Minimum data — No AI processing — No selling
Your personal data security is our top priority. We understand that cycle data is highly intimate health information — and we treat it accordingly. This page explains how we protect your data technically, legally, and organisationally.
If you believe you have found a security vulnerability, please report it responsibly to [email protected].
Lunarmates is committed to ensuring the security and protection of personal data in accordance with the EU General Data Protection Regulation (GDPR), the Danish Data Protection Act, and all applicable data protection law. Our lead supervisory authority is Datatilsynet (datatilsynet.dk).
Lunarmates runs on a dedicated server hosted by Hetzner Online GmbH, located in Helsinki, Finland — within the European Union. Hetzner is an EU-based company operating under EU law and GDPR. All data remains within the EU at all times.
We do not use cloud infrastructure from US-based hyperscalers such as AWS, Google Cloud, or Azure for our application or database. Your data does not leave the EU.
All data in transit between your device and our server is encrypted using TLS (Transport Layer Security). HTTPS is enforced for all connections — unencrypted HTTP is not permitted.
All data at rest on our server is encrypted. Passwords are hashed using bcrypt and are never stored in plain text. We do not store payment card data — we do not currently offer paid subscriptions.
Lunarmates is built on Ruby on Rails 8, which follows strict security defaults including:
We apply security patches promptly and follow Rails security best practices as a matter of routine.
The most secure data is data that was never collected. Lunarmates is deliberately designed to collect the minimum necessary to provide the service:
Collecting less means there is less to protect — and less that could be exposed.
Lunarmates does not use artificial intelligence, machine learning models, or large language models to process your data, generate relationship advice or suggestions, or provide any form of health guidance.
This is a deliberate design choice, not a technical limitation.
AI models — including the most capable ones available today — are known to hallucinate: to generate confident-sounding outputs that are factually incorrect. Applying such models to intimate health data, or to something as nuanced as a relationship between two people, carries real risks of harm. We believe this would be both unethical and unwise.
We also hold a deeper conviction: women are not a dataset to be modelled. The complexity, mystery, and individuality of a woman's experience cannot and should not be reduced to an AI output. Lunarmates exists to help men pay closer attention — not to replace that attention with an algorithm.
Cycle phase forecasts on Lunarmates are generated by straightforward statistical calculation from period start dates you log. No AI is involved at any stage.
We use a small number of trusted third-party providers, each chosen for their EU compliance and minimal data exposure:
Hetzner Online GmbH — server hosting, Helsinki, Finland. EU-based, GDPR-compliant. Hetzner has access to the physical server but not to application data.
Brevo (Sendinblue SAS) — transactional email and push notification delivery, Paris, France. EU-based, GDPR-compliant. Brevo processes email addresses and push tokens only — no health data.
Browser push services — push notifications are delivered via your browser's built-in infrastructure (Google FCM for Chrome, Mozilla's push service for Firefox, Apple APNs for Safari). We send only notification text — no health data is included in any push payload.
Google OAuth — if you choose to sign in with Google, your email address is received from Google to authenticate your account. No health data is shared with Google. This is optional — you may also register with an email address and password.
We do not use Google Analytics, Facebook Pixel, advertising trackers, or any third-party analytics service.
Access to production data is strictly limited to authorised personnel. We operate on the principle of least privilege — no one has access to data beyond what is necessary for their role.
In the event of a personal data breach, we will:
If you discover a security vulnerability in Lunarmates, we ask that you report it to us responsibly before disclosing it publicly. Please email [email protected] with:
We will acknowledge your report within 5 business days and work to resolve confirmed vulnerabilities promptly. We will not take legal action against researchers who act in good faith and follow this process.
For security questions, vulnerability reports, or concerns:
For data protection and privacy questions:
Mattrix ApS, Bymidten 65, 1tv, 3500 Værløse, Denmark