Data Privacy Policy

Last updated: 10th September 2025

This Privacy Policy describes how Emm Technology (“we”, “us,” “our”) collects, uses and discloses information about individuals who use our website, services, tools and features, or who purchase our products or otherwise interact with us (collectively, the “Services”). For the purposes of this Privacy Policy, we are the data controller, and “you” and “your” means you as the user of the Services, whether you are a customer, website visitor, job applicant, representative of a company with whom we do business, or another individual whose information we have collected pursuant to this Privacy Policy.

We may update this Privacy Policy occasionally. When we do, we’ll change the “Last Updated” date at the top. If we make significant changes to how we use or share your information, we’ll try to let you know by email, a notice on our website, or another method that follows the law.

Please read this Privacy Policy carefully. By using any of our Services, you agree to the collection, use, and disclosure of your information as described in this Privacy Policy.

About Emm

We are Emm Technology Ltd, a UK based company creating smart, comfortable period care. We’re the data controller responsible for the personal data we collect and use.

Registered address: Unit 10 Temple Studios, BS1 6QA

Company number: 12651793

Contact email: hello@emm.co

ICO Registration: ZB961322

The different ways we collect and use your data

We collect personal data depending on how you interact with us. Here's a breakdown of the different situations:

When you purchase an Emm Cup

When you place an order with us, we collect some basic personal information to process and deliver your purchase. This includes:

Your name and contact details (email, phone number)
Your shipping and billing address
Payment information (handled securely by our payment provider – we do not store your full card details)
Your order history

We use this information to:

Process your payment and send you an order confirmation
Deliver your Emm Cup to the correct address
Provide customer support if needed

Legal basis:

Contract (Article 6(1)(b)) – necessary to fulfil your order
Legal obligation (Article 6(1)(c)) – e.g. for tax or record-keeping requirements

When you use the Emm App

When you download and use the Emm App, we collect data that helps the app and device work properly and provides a personalised experience. This includes:

Your name, email, and date of birth (when you create an account)
Menstrual history, body temperature, flow data from the Emm Cup, and symptoms you choose to log (e.g. cramping, fatigue)
Information about contraceptive use (provided during onboarding)
Usage information collected through product analytics tools, which helps us understand how people use the app and improve features

We use this data to:

Help you track your menstrual cycle and any symptoms you log
Enable the Emm Cup to function correctly with the app
Use information such as contraceptive use and cycle data to provide relevant insights and future product features tailored to your needs
Analyse usage patterns to improve app performance and user experience

Legal basis:

Consent (Article 6(1)(a)) – for general account and usage data
Explicit consent (Article 9(2)(a)) – for special category data like menstrual or reproductive health information

When you help us shape our research efforts

If you choose to allow it, we may use the data you generate through the Emm App and Emm Cup to support our research and innovation in menstrual and reproductive health. This includes:

Cup sensor data (e.g. fluid volume, temperature, movement)
Logged symptoms, cycle patterns, and contraceptive use
App usage and interactions (e.g. which features you use most)

We only use this data in a pseudonymised or anonymised format — meaning it’s either stripped of identifiable details or grouped in a way that can’t be linked back to you.

By letting us use your data in this way, you're helping to:

Improve our understanding of menstrual and reproductive health
Build smarter, more inclusive features within the Emm App and Cup
Support wider research around female health to enable better outcomes

Legal basis:

Consent (Article 6(1)(a)) – for using your app and device data for research purposes
Explicit consent (Article 9(2)(a)) – for any special category data, such as health or cycle data, used in research

You can change your mind at any time by updating your settings in the app or contacting us directly.

When you apply for a job with us

We collect:

Your name, contact details, CV, interview notes, and any additional info you provide
Where required, we may ask about right to work documents or equal opportunity data (e.g. gender, ethnicity – optional)

We use this data to manage recruitment, assess your suitability for the role, and stay in touch with you during the process.

Legal basis:

Legitimate interests (Article 6(1)(f)) – to recruit team members
Consent – if we ask to hold your CV for future roles
Legal obligation (Article 6(1)(c)) – where required for right to work checks

When you visit our website

We use cookies and similar tools on our website, and it’s important you know about them. You can review our full [cookie policy link] and manage your cookie preferences at any time by [link to settings].

💡 Cookies are small text files saved on your device when you visit a website. They help the website remember who you are and what you’ve done before, like your preferences. Cookies can’t run programs or give your computer viruses. Only the website that created the cookie can read it.

When you first visit our website, you’ll be asked to choose your cookie preferences. Cookies stored on your device may be either first-party cookies (set by us) or third-party cookies (set by our trusted partners).

Cookies and Analytics

We use a few different tools to help us understand how people use our website and improve their experience. These tools collect information such as:

Your IP address (which may be anonymised)
Device and browser type
Approximate location (e.g. city or region)
Pages visited and time spent on the site
How you got to our site (e.g. via search engine or social media)
General technical data like clicks, scroll depth, interactions with content, and participation in A/B tests

This data is collected using cookies or similar technologies and is aggregated so we can’t directly identify you.

Legal basis:

Consent (Article 6(1)(a)) – for cookies and tracking

Below is a list of the cookies we use and the purposes for which they are used:

Essential cookies

These are essential to the operation of our website and are integral to the functioning of our website, therefore they cannot be removed.

Non-essential cookies

These cookies are additional to the the performance of our Website and help us improve the service we provide to you.

You can choose not to allow non-essential cookies when you visit our website. You can also change your browser settings to block cookies. To learn how to manage cookies in popular browsers, visit the links below:

When we carry out marketing and raise awareness of Emm

We collect and use personal data to help more people discover Emm, stay in the loop, and engage with our community.

This may include:

Your name, email, location, and interest tags when you sign up for newsletters or follow us online
Data from ad campaigns and analytics platforms
Publicly available information when you engage with us on social media

We use this data to:

Share product updates, research opportunities, and upcoming events
Understand how people interact with our content and campaigns
Run targeted adverts and email marketing
Build and support our online community

We use platforms like Facebook, Instagram, TikTok, and YouTube to promote Emm, respond to direct messages, interact with post comments, and create a welcoming space for conversations about menstrual health.

Legal basis:

Consent (Article 6(1)(a)) – for email or SMS marketing
Legitimate interests (Article 6(1)(f)) – for brand awareness, advertising, and public engagement on social platforms

You can unsubscribe from our emails at any time using the link provided, or manage how your data is used on social platforms by adjusting your own privacy settings.

If you participate in one of our research studies

If you join a user research study, we may collect personal data such as your name, contact details, health information, feedback, and (sometimes) photos. We only collect what we need, and always ask for your consent before involving you.

For more details, please read our full [Participant Privacy Notice].

If you work with us as an influencer

We collect:

Your name, contact details, social media handle(s), and payment details
Notes on collaboration agreements or campaign performance

We use this to manage our working relationship, track outcomes, and make payments.

Legal basis:

Contract (Article 6(1)(b)) – to manage the collaboration
Legitimate interests (Article 6(1)(f)) – to promote our brand

When you contact our customer support team

If you get in touch with us - whether by email, chat, WhatsApp, or through the app - we’ll collect the information you provide, including your name, contact details, and the contents of your message. Sometimes, this may include health-related information if you're asking about your Emm Cup or app experience.

We use this data to:

Respond to your questions or troubleshoot any issues
Follow up on product orders or technical concerns
Keep a record of interactions to improve our support services

Legal basis:

Legitimate interests (Article 6(1)(f)) – to support our users and operate our business effectively
Explicit consent (Article 9(2)(a)) – if your support message contains health data

International Data Transfers

We primarily store and process your data within the UK and European Economic Area (EEA).

Specifically, all health and menstrual data collected through the Emm Cup and Emm App is stored securely within the EEA. This means your sensitive information remains in Europe and benefits from strong UK and EU data protection safeguards.

Some of our trusted service providers — such as those offering email marketing, analytics, or survey tools — may process other types of personal data outside of the UK or EEA (for example, in the United States).

When this happens, we ensure your data remains protected by:

Only working with providers that meet strong privacy and security standards
Putting in place safeguards like Standard Contractual Clauses (SCCs) approved by the UK or EU
Carrying out transfer risk assessments where needed to ensure your rights are protected

We’ll always let you know if anything changes that affects your data, and we aim to minimise international transfers wherever possible.

Data Security

All personal data is stored on secure, encrypted platforms - both when in transit and at rest. We use two-factor authentication (2FA) across all key tools to make it much harder for unauthorised users to gain access.

Access to your data is limited to the people at Emm who genuinely need it, and we use role-based permissions to make sure that only the right team members can see sensitive information. No one at Emm can see the personal data you enter into the app unless you choose to share it with us (for example, if you contact customer support). If this changes in the future, we’ll update this policy to explain when and why that access might happen. Where possible, we replace your identifiable details (like your name) with a study ID or user code - that process is called pseudonymisation - so that you're not directly identifiable unless absolutely necessary.

Everyone on our team receives training on data protection and responsible data handling, and we regularly review who has access to what. We also carefully check the third-party services we use — like cloud storage or analytics tools — to ensure they meet our privacy and security standards.

We apply these security practices consistently across everything we do, whether you're using the app, taking part in a study, or just reaching out with a question.

Data Sharing

We don’t sell your personal data, ever.

We may share your data with:

Our trusted service providers (e.g. cloud storage, analytics, customer support platforms)
Regulators or legal bodies if required by law. (We will never share your health data with law enforcement, government agencies, or authorities unless we are legally required to under UK law - and we will always assess the request carefully before doing so.)
Legal or professional advisors in order to take advice, but will do so under obligations of confidentiality.
Partners we collaborate with to support our research and innovation in menstrual and reproductive health (e.g. research organisations), but only if you choose to allow it, and only ever in anonymised form unless we’ve clearly asked for your consent.

All third parties are required to handle your data safely and only for the purposes we’ve agreed with them.

Third parties who are controllers in their own right

Sometimes we link to other companies’ tools or platforms — like survey providers or social media sites. If you choose to interact with them, they may collect your personal data directly, under their own privacy policies.

For example, we might invite you to complete a survey hosted on a third-party platform. In these cases, we don’t share your health data with those platforms, and they won’t have access to your personal information unless you choose to provide it yourself.

We never share your personal health data with these third parties.

International data transfers

We primarily store and process your data within the UK and European Economic Area (EEA).

When this happens, we ensure your data remains protected by:

Only working with providers that meet strong privacy and security standards
Putting in place safeguards like Standard Contractual Clauses (SCCs) approved by the UK or EU
Carrying out transfer risk assessments where needed to ensure your rights are protected

We’ll always let you know if anything changes that affects your data, and we aim to minimise international transfers wherever possible.

How long we keep your data

We only keep your personal data for as long as necessary to fulfil the purposes described in this Privacy Notice - or as required by law. How long we keep it depends on how and why your information was collected. Here's a breakdown:

Enquiries and messages (e.g. via email, WhatsApp, or website forms) are retained for approximately 12 months from the last correspondence, unless they relate to an ongoing relationship with us.
Purchase and payment records (including shipping and billing information) are kept for up to 7 years after your purchase — to comply with tax, accounting, and legal obligations.
App account data (e.g. name, email, health tracking information) is retained until you choose to delete your account. If your account is inactive for 24 months, we’ll email you to confirm whether you’d like to continue using the app. You’ll have 30 days to respond. If we don’t hear from you, your account and associated data will be permanently deleted.
Customer support interactions may be stored for up to 36 months to ensure continuity of service and for training or audit purposes. In certain cases, where needed to resolve ongoing issues or ensure appropriate follow up, we may retain them for longer.
User research data is kept only as long as it remains relevant to our product development. For example, data relating to older, obsolete features may be deleted sooner, while insights that remain useful across product cycles may be retained for several years. Wherever possible, we pseudonymise this data (e.g. by using study IDs). You can request deletion of your research recordings at any time.
Marketing data (e.g. email sign-ups, engagement data) is retained until you unsubscribe or withdraw your consent. We may retain a record of your opt-out for suppression purposes.
Website analytics and usage data (e.g. collected via cookies or Hotjar) is usually retained for up to 12 months after collection.
Job application data is kept for up to 12 months after the process ends in the event you have been unsuccessful, unless you ask us to remove it sooner. If you're successful and offered a role at Emm, we'll keep your data for the duration of your employment and delete it in line with our legal obligations under UK law once you leave.
Influencer collaboration data (e.g. contracts, contact details, payment records) may be retained for up to 7 years after the end of the relationship for audit and legal purposes.

We may retain your data longer if:

we’re required to by law (e.g. financial or regulatory purposes)
it’s necessary to protect someone’s vital interests
it’s needed to resolve or defend a legal claim

We review our data retention practices regularly and aim to delete or anonymise personal data when it’s no longer needed.

Where is my data stored?

We use several trusted cloud-based systems and standard business applications, such as email, document storage, and communication tools. This includes platforms we use to manage research participation, app activity, customer support, marketing, and internal operations.

Health and menstrual data collected through the Emm Cup and Emm App is stored securely within the European Economic Area (EEA). This means your sensitive information stays in Europe under the strong protections of UK and EU data protection law.

Most of the other personal data we process is also stored within the UK or EEA. However, in some cases - such as when we use tools for email marketing, analytics, or customer surveys - your data may be transferred to countries outside the UK or EEA, including the United States.

When this happens, we ensure appropriate safeguards are in place. We rely on Standard Contractual Clauses (SCCs) issued by the European Commission and recognised by the UK, along with the UK Addendum, to protect your information during these international transfers.

We regularly review our suppliers and data flows to make sure your data remains secure and handled in line with data protection laws.

Your Rights

Under data protection law, you have rights over your personal information. You can:

Ask for a copy of your data
Ask us to correct or delete it in certain circumstances
Withdraw your consent at any time - this won’t affect anything we’ve already done with your data, but we’ll stop any future use.
Object to how we use it or ask us to limit certain uses
Request to transfer it to another organisation or someone else in some circumstances.

If you’d like to use any of these rights, contact us at privacy@emm.co.

Complaints

If you have any concerns about how your data is being handled, or if you believe we have not met our obligations under data protection law, you have the right to raise a complaint with us.

You can contact us directly by emailing privacy@emm.co. Please provide as much detail as possible so we can investigate your concern thoroughly and fairly.

Once we receive your complaint, we will aim to respond within 30 calendar days. We will then assess the matter and aim to provide a clear and timely response without undue delay. Where appropriate, we will explain the steps we have taken or plan to take to address your concern.

If you're not satisfied with how we respond, you also have the right to raise your concerns with the UK’s data protection regulator:

Information Commissioner’s Office (ICO)

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

📞 0303 123 1113 | 🌐 www.ico.org.uk

Data Privacy

We know your menstrual health data is some of the most personal information you share. That’s why we’ve built Emm with privacy and security at its core. We’ve also partnered with Onteigo, our specialist, independent data protection partners, to make sure we’re doing everything we can to handle your information responsibly.
Onteigo supports us by:
- Keeping our privacy practices up to date with UK and EU data protection law (including GDPR).
- Reviewing our policies and processes to make sure they meet the highest standards.
- Providing independent oversight and expert advice on how we protect your data.
This partnership means your privacy isn’t just something we talk about, it’s something we actively invest in, with expert specialists by our side. Click here to view our full Data Privacy Policy.
Your personal and health data is private to you:
- We do not sell your data
- We do not share your health data for advertising
- We only share data with trusted providers who help us run the app securely (like cloud storage). They must follow our instructions and cannot use your data for anything else
Because this includes health data, GDPR gives it extra protection: we can only disclose it when it’s necessary, lawful, and transparent.
If you choose to allow it, we may use the data you generate through the Emm App and Emm Cup to support our research and innovation in menstrual and reproductive health. This includes:
- Cup sensor data (e.g. fluid volume, temperature, movement)
- Logged symptoms, cycle patterns, and contraceptive use
- App usage and interactions (e.g. which features you use most)
We only use this data in a pseudonymised or anonymised format — meaning it’s either stripped of identifiable details or grouped in a way that can’t be linked back to you. By letting us use your data in this way, you're helping to:
- Improve our understanding of menstrual and reproductive health
- Build smarter, more inclusive features within the Emm App and Cup
- Support wider research around female health to enable better outcomes
We use strong security measures designed in line with globally recognised GDPR and FDA cybersecurity guidelines to protect your data, including encryption, secure storage, and strict access controls. Our systems are also tested to meet UK PSTI requirements.
That said, no system in the world is completely risk-free. Sometimes breaches happen because of things like weak passwords, human error, or outdated software. We’ve built safeguards around these risks, including:
- Encrypting your data both in transit and at rest
- Training our team regularly on how to handle sensitive health data securely
- Keeping our systems patched, monitoring for threats, and using external experts to test our defences
- A clear incident response plan. If something does go wrong, we have a robust process in place to respond quickly, limit any impact, and keep you informed.
Because your menstrual health information is classed as special category data under GDPR, the law requires stronger protections and tighter limits on how it can be used or disclosed, which we apply throughout our systems and processes.
Yes, GDPR gives you strong rights over your data, and we make it simple for you to use them. You can request to:
- See what data we hold about you
- Update or correct your information
- Delete your account and data at any time
- Withdraw consent for research or other optional uses
We only keep your data while you actively use Emm. If you delete your account, we remove or anonymise your data unless we’re legally required to keep some for a short time (for example, for financial compliance).