GDPR & Your Data Rights

Effective: May 1, 2026  ·  Applies to EU, EEA, and UK residents

Our Commitment to GDPR

Webb Labs Ltd. is committed to protecting the personal data of users in the European Union, European Economic Area, and United Kingdom in accordance with the General Data Protection Regulation (GDPR) (EU 2016/679) and the UK GDPR as retained in UK law.

This page explains your rights under GDPR, the legal bases on which we process your data, and how to exercise your rights. For our full data practices, see our Privacy Policy.

Data Controller

Webb Labs Ltd.
One Liberty Plaza, 165 Broadway, Lower Manhattan
23rd Floor, New York City, NY 10006, USA
Email: privacy@helloeve.org

Webb Labs Ltd. acts as the data controller for personal data processed through the Eve application and website. For provider-delivered services, healthcare providers act as independent data controllers for their own patient data.

Legal Bases for Processing

We process your personal data under the following legal bases as defined in GDPR Article 6:

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Eve Service you signed up for — account management, cycle tracking, notifications, and subscription billing.
  • Legitimate interests (Art. 6(1)(f)): Analytics, fraud prevention, security monitoring, and service improvement, where your interests are not overridden by our interests.
  • Consent (Art. 6(1)(a)): Push notifications, optional Apple Health sync, and any other processing where you have given explicit consent.
  • Legal obligation (Art. 6(1)(c)): Processing required by applicable law, including tax and financial regulations.

Special Category Data (Health Data)

Your menstrual cycle, fertility, and health data qualifies as special category data under GDPR Article 9. We process this data based on:

  • Explicit consent (Art. 9(2)(a)): You provide explicit consent when enabling health tracking features in the app.
  • Necessary for health purposes (Art. 9(2)(h)): When you use telehealth features and share health information with a provider.

You may withdraw consent for health data processing at any time by disabling tracking features or deleting your account.

Your Rights Under GDPR

As a data subject in the EU, EEA, or UK, you have the following rights:

Right of Access (Art. 15)

Request a copy of all personal data we hold about you, including how it is used and with whom it is shared.

Right to Rectification (Art. 16)

Request correction of inaccurate or incomplete personal data. Most data can be updated directly in the app.

Right to Erasure (Art. 17)

Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.

Right to Restriction (Art. 18)

Request that we restrict processing of your data in certain circumstances, such as while a dispute is being resolved.

Right to Data Portability (Art. 20)

Receive your data in a structured, machine-readable format to transfer to another service.

Right to Object (Art. 21)

Object to processing based on legitimate interests, including profiling. You may opt out of analytics at any time.

Right to Withdraw Consent

Withdraw consent at any time for processing based on consent, without affecting prior processing. Settings → Privacy in the app.

Right to Lodge a Complaint

Lodge a complaint with your national supervisory authority if you believe your rights have been infringed.

How to Exercise Your Rights

You can exercise most rights directly from the Eve app:

  • Export your data: Settings → Privacy → Export Data
  • Delete your account: Settings → Privacy → Delete Account
  • Manage consent: Settings → Privacy → Data & Permissions
  • Revoke Apple Health: iOS Settings → Health → Data Access & Devices → Eve

For requests that cannot be completed in-app, contact our Data Protection team:

Email: privacy@helloeve.org

Subject line: GDPR Data Subject Request

We will respond to all valid requests within 30 days. Complex requests may be extended by up to 60 days with notice.

International Data Transfers

Webb Labs Ltd. is based in the United States. When we transfer personal data from the EU/EEA/UK to the US, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to third-party processors.
  • UK International Data Transfer Agreements (IDTAs) for transfers subject to UK GDPR.

All third-party processors (Supabase, Stripe, Firebase) have signed Data Processing Agreements incorporating appropriate transfer mechanisms.

Data Retention Under GDPR

We retain personal data only as long as necessary for the purposes collected:

  • Account data: Retained while your account is active, deleted within 30 days of account deletion.
  • Health & cycle data: Deleted immediately upon account deletion. Retained for up to 2 years for active accounts.
  • Financial records: Retained for 7 years as required by tax law.
  • Analytics (anonymized): Retained indefinitely as anonymized aggregate data only.

Supervisory Authorities

You have the right to lodge a complaint with your local data protection supervisory authority. Key authorities include:

  • EU: Your national data protection authority (DPA). Find yours at edpb.europa.eu.
  • UK: Information Commissioner's Office (ICO) — ico.org.uk
  • Ireland: Data Protection Commission — dataprotection.ie
  • Germany: Bundesbeauftragte für den Datenschutz — bfdi.bund.de

Contact

For any GDPR-related questions or to exercise your data rights:

Webb Labs Ltd.

One Liberty Plaza, 165 Broadway, Lower Manhattan

23rd Floor, New York City, NY 10006, USA

Email: privacy@helloeve.org