Polycystic Ovary Syndrome is a hormonal and metabolic condition affecting roughly 1 in 10 women of reproductive age. It can cause irregular cycles, acne, excess hair growth, hair thinning, weight changes, fatigue, mood changes, and fertility challenges, though symptoms vary widely from person to person.

Alaia is a digital health companion for women with PCOS. It helps you track symptoms, understand patterns, prepare for doctor appointments, and manage your condition with evidence-based tools. It is not a generic period tracker. It is built specifically for the complexity and variability of PCOS.

How is Alaia different from other PCOS apps?

Most health apps assume regular cycles and focus on fertility. Alaia starts from symptoms, supports four different cycle states including absent periods, and generates specialist-specific appointment prep reports. It also includes advocacy tools for women who are still seeking a diagnosis or have been dismissed by their doctor.

Do I need to track my cycle to use it?

No. Many women with PCOS have highly irregular or absent cycles. Alaia works just as well if you focus on symptoms, mood, energy, or medication tracking instead. Your cycle is one input, not the centre of the app.

Yes. Your data is stored securely in the EU, encrypted at rest and in transit, and belongs only to you. Alaia complies with GDPR, including health data protections under Article 9. You can export or delete your data at any time. We never sell your data.

Is Alaia a medical device?

Alaia is designed as a Class I Software as a Medical Device under EU MDR 2017/745. It is a tracking and information tool, not a diagnostic or treatment tool. We are pursuing reimbursement through public health insurance pathways in Belgium, France, and Germany.

Can I share my data with my doctor?

Yes. Alaia helps you create a clear, specialist-specific visit report you can download, email, or bring to your appointment, making it easier to discuss what has been happening and what matters most.

When can I try Alaia?

Alaia is currently in development with beta launch coming soon. Join the waitlist to be the first to get access.

Politique de confidentialité

Note on our legal status: Alaia Healthcare is currently operated by Laure Santolini and Manon Vervaeke, acting as joint data controllers pending the formal incorporation of Alaia Healthcare as a Belgian legal entity. When incorporation is complete, this policy will be updated to name the legal entity as data controller and you will be notified of the change.

1. Who we are

Alaia is a digital health platform designed to support adult women living with or seeking a diagnosis of Polycystic Ovary Syndrome (PCOS). The service is operated by:

Laure Santolini and Manon Vervaeke
doing business as Alaia Healthcare
Antwerp, Belgium

For all privacy-related questions, requests, and concerns, contact us at: privacy@alaiahealthcare.com

This policy is written in English, which is the legally binding version. French and Dutch translations are available; in the event of any conflict between versions, the English text prevails.

2. What this policy covers

This policy explains how Alaia Healthcare collects, uses, stores, and shares your personal data when you use the Alaia mobile application and associated services (collectively, “Alaia” or “the service”). It also explains your rights under the General Data Protection Regulation (GDPR) and how to exercise them.

Please read this policy carefully before using Alaia. By creating an account, you confirm that you have read and understood this policy.

3. What data we collect

3.1 Account and profile data

When you create an account, we collect:

Email address
Password (stored as a cryptographic hash; we never store your password in plain text)
Name (optional)
Date of birth or age range
Country of residence

3.2 Health and symptom data

This is the core data that powers Alaia. It includes:

PCOS diagnosis status and phenotype (if known)
Symptom logs: which symptoms you report, their severity, and the date and time of logging
Menstrual cycle data: period start and end dates, flow, and related symptoms
Medication and supplement records: names, dosages, frequencies, and adherence logs
Appointment records: date, specialty, and any notes you add
Laboratory test results and body measurements you choose to enter
Wellbeing tracker responses (five questions, weekly)
Goals and health profile information from onboarding

This data is Special Category Data under GDPR Article 9 because it concerns health. We apply additional safeguards to this category of data, described in Section 5.

3.3 Usage and analytics data

To improve the service, we collect anonymised and aggregated data about how users interact with Alaia. This includes:

Which features you use and how often
Screens visited and actions taken within the app
Session duration and app opens
Crash reports and error logs

Analytics data is collected only with your explicit consent (optional at onboarding). You can withdraw this consent at any time in Profile > Privacy.

3.4 Device and technical data

We automatically collect certain technical data when you use Alaia:

Device type and operating system version
App version
IP address (used for security and fraud prevention; not linked to your health data)
Crash diagnostics

3.5 Data you do not have to provide

No field in Alaia is mandatory beyond email address and password for account creation. You may leave health fields blank, decline to answer onboarding questions, or skip symptom categories. The more you log, the more useful Alaia becomes, but providing data is always your choice.

4. How we use your data

4.1 Providing the service

We use your data to operate Alaia: to show you your symptom history, generate pattern insights, produce appointment preparation reports, and deliver the features you use.

Lawful basis: Performance of a contract (GDPR Article 6(1)(b)).

4.2 Processing your health data

Your health data is processed to power the core features of Alaia: symptom tracking, cycle analysis, pattern recognition, evidence report generation, and wellbeing tracking.

Lawful basis: Your explicit consent under GDPR Article 9(2)(a). You provide this consent during onboarding. You can withdraw it at any time, which will trigger an account deletion flow.

4.3 Improving Alaia

With your optional consent, we use anonymised and aggregated usage data to understand how Alaia is being used, identify problems, and improve the product.

Lawful basis: Consent (GDPR Article 6(1)(a)), optional and withdrawable.

4.4 Sending you communications

If you have opted in to marketing communications, we may send you product updates, PCOS health content, and information about new features.

Lawful basis: Consent (GDPR Article 6(1)(a)), optional and withdrawable.

4.5 Research participation

If you have separately consented to research participation, anonymised and aggregated data may be included in a future clinical validation study. This processing uses data that cannot be linked back to you individually. It is never a condition of using Alaia.

Lawful basis: Consent (GDPR Article 6(1)(a)), optional and withdrawable, collected as a separate consent category.

4.6 Legal obligations and security

We may process data to comply with legal obligations, respond to lawful requests from authorities, or protect the security and integrity of the service.

Lawful basis: Legal obligation (GDPR Article 6(1)(c)) and legitimate interests (GDPR Article 6(1)(f)).

5. Special category data (health data)

Your symptom logs, cycle data, medication records, test results, and wellbeing tracker responses are Special Category Data under GDPR Article 9. We apply the following additional safeguards to this data:

Explicit consent required. We collect separate, explicit consent for health data processing during onboarding. This consent can be withdrawn at any time.
Encryption at rest and in transit. All health data is encrypted using AES-256 at rest and TLS 1.3 in transit.
EU data residency. Your health data is stored on servers located in the European Union (Ireland, eu-west-1 region). It does not leave the EU in the ordinary course of operations.
Immutable audit trail. Health records older than seven days cannot be altered or deleted except through a formal GDPR erasure request. This protects the integrity of your longitudinal health record.
Access controls. Your health data is accessible only to you. Alaia staff cannot access individual user health records except where strictly required for technical incident resolution, under documented access controls.
No sale of health data. Your health data is never sold, rented, or traded to any third party.

6. Data processors

We use the following third-party service providers to operate Alaia. Each is engaged under a Data Processing Agreement in compliance with GDPR Article 28.

Processor	Purpose	Data location
Supabase	Database, authentication, file storage, and backend functions	EU (Ireland, eu-west-1)
Stripe	Payment processing for direct subscriptions	EU-based processing; PCI DSS Level 1
PostHog	Product analytics (optional, consent-gated)	EU (if self-hosted or EU cloud)
Sentry	Crash reporting and error tracking	EU region
Apple Inc.	App Store distribution and in-app purchases (iOS)	Apple’s infrastructure
Google LLC	Play Store distribution and in-app purchases (Android)	Google’s infrastructure

We do not share your health data with any of these processors except as strictly necessary to provide the service. Apple and Google receive only technical and transaction data, not your symptom or health records.

7. Data transfers outside the EU

Your health data is stored in the EU and does not leave the EU in the ordinary course of operations. Where any processor operates infrastructure outside the EU (for example, some Stripe and Sentry operations), we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.

8. How long we keep your data

Data category	Retention period
Account and profile data	For the duration of your account, plus 30 days after deletion
Health and symptom data	For the duration of your account, plus 30 days after deletion
Consent records	6 years after account closure (legal obligation)
Anonymised research data (if consented)	Retained in aggregate form after account deletion; cannot be linked back to you
Billing records	7 years (Belgian accounting law)
Crash and error logs	90 days rolling

When you delete your account, all personal data is removed within 30 days. Consent records are retained for 6 years as required by law. Billing records are retained for 7 years as required by Belgian accounting law.

9. Your rights under GDPR

You have the following rights in relation to your personal data. To exercise any of them, contact us at privacy@alaiahealthcare.com. We will respond within 30 days.

Right to access. You can request a copy of all personal data we hold about you. You can also export your data directly in the app via Profile > Privacy > Export my data (JSON and PDF formats).

Right to rectification. You can correct or update any data we hold about you. Most data can be edited directly in the app.

Right to erasure. You can request deletion of your account and all associated personal data. This can be done in Profile > Privacy > Delete account, or by writing to privacy@alaiahealthcare.com. Deletion completes within 30 days.

Right to withdraw consent. You can withdraw any consent you have given (health data processing, analytics, marketing, research participation) at any time via Profile > Privacy > Consent settings. Withdrawing health data consent will close your account as the service cannot function without it.

Right to data portability. You can receive your data in a machine-readable format (JSON) via Profile > Privacy > Export my data.

Right to restriction. You can request that we restrict processing of your data while we are responding to a complaint or dispute.

Right to object. You can object to processing based on legitimate interests. This right does not apply to processing based on contract performance or legal obligation.

Right to lodge a complaint. If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données): apd-gba.be.

10. Children

Alaia is intended for adults aged 18 and over. We do not knowingly collect data from anyone under 18. If you believe a person under 18 has created an account, please contact us at privacy@alaiahealthcare.com and we will delete the account promptly.

11. Cookies and tracking

The Alaia mobile application does not use browser cookies. On the web (alaiahealthcare.com), we use only strictly necessary cookies required for the website to function. Analytics on our website are subject to a separate cookie consent notice.

12. Security

We apply technical and organisational measures to protect your data, including:

AES-256 encryption at rest
TLS 1.3 encryption in transit
Certificate pinning in production builds
Row-level security on all database tables
Rate limiting on authentication endpoints
Vulnerability scanning via automated tooling

In the event of a data breach affecting your rights and freedoms, we will notify you and the Belgian Data Protection Authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.

13. Changes to this policy

We may update this policy from time to time. If we make a material change, we will notify you in-app and by email before the change takes effect. The effective date at the top of this page will always reflect the most recent version. Continued use of Alaia after a policy update constitutes acceptance of the updated terms.

14. Contact

For any questions about this policy or your personal data:

Email:privacy@alaiahealthcare.com
Website:alaiahealthcare.com

Alaia Healthcare
Antwerp, Belgium