
For requests touching reproductive health, cycle, period, pregnancy, or related data, we apply the heightened protections described in Section 5: we assess each request individually, challenge requests we believe overreach or are unlawful, narrow scope where possible, and provide advance notice to the affected user unless we are legally prohibited from doing so. We publish information about the legal requests we receive in our annual transparency report.
18. Third-party services
The Services may contain links to third-party websites or integrate with third-party services. This policy does not apply to those third parties; their own privacy policies do. We are not responsible for the practices of those third parties, but we choose them carefully and require them to apply protections consistent with this policy.
19. Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify you by email or in-App notice before the changes take effect, and we will update the “Last updated” date at the top of this page. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.
20. How to contact us
For privacy questions, data subject requests, or anything that doesn't sit right, email privacy@heygal.app. A real person responds, normally within 30 days.