1. Controller

The data controller responsible for the processing of personal data in MyRing is:

Sebastian Lang (trading as langsoftware.de)
contact@langsoftware.de
langsoftware.de

2. Overview of what MyRing does with data

Nothing is sold to third parties. Health-relevant data (cycle, diary) never leaves your device unless you explicitly enable Cloud Backup.

3. Local data — stays on your iPhone

By default, MyRing stores all your cycle data and diary entries on your iPhone only, using Apple Core Data and SwiftData backed by the iOS app container. Apple’s at-rest encryption protects the database when your device is locked.

When you uninstall MyRing, this local data is removed by iOS together with the app.

4. Cloud Backup (optional, opt-in)

If you enable Cloud Backup in Settings → Backup, MyRing encrypts your cycle data and diary entries and uploads them to your authenticated Google Firebase Firestore account. You sign in with one of:

• Apple ID (Sign in with Apple)
• Google account
• Facebook account
• Email + password (Firebase Authentication)

What is stored in Firestore:

• Your cycle history (insertion / removal dates, customisations)
• Your diary entries (mood tags, period strength, notes, appointments)
• Your settings (reminder times, custom messages, colour preferences)

The legal basis for this processing is your consent (GDPR Art. 6 para. 1 lit. a) — you explicitly switch Cloud Backup on. You can revoke consent at any time by signing out and deleting the backup from Settings.

The data is hosted by Google Cloud (Firestore) in the EU region. Google acts as our processor under GDPR Art. 28; the data processing agreement with Google is provided through the Firebase Terms of Service.

5. Authentication

Sign-in is handled by Firebase Authentication. When you sign in:

• With Apple ID: Apple provides us with a stable, pseudonymous user identifier. We do not receive your real Apple ID email unless you choose to share it.
• With Google: your Google account email and basic profile data (name, profile picture URL) are received.
• With Facebook: your Facebook user ID and email are received.
• With Email + password: the email you enter and a securely hashed password are stored by Firebase.

The email address is used only to identify your backup. We do not send marketing emails.

6. Crash reports — Firebase Crashlytics

If MyRing crashes, a crash report containing the device model, iOS version, app version, anonymous installation ID, and the stack trace is sent to Firebase Crashlytics. We do not transmit your cycle data, diary entries, email, or any other identifying information.

Legal basis: legitimate interest in stable, reliable software (GDPR Art. 6 para. 1 lit. f). You can disable crash reporting by uninstalling the app.

7. Anonymous usage events — Firebase Analytics

MyRing logs anonymous events (e.g. premium_activated, diary_period_saved) to Firebase Analytics to understand which features are used. These events do not contain cycle data, diary content, email or any directly identifying information.

Legal basis: legitimate interest in product improvement (GDPR Art. 6 para. 1 lit. f). For users in the EU, an ATT (App Tracking Transparency) prompt asks whether ad-related tracking is allowed — denying the prompt also prevents cross-app linking.

8. Subscriptions — RevenueCat + Apple

Your Premium subscription is managed by Apple App Store. We use RevenueCat as a thin layer in front of the App Store Server Notifications. RevenueCat sees: your Apple App Store receipt, the subscription product ID, the country of purchase, and a pseudonymous identifier. It does not see your cycle data or diary.

Legal basis: contract performance (GDPR Art. 6 para. 1 lit. b) for the subscription itself.

9. Ads (free users only)

Free users see banner ads served by Google Mobile Ads (AdMob) and occasionally interstitials.

• If you consent via the standard EU User Messaging Platform prompt shown on first launch, AdMob may use the IDFA / advertising identifier to serve personalised ads.
• If you decline, AdMob serves non-personalised ads only.

Premium users see no ads, and the AdMob SDK does not initialise an auction for them.

Legal basis: your consent (GDPR Art. 6 para. 1 lit. a) for personalised ads; legitimate interest (Art. 6 para. 1 lit. f) for non-personalised ads.

10. International transfers

Firebase (Authentication, Firestore, Crashlytics, Analytics, In-App Messaging) is operated by Google. Some sub-processing may occur in the United States. Where this happens, the transfer is covered by the EU Standard Contractual Clauses concluded as part of the Google Cloud DPA, plus Google’s additional safeguards (encryption in transit and at rest, restricted access).

11. Retention

12. Your rights

Under GDPR you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — correct inaccurate data
• Erasure — request deletion of your data („right to be forgotten“)
• Restriction — limit our processing
• Portability — receive your data in a machine-readable format
• Objection — object to processing based on legitimate interest
• Withdraw consent — at any time, with effect for the future
• Complain to a supervisory authority — in Germany, your state’s Datenschutzaufsichtsbehörde

To exercise any of these rights, contact us at contact@langsoftware.de. We respond within one month.

13. Children

MyRing is not intended for children under 13. We do not knowingly collect data from children. If you become aware that a child has used MyRing without parental consent, please contact us so we can delete the account.

14. Changes to this policy

We may update this policy from time to time. Material changes will be announced in the app and on langsoftware.de. The „Last updated“ date at the top of this page indicates the current version.

15. Contact

Sebastian Lang
contact@langsoftware.de
langsoftware.de