Privacy

Privacy policy.

Last updated: 10 May 2026.

Who's behind this

Hi, I'm Luana. I run ReturnKit as a sole trader from Ireland. If you have a privacy question or want your data deleted, email me directly: privacy@returnkit.life. I reply within a few days (30 max, as GDPR requires).

What stays on your device

Everything you put into the app:

  • Profile stuff: life stage, age, conditions you choose to share (PCOS, ADHD, postpartum, etc.)
  • Activity: cycle dates, focus blocks, journal entries, brain dumps
  • Preferences: theme, mode, settings

This sits in your browser's localStorage. I never see it. It only leaves your device if you turn on cloud sync.

What I see when you sign in

Just your email (so you can sign in across devices) and a random token that proves it's you. If you go paid one day, Stripe handles cards: I never touch them.

What happens with cloud sync (if you turn it on)

Your data gets stored, encrypted in transit, in Cloudflare KV against your account. Mirror of what's on your device. Turn sync off anytime in Settings. Delete the cloud copy with one button.

Health data (the sensitive bit)

Some of what ReturnKit helps you organise (conditions, medications, cycle, perimenopause and postpartum notes, your kids' health details) counts as special-category data under GDPR (Article 9), so it gets the strongest treatment. It lives on your device by default and never leaves unless you choose. If you turn on cloud sync, I process it only on the basis of your explicit consent (the sync toggle itself), and you can withdraw that consent anytime by turning sync off or deleting the cloud copy. I never sell it, never use it for advertising, and never train AI models on it.

The AI Copilot

When you tap "Ask", your prompt goes over HTTPS to the AI provider set in Settings (Anthropic's Claude or Google's Gemini). Before it's sent, identifying details (your name, date of birth, your kids' and partner's names, exact dates) are stripped by default; ages and health context stay so the help is useful. They process it, return an answer; I don't keep the prompt afterwards. Policies: Anthropic, Google.

The companies that touch the infrastructure

Small list, each one only sees what they need:

  • Cloudflare: hosts sign-in and cloud sync storage
  • Vercel: hosts the website
  • Anthropic or Google: only when you tap "Ask" (whichever AI provider you've set)
  • Stripe: when paid plans launch (not yet)

All of them are GDPR-compliant and use EU-approved data transfer agreements. None of them are advertisers or data brokers.

Your rights (the GDPR bit)

You can:

  • See your data: export a JSON file from Settings
  • Fix anything inaccurate: edit it in the app
  • Delete everything: the "Delete my account" button removes it within minutes
  • Take your data with you: the same JSON export
  • Withdraw consent: turn off sync, or delete your account
  • Complain to a regulator: you can contact the Irish Data Protection Commission at any time

Cookies

None. Just localStorage and a service worker so the app works offline. Both strictly necessary, no banner needed.

Age

You need to be 16+ to use ReturnKit. That's the GDPR digital-consent age in Ireland.

One important thing

ReturnKit helps you plan and journal. It's not a medical device and it doesn't replace your GP, your therapist, or your consultant. Cycle phases and condition tags are organisational, not diagnostic. Always talk to a real clinician for medical decisions.

If this policy changes

I'll tell you in the app and ask you to re-confirm consent if anything material shifts. Small wording fixes happen quietly. The date at the top is always current.

Questions? privacy@returnkit.life. I read every email.