Privacy Policy
Last updated: 16. March 2026
1. Introduction
Welcome to FemMed. We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how FemMed collects, uses, stores, and protects information about you when you use our medication tracking service.
FemMed is operated by an individual data controller based in Austria and is subject to the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Austrian Data Protection Act (Datenschutzgesetz, DSG). As we operate internationally, we also respect applicable data protection laws in the countries where our users are located.
2. Data Controller & Contact
The data controller responsible for your personal data is:
If you have any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us at the email address above.
3. Minimum Age
FemMed is intended for users who are at least 16 years old, in accordance with Austrian law and Article 8 of the GDPR as implemented in Austria. We do not knowingly collect personal data from individuals under 16 years of age. If we become aware that data has been collected from a person under this age, we will delete it promptly.
4. Personal Data We Collect
We collect only the data that is necessary to provide the FemMed service.
4.1 Account Data
- Username — stored in encrypted form
- Email address — stored in encrypted form
- Password — stored as a one-way cryptographic hash; we cannot recover your original password
4.2 Medication & Health Data
FemMed processes data about the medications you track within the application. This includes:
- Medications you have linked to your account
- Dosage information and timing of doses taken
- Notes you may attach to medication entries
This data is classified as health data under Article 9 GDPR (special category data) and is afforded the highest level of legal protection. It is stored in clear text in our database. We do not currently apply field-level encryption to health data beyond the access controls and server-level security measures described in Section 8.
We are transparent about this and continue to evaluate additional technical safeguards for future versions of FemMed.
4.3 Data We Do Not Collect
We do not collect payment information, government identification, location data, device identifiers, or any behavioural analytics or tracking data.
5. Legal Basis for Processing
We process your personal data on the following legal bases under GDPR:
- Contract performance (Article 6(1)(b) GDPR): Processing your account data is necessary to create and manage your FemMed account.
- Explicit consent (Article 6(1)(a) and Article 9(2)(a) GDPR): By creating an account and entering your medication information, you give explicit consent to the processing of your health-related data. You may withdraw this consent at any time by deleting your account.
- Legal obligation (Article 6(1)(c) GDPR): We may process your data where required to comply with a legal obligation under Austrian or EU law.
6. How We Use Your Data
We use your personal data solely for the following purposes:
- To create, maintain, and secure your FemMed account
- To enable you to track and manage your medications and dosing schedules
- To send you service-related communications (e.g. password reset emails)
- To comply with legal obligations we are subject to as a data controller
We do not use your data for advertising, profiling, or automated decision-making.
7. Data Sharing & Disclosure
We do not sell, rent, or share your personal data with any third parties for commercial purposes — ever.
7.1 Hosting Provider
Your data is stored on infrastructure provided by Hetzner Online GmbH, which operates within the EU/EEA. Our servers are located in Finland. Hetzner acts as a data processor on our behalf and is contractually bound under a Data Processing Agreement (DPA) compliant with GDPR requirements. Hetzner does not have access to your data for any purpose other than infrastructure provision.
7.2 Legal Requirements
We may disclose personal data if required to do so by applicable law, regulation, or court order issued by a competent Austrian or EU authority. We will notify you of such requests where we are legally permitted to do so.
7.3 No Other Sharing
No other third parties receive your personal data. We do not use analytics services, advertising networks, or any other data processors beyond those described above.
8. Data Security
We take the security of your data seriously and have implemented the following technical and organisational measures:
- Encryption of personally identifiable account data (username and email address) at rest
- One-way hashing of passwords — your original password is never stored or accessible
- Data hosted exclusively within the EU/EEA on Hetzner infrastructure
- Access to the production database restricted to authorised personnel only
Whilst we work hard to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We encourage you to use a strong, unique password for your FemMed account.
9. Data Retention
We retain your personal data for as long as your account is active. If you delete your account, we will permanently delete all associated personal data from our systems within 30 days, except where we are required to retain certain data for a longer period to comply with legal obligations.
10. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights with respect to your personal data:
- Right of access (Article 15): Request a copy of the personal data we hold about you.
- Right to rectification (Article 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Article 17): Request deletion of your personal data ("right to be forgotten"), subject to certain legal exceptions.
- Right to restriction of processing (Article 18): Request that we restrict how we process your data in certain circumstances.
- Right to data portability (Article 20): Receive your personal data in a structured, machine-readable format.
- Right to withdraw consent (Article 7(3)): Withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint (Article 77): Lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde, DSB) at dsb.gv.at.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days as required by GDPR.
11. International Data Transfers
Your data is stored and processed exclusively within the EU/EEA and is not transferred to countries outside the EEA. If this changes in the future, we will update this Privacy Policy and ensure appropriate safeguards (such as Standard Contractual Clauses) are in place before any such transfer occurs.
12. Health Data (Special Category Data)
Medication information constitutes health data and is classified as a special category of personal data under Article 9 GDPR, receiving heightened legal protections. We process this data only:
- On the basis of your explicit consent given at the time of account creation and use of the service
- For the sole purpose of providing the medication tracking functionality you have requested
You may withdraw your consent and request deletion of all health data at any time by contacting us or deleting your account.
13. Cookies & Tracking
FemMed does not use third-party tracking cookies or analytics services. We may use strictly necessary session cookies or tokens required for authentication and the secure operation of the service. These are not used for advertising or profiling purposes.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will notify you via email and/or a prominent notice within the application. The date at the top of this document indicates when it was last updated.
15. Contact & Complaints
For any questions or concerns about this Privacy Policy or the way we handle your personal data, please contact:
If you are not satisfied with our response, you have the right to lodge a complaint with the Austrian Data Protection Authority:
This Privacy Policy was prepared in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Austrian Data Protection Act (DSG). It is provided in English; a German-language version may be provided upon request.