Privacy Policy – Replete

Effective date: 21st May 2026

The short version

Replete is a small, independent project I built because women with iron deficiency deserve better than to be dismissed. I'm not a big company. I don't have an advertising business. I don't want your data for anything except running Replete for you.

In plain terms:

  • Your symptom and bloodwork data lives in an encrypted EU database. Only you can see it.
  • I never sell, share, or use your data for marketing or AI training.
  • You can export everything or delete your account in one click, from inside Replete.
  • This policy is written by a human, in plain language, on purpose. It will get more formal as Replete grows.

If anything below is unclear, email me: replete.app@proton.me

1. Who I am

Replete (replete.app, app.replete.app) is operated by Róisín Radford, an independent solo founder based in the Netherlands.

Under the GDPR, I am the data controller of any personal data you give me through Replete.

Contact: replete.app@proton.me

2. What I collect

When you create an account:

  • Your email address (to log you in and send essential service emails)
  • A hash of your password (I never see your actual password)

When you use Replete:

  • Symptoms you log – energy, mood, sleep, hair, cycle, GI, etc.
  • Bloodwork results you enter – ferritin, hemoglobin, full iron panel, etc.
  • Reminders and goals you set for yourself

That's it. No tracking pixels, no analytics, no third-party cookies.

3. Health data – Special Category (GDPR Article 9)

The symptoms and bloodwork you log are special category data under Article 9 of the GDPR – the highest protected tier.

I process this only with your explicit consent, given when you tick the dedicated health-data checkbox at signup. You can withdraw this consent at any time by deleting your account, which permanently erases your health data within 30 days.

I will never:

  • Sell your health data to anyone, for any reason.
  • Share it with insurers, employers, advertisers, or any third party not strictly required to run the service.
  • Use it to train AI or machine-learning models.
  • Process it outside the EU/EEA.

4. Lawful basis for processing

What I do                                                | Why I'm allowed to (GDPR)
Running your Replete account                             | Contract – Art. 6(1)(b)
Storing your symptom & bloodwork logs                    | Explicit consent – Art. 9(2)(a)
Sending essential service emails (password reset, etc.)  | Contract – Art. 6(1)(b)

If I add other processing later, I'll ask for separate opt-in consent and update this policy first.

5. Where your data lives & who can access it

Replete runs on Lovable Cloud, which uses Supabase (authentication + PostgreSQL database) hosted on managed EU infrastructure.

Your data is:

  • Encrypted in transit (HTTPS/TLS)
  • Encrypted at rest on the database
  • Protected by Row-Level Security – the database itself enforces that users can only access their own data

I don't currently use any analytics or third-party tracking services for Replete. If that changes, I'll update this policy and notify users first.

Your data is stored in the European Union. It is not transferred outside the EU/EEA.

6. How long I keep your data

  • Account and health data: until you delete your account. Then permanently erased within 30 days.
  • Email correspondence with me: kept for 1 year after our last exchange, then deleted.
  • Database backups: cycled out within 35 days.

7. How I keep your data secure

  • HTTPS/TLS for all data in transit
  • Bcrypt password hashing – your password is never visible to anyone, including me
  • Encryption at rest on the database
  • Row-Level Security enforced at the database layer
  • 2FA on my own administrative accounts

No system is perfectly secure, but I take this seriously and review my setup as Replete grows. If a breach ever affects your personal data, I will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours and inform you directly without undue delay.

8. Your rights under GDPR

You have the following rights, free of charge:

  • Access: get a copy of everything I hold about you
  • Rectification: correct anything wrong
  • Erasure: delete your account and all data
  • Data portability: export your data in a machine-readable format
  • Restriction: pause my use of your data
  • Objection: object to processing
  • Withdraw consent: at any time

Replete already supports one-click data export and account deletion inside your account settings. For anything else, email me at replete.app@proton.me and I'll respond within one month.

9. Cookies

Replete uses only the strictly necessary cookies required to keep you logged in. No advertising, analytics, or tracking cookies. No consent banner is required under EU law for this category.

10. Children

Replete is intended for adults aged 18 and over. I don't knowingly collect data from anyone under 18. If you believe I have, please email me and I'll delete it immediately.

11. Changes to this policy

If I make a material change – adding a new service that processes your data, or changing how health data is handled – I'll update the "Effective date" at the top of this page and email registered users at least 14 days before changes take effect.

12. Complaints

If you're ever unhappy with how I handle your data, please email me first: replete.app@proton.me. I read every email.

You also have the right to complain to the Dutch supervisory authority:

Autoriteit Persoonsgegevens (AP)
Bezuidenhoutseweg 30, 2594 AV Den Haag
autoriteitpersoonsgegevens.nl

13. Contact

Questions about your data, this policy, or anything else?

Email: replete.app@proton.me

– Róisín