Privacy Policy
Effective date: March 30, 2026
1. Introduction and Controller Identity
This Privacy Policy explains how Plus+ collects, uses, stores, and protects your personal data when you use the Plus+ mobile application ("the App"), visit our website at plushealth.app, or interact with us through other channels.
The data controller responsible for your personal data is:
Ann Hess, operating as Plus+ (sole proprietorship)
Switzerland
Email: hello@plushealth.app
We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (nDSG/revDSG), and all other applicable data protection laws. Given that Plus+ handles sensitive health-related information, we hold ourselves to the highest standards of data protection.
By using Plus+, you acknowledge that you have read and understood this Privacy Policy. Where required by law, we will obtain your explicit consent before processing specific categories of data.
2. What Data We Collect
We collect and process the following categories of personal data:
2.1 Account Data
- Email address (used for authentication and account recovery)
- Display name or username (optional)
- Account preferences and settings
- Subscription status (Free or Pro tier)
2.2 Health and Wellness Logs
The core functionality of Plus+ involves tracking sensitive health data that you voluntarily enter, including but not limited to:
- Sexual health activities and related notes
- Menstrual cycle data (period dates, flow, symptoms)
- Sleep duration and quality assessments
- Mood and emotional state entries
- Libido levels and patterns
- Stress levels and contributing factors
- General wellness observations
2.3 Device Integration Data
If you choose to connect third-party devices or platforms, we may receive data from:
- Apple Health (HealthKit)
- Oura Ring
- Whoop
- Fitbit
- Google Health Connect
Data imported from these integrations may include sleep metrics, activity data, heart rate variability, body temperature, and other biometric readings. You control which integrations are active and can disconnect them at any time.
2.4 Usage Analytics
- App usage patterns (features used, session duration) -- collected in anonymized or aggregated form only
- Device type, operating system version, and app version
- Crash logs and performance data (anonymized)
2.5 Communications Data
- Contact form submissions: name, email address, subject, and message content
- Newsletter sign-ups: email address
- Support correspondence
3. Special Category Data (GDPR Article 9)
Much of the data processed by Plus+ qualifies as "special category data" under Article 9 of the GDPR, specifically data concerning health and sexual life. This category of data receives the highest level of protection under European and Swiss data protection law.
We process special category data only on the basis of your explicit consent, which you provide when you create your account and actively choose to log health information within the App. You may withdraw this consent at any time (see Section 10).
We apply additional safeguards to special category data, including on-device storage by default, end-to-end encryption for any cloud-synced data, and strict access controls ensuring that no human at Plus+ can view your individual health entries.
4. Legal Basis for Processing
We process your personal data on the following legal grounds:
4.1 Explicit Consent (Article 6(1)(a) and Article 9(2)(a) GDPR)
For all health and wellness data, sexual health data, and device integration data. You provide explicit consent when you create your account and begin logging data. Consent is freely given, specific, informed, and unambiguous.
4.2 Performance of a Contract (Article 6(1)(b) GDPR)
For processing necessary to provide the Plus+ service, including managing your account, delivering Pro subscription features, and processing payments through the Apple App Store or Google Play Store.
4.3 Legitimate Interest (Article 6(1)(f) GDPR)
For anonymized usage analytics that help us improve the App, ensuring the security and integrity of our systems, and preventing fraud or abuse. We have conducted balancing tests to ensure our legitimate interests do not override your fundamental rights.
4.4 Legal Obligation (Article 6(1)(c) GDPR)
Where processing is necessary to comply with applicable laws, such as financial record-keeping for subscription transactions.
5. How We Use Your Data
We use the data we collect for the following purposes:
- Providing and operating the Plus+ App, including generating personalized health insights, pattern recognition, and AI-powered analysis
- Synchronizing data across your devices when you opt into cloud sync
- Processing and managing your Pro subscription
- Responding to your support requests and contact form submissions
- Sending our newsletter (only if you have subscribed)
- Improving the App through anonymized, aggregated analytics
- Ensuring the security of our infrastructure and detecting abuse
- Complying with legal and regulatory obligations
We do not use your personal health data for advertising purposes. We do not build advertising profiles. We do not sell your data. Ever.
6. Data Storage and Security
6.1 On-Device First Architecture
Plus+ is designed with a privacy-first approach. By default, all health and wellness data is stored locally on your device. Data never leaves your device unless you explicitly enable cloud synchronization.
6.2 Optional Cloud Sync
If you enable cloud sync, your data is encrypted end-to-end before leaving your device. This means that even in transit and at rest on our servers, your data cannot be read by anyone -- including us.
6.3 Security Measures
We implement appropriate technical and organizational measures to protect your data, including:
- End-to-end encryption for cloud-synced data
- Encryption at rest and in transit (TLS 1.3)
- Secure authentication mechanisms
- Regular security assessments and code reviews
- Access controls ensuring minimal data access on a need-to-know basis
- Incident response procedures for potential data breaches
6.4 Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and inform you without undue delay, in accordance with GDPR Article 33 and Article 34.
7. Third-Party Services and Device Integrations
Plus+ integrates with the following third-party health platforms at your direction:
7.1 Apple Health (HealthKit)
When you connect Apple Health, the App reads and/or writes health data categories that you explicitly authorize through the iOS permissions system. Apple Health data is governed by Apple's HealthKit guidelines, and we never store HealthKit data on external servers unless you have enabled cloud sync.
7.2 Oura Ring
If you connect your Oura Ring account, we retrieve sleep, readiness, and activity data through the Oura API. This connection requires your explicit authorization through Oura's OAuth flow, and you can revoke access at any time through the Oura app or your Oura account settings.
7.3 Whoop
Connecting Whoop allows Plus+ to import recovery, strain, and sleep data through the Whoop API. Authorization is managed through Whoop's OAuth process, and you may disconnect at any time.
7.4 Fitbit
Fitbit integration imports activity, sleep, and heart rate data via the Fitbit Web API. You authorize this through Fitbit's consent flow, and you can revoke access through your Fitbit account settings or within Plus+.
7.5 Google Health Connect
On Android, Plus+ can connect to Google Health Connect to read and write health data categories you approve. Permissions are managed through the Health Connect permissions system on your device.
For all integrations, data flows from these services into Plus+ only when you initiate a sync or as configured in your settings. We do not share your Plus+ data back to these services unless you explicitly enable write-back functionality for specific data types.
8. Data Sharing
We do not sell, rent, trade, or otherwise commercially share your individual personal data with third parties. This is a core principle of Plus+.
8.1 Advertising on the Free Tier
Users on the free tier will see contextual (non-personalized) advertisements. These ads are selected based on general context, not your personal health data. Our ad partners may receive limited device information (such as device type and operating system) subject to your consent. Ad partners do not receive any of your health or wellness data.
8.2 No Sale of Individual Data
We do not sell individual user data to third parties. Your personal health entries, activity logs, and identifiable information are never provided to any external party for commercial purposes.
8.3 Aggregated, Anonymized Insights
We may in the future share aggregated, anonymized insights derived from large user pools with research partners and commercial partners. Such data is compiled from minimum cohort sizes of 100+ users and cannot be used to identify any individual user. Examples of aggregated insights include:
- Trend reports on general wellness patterns
- Demographic wellness patterns across broad population groups
- Population-level health correlations
Users will be informed before any such aggregated data-sharing program begins. This notice will be provided through the App and/or via email, and where required by law, your consent will be obtained.
8.4 Service Providers (Processors)
We may share limited data with the following categories of service providers ("processors"), who are contractually bound to protect your data:
- Cloud infrastructure providers (for encrypted cloud sync, if enabled by you)
- Payment processors (Apple App Store, Google Play Store -- we do not directly handle payment card information)
- Email service providers (for newsletter delivery and transactional emails)
- Advertising partners (limited device information only, subject to user consent; no health data is shared)
- Anonymized analytics services (no personal data is shared; only aggregated, non-identifiable metrics)
All processors are selected for their commitment to data protection, are located in jurisdictions with adequate data protection standards or operate under appropriate safeguards, and have signed data processing agreements in compliance with GDPR Article 28.
We may also disclose personal data if required by law, court order, or regulatory authority, and only to the minimum extent necessary.
9. International Data Transfers
Plus+ is operated from Switzerland, which the European Commission recognizes as providing an adequate level of data protection.
Where data is transferred to processors located outside Switzerland or the European Economic Area (EEA), we ensure that appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions by the European Commission or the Swiss Federal Data Protection and Information Commissioner (FDPIC)
- Other legally recognized transfer mechanisms under GDPR Chapter V and the nDSG
Given our on-device-first architecture, the majority of your sensitive health data never leaves your device and is therefore not subject to international transfer.
10. Your Rights
Under the GDPR and the Swiss nDSG, you have the following rights regarding your personal data:
10.1 Right of Access
You have the right to obtain confirmation as to whether we process your personal data, and to request a copy of that data.
10.2 Right to Rectification
You have the right to correct inaccurate personal data and to complete incomplete data.
10.3 Right to Erasure ("Right to Be Forgotten")
You have the right to request the deletion of your personal data. Within the App, you can delete all your data at any time through the account settings. Upon deletion, all data stored locally on your device and on our servers (if cloud sync was enabled) will be permanently removed.
10.4 Right to Restriction of Processing
You have the right to request that we restrict the processing of your personal data under certain circumstances.
10.5 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
10.6 Right to Object
You have the right to object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
10.7 Right to Withdraw Consent
Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
10.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. For Swiss residents, this is the Federal Data Protection and Information Commissioner (FDPIC). For EU residents, you may contact the supervisory authority in your country of residence.
To exercise any of these rights, please contact us at hello@plushealth.app. We will respond to your request within 30 days.
11. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy:
- Health and wellness data stored on-device: retained until you delete it within the App or uninstall the App
- Cloud-synced data: retained until you delete your account or disable cloud sync, at which point it is permanently erased from our servers within 30 days
- Account data: retained for the duration of your account. Upon account deletion, all associated data is purged within 30 days
- Communications data (contact form, support): retained for up to 24 months after the last interaction, unless a longer period is required for legal purposes
- Newsletter subscriptions: retained until you unsubscribe
- Financial records related to subscriptions: retained as required by applicable Swiss and EU tax and commercial law (typically up to 10 years)
- Anonymized analytics data: retained indefinitely as it cannot be linked to any individual
12. Children's Privacy
Plus+ is intended exclusively for users aged 18 and older. The App addresses sexual health topics and collects sensitive health data that is not appropriate for minors.
We do not knowingly collect personal data from individuals under the age of 18. If we become aware that a user is under 18, we will promptly delete their account and all associated data.
If you believe a minor has provided us with personal data, please contact us immediately at hello@plushealth.app.
13. Newsletter and Communications
When you sign up for our newsletter, we collect your email address. We use this solely to send you updates about Plus+, health and wellness content, and product announcements.
- Newsletter subscription is entirely optional and separate from your App account
- Every newsletter includes an unsubscribe link, allowing you to opt out at any time
- We do not share your newsletter email address with third parties for their marketing purposes
- We may use a third-party email service provider to deliver newsletters; such providers act as processors under a data processing agreement
Transactional emails (such as password resets or subscription confirmations) are sent as part of the service and do not require separate consent.
From time to time, we may send communications related to advertising preferences, ad-related policy changes, or updates about our free-tier ad experience. These are considered service communications and are sent to keep you informed about how ads function within the App. You can manage your ad-related preferences within the App settings.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons.
When we make material changes, we will:
- Update the "Effective date" at the top of this page
- Notify you through the App or via email if the changes significantly affect how we process your personal data
- Where required by law, seek your renewed consent before applying changes to the processing of special category data
We encourage you to review this Privacy Policy periodically. Your continued use of Plus+ after changes take effect constitutes acceptance of the updated policy, except where explicit consent is required.
15. Contact and Data Protection
If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:
Ann Hess, operating as Plus+
Email: hello@plushealth.app
Website: plushealth.app
As a sole proprietorship, Plus+ has not appointed a formal Data Protection Officer (DPO) at this time, as it is not required under Article 37 of the GDPR for our current scale of operations. All data protection inquiries are handled directly by the controller and will be addressed promptly and thoroughly.
Should our operations grow to a point where a DPO appointment becomes legally required, we will update this policy accordingly and provide the relevant contact details.
For concerns that cannot be resolved directly with us, you may contact:
- The Swiss Federal Data Protection and Information Commissioner (FDPIC): www.edoeb.admin.ch
- Your local EU/EEA data protection supervisory authority