Privacy Policy

Who we are

Menoa is a digital health service designed to help women in menopause understand symptoms and gain insight into their health. The service is operated by Menoa AS (org. no. 837 452 562). Contact us at hei@menoa.no.

What data we collect

We collect the following categories of data:

• Account information: Name, email address, password (encrypted)
• Health data: Sleep, energy, mood (1-5 scale), symptoms, menstrual log, free-text notes
• Health profile: Birth year, cycle status, hormone therapy, diagnoses, goals
• AI coach conversations: Messages between you and the coach
• Insights: Automatically generated patterns and summaries based on your data
• Technical data: IP address, user agent (for security and audit)
• Consent log: Timestamp, consent type and IP address (for audit)

Legal basis

Health data is a special category of personal data under GDPR Article 9. We process these based on your explicit consent (Article 9(2)(a)). You give consent before we collect health data, and you can withdraw it at any time.

How we store data

• All health data is stored in the EU (Azure PostgreSQL, Sweden)
• Data is encrypted in transit (TLS 1.3) and at rest (AES-256)
• Free-text notes have additional application-level encryption (AES-256-GCM)
• Passwords are stored with scrypt hashing

Analytics and insights

We use the following tools to understand how the service is used and improve the experience:

• PostHog: Product analytics that records page views. We have disabled automatic collection of clicks and screen recordings to protect health data. PostHog uses a cookie and localStorage to recognize returning visits. Data is sent to PostHog's servers in the EU.

AI coach and third parties

The AI coach uses Mistral AI via Microsoft Azure, hosted in the EU (Sweden). When you use the coach, your health data is processed within the EU data zone to generate responses. Data is not used to train AI models. AI-powered features are an integral part of the health service and are covered by consent for health data processing.

Data processors

We use the following third parties to deliver the service:

Transfers outside the EU/EEA

All our data processors operate within the EU/EEA. The application is hosted on Microsoft Azure in Sweden. The AI coach (Mistral AI via Azure) is hosted in the EU (Sweden). Resend (email) is a US company that processes data in the EU (Ireland). Transfer of personal data to the US (Resend Inc.) is done in accordance with EU Standard Contractual Clauses (SCCs). Health data is stored in the EU.

Employers (B2B)

If you are connected to a company through Menoa, anonymized and aggregated data may be shared with your employer. This requires your explicit consent, and data is only displayed when there are at least 5 active users. The employer never sees individual data.

Retention

• Health data: as long as your account is active
• AI coach conversations: archived after 6 months, automatically deleted after 12 months (or immediately upon account deletion)
• Security log: 3 years
• Sessions: expire after 7 days

When you delete your account, all associated data is permanently deleted.

Your rights

Under GDPR, you have the right to:

• Access: View all data we have about you (export from profile)
• Rectification: Update your information in your profile
• Erasure: Delete your account and all associated data
• Data portability: Download your data in a machine-readable format (JSON)
• Withdraw consent: At any time, for each purpose separately
• Complaint: You have the right to file a complaint with the Norwegian Data Protection Authority (datatilsynet.no) if you believe we process your personal data in violation of regulations

You can exercise these rights on the profile page in the app or by contacting us at hei@menoa.no.

Contact

For privacy questions, contact us at hei@menoa.no.