LEGAL

Privacy Policy

Ryma, your personal guide to menopause

Last updated · 29 May 2026

01 Who is the data controller?

SB22 Female Health ApS ("Ryma," "we," "us") is the data controller for the processing of the personal data described in this policy.

Detail | Information
Company name | SB22 Female Health ApS
Company reg. no. (CVR) | 43644858
Address | Ragnagade 7, 2100 Copenhagen Ø, Denmark
Privacy contact | [email protected]
Website | https://ryma.health

02 What is Ryma?

Ryma is an AI-powered menopause guide delivered via WhatsApp. Ryma helps women track symptoms, spot patterns and triggers, and generate structured reports for medical consultations.

Ryma is not a doctor, a medical device, or a replacement for professional medical advice. All AI-generated insights are for informational purposes only.

03 What personal data do we collect?

Data category | Examples | Source
Account data | Name, phone number, email | You, at registration
Health data (special category) | Symptoms, symptom intensity, triggers, medication details, menstrual history, sleep patterns | You, via WhatsApp conversations (text and voice)
Conversation content | Messages you send to Ryma, voice transcriptions, support communication | You, via WhatsApp
AI-generated data | Pattern analyses, trigger identification, clinical reports, personal insights | Generated by Ryma's AI
Technical data | Device type, WhatsApp metadata (timestamps, delivery status), IP address on website visits | Collected automatically
Usage data | Interaction frequency, check-in response patterns, feature use | Collected automatically

04 Legal basis for processing

We process your personal data on the following legal bases:

4.1 Ordinary personal data

Purpose | Legal basis | Explanation
Provide the service | Art. 6(1)(b) Performance of contract | Necessary to deliver the service you signed up for
Customer support | Art. 6(1)(b) Performance of contract | Necessary to respond to your enquiries
Platform security | Art. 6(1)(f) Legitimate interest | Protecting the service and its users. Balancing test carried out.
Service improvement | Art. 6(1)(f) Legitimate interest | Only anonymised, aggregated data is used
Legal requirements | Art. 6(1)(c) Legal obligation | Bookkeeping Act, tax legislation, etc.

4.2 Health data (special categories)

Important

The symptom and health data you share with Ryma are health information and therefore special categories of personal data under GDPR Art. 9.

Legal basis: We process your health data on the basis of your explicit consent, per GDPR Art. 9(2)(a).

Your consent is obtained at registration, where you actively confirm that you give Ryma permission to process your health data for the purposes described in this policy.

You can withdraw your consent at any time by contacting us at [email protected] or by deleting your account. Withdrawing consent does not affect the lawfulness of processing that took place before the withdrawal. When you withdraw your consent, we delete your health data within 30 days, unless retention is required by law.

05 Automated decisions and profiling

Ryma uses artificial intelligence to analyse your symptom data and generate personal insights. This involves profiling within the meaning of the GDPR, as we systematically analyse your personal data to assess aspects of your health.

5.1 What our AI does

  • Pattern recognition: identifies recurring symptom patterns over time
  • Trigger identification: correlates lifestyle factors (diet, stress, sleep, alcohol) with symptoms
  • Intensity tracking: follows changes in symptom severity
  • Report generation: summarises your data into structured clinical reports

5.2 Your rights regarding automated processing

Ryma's AI-generated insights are advisory and informational. They do not constitute decisions with legal or similarly significant effects for you within the meaning of Art. 22. You are always free to ignore the insights, and they never replace a medical assessment.

Regardless, you always have the right to:

  • Receive an explanation of how a particular insight was generated
  • Contest an insight you believe is incorrect
  • Request that an insight be reviewed manually by a staff member

Contact [email protected] to exercise these rights.

06 Data processors and sub-processors

We use the following third-party services to deliver Ryma. We have entered into data processing agreements (DPAs) with all processors in accordance with GDPR Art. 28.

Provider | Purpose | Data categories | Region | Transfer basis
Supabase | Database, authentication, file storage | All categories | EU (Frankfurt) | EU hosting
Meta (WhatsApp Business API) | Message delivery, conversation infrastructure | Conversation content, account data, metadata | EU (Ireland) + global routing | SCCs + DPA
Twilio | WhatsApp/SMS delivery, message routing | Message content, phone numbers | USA | SCCs
n8n | Workflow automation | Conversation content | EU | EU hosting
Anthropic (Claude), OpenAI (GPT) | AI inference (conversation generation, pattern analysis) | Conversation content, health data | USA | SCCs

We update this list on an ongoing basis. You will be informed of material changes to data processors.

07 Transfer of data outside the EEA

Your health data is stored primarily within the EEA. However, certain processors may process data outside the EEA (for example the USA) as part of delivering the service.

When personal data is transferred outside the EEA, we ensure appropriate safeguards in accordance with GDPR Chapter V, including:

  • The European Commission's Standard Contractual Clauses (SCCs)
  • Adequacy decisions, where they exist
  • Supplementary technical and organisational measures, where necessary

You can request a copy of the relevant transfer safeguards by contacting [email protected].

08 Retention periods

We retain your personal data only for as long as necessary for the stated purpose.

Data category | Retention period | Rationale
Account data | Active + 12 months after deletion | Contract performance and potential claims
Health data | Active + deletion within 30 days | Consent-based; deleted when consent lapses
Conversation content | Active + deletion within 30 days | Necessary for ongoing pattern analysis
AI-generated insights | Active + deletion within 30 days | Linked to health data
Technical data & logs | Max. 90 days | Security and troubleshooting
Billing data | 5 years after transaction | Bookkeeping Act
Anonymised, aggregated data | No time limit | Cannot be attributed to individuals

09 Your rights

As a data subject you have the following rights under the GDPR. You can exercise your rights by contacting [email protected]. We respond to your request within 30 days.

  • Right of access (Art. 15): a copy of all personal data we process about you, in a structured, commonly used, machine-readable format.
  • Right to rectification (Art. 16): correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): deletion of your personal data within 30 days, unless retention is required by law.
  • Right to restriction (Art. 18): restriction of processing in certain cases.
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format, or have it transferred directly to another controller.
  • Right to object (Art. 21): object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7): withdrawal does not affect the lawfulness of earlier processing.

9.1 How to exercise your rights

Send an email to [email protected] with the subject line "GDPR rights" and state which right you wish to exercise. We may ask for identity verification to protect your data.

We respond to all requests within 30 days. In particularly complex cases the deadline may be extended by a further 60 days, and we will inform you of the reason.

9.2 Complaint to a supervisory authority

You have the right to lodge a complaint with a supervisory authority, including:

10 Handling personal data breaches

We have procedures in place to detect, assess, and handle personal data breaches in accordance with GDPR Art. 33-34.

In the event of a breach likely to result in a risk to your rights:

  • We notify the Danish Data Protection Agency within 72 hours of becoming aware of the breach
  • We notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms
  • We document all breaches and the measures we take

11 Impact assessment (DPIA)

We have carried out a data protection impact assessment (DPIA) in accordance with GDPR Art. 35. The assessment covers the processing of health data via AI-powered analysis and identifies risks and measures to protect your rights.

The DPIA is reviewed and updated at least annually or upon material changes to the processing.

12 AI transparency

In accordance with the EU AI Act (Regulation 2024/1689) we disclose the following:

  • You are interacting with an AI system, not a human, when you communicate with Ryma via WhatsApp
  • Ryma uses large language models (LLMs) to generate responses and insights
  • The AI system's output is based on patterns in your data and general knowledge, not on clinical examination
  • AI-generated insights may contain errors or inaccuracies
  • The system improves continuously, and responses may change over time

13 Cookies and tracking on ryma.health

Our website ryma.health uses cookies. We distinguish between:

  • Necessary cookies: required for the website's core functionality (for example session handling). These do not require consent.
  • Analytics cookies: used to understand website traffic and usage patterns. Activated only after your explicit consent.
  • Marketing cookies: not used at this time. If we introduce them, they will only be activated after consent.

You can change your cookie preferences at any time via our cookie banner on the website.

The WhatsApp service itself does not use cookies from Ryma. Meta/WhatsApp have their own cookies and tracking mechanisms, subject to Meta's own privacy policy.

14 Children

Ryma is intended solely for adults and is not directed at persons under 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18, we delete it as soon as possible.

15 Security measures

We use technical and organisational measures to protect your personal data, including:

  • Encryption of data in transit (TLS) and at rest
  • Access control and the principle of least privilege
  • Regular security monitoring and logging
  • Staff awareness of data security and privacy protection
  • Ongoing assessment and updating of security measures

No system is 100% secure. In the event of a data breach we follow the procedures described in section 10.

16 Changes to this policy

We may update this privacy policy from time to time. Material changes are communicated with at least 30 days' notice via email, WhatsApp, or on the website. The current version is always available at ryma.health.

If a change requires new consent (for example expanding the purposes of health data processing), we obtain your consent before the change takes effect.

17 Contact

For privacy enquiries, rights, or complaints, contact us:

SB22 Female Health ApS
Ragnagade 7, 2100 Copenhagen Ø, Denmark
CVR: 43644858
Email: [email protected]
Website: https://ryma.health

For complaints you can also contact the Danish Data Protection Agency: www.datatilsynet.dk