Last updated on April 21, 2026.
The data controller for your information is Weigel Consulting SAS. Our Data Protection Officer (DPO) is Igor Weigel, whom you can reach at contact@mylongpath.com.
MyLongPath collects the following categories of data:
• Identification data: your email address, which is the only personal detail we strictly require (we use it to create your account, prevent bot signups, and keep each account unique), and your password, which is stored only in hashed form. We never ask for your real name; the field is labeled "name or nickname".
• Profile data: your age, sex, country, diagnosis date, and medical conditions.
• Health data: your daily scores (energy, sleep, mood, anxiety, pain), the treatments you follow, and your symptoms.
• Wearable data, only if you opt in: your heart rate, heart rate variability (HRV), sleep, and steps. This data comes from Apple Health on iOS or Health Connect on Android.
• Usage data: internal activity logs, which we never share with third parties.
We rely on the following legal bases under the General Data Protection Regulation (GDPR) to process your data:
• Your explicit consent, under Article 9(2)(a) of the GDPR, whenever we process your health data.
• Performance of our contract with you, under Article 6(1)(b) of the GDPR, so that the service can actually function.
• Our legitimate interest, under Article 6(1)(f) of the GDPR, to improve the platform and keep it secure.
We use your data for the following purposes:
• To provide you with a personalized health tracking service.
• To calculate similarities between profiles, always on an anonymous basis.
• To generate AI-powered insights using Vertex AI.
• To send you the notifications that are necessary for the service, through our provider Resend.
• To improve the platform through usage analytics, measured with Plausible, which does not use cookies.
All your data is hosted on Google Cloud Platform in the europe-west9 region (Paris, France), on infrastructure certified HDS (Health Data Hosting) for the storage of sensitive health data. We apply the following security measures:
• Your data is encrypted in transit using TLS 1.3, and at rest on our servers.
• Authentication relies on a JWT stored in an httpOnly cookie that browser-side JavaScript cannot access.
• Wearable access tokens are encrypted with AES-256-GCM before being stored.
• Database access is restricted to a private network and is never exposed to the public internet.
• Our monitoring stack uses Sentry for error tracking and Plausible for cookie-free usage analytics.
To run MyLongPath, we rely on the following third-party processors, all hosted within the European Union:
• Google Cloud Platform, for hosting, databases, and running our application services on Cloud Run.
• Vertex AI and the Gemini model, for the AI analyses we apply to your health data.
• Resend, for sending our transactional emails in a GDPR-compliant setup.
• Plausible, for our web usage analytics, which are cookie-free and GDPR compliant.
We never sell your personal data, and we never share it for advertising purposes.
Connecting to a wearable platform (Apple Health on iOS, Health Connect on Android) is entirely optional and always initiated by you.
• Authentication tokens are encrypted with AES-256-GCM before being stored on our servers.
• You can disconnect a platform and delete the associated wearable data at any time, directly from your profile.
• We synchronize the following data, each for a specific purpose:
 - Sleep: shown on your dashboard so that you can compare measured sleep with how you actually felt.
 - Steps: used to detect days of intensive activity and to adjust your energy budget in the pacing module.
 - Heart rate and heart rate variability (HRV): used to detect correlations between intensive days and Post-Exertional Malaise (PEM) crashes.
• No wearable data is ever shared with other users.
Your personal and health data is retained for as long as your account remains active. When you delete your account, all of your data is erased permanently and irreversibly within a maximum of 30 days.
Under the General Data Protection Regulation (GDPR), you have the following rights:
• Right of access: you can view all of your personal data.
• Right of rectification: you can correct any data that is inaccurate.
• Right to erasure: you can delete your account and all of your data.
• Right to data portability: you can export your data as a PDF report.
• Right to object: you can object to any processing of your data.
• Right to restriction: you can ask us to restrict how we process your data.
Account deletion is available directly from the app, under Profile > Delete my account. To exercise any of your other rights, write to us at contact@mylongpath.com.
MyLongPath only uses cookies that are strictly necessary for the service to work:
• mlp-token: our authentication cookie, marked httpOnly and secure.
• mlp-locale: a cookie storing your language preference.
We do not use any advertising or tracking cookies. Our usage analytics are powered by Plausible, which does not set any cookies at all.
This privacy policy may be updated at any time. If we make any substantial changes, we will notify you clearly before they take effect. The date of the most recent update is always shown at the top of this page.
MyLongPath uses Vertex AI (Google Cloud Platform) with the Gemini model, hosted in the same Paris region (europe-west9) as your application data.
• We do not perform any specialized training: we use the generic Gemini model, and the quality of its output relies entirely on our prompt engineering work.
• No personal data is ever sent to the AI, meaning no name, no email, no location, and no direct identifier of any kind.
• We only send the data that is strictly relevant to each task, for example the evolution of your treatments and symptoms when we generate a personal insight for you.
• For community insights about a treatment, which we only trigger once enough users have shared their experience, we send aggregated statistics only, never any individual data.
• Under our Vertex AI contract, Google does not reuse the data we submit to train its models.
Menstrual cycle tracking is a fully optional module, disabled by default. It only becomes active once you explicitly opt in from your settings.
Legal basis
• Menstrual cycle data qualifies as sensitive health data under Article 9 of the General Data Protection Regulation (GDPR). Its processing relies exclusively on your explicit, separate consent, as defined in Article 9(2)(a) of the GDPR.
• You can withdraw this consent at any time, without having to justify yourself and without any impact on the rest of the service.
Double opt-in
• A first consent enables local tracking, meaning the encrypted storage of your cycles within your own account.
• A second, separate and optional consent authorises the inclusion of your data in anonymous journeys, in the sense of Recital 26 of the GDPR (data that can no longer be tied to you). By default, even if you have enabled tracking, your cycle data is excluded from those anonymous journeys.
What is collected (only if you enable the module)
• Your tracking mode (natural cycle, cyclic contraception, amenorrhea, perimenopause, menopause) and contraception type.
• The dates and intensity of your periods, any spotting, and your average cycle length.
• These fields are serialised to JSON and encrypted at the application layer using AES-256-GCM before being written to the database, on top of the at-rest encryption already provided by Cloud SQL.
• The encryption key is derived per user via HKDF from a master secret stored in Google Secret Manager (europe-west9, Paris, HDS region), so no two accounts share a data key.
• No encryption key, no decrypted data, and no sensitive field value ever transits through our application logs or monitoring tools.
What MyLongPath does NOT do
• We do not predict ovulation, we do not display any fertility window, and we do not track sexual activity.
• We do not share anything with third-party apps: Apple Health and Health Connect remain strictly read-only.
• We do not send any push notifications that explicitly mention your cycle without a dedicated opt-in.
• No administrator has access to your decrypted data: it can only be read through the app, and only for your own account.
EU-only hosting: post-Roe safeguards
• Your cycle data is hosted and encrypted exclusively on Google Cloud Platform, in the europe-west9 region (Paris, France, HDS).
• The master key is stored in Google Secret Manager, in the europe-west9 region only.
• No cycle data, whether encrypted or in plaintext, is ever transferred to US infrastructure or to any other foreign jurisdiction.
• If a foreign legal injunction were to target your cycle data, MyLongPath commits to refuse disclosure and to notify you within the bounds allowed by French law.
One-tap deletion, decoupled from account deletion
• You can delete all your cycle data in a single tap from your settings, without deleting your account and without losing any of your other data (journal, treatments, symptoms, PDF reports).
• The deletion is final and covers profiles, history, events, and the associated encryption artefacts.
Audit log
• Every action you take on your cycle data (create, read, update, delete, export) is logged, with only the technical metadata we actually need: an internal identifier, a timestamp, and the action type. No sensitive value is recorded there.
Internal contact
• For any question specific to this module, reach out to us at contact@mylongpath.com with the subject "Menstrual cycle module".
If you have any questions, reach out to us at contact@mylongpath.com.