Privacy Policy
Late Bloomer handles sensitive data — your health, your symptoms, your body. This page sets out exactly what we collect, why we collect it, who we share it with, and how you can take it back. Plain English where we can; legal language only where the GDPR makes us.
1. Who we are
Late Bloomer is operated by Nicola Doherty, a sole trader in Ireland, trading as "Late Bloomer" (Business Name registration in progress with the Companies Registration Office; RBN to be updated here on issue).
For the purposes of the General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018, the data controller is:
8 Vernon Mews, Clontarf, Dublin 3, D03 X7W0, Ireland
hello@latebloomer.app
2. What we collect
| Category | Examples | Why |
|---|---|---|
| Account | Name, email, encrypted password (or Apple/Google sign-in identifier) | To create and secure your account |
| Health & fitness | Sleep, heart rate variability, activity from Apple Health (if you grant permission); your daily symptom check-ins (energy, sleep, mood, joint pain, hot flushes); completed sets, reps, and weights | To tune the day's session to your body |
| Programme data | Menopause stage, training experience, equipment, goals, exercise swaps | To personalise your programme |
| Device | Push-notification token (Firebase Cloud Messaging), iOS version, app version | To deliver reminders |
| Crash & performance | Stack traces, error messages, screen-render timings, app version, iOS version, device model, anonymised user identifier | To detect and fix crashes and performance regressions |
| Product analytics | Screen views, taps, feature use (e.g. "started a session", "completed check-in") tied to your user identifier; never the content of check-ins or messages | To understand which features help and which need improvement |
| Purchase | Subscription tier, renewal date, transaction identifiers from Apple | To know what plan you're on and to honour billing |
| Coach messages | Free-text messages between you and your coach (Coached / Premium plans only) | To deliver the coaching service you bought |
| Form-check video | Videos you record and upload (Premium plan only) | For your coach to review form and reply |
What we do not collect: precise location, contacts, browsing history outside the app, advertising identifiers. We do not track you across other apps or websites. We do not sell your data, and we do not show advertising in the app.
3. Why we're allowed to process it (legal bases)
- Contract (GDPR Art. 6(1)(b)) — to provide the programme, sessions, coaching, and billing you signed up for.
- Explicit consent (Art. 6(1)(a) and Art. 9(2)(a) for special-category health data) — you grant Apple Health permissions inside iOS, and you tap to submit each symptom check-in. You can withdraw consent any time in iOS Settings → Privacy & Security → Health → Late Bloomer.
- Legitimate interests (Art. 6(1)(f)) — to keep the service secure, prevent fraud, and improve the programme based on aggregate, de-identified outcomes.
- Legal obligation (Art. 6(1)(c)) — to keep tax and accounting records as required by Irish Revenue.
4. Apple Health data — extra commitments
Apple HealthKit data (sleep, HRV, activity) is read on your device and used to inform the recommendation engine. We make these specific promises, in line with Apple's HealthKit terms:
- We will never use HealthKit data for advertising or other data-mining purposes.
- We will never sell HealthKit data to a data broker, insurer, or any other third party.
- We will never disclose HealthKit data to a third party without your explicit consent for that specific disclosure.
- HealthKit data is used only to deliver and personalise the service you purchased.
If you decline HealthKit access the app still works — recommendations rely on your check-ins instead.
5. Who we share data with (subprocessors)
We use the following service providers. Each is bound by a Data Processing Agreement that requires GDPR-equivalent safeguards.
| Provider | What for | Data location |
|---|---|---|
| Supabase | Account, programme, and check-in data hosting | EU (Frankfurt) |
| Firebase Cloud Messaging (Google Ireland) | Push notifications | EU / US (SCCs) |
| Apple App Store | Subscription billing, sign-in | EU / US |
| Stripe Payments Europe | Equipment rental payment (Ireland only) | EU |
| Google (Sign in with Google) | Optional federated sign-in | EU / US (SCCs) |
| Sentry (Functional Software Inc.) | Crash and performance monitoring | EU (Frankfurt) — region-locked |
| PostHog Inc. | Product analytics — which features are used | EU (Frankfurt) — region-locked |
We do not share data with advertisers, insurers, employers, or data brokers — full stop.
6. International transfers
Where data is transferred outside the European Economic Area (for example to Google or Apple servers in the US), we rely on the European Commission's Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.
7. How long we keep it
- Active accounts — for as long as your subscription is active.
- After account deletion — production data is deleted within 30 days of your request. Encrypted backups roll off within a further 60 days.
- Tax / billing records — retained for 6 years as required by Irish tax law (Section 886, Taxes Consolidation Act 1997).
- Coach messages — retained for the lifetime of your account, then deleted with the account.
8. Your rights
Under the GDPR you have the right to:
- Access — get a copy of the data we hold on you. One-tap export from Profile → Privacy → Export my data.
- Rectification — correct anything that's wrong.
- Erasure — delete your account and data. One-tap from Profile → Privacy → Delete my account. Completed within 30 days.
- Restriction and objection — limit how we use your data, or object to processing based on legitimate interests.
- Portability — receive your data in a machine-readable format (JSON).
- Withdraw consent — at any time, including by revoking HealthKit access in iOS Settings.
- Complain — to the Irish Data Protection Commission at www.dataprotection.ie or any other EU supervisory authority.
To exercise any of these rights, email hello@latebloomer.app from the address on your account. We aim to respond within 30 days.
9. Security
Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Authentication uses Apple Sign-In, Google Sign-In, or password + secure session tokens stored in the iOS Keychain. We follow the principle of least privilege internally and review access quarterly.
10. Children
Late Bloomer is not directed at people under 16 and we do not knowingly collect data from anyone under 16. If you believe we have collected data from a child, email hello@latebloomer.app and we will delete it.
11. Cookies and tracking
This website (latebloomer.app) does not use cookies or analytics. The app does not use cross-app advertising identifiers and does not track you across other apps or websites.
12. Changes to this policy
If we make material changes we will email you and update the "Last updated" date above at least 14 days before the changes take effect. The current version always lives at latebloomer.app/privacy.
13. Contact
Email hello@latebloomer.app for any privacy question. A real person reads it.