Privacy Policy
Last updated: April 2026
Note: This is a scaffold privacy policy for development purposes. Before launching to users, this document must be reviewed and finalized by a qualified privacy attorney familiar with applicable regulations (CCPA, GDPR, and potentially HIPAA given the health-adjacent nature of this data).
What is Calyx?
Calyx is a premium wellness application that helps women understand their body patterns and create personalized food and grocery planning. Calyx is not a medical device, diagnostic tool, or healthcare service.
What data we collect
- Account information: email address, display name
- Wellness data: cycle dates, period length, cycle length
- Symptom data: daily scores for energy, mood, sleep, cravings, bloating, hot flashes, brain fog, and notes
- Preferences: dietary preferences, grocery store, support goals
- Usage data: pages visited, features used (for product improvement)
- Subscription data: Stripe customer ID, subscription status (no payment card data)
How we use your data
- To generate your personalized phase summary and meal plan
- To create your weekly grocery list
- When AI processing is enabled: anonymized context (phase label, symptom flags, priority list — no identifiers) is sent to Anthropic to generate polished summary language
- To process your subscription via Stripe
- To improve the Calyx product
Data sharing
We do not sell your data. We share data only with:
- Supabase — our database provider (data hosted in their infrastructure)
- Anthropic — anonymized context only, for summary generation (when enabled)
- Stripe — for subscription processing (they receive payment details; we do not)
Your rights
You have the right to:
- Access your data — request a full export from Settings
- Correct your data — update it directly in the app
- Delete your data — request account deletion from Settings
- Withdraw consent — contact us at any time
Data security
All user data is protected by Supabase Row Level Security policies. This means users can only access their own records, even if the public API key used by the browser is exposed. Sensitive keys (service role, Stripe secret, Anthropic key) are kept server-side and are never exposed to the browser. All data is transmitted over HTTPS.
Data retention
We retain your data until you request deletion. Consent records are retained for 7 years for legal compliance. Upon account deletion, your data is removed from active systems within 30 days.
Contact
For privacy questions, data requests, or to withdraw consent, contact us at: privacy@calyx.app (placeholder — update before launch)