Dalal
Legal

Privacy Policy

Last updated: 14 July 2026

Dalal (“Dalal”, “the app”, “we”, “us”, “our”) is a menstrual- and fertility-tracking application. This policy explains what personal data the app collects, why we collect it, how it is stored and protected, who it is shared with, and the choices and rights you have over it. Dalal is designed to handle sensitive health information, and we treat it accordingly.

By creating an account and using Dalal, you agree to the practices described in this policy.

At a glance

Only what's needed

An email address and the cycle data you choose to log. No name, no phone number, no location, no ad IDs.

Never sold, never advertised

No ads, no third-party trackers, no analytics SDKs, and no sale of your data. Ever.

Encrypted & access-controlled

TLS in transit, encryption at rest, and per-account access controls. Not end-to-end encrypted — see §5 for exactly what that means.

Delete everything, in-app

One in-app action permanently removes your account and data from our servers and your device.

Reminders stay on your phone

Notification content is scheduled and shown on your device. It never reaches our servers.

PDPL & GDPR aware

Processing follows Saudi Arabia's PDPL and, where applicable, the GDPR / UK GDPR. See §4.

01Who is responsible for your data

The party responsible for your personal data (the “data controller”) is the operator of Dalal.

If you have any question about this policy or how your data is handled, contact us at the address above.

02What data we collect

We only collect data that is needed to run the app and provide its features.

2.1 · Account data

  • Email address — used to create your account, sign you in, and send account-related messages such as password resets and email confirmation.
  • Authentication data — a securely hashed password (we never store your password in plain text) and session tokens that keep you signed in.

2.2 · Health and cycle data (sensitive)

Data you choose to enter to track your cycle, including:

  • Period start and end dates and cycle history.
  • Logged symptoms (for example flow, mood, pain, and other markers you record).
  • Fertility signals you record (for example basal body temperature, cervical-mucus observations, and similar entries).
  • Your app mode and preferences (for example whether you are trying to conceive, avoiding pregnancy, or tracking generally) and predicted dates derived from your entries.

This information is health data and is treated as a special/sensitive category of personal data.

2.3 · Settings and preferences

  • App locale/language, measurement units, reminder settings, and other in-app preferences.

2.4 · Data we do NOT collect

  • We do not collect your name, phone number, precise location, contacts, photos, or advertising identifiers.
  • We do not use third-party advertising or analytics/tracking SDKs, and we do not sell your personal data.

03How we use your data

We use your data only to:

  • Create and secure your account and authenticate you.
  • Store your cycle, symptom, and fertility entries and sync them across your devices.
  • Generate cycle and fertility predictions and show them to you in the app.
  • Send local reminders (for example upcoming-period, daily-logging, and cycle-care reminders) that you have enabled. These reminders are scheduled and shown on your device; their content is not transmitted to us.
  • Send account/service emails (confirmation, password reset).
  • Maintain, secure, debug, and improve the reliability of the service.

We do not use your health data for advertising or profiling, and we do not make automated decisions that produce legal or similarly significant effects about you.

04Legal basis for processing

4.1 · Saudi Arabia (PDPL)

For users in the Kingdom of Saudi Arabia, we process personal data in accordance with the Personal Data Protection Law (PDPL) and its Implementing Regulations, overseen by the Saudi Data & AI Authority (SDAIA). Our legal bases are:

  • Your consent — for collecting and processing your health/cycle data, which is sensitive data under the PDPL. You may withdraw consent at any time (see §8).
  • Performance of the agreement — to provide the app's core features once you create an account.
  • Legitimate interests — to keep the service secure and reliable, where permitted under the PDPL and balanced against your rights.

4.2 · EEA / UK users (GDPR)

Where the GDPR (or UK GDPR) applies, we process your data on these bases:

  • Contract — to provide the app's core features once you create an account.
  • Explicit consent — for the processing of your health/cycle data, which is a special category of data. You may withdraw consent at any time by deleting the relevant data or your account (see §8). Withdrawal does not affect processing carried out before withdrawal.
  • Legitimate interests — to keep the service secure and working reliably, balanced against your rights.

05How your data is stored and protected

  • Hosting. Account and cycle data are stored in our managed cloud database provider, Supabase (which hosts data on established cloud infrastructure). A copy of your data is also cached locally on your device so the app works offline.
  • Encryption in transit. All communication between the app and our servers is encrypted using TLS/HTTPS.
  • Encryption at rest. Data stored by our cloud provider is encrypted at rest by the provider.
  • Access controls. Row-Level Security is enforced at the database so that each account can only read and write its own rows. Your data is not accessible to other users.
  • Passwords are stored only as salted hashes managed by our authentication provider.

Important: Dalal uses standard transport and at-rest encryption plus strict per-user access controls. It does not use end-to-end encryption, which means data is stored in a form that our cloud infrastructure can process. We limit access to what is necessary to operate the service, and we would rather state this plainly than promise more than we deliver.

06Who we share data with

We do not sell or rent your personal data. We share data only with:

  • Infrastructure sub-processors that operate the service on our behalf, principally:
    • Supabase — database hosting, authentication, and email delivery for account messages.
  • Legal/authority disclosures — only where required by applicable law, regulation, or valid legal process.

These providers process data under their own security and privacy commitments and only to provide services to us.

07International transfers

Your data may be processed on servers located outside your country of residence (the app's cloud project region is set by us; for example a Supabase region such as Oceania/Sydney or Northeast Asia/Tokyo). Where data is transferred internationally, we rely on appropriate safeguards permitted by applicable law.

For users in the Kingdom of Saudi Arabia, any transfer of personal data outside the Kingdom is carried out in accordance with the PDPL and the SDAIA regulations governing cross-border transfers, including the required safeguards for transfers to jurisdictions with an adequate level of protection or under appropriate contractual protections.

08Your rights and choices

You can:

  • Access and edit your cycle, symptom, and fertility entries directly in the app at any time.
  • Delete your account and data. Dalal includes in-app account deletion. Deleting your account removes your account and associated cycle/health records from our systems and wipes the local copy on your device. Deletion is permanent and cannot be undone.
  • Withdraw consent for health-data processing by deleting the relevant entries or your account.
  • Control reminders and other preferences in the app's settings.

Depending on your jurisdiction, you may also have the right to request a copy of your data, correct it, restrict or object to processing, request portability, and lodge a complaint with the competent authority — in the Kingdom of Saudi Arabia, the Saudi Data & AI Authority (SDAIA); under the GDPR/UK GDPR, your local data-protection authority. To exercise rights that cannot be completed in-app, contact us at the email in §1.

09Data retention

  • We retain your account and health data for as long as your account exists so the app can show your history and predictions.
  • When you delete your account, we delete your personal data from our active systems. Residual copies in encrypted backups are removed on the provider's normal backup-rotation cycle.

10Children's privacy

Dalal is not directed to children under 13 (or the minimum age required by your jurisdiction), and we do not knowingly collect data from them. If you believe a child has provided us personal data, contact us and we will delete it.

11Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you in the app. Continued use of Dalal after an update means you accept the revised policy.

12Contact

Questions or requests about your privacy or this policy:

Email: support@dalall.net