Privacy Policy
Introduction and Eshe’s Approach to Data Protection
Eshe is a digital service in the field of women’s health and wellbeing, available through a mobile application and related digital features. Depending on which features the user chooses to use, Eshe may provide the ability to create an account, maintain a cycle calendar, track symptoms and medication intake, complete interactive mini check-ups, interact with an AI assistant, view content, post comments, publish materials in community / forum sections, and use other built-in features of the service.
In connection with the operation of these features, Eshe processes personal data, which may include sensitive data related to health, wellbeing, cycle, symptoms, medication intake, user messages, uploaded materials, and other information that the user voluntarily provides when using the service.
This Privacy Policy explains:
what categories of data Eshe processes;
how and for what purposes we use such data;
on what legal bases the processing is carried out;
in which cases third-party services and integrations may be involved in the processing;
what safeguards and limitations apply to the data;
what rights and controls the user has.
Eshe builds its data processing practices on the following principles:
we process personal data lawfully, fairly, and transparently;
we limit processing to specific and lawful purposes;
we design data processing in a way that limits the collection and use of information to the amount necessary for the relevant feature;
we apply an increased level of care and protection to sensitive data and higher-risk data;
we distinguish between different types of user scenarios and do not treat all data as identical in nature, sensitivity, or privacy risk.
Eshe recognizes that different data interaction modes may exist within the same product. For example:
data entered by the user into the calendar, tracking features, and mini check-ups usually relates to personal self-observation features;
data disclosed by the user in the AI chat may be used to generate a response within the relevant feature;
comments, posts, and materials published by the user in community / forum features may have a different visibility regime and different privacy expectations than private personal records.
For this reason, the scope and nature of the data processed depend on which features the user chooses to use, what data the user decides to provide, whether the user enables notifications, initiates a payment, uses AI features, completes mini check-ups, publishes comments or posts, or uploads images, videos, voice messages, or other materials.
This Privacy Policy applies together with other Eshe documents and notices, including the Terms of Use, special notices for individual features, interface messages, as well as separate consents and specific disclaimers where they apply to a particular feature or scenario.
Who We Are and Who This Policy Applies To
Unless expressly stated otherwise in a separate notice, an annex to this Privacy Policy, or a local document for a specific jurisdiction, the operator / controller of personal data within the Eshe services covered by this Privacy Policy is:
FEM HEALTH LIFE LIMITED
Giangou Tornariti 8, Ilia Court 202, 3035 Limassol, Cyprus
Email: official@eshe.space
Phone: +254 00000000
In this Privacy Policy, “Eshe,” “we,” “us,” and “our” mean FEM HEALTH LIFE LIMITED, except where a specific processing activity is expressly attributed to another person or another service provider.
This Privacy Policy applies to the processing of personal data within the Eshe mobile application, related digital interfaces, AI and chat features, calendar and tracking features, mini check-ups, feed and content sections, comments, community / forum features, push notifications, payment scenarios, and other related Eshe services, to the extent that Eshe determines the purposes and means of processing personal data.
This Privacy Policy applies, in particular, to:
users who create an Eshe account;
users who sign in to Eshe using a phone number, WhatsApp, email, Google, or Apple;
users who use the calendar, tracking features, mini check-ups, AI assistant, and other Eshe features;
users who post comments, messages, posts, and other user content;
users who upload images, videos, voice messages, or other materials into chat, comments, or community features;
users who pay for a subscription or other paid features;
users who receive push notifications, emails, service messages, or support;
users of Eshe’s website, landing pages, and other digital touchpoints, where their data is processed in connection with the use of Eshe.
If the user uses third-party platforms, sign-in methods, payment tools, push services, analytics tools, AI services, or other external integrations, part of the processing may also be governed by the terms and policies of the relevant third-party providers. In such cases, Eshe does not replace the rules of the third-party service, but discloses, where applicable, how such integration is used within the operation of Eshe.
What Categories of Data We Process
To provide, support, protect, and improve Eshe, we process different categories of personal data. Not every user provides all of the data listed below; the specific set of data depends on the features used and the user’s actions.
Account and Registration Data
When a user creates or uses an Eshe account, we may process:
phone number;
email address;
name, nickname, or display name, if provided;
age or age category, if required by the relevant scenario;
information about the selected registration or sign-in method;
data related to sign-in confirmation, verification, and access;
the user’s internal account identifier;
account creation date;
information about account status, active sessions, and access to the service.
Technical Data, Device Data, and Usage Data
When using Eshe, we may process:
device type and device model;
operating system version;
application version;
technical identifiers of the application and device;
tokens, session-related data, and other service data necessary for the operation of the application;
push token or similar technical identifier used to send notifications;
IP address;
date and time of use;
information about sessions, technical events, and feature usage;
crash, error, diagnostic, and performance data;
data about transitions, deep links, installations, returns, and relaunches, where related to the operation of the service or the measurement of its use.
Health and Wellbeing Data
Because Eshe includes women’s health and wellbeing features, we may process data that the user voluntarily enters, records, tracks, or otherwise provides through the relevant service features, including:
menstrual cycle information;
cycle calendar data;
symptoms;
wellbeing and condition-related information;
information about medication, pills, or other similar user entries;
reproductive goals or other goals for using the application;
answers entered in interactive scenarios, where they relate to health or wellbeing;
user notes and observations;
other sensitive information that the user voluntarily provides through Eshe.
Depending on applicable law, such data may qualify as sensitive personal data or special category data and is processed with an increased level of protection.
Data Related to Interaction with AI Features
If the user uses the AI assistant or other Eshe AI features, we may process:
the user’s text messages, requests, and wording;
the user’s answers to follow-up questions;
chat history;
responses generated by the system;
timestamps of interactions;
information about the user’s selected purpose for using the application, where necessary to generate a response;
limited context necessary for the operation of the AI feature;
service data related to the request topic, routing, session, and other technical data necessary for the operation of the AI feature.
Such data may overlap with health data if the user discloses information in the AI chat about symptoms, cycle, wellbeing, medications, reproductive questions, or other sensitive topics.
Tracking Data, Mini Check-Ups, and Self-Observation Features
If the user uses the calendar, tracking features, mini check-ups, and other self-observation features, we may process data generated within the relevant functional scenarios, including:
entries made by the user in the calendar;
symptom entries and changes in condition;
answers in mini check-ups;
information about related conditions, observations, and user patterns in using the relevant features;
reminder settings and related preferences;
history of interaction with such features;
internal aggregated or structured events reflecting changes in the user’s condition, where generated for the operation of a specific feature.
This section describes data in the context of how it is generated and used within the product’s functional scenarios, rather than as a separate category of personal data by its nature.
User Content and Uploaded Materials
Eshe may process user content that the user voluntarily creates, publishes, or uploads into the relevant service features. This may include:
messages in the AI chat;
comments under publications;
the user’s own posts in the community / forum section;
images;
videos;
voice messages;
screenshots and other materials that the user expressly chooses to upload.
Depending on its content, such user content may include:
the user’s own personal data;
sensitive health data;
data of third parties;
materials that may be visible to other users if published in community / forum features or in comments.
For this reason, user content and uploaded materials are treated as a higher-risk category of data and are subject to separate control measures.
If the user publishes a comment, post, or other content in a feature intended for interaction with other users, such content may be visible to other users within the relevant feature. The user should independently assess the amount of information disclosed and should not publish sensitive data about themselves or data of third parties beyond what is necessary.
Payment Data and Subscription Data
If the user purchases a subscription or obtains access to paid Eshe features, we may process:
information about the subscription type or plan;
payment status;
subscription start, renewal, end, or cancellation date;
transaction confirmations;
technical and payment identifiers necessary to confirm access;
other limited data necessary to activate, maintain, and verify access to paid features.
Depending on the selected payment method, part of the payment information may be processed by third-party platforms or payment providers, and Eshe may receive only limited information necessary to activate, confirm, and maintain the user’s access.
Marketing, Attribution, and Platform Performance Data
To understand how users find Eshe, how the application is used, and how individual acquisition channels perform, Eshe may process limited categories of data related to usage analytics, attribution, and campaign performance, including:
installation source;
campaign identifiers;
acquisition channel data;
in-app event information;
data about conversion, return, and use of individual features;
technical signals used to measure app usage and user acquisition performance.
Eshe does not sell health data to advertisers and does not treat sensitive health data as an acceptable object of commercial transfer for advertising purposes.
Support and Communication Data
If the user contacts Eshe, receives support, or receives messages from the service, we may process:
support requests;
correspondence with the user;
complaints and requests;
notification settings;
records of service messages, reminders, and other communications;
data voluntarily disclosed by the user as part of the request.
If the user discloses health information or other sensitive content in support communications, such information is also treated according to its nature as sensitive data.
Integration and Third-Party Service Data
If the user uses third-party sign-in, push features, payment mechanisms, analytics services, AI providers, or other integrations, Eshe may process data received from or transmitted to such services to the extent necessary for the operation of the relevant feature. This may include:
authentication confirmations;
technical integration identifiers;
service data related to message delivery;
analytics and attribution events;
payment or subscription status confirmations;
other limited technical data necessary for the operation of a specific integration.
Derived, Structured, and Service Data
In limited cases, Eshe may generate internal derived, structured, or service data based on user inputs and interactions with the service. This may include:
user preferences;
patterns of feature usage;
service classifications of request topics;
internal aggregated events;
summary data necessary for feature continuity, service quality improvement, and technical resilience.
If such data is generated from sensitive user inputs, it is also subject to appropriate safeguards.
Data Processed at the User’s Choice
Certain categories of data are processed only because the user chooses a particular feature, initiates interaction with AI, completes a mini check-up, publishes a comment, creates a post, uploads an image, video, or voice message, enables notifications, or uses a particular sign-in or payment method. This means that Eshe does not require every user to provide all categories of data listed in this section.
How and Why We Process Your Data
Below are the main purposes for which Eshe processes data. For each purpose, the nature of processing depends on the feature used, the category of data, the user’s settings, and the requirements of applicable law.
Creating, Maintaining, and Protecting the Account
We process account and registration data in order to:
create the user’s account;
provide access to Eshe;
maintain the functionality of the account;
confirm the user’s identity at sign-in;
ensure account security and restrict unauthorized access;
keep records of account status and basic service actions related to its use;
send the user messages directly related to the account and access to the service.
For these purposes, we may use:
phone number;
email address;
name, nickname, or display name;
age or age category, where required by a specific scenario;
information about the selected sign-in method;
internal account identifier;
verification data, tokens, and other service information necessary for secure access.
The primary legal basis for this processing is the necessity of processing to create and maintain the account and provide the user with the requested service. In addition, Eshe may process limited technical and service data on the basis of its legitimate interest in protecting accounts, preventing abuse, ensuring platform security, and maintaining its proper operation, provided that such processing is proportionate and does not override the user’s rights.
Authentication and Supported Sign-In Methods
We process data related to authentication so that the user can securely sign in to Eshe using supported sign-in methods, including phone / WhatsApp, email, Google, and Apple.
Such processing includes:
confirming the sign-in method selected by the user;
verifying the right to access the account;
protecting the sign-in mechanism;
supporting continuity of access and preventing unauthorized use of the account.
For these purposes, we may process:
data provided by the user during sign-in;
technical authentication confirmations;
tokens, session-related data, and other technical data necessary for sign-in;
data received from the relevant third-party sign-in service to the extent provided by the selected authentication method.
The primary legal basis for this processing is the necessity of processing to provide the user with the selected sign-in method and access to the service. With respect to securing the sign-in mechanism and protecting against abuse, Eshe may also rely on its legitimate interest in protecting the platform and user accounts.
Providing Eshe’s Core Features
We process data to operate Eshe as a digital service, including:
providing access to the main app features;
operating interfaces, the feed, and built-in scenarios;
saving user entries and actions within the features used;
supporting comments, community / forum features, and other user interactions;
displaying relevant service elements;
supporting continuity of Eshe use across sessions and within different app features.
For these purposes, Eshe may use:
account data;
technical data;
app usage data;
user entries and user content;
certain health and condition-related data, where necessary for the operation of features selected by the user.
The primary legal basis for this processing is the necessity of processing to provide the Eshe features that the user knowingly chooses and uses. Where the operation of a specific feature requires the processing of sensitive data, Eshe relies on the appropriate legal basis, including separate or explicit user consent where required by law.
Eshe recognizes that different core app features may have different data visibility regimes. For example, personal entries in the calendar, tracking features, and mini check-ups are different in nature from comments, posts, and materials that the user chooses to publish in spaces intended for interaction with other users.
Calendar, Tracking, Mini Check-Ups, and Self-Observation Features
If the user uses the cycle calendar, tracking features, mini check-ups, and other self-observation features, Eshe processes data in order to:
save and display the user’s entries;
record changes in cycle, symptoms, conditions, and related observations;
operate interactive scenarios and mini check-ups;
show history, reminders, and other results based on user inputs;
support the internal logic of self-observation features and related digital scenarios;
generate service aggregated events reflecting changes in the user’s condition, where necessary for the operation of the relevant features.
For these purposes, Eshe may process:
cycle data;
symptoms;
wellbeing information;
medication intake information;
answers in mini check-ups;
user notes;
related settings and preferences;
internal service data necessary for the operation of such features.
Because such data may constitute sensitive health data, Eshe processes it only to the extent necessary for the operation of the relevant user scenarios and applies enhanced safeguards. The legal basis for such processing is the provision of the feature that the user knowingly initiates and populates with their own data, as well as explicit or other legally required consent where necessary in light of the nature of the data and applicable law.
Eshe AI Assistant and AI Features
If the user interacts with the Eshe AI assistant or other Eshe AI features, we process data in order to:
receive and interpret the user’s request;
take into account limited relevant context necessary to generate a response;
generate a personalized response within the relevant feature;
maintain the logical continuity of the conversation;
ensure the technical resilience, security, and continuity of the AI feature;
detect technical errors, failures, anomalies, and misuse of the feature;
support the operation of digital user support within Eshe’s architecture.
For these purposes, Eshe may process:
the user’s text messages;
the user’s answers to follow-up questions;
limited conversation history;
the user’s age, if provided;
name or nickname, if used within the relevant scenario;
the user’s selected purpose for using the application;
cycle information and related entries to the extent necessary to respond within the relevant scenario;
images, videos, or voice messages, if the user expressly and voluntarily uploads them into the AI chat as part of the relevant request;
service data related to the request topic, session, and other technical data necessary for the operation of the AI feature.
Eshe’s AI functionality operates through Eshe’s backend infrastructure and not by directly sending data from the client application to an external AI service. In relevant scenarios, Eshe may use external AI providers to generate a response within the service architecture. In such processing, Eshe applies technical measures aimed at limiting unnecessary transfer of directly identifying data and the amount of context where provided by the architecture of the relevant feature and where technically applicable. At the same time, user content itself may contain personal data or sensitive information depending on what the user chooses to say or upload.
Eshe uses a general but purpose-limited approach to AI processing: only the context necessary for the operation of the relevant feature and for generating a relevant response within the user’s request is included in the processing. More detailed technical parameters, internal limitations, and request routing rules are documented in Eshe’s internal technical and governance documents and are not disclosed in full in this Privacy Policy.
Eshe uses only approved providers for AI features and applies internal contractual, service, and technical requirements to such scenarios, aimed at improving processing security and limiting unauthorized use of data.
The primary legal basis for processing data within AI features is the necessity of providing the user with the feature that the user independently initiates and uses. Where health-sensitive data or other sensitive user content is processed within an AI feature, Eshe relies on the appropriate legal basis, including explicit or other legally required consent where necessary. Limited technical processing related to security, resilience, and abuse prevention may also be carried out on the basis of Eshe’s legitimate interest, provided that such processing is proportionate.
Eshe AI features are intended to provide digital, informational, and user support within the Eshe service. They are not intended to provide a medical diagnosis, prescribe treatment, provide emergency assistance, or replace a licensed healthcare professional. Additional terms and limitations relating to AI features may be set out separately in Eshe’s Terms of Use, special notices, or separate disclaimers.
Uploading Images, Videos, Voice Messages, and Other User Content
If the user voluntarily uploads images, videos, voice messages, screenshots, or other materials into the AI chat, comments, community / forum features, or other supported Eshe scenarios, we process such content in order to:
receive, store, and technically process the uploaded material within the relevant feature;
display it to the user or, where provided by the logic of the relevant feature, to other users within that scenario;
use the uploaded material to process the user’s request within an AI feature, if the user has expressly initiated such a scenario;
support the operation of comments, posts, community / forum features, and other forms of user interaction;
enable the delivery, storage, display, moderation, restriction, deletion, and other management of such content in accordance with the service rules;
ensure the security, integrity, and proper operation of the features in which user content is used.
For these purposes, Eshe may process:
images;
videos;
voice messages;
screenshots;
text accompanying the uploaded material;
technical and service data related to the upload, time, session, storage, display, and use of the relevant content.
Eshe treats the upload of such content as a voluntary action by the user. Except where a particular feature by its nature requires the relevant input, Eshe does not treat the upload of images, videos, voice messages, or other materials as a mandatory condition for the basic use of the service.
The processing and visibility regime of uploaded content depends on the relevant feature:
if the user uploads materials into the AI chat or another private user scenario, such content is processed in order to respond to the relevant request and is not intended for publication to other users;
if the user uploads materials into comments, community / forum, or other spaces intended for interaction with other users, such content may be accessible to other users within the relevant feature.
The user is responsible for the content of materials that the user voluntarily uploads or publishes in Eshe features involving user interaction. The user should not disclose sensitive data about themselves beyond what is necessary, or personal data of third parties where the user does not have an appropriate basis or permission for such disclosure.
Because uploaded materials may, depending on their content, include sensitive health information, images of the body, voice, surroundings, and other information that may directly or indirectly identify the user or other persons, Eshe treats such content as higher-risk content and applies separate control measures, access restrictions, and processing rules, taking into account the nature of the relevant feature.
Eshe may restrict, hide, block, delete, or otherwise process user content where necessary to:
comply with the service rules;
protect users;
prevent abuse;
stop unlawful or improper use of the service;
ensure the security, integrity, and resilience of the platform.
The primary legal basis for such processing is the necessity of providing the user with the feature that the user independently initiates and uses, including the ability to upload content within the relevant user scenario. If uploaded content contains sensitive health data or other sensitive user content, Eshe relies on the appropriate legal basis, including explicit or other legally required consent where necessary.
Service Messages, Reminders, and Push Notifications
Eshe may process data in order to send the user service messages, reminders, and push notifications related to the operation of the application, account security, and the features selected by the user.
Such processing may be carried out in order to:
confirm registration, sign-in, access recovery, and other account-related actions;
send messages necessary for the operation of the account and the service;
send reminders related to the calendar, tracking features, mini check-ups, and other features, where such reminders are provided by the relevant feature and depend on the user’s choice or app settings;
inform the user about significant changes, access status, subscription, account security, and other matters directly related to the use of Eshe;
ensure the technical delivery of push notifications, in-app messages, and other service communications.
For these purposes, Eshe may process:
push tokens and other technical delivery identifiers;
account data necessary to address the message;
notification settings and user preferences;
information about the enabling, delivery, opening, or technical status of a notification;
data related to the relevant feature, to the extent necessary to generate and send the message.
Eshe distinguishes between the following types of communications:
mandatory service messages, without which it is not possible to properly ensure account security, access to the service, or the performance of key service actions;
functional reminders and notifications related to specific features that the user has activated, uses, or configured;
other communications, for which separate settings, notices, consents, or special rules may apply.
If the user disables push notifications at the device level or within the available app settings, this may affect the receipt of certain reminders and messages that are not strictly necessary for the operation of the account and the service.
The primary legal basis for such processing is the necessity of ensuring the operation of the relevant Eshe features that the user uses, as well as Eshe’s legitimate interest in maintaining the functionality, security, and continuity of the user service. Where a specific type of communication requires separate consent by law or due to its nature, Eshe relies on the appropriate legal basis.
User Support
If the user contacts Eshe for help, clarification, problem resolution, or submits a complaint, request, or other service-related inquiry, we process data in order to:
receive and register the inquiry;
review the context of the inquiry and the related functional scenario;
respond to the user;
resolve a technical, service-related, or other issue;
manage the inquiry until it is completed;
document the handling of the inquiry;
perform limited analysis of inquiries to improve service resilience, prevent recurring failures, and improve support quality.
For these purposes, Eshe may process:
name, nickname, email, phone number, or other account data, where necessary for communication and identification of the inquiry;
content of the inquiry;
correspondence with the user;
service data related to the inquiry, its status, and processing history;
technical and diagnostic data, where necessary to resolve the issue;
health data or other sensitive content, if the user voluntarily discloses it as part of the inquiry.
The primary purpose of such processing is to review and resolve the user’s specific inquiry. Eshe does not treat sensitive content disclosed by the user in support communications as a free resource for unlimited reuse. Any additional use of such data to improve support quality, service resilience, or prevention of recurring errors is limited to the scope that is genuinely necessary, proportionate, and justified by the relevant operational purpose.
If the user discloses health information, symptoms, cycle data, wellbeing details, mini check-up results, AI-chat content, or other sensitive content in an inquiry, such data is processed to the extent necessary to respond to the inquiry and support the relevant feature.
The primary legal basis for such processing is the necessity of reviewing and handling the user’s inquiry related to the use of Eshe, as well as Eshe’s legitimate interest in ensuring support quality, stability, and proper operation of the service. If sensitive data is processed as part of the inquiry, Eshe relies on the appropriate legal basis, including the user’s voluntary disclosure of such data in connection with their request and other grounds provided by applicable law.
Payments and Subscriptions
If the user purchases a subscription or obtains access to paid Eshe features, we process data in order to:
activate access to paid features;
confirm the existence, status, and validity period of the subscription;
process renewal, modification, termination, or cancellation of access;
technically link the subscription to the user’s account;
send service messages related to payment, access, and subscription status;
detect errors, inconsistencies, duplication, or abuse related to paid access.
For these purposes, Eshe may process:
information about the plan or subscription type;
payment status data;
subscription start, renewal, end, or cancellation date;
transaction confirmations;
technical and payment identifiers necessary to confirm access;
limited information received from a payment platform or payment service provider;
account data necessary to link the subscription to the user.
If payment is processed through an app store, mobile payment system, or another third-party payment provider, the relevant provider may independently process payment information under its own terms, privacy policy, and role in data processing. In such scenarios, Eshe generally does not receive or store the full set of the user’s payment details and receives only the data reasonably necessary to:
confirm payment;
activate or maintain access;
verify subscription status;
support the paid user scenario;
resolve related technical or service issues concerning access.
The primary legal basis for such processing is the necessity of providing the user with the paid feature or subscription that the user independently initiates and uses. In addition, Eshe may process limited data related to access status verification, payment scenario security, and abuse prevention on the basis of its legitimate interest in protecting the service and paid access model, provided that such processing is proportionate.
Platform Security, Abuse Prevention, and Protection of System Integrity
Eshe processes data in order to:
ensure the security of the application, accounts, and internal infrastructure;
prevent unauthorized access, abuse, malicious activity, automated attacks, and other bad-faith scenarios;
detect, analyze, and resolve technical failures, errors, and anomalies;
maintain the integrity, availability, and resilience of internal services and data;
control the proper operation of features, including AI scenarios, content uploads, notifications, subscriptions, and user interactions;
investigate security incidents, violations of the Terms of Use, abuse, and other events that may affect the platform, users, or data.
For these purposes, Eshe may process:
technical and network data;
data about sign-ins, sessions, and access attempts;
tokens, IP addresses, and service identifiers;
log data, diagnostic information, and error reports;
data about suspicious, anomalous, or rule-violating activity;
limited data necessary to verify an incident, mitigate its consequences, and prevent recurrence.
As part of ensuring security, Eshe applies technical and organizational measures, which may include:
restricting internal access to data and infrastructure based on the need to know and perform the relevant function;
role-based and organizational access control mechanisms;
logging and monitoring of significant technical and service events;
measures to protect data in transit and at rest;
isolation, segmentation, and control of internal services and environments;
investigation of incidents and measures to contain, resolve, and prevent their recurrence;
other measures that Eshe considers reasonably necessary, taking into account the nature of the service, platform architecture, and categories of data processed.
Eshe does not disclose the full set of its internal security mechanisms in this Privacy Policy where such disclosure could itself increase risks to users, data, infrastructure, or the platform.
The primary legal basis for such processing is Eshe’s legitimate interest in protecting users, the service, infrastructure, and data, as well as preventing abuse, security violations, and failures. Where certain processing is required by law or necessary to perform obligations to users, Eshe may also rely on the relevant legal basis.
Product Analytics and Service Improvement
Eshe may process data in order to:
understand how users interact with the application and individual features;
measure the use of interfaces, scenarios, and product elements;
identify technical and product-related problem areas;
improve the structure, logic, and usability of the application;
analyze feature stability and overall product performance;
make decisions about service development based on actual feature usage.
For these purposes, Eshe may process:
technical data;
app usage data;
session data and in-product event data;
information about transitions between features;
data about the use of the feed, AI chat, mini check-ups, calendar, community / forum, and other features;
limited aggregated, structured, or service data necessary to analyze product performance.
Eshe separates product analytics from the processing of sensitive health data to the extent necessary for the relevant product purpose, feature architecture, and applicable legal basis. Eshe does not treat sensitive health data as a universal analytics resource and limits its use to the scope genuinely necessary for the relevant feature and permitted by law.
The primary legal basis for such processing is Eshe’s legitimate interest in developing, improving, and technically optimizing the service, provided that such processing is limited, proportionate, and does not override the user’s rights and freedoms. If applicable law requires another legal basis for specific analytics scenarios, Eshe relies on such basis to the relevant extent.
Attribution, Campaign Measurement, and Limited Advertising Analytics
Eshe may process limited categories of data related to attribution and measurement of user acquisition channel performance in order to:
understand from which sources users come to Eshe;
measure the effectiveness of marketing campaigns and acquisition channels;
analyze whether particular channels lead to app installation, registration, or feature usage;
limit ineffective or repetitive campaigns;
improve the allocation of marketing resources.
For these purposes, Eshe may process:
installation source;
campaign identifiers;
acquisition channel data;
attribution and conversion events;
limited technical identifiers used to measure acquisition effectiveness;
other limited data necessary to assess advertising and product performance.
Eshe proceeds on the basis that sensitive health data should not be used as an object of commercial transfer for advertising purposes. Eshe does not sell health data to advertisers. If Eshe uses attribution, campaign measurement, or limited advertising analytics tools, such scenarios are technically and organizationally separated from sensitive health data to the extent required, taking into account the service architecture, legal bases, and nature of the feature used.
The primary legal basis for such processing may be Eshe’s legitimate interest in evaluating user acquisition effectiveness and maintaining the sustainable development of the service, where such processing is limited, proportionate, and does not unjustifiably affect users’ rights. If applicable law requires separate consent or another legal basis for specific attribution tools, device identifiers, SDKs, or similar mechanisms, Eshe relies on the appropriate legal basis.
Compliance with Legal Obligations and Responses to Lawful Requests
Eshe may process data in order to:
comply with applicable legal requirements;
respond to lawful requests from public authorities, courts, regulators, and other authorized persons;
fulfill obligations to retain, disclose, or document information where such obligations are expressly established by law;
protect its rights, legitimate interests, users, service, and infrastructure;
prepare, bring, or defend legal claims;
record and demonstrate compliance with applicable rules, internal policies, and obligations to users.
For these purposes, Eshe may process:
account data;
technical and service data;
data related to the relevant request or legal situation;
limited categories of user data where genuinely necessary to comply with a specific legal requirement or protect Eshe’s legal position.
Eshe assesses such requests and scenarios in light of their lawfulness, scope, necessity, and proportionality. Eshe does not disclose data beyond what is reasonably necessary to comply with the relevant obligation, respond to a lawful request, or protect the company’s legal position. Where applicable law allows Eshe to narrow the scope of disclosure, limit the use of data, request additional confirmation of the requesting party’s authority, or otherwise ensure more proportionate processing, Eshe may use such measures to the extent permitted by law.
The legal basis for such processing is the necessity of complying with legal obligations, as well as Eshe’s legitimate interest in protecting its rights, users, infrastructure, and legal position, where permitted by applicable law.
Legal Bases for Processing
Eshe processes personal data only where there is an applicable legal basis. The specific legal basis depends on the nature of the data, the feature used, the purpose of processing, and the requirements of applicable law.
Eshe does not use one single legal logic for all processing scenarios. We align each significant category of processing with the legal basis that genuinely corresponds to the nature of the relevant feature and the type of data involved.
Necessity to Provide the Service Requested by the User
Eshe processes personal data where this is necessary to provide the user with a feature, scenario, or service that the user independently initiates, selects, or uses.
This legal basis applies, in particular, where processing is necessary for:
creating and maintaining an account;
authentication and sign-in to the application;
providing access to Eshe’s core features;
operating the calendar, tracking features, mini check-ups, and other user scenarios;
processing a user request within an AI feature;
uploading, storing, and displaying user content within the relevant feature;
linking a subscription or paid access to the account;
handling a user inquiry;
delivering messages without which the account, access, or a feature selected by the user cannot function properly.
Eshe relies on this basis only to the extent that the relevant processing is genuinely necessary to perform the feature or service requested and used by the user.
User Consent
Eshe relies on user consent where such consent is required by law or is the appropriate legal basis in light of the nature of the data and the feature.
This is particularly important in scenarios involving:
sensitive health data;
certain types of higher-risk user content;
certain types of notifications, communications, or functional scenarios;
certain analytics, attribution, SDK, or device identifier scenarios, where consent is required;
other situations in which the law requires a freely given, specific, informed, and unambiguous expression of the user’s wishes.
Where consent is required, Eshe obtains it in a form appropriate to the nature of the relevant feature, the category of data, and applicable law. The user has the right to withdraw consent to the extent permitted by law and by the nature of the relevant processing. Withdrawal of consent does not affect the lawfulness of processing carried out before such withdrawal.
Eshe’s Legitimate Interest
Eshe may process limited categories of data on the basis of its legitimate interest where such processing:
has a real and lawful purpose;
is objectively necessary for that purpose;
is proportionate;
does not exceed the scope of processing that is reasonably expected;
does not unjustifiably override the rights, freedoms, and interests of the user.
This legal basis may be used, in particular, in connection with:
ensuring platform security;
preventing abuse, fraud, and unauthorized access;
maintaining the stability and technical resilience of the service;
limited diagnostics of errors and failures;
product analytics and service improvement;
limited attribution and measurement of acquisition channel performance, where such processing does not unjustifiably affect the user’s rights and complies with legal requirements;
protecting the legal position of Eshe, users, the service, and infrastructure.
Eshe does not use legitimate interest as a universal basis for all processing. If the nature of the data or the scenario requires another legal basis, including separate consent, Eshe relies on that basis.
Compliance with Legal Obligations
Eshe processes data where such processing is necessary to comply with obligations imposed on the company by applicable law.
This may include cases where Eshe is required to:
retain certain information;
respond to lawful requests from courts, regulators, and other authorized authorities;
comply with requirements related to corporate, tax, financial, or other mandatory regulation;
record and demonstrate compliance with applicable requirements;
retain or disclose data to the extent expressly required by law.
How Eshe Applies Legal Bases in Practice
In general terms, Eshe follows the model below:
account, access, basic functionality, and user scenarios independently initiated by the user are generally based on the necessity to provide the service requested by the user;
sensitive health data, where required by law or by the nature of the processing, is processed on the appropriate legal basis, including explicit or other legally required consent where necessary;
security, abuse prevention, service resilience, limited product analytics, and limited attribution may be based on legitimate interest, subject to the principles of necessity and proportionality;
mandatory disclosures and other legally required actions may be based on compliance with legal obligations;
individual features, screens, technical tools, and integrations may be accompanied by additional notices, separate consents, or special terms where necessary in light of the law and the nature of processing.
Eshe does not use legal bases to arbitrarily expand processing and does not treat them as a formal “fallback” structure. We proceed on the basis that each significant area of processing must be linked to an appropriate legal basis that corresponds to the actual feature and the actual architecture of the service.
AI Processing and Important Limitations
Eshe uses AI features as part of the service’s digital architecture to support certain user scenarios. Such features may be used, in particular, to process user questions, generate personalized responses within the AI chat, maintain continuity of interaction, and support certain digital product features.
What AI Processing Means in Eshe
If the user interacts with the AI assistant or another AI feature, Eshe uses automated processing in order to:
interpret the user’s request;
take into account limited relevant context;
generate a response, digital suggestion, or supportive message;
maintain the logic and continuity of the conversation;
ensure the quality, resilience, and technical operability of the relevant feature;
detect technical errors, failures, anomalies, and misuse of the AI scenario.
Eshe AI features are not a “hidden” or separate system operating outside the product. They are integrated into the service architecture and are used only within the user scenarios in which they are made available to the user.
What Data May Be Involved in AI Processing
Depending on the relevant scenario, AI processing may involve:
the user’s text messages;
the user’s answers to follow-up questions;
limited conversation history;
data related to the user’s selected purpose for using the application;
cycle information, condition-related information, or related user entries to the extent necessary to respond within the relevant request;
images, videos, or voice messages, if the user expressly and voluntarily uploads them into the AI scenario;
service and technical data necessary for the operation of the AI feature.
User content submitted to an AI feature may itself contain personal data or sensitive information depending on what the user chooses to say, show, or upload.
How Eshe Limits AI Processing
Eshe applies a purpose-specific and limited AI processing model. This means that only the context necessary for the operation of the relevant feature and for generating a relevant response within the specific user request is included in the processing.
To support this approach, Eshe applies technical and organizational measures aimed at:
limiting unnecessary transfer of directly identifying data;
limiting the amount of context included in AI processing;
controlling the architecture of interaction between the application, backend infrastructure, and AI components;
internally managing the use of AI providers and related services;
reducing the risk of unauthorized or disproportionate use of user data.
More detailed technical parameters, internal routing rules, governance mechanisms, and limitations are documented in Eshe’s internal technical and organizational documents and are not disclosed in full in this Privacy Policy.
Use of External AI Providers
In relevant scenarios, Eshe may use external AI providers to generate a response or support an AI feature within the service architecture.
Eshe uses only those external AI services that have been approved for the relevant scenario through Eshe’s internal provider selection, assessment, and management processes. Such use is subject to Eshe’s internal requirements regarding:
limiting the volume of data processed;
purpose-specific transfer;
security of the architecture;
reducing the risk of unauthorized use of data;
managing risks related to the processing of sensitive information.
Eshe’s AI functionality operates through Eshe’s backend infrastructure and not by directly sending data from the client application to an external AI service.
The use of an external AI provider does not mean that Eshe transfers all user data to that provider. Eshe follows a model of limited and functionally necessary AI processing required to support a specific feature.
Important Limitations of AI Features
Eshe AI features are intended to provide digital, informational, and user support within the Eshe service.
Eshe AI features:
are not intended to provide a medical diagnosis;
are not intended to prescribe treatment;
are not intended to provide emergency assistance;
do not replace a licensed healthcare professional;
should not be treated as the sole basis for making medically significant decisions.
If the user has symptoms that may require professional medical assessment, urgent assistance, or an in-person consultation, the user should contact a qualified healthcare professional or the relevant assistance service.
User Responsibility When Using AI
Because an AI feature depends on the request, context, and information that the user voluntarily provides, the nature and quality of the response may depend on the completeness, accuracy, and content of the user input.
The user should not:
use AI features for emergency conditions;
rely solely on an AI response as a final medical conclusion;
upload unnecessary sensitive data about themselves into an AI feature beyond what is genuinely necessary for the request;
disclose personal data of third parties through AI features without an appropriate basis.
This section does not release Eshe from its own obligations to process data lawfully, for specific purposes, and securely. It explains to the user the important limitations of the relevant feature.
Legal Basis for AI Processing
The primary legal basis for processing data within AI features is the necessity of providing the user with the feature that the user independently initiates and uses.
Where health-sensitive data or other sensitive user content is processed within an AI feature, Eshe relies on the appropriate legal basis, including explicit or other legally required consent where necessary.
Limited technical processing related to security, resilience, abuse prevention, and maintaining the proper operation of the AI feature may also be carried out on the basis of Eshe’s legitimate interest, provided that such processing is proportionate.
Third-Party Services and Integrations
Eshe uses a number of third-party services and integrations to support individual application features, infrastructure, analytics, notifications, sign-in, AI scenarios, payments, and other technical or operational tasks.
Eshe does not treat all third-party providers as identical in their role or in the nature of processing. Depending on the specific feature, the relevant third-party service may:
process data on Eshe’s behalf;
act in its own role within its own service;
provide technical infrastructure through which the relevant user scenario operates;
participate in limited technical or operational processing necessary to support an Eshe feature.
Categories of Third-Party Services Eshe Uses or May Use
Eshe uses or may use third-party services in the following categories:
infrastructure and cloud services — for hosting, storage, processing, and technical support of data;
authentication and sign-in services — to support sign-in through external platforms or identity providers;
AI services — to support AI features and generate responses in relevant user scenarios;
product analytics services — to measure app usage, stability, and feature behavior;
attribution and campaign measurement services — to assess installation sources, acquisition channels, and limited advertising performance;
notification and message delivery services — to send push notifications and other technical messages;
payment platforms and payment providers — to process payments, confirm subscriptions, and support paid access;
other technical or operational integrations, where necessary for the operation of a specific Eshe feature.
Examples of Services Used by Eshe
Depending on the specific product version, user scenario, and technical configuration, Eshe may use, in particular:
AWS — for infrastructure, data storage, backend services, and related cloud functions;
approved AI providers, including OpenAI — to support AI features in relevant scenarios;
Amplitude — for product analytics and feature usage;
AppsFlyer — for mobile analytics, attribution, and measurement of acquisition channels;
Firebase — for push notifications and related technical functions;
Google — for sign-in, certain technical scenarios, and related integrations;
Apple — for sign-in, platform scenarios, and functions related to the Apple ecosystem;
phone / WhatsApp-based mechanisms — to the extent they are used for registration, access confirmation, or sign-in scenarios;
App Store, Google Play, M-Pesa, and other applicable payment or platform services — to the extent the user uses the relevant payment or access method.
What Data May Be Involved in Third-Party Integrations
Depending on the specific service and scenario, a third-party provider may participate in processing involving, for example:
account and authentication data;
technical and device data;
app feature usage data;
push tokens and technical message delivery data;
limited analytics, attribution, or conversion events;
limited payment and subscription confirmations;
AI request data and limited context — only in scenarios where this is necessary for the relevant AI feature;
other categories of data necessary for a specific Eshe feature.
Eshe does not proceed on the assumption that every third-party service receives access to all categories of user data. The scope of data involved depends on the specific feature, scenario architecture, provider role, and applicable legal basis.
How Eshe Limits the Involvement of Third-Party Services
Eshe proceeds on the basis that the use of third-party services should be:
limited to the purpose of the relevant feature;
proportionate to the nature of the task for which the external service is used;
reasonably necessary from the perspective of product architecture;
accompanied by internal control measures where applicable;
compatible with Eshe’s obligations to protect personal data.
Eshe does not use third-party services as a basis for unlimited expansion of user data processing. If a particular service is used for a specific feature, Eshe limits the involvement of data to the amount genuinely necessary to support that feature.
Role of Third-Party Services
Depending on the specific service and scenario, the relevant provider may act:
as a technical provider supporting infrastructure or delivery of a feature;
as a processor acting on Eshe’s behalf;
as an independent platform or service provider operating under its own terms;
as a participant in limited technical processing without which a specific Eshe feature cannot function properly.
If the user uses a particular sign-in, payment, communication, notification, analytics, or AI scenario, the relevant third-party service may participate in data processing to the extent necessary to support that scenario. This does not mean that Eshe transfers all user data to that service.
Updates to the List and Additional Notices
Eshe may update the list of services used as the product develops, providers are replaced, the architecture changes, or new features are introduced. If such changes affect the nature of data processing, Eshe may update this Privacy Policy and related notices accordingly.
In certain cases, Eshe may provide the user with additional information about third-party services:
through the interface of the relevant feature;
through separate notices;
through specific provisions of this Privacy Policy;
through links to the relevant policies or terms of third-party providers, where necessary to understand the role of such service.
International and Cross-Border Data Transfers
Eshe is a digital service that uses cloud infrastructure, external platforms, and certain technical or operational services that may be located or operate in different countries. As a result, user data may be processed, stored, or otherwise used outside the user’s country of residence.
When International or Cross-Border Processing May Occur
International or cross-border processing may occur, for example, where:
data is hosted or stored in cloud infrastructure located outside the user’s country;
the relevant Eshe feature is supported by an external service or platform operating in another jurisdiction;
the user uses sign-in through an external platform, an international payment service, an AI feature, or another integrated service;
technical routing, processing, delivery, or confirmation of data is required within the distributed infrastructure of the relevant provider;
data is processed in connection with ensuring the stability, security, or operation of the service in international infrastructure.
Eshe’s Approach to International and Cross-Border Processing
Eshe proceeds on the basis that international or cross-border processing must be:
lawful;
proportionate;
purpose-limited;
limited in scope;
accompanied by reasonable technical, organizational, and contractual safeguards where applicable.
Eshe does not allow arbitrary cross-border transfer of all data without functional necessity. Where international processing occurs, it must be linked to the specific service architecture, a specific feature, or a specific provider used to support that feature.
Measures Eshe Uses or May Use
Depending on the specific scenario, Eshe uses or may use, among other things:
contractual restrictions and obligations in relationships with third-party providers;
internal procedures for provider selection, approval, and control;
technical and architectural measures aimed at limiting the amount of data transferred;
access restrictions and purpose-specific transfer;
internal governance mechanisms for high-risk scenarios;
use of regional configurations and infrastructure location restrictions where available and reasonably applicable;
organizational measures to control processing and access;
other measures that Eshe considers reasonably necessary to reduce the risks of cross-border processing.
What the User Should Understand
By using Eshe, the user understands that certain categories of data may be processed in international or cross-border infrastructure to the extent necessary for the operation of the service, the relevant feature, the selected sign-in method, payment method, notifications, analytics, AI scenario, or other integration.
This does not mean that Eshe permits unlimited international transfer of all user data. Eshe follows a model of purpose-specific, limited, and functionally necessary processing, under which cross-border involvement of data must be connected to a specific feature and a specific necessity.
Specific Features of Certain Scenarios
Depending on the architecture of the relevant feature, some categories of data may be processed using infrastructure located in the European Union or other jurisdictions. Eshe may use regional configurations, infrastructure location restrictions, and other technical solutions where available and reasonably applicable, taking into account the nature of the feature, provider, and level of processing risk.
If a specific cross-border processing activity requires a separate notice, separate legal basis, additional safeguards, or a special mechanism under applicable law, Eshe uses such measures to the relevant extent.
Relationship with Other Sections of the Policy
To understand how international or cross-border processing may arise within Eshe, this section should be read together with the sections on:
categories of data;
purposes of processing;
AI features;
third-party services and integrations;
security and safeguards;
user rights.
Data Storage, Retention Periods, Deletion, and Backups
Eshe retains personal data for no longer than is necessary for the purposes for which such data was collected and used, taking into account:
the nature of the relevant feature;
the user’s expectations when using the service;
the need to maintain the functionality, continuity, and security of the service;
the need to handle inquiries, disputes, claims, and incidents;
mandatory requirements of applicable law;
the need to protect the legal position of Eshe, users, the service, and infrastructure.
Eshe does not proceed on the basis of indefinite retention of user data. The retention period depends on the category of data, the purpose of processing, the type of feature through which the data was collected, and the requirements of applicable law.
Category-Based Approach to Retention
Eshe applies a category-based approach to retention periods. This means that different categories of data are retained differently, depending on their purpose, sensitivity, and level of risk.
In particular, retention periods may differ for:
account data;
technical and diagnostic data;
health, self-observation, and mini check-up data;
AI chat history;
uploaded images, videos, voice messages, and other user content;
comments, posts, and materials in community / forum features;
payment and subscription confirmations;
security logs and system logs;
data related to user inquiries;
backups.
Detailed internal retention periods and deletion procedures may be documented in Eshe’s internal retention and governance documents and are not disclosed in full in this Privacy Policy.
Indicative Retention Periods for Main Data Categories
Unless a different period is required by applicable law, an open dispute, investigation, security matter, or another lawful basis, Eshe generally follows the retention periods below.
Account and Profile Data
Account and profile data is retained for the period during which the account remains active and, as a general rule, for up to 12 months after account deletion or discontinuation of service use, unless longer retention is required for security, dispute resolution, abuse prevention, or legal compliance.
Calendar, Tracking, Mini Check-Up, and Other Self-Observation Data
Calendar, tracking, mini check-up, and other self-observation data is retained for the period during which the relevant features are used and, as a general rule, for up to 3 years from the user’s last activity, or until earlier deletion by the user or account deletion, unless another period is required by law or to protect Eshe’s legal position.
AI Chat History
AI chat history is generally retained for up to 3 years from the last interaction in the relevant AI scenario, or until earlier deletion by the user, unless another period is required for security, abuse prevention, incident review, or legal compliance.
Images, Videos, Voice Messages, and Other Materials Uploaded into Private AI or Similar User Scenarios
Images, videos, voice messages, and other materials uploaded into private AI or similar user scenarios are generally retained for up to 12 months from the date of upload, or until earlier deletion by the user, unless longer retention is required to provide the feature, ensure security, resolve a dispute, or comply with law.
Comments, Posts, and Materials Published by the User in Community / Forum Features
Comments, posts, and materials published by the user in community / forum features are generally retained for as long as such content remains published or associated with an active user account, and additionally for up to 12 months after deletion, hiding, or deactivation where necessary for moderation, security, complaint handling, protection of other users, or legal compliance.
Support Requests and Related Records
Support requests and related records are generally retained for up to 24 months after the inquiry is closed, unless longer retention is required to handle a dispute, complaint, security incident, or legal compliance matter.
Technical, System, and Security Logs
Technical, system, and security logs are generally retained for up to 12 months, unless longer retention is required in connection with an incident investigation, security matters, abuse, or legal obligations.
Payment and Subscription Confirmations
Payment and subscription confirmations may be retained for up to 7 years where necessary for accounting, tax, financial, legal, or audit obligations, or for another period established by applicable law or the rules of the relevant payment scenario.
The retention periods listed above are indicative public retention periods. In specific cases, Eshe may retain data for a shorter or longer period where required by law, determined by the nature of the feature, related to security, or objectively necessary to protect Eshe’s legal position.
Retention in Active Systems
Eshe retains data in active systems for the period necessary to:
provide the user with the relevant feature;
preserve the continuity and consistency of the user experience;
display the history of actions, entries, conversations, and other user materials;
ensure the proper operation of subscriptions, support, notifications, product analytics, and security features;
comply with applicable information retention obligations.
If the user continues to use the relevant feature, Eshe may continue to retain the related data for a reasonably necessary period, provided that such retention remains consistent with the purposes of processing.
User Deletion and Deletion Upon Request
Eshe may provide the user with the ability to delete certain data or categories of content through available application, account, or other user interface features. Depending on the nature of the feature, this may include, for example:
deletion of individual entries;
deletion of interaction history, where such functionality is available;
deletion of uploaded materials;
deletion of the account;
submission of a data deletion request.
If the user deletes data or submits a deletion request, Eshe takes steps to delete or stop using the relevant data in active systems to the extent applicable to the specific data category and permitted by law.
However, certain data may be retained for a longer period where necessary:
to comply with legal obligations;
to resolve disputes, handle complaints, or protect legal position;
to prevent abuse and ensure security;
for limited storage in backups within the permitted lifecycle of such backups;
in other cases where retention is expressly permitted or required by applicable law.
Backups
To ensure resilience, recovery, and continuity of service operation, Eshe creates and retains data backups within a defined lifecycle.
Backups:
are used solely for disaster recovery, resilience, and infrastructure continuity purposes;
are not intended for ordinary day-to-day access to data within user scenarios;
are stored in a limited recovery-only environment;
are subject to separate access, retention, rotation, and deletion rules;
are retained for a limited and predefined period, after which they are overwritten, deleted, or removed from the lifecycle in accordance with Eshe’s internal backup rules.
Unless otherwise required by law or related to the investigation of a critical incident, Eshe generally follows a backup retention period of no longer than 90 days.
If the user deletes data or an account, such deletion may not result in the immediate physical disappearance of the relevant information from every backup at the same moment. In such cases, Eshe restricts the use of such data and proceeds on the basis that backups must not be used as a parallel active database for ordinary processing of user information.
Retention Limitation and Further Processing
After the applicable retention period expires, Eshe may:
delete the relevant data;
anonymize or de-identify it where this is permitted and consistent with the purpose;
isolate or archive it under restricted access where necessary by law, for security, for backup purposes, or to protect Eshe’s legal position.
Eshe does not use archiving or backup retention as a basis for indefinitely extending ordinary active processing of user data.
Your Rights and Ways to Control Your Data
Eshe seeks to provide users with reasonable, clear, and practical control over their personal data to the extent provided by applicable law and the nature of the feature used.
User Rights
Depending on applicable law and the nature of the specific processing, the user may have the right to:
receive information about how Eshe processes their data;
request access to their personal data;
request correction of inaccurate or incomplete data;
request deletion of data where there are grounds for doing so;
withdraw consent where processing is based on consent;
object to certain types of processing or request restriction of processing, where permitted by law;
receive data in a portable format where such right applies;
lodge a complaint with a competent data protection authority.
The existence and scope of a specific right may depend on:
the user’s country;
the category of data;
the legal basis for processing;
the nature of the feature or scenario;
Eshe’s legal obligations.
Ways to Control Data Within the Service
Depending on the available functionality, the user may independently manage certain categories of data through the service interface.
In particular, where the relevant functionality is available in the product, the user may:
change profile data;
manage account settings;
manage notifications;
delete individual entries or specific content;
delete materials uploaded by the user;
delete certain interaction histories;
delete the account or initiate a data deletion request.
The availability of a specific control function depends on the current product version, the architecture of the relevant scenario, and applicable law. Eshe does not claim the availability of user controls that are not present in the actual configuration of the relevant feature.
How to Submit a Request
If the user wishes to exercise their rights or submit a request related to personal data, the user may contact Eshe using the contact details provided in this Privacy Policy.
To help process the request more efficiently, the user may include the following subject line:
“Privacy Request / Personal Data Request”
Eshe may request reasonable confirmation of identity or account ownership where necessary to:
protect the user’s data;
prevent unauthorized access;
prevent fraudulent or abusive requests;
properly fulfill the request.
Response Timeframes
Eshe seeks to respond to data subject requests without undue delay and, as a general rule, within 30 calendar days from receiving sufficient information to process the request, unless a different period is required or permitted by applicable law.
If the request is complex, extensive, repetitive, or requires additional verification, Eshe may extend the response period within the limits permitted by law, notifying the user to a reasonable extent where such notification is required or appropriate.
Limitations and Lawful Exceptions
Eshe is not always required to fulfill a request in full. In certain cases, we may refuse, limit, or delay fulfillment where permitted by law and where related, for example, to the need to:
comply with legal obligations;
protect the rights of other persons;
prevent abuse;
ensure service security;
retain data to the extent necessary for a dispute, incident, investigation, or protection of legal position;
take into account technical limitations of backups and infrastructure.
Where Eshe limits fulfillment of a request, we seek to do so only to the extent necessary and permitted by law.
Right to Lodge a Complaint
If the user believes that Eshe processes their personal data in violation of applicable law, the user has the right to lodge a complaint with the competent data protection authority in the relevant jurisdiction, without prejudice to the right to contact Eshe first in an attempt to resolve the matter.
Security and Safeguards
Eshe treats personal data protection as part of the core architecture of the service and applies technical and organizational measures aimed at protecting data against unauthorized access, disclosure, alteration, loss, misuse, and other unlawful scenarios.
General Approach to Security
Taking into account the nature of the service, the categories of data, and the level of risk, Eshe applies measures aimed at:
protecting data transmission;
protecting data storage;
limiting internal access;
segmenting and controlling infrastructure;
detecting, analyzing, and containing incidents;
improving service resilience and security;
reducing the risk of unlawful access to and use of data.
Examples of Security Measures
Depending on the architecture of the relevant feature, infrastructure, and level of risk, Eshe may apply, in particular:
secure data transmission channels;
measures to protect data at rest;
role-based and organizational mechanisms for limiting internal access;
logging and monitoring of significant technical, service, and security events;
separation of environments, internal services, and operational work areas;
management of keys, secrets, and technical credentials through controlled mechanisms;
backups and recovery measures;
procedures for analyzing, containing, investigating, and resolving incidents;
other reasonably necessary security measures.
Limitation of Internal Access
Eshe proceeds on the basis that access to data should be limited to those persons who genuinely need such access to perform the relevant functions, support infrastructure, ensure security, maintain the service, or carry out other permitted tasks.
Internal access is granted based on functional necessity, role-based restrictions, and Eshe’s internal rules. Having access does not mean the right to arbitrarily view, extract, use, or disclose user data.
Logging, Control, and Incident Response
Eshe may log and monitor significant technical, infrastructure, and service events to the extent necessary to:
ensure security;
investigate incidents;
analyze anomalous activity;
prevent abuse;
resolve technical failures;
restore proper operation of the service.
If Eshe identifies an incident affecting the security, integrity, or availability of data or the platform, the company may take measures to:
contain the incident;
limit its consequences;
technically investigate its causes;
resolve identified issues;
prevent recurrence of a similar scenario;
fulfill notification or response obligations where such obligations arise under law.
Limitations on Public Disclosure of Security Measures
Eshe does not disclose in this Privacy Policy the full set of internal technical, architectural, and operational security measures where such disclosure could increase risks to users, data, infrastructure, or the platform.
No Absolute Guarantee
Despite the safeguards applied, no digital service, data transmission infrastructure, or method of storing information can guarantee absolute security. Eshe, however, proceeds on the basis that it must apply reasonable and proportionate safeguards appropriate to the nature of the service and the level of risk associated with the data processed.
Children and Age Restrictions
Eshe is generally intended for users aged 18 and older.
If applicable law expressly permits the use of certain Eshe features by a person under the age of 18 with appropriate consent, permission, or involvement of a parent or other legal guardian, Eshe may take such requirements into account to the relevant extent. However, unless expressly stated otherwise in a separate feature, special notice, or local Eshe document, the service should be regarded as intended for adult users.
Use of the Service by Minors
If the user has not reached the age at which they may independently use the relevant service or provide consent required by law in their jurisdiction, use of Eshe may be:
restricted;
prohibited;
or permitted only with the legally required involvement, permission, or consent of a parent or legal guardian.
For individual features, categories of data, or countries, Eshe may establish additional age conditions, notices, or restrictions.
If Eshe Learns of Improper Use of the Service by a Minor
If Eshe receives information that personal data has been collected or used in violation of applicable age requirements or without the required involvement of a legal guardian, Eshe may take reasonable measures, including:
restricting or suspending access;
requesting additional age confirmation;
requesting confirmation of the authority of a parent or legal guardian;
deleting the account;
deleting or restricting the processing of the relevant data;
taking other measures that Eshe considers reasonably necessary and permitted by law.
Role of a Parent or Legal Guardian
If a parent or legal guardian believes that a child or minor is using Eshe in violation of applicable rules, they may contact Eshe using the contact details provided in this Privacy Policy.
Changes to This Policy
Eshe may update this Privacy Policy from time to time where required due to:
changes in law;
product development and the introduction of new features;
changes to the data processing architecture;
changes to integrations, services, or scenarios used;
changes to data protection and security approaches;
the need to provide users with more accurate, complete, or understandable disclosures.
If changes are material, Eshe may additionally notify users through the application, website, email, in-app message, or another reasonable method, taking into account the nature of the changes and the requirements of applicable law.
The current version of the Policy is published in the relevant location where it is available to the user. The date of the last update may be indicated at the beginning of the document or in another clear manner.
Contact and Requests
If you have questions, requests, or complaints related to this Privacy Policy or the processing of your personal data, you may contact Eshe at:
FEM HEALTH LIFE LIMITED
Giangou Tornariti 8, Ilia Court 202, 3035 Limassol, Cyprus
Email: official@eshe.space
Phone: +254 00000000
For inquiries specifically related to personal data, user rights, data deletion, access to data, or other privacy matters, we recommend using the email address official@eshe.space with the subject line:
“Privacy Request / Personal Data Request”
When you contact Eshe about personal data matters, Eshe may request additional information necessary to:
confirm your identity;
verify account ownership;
clarify the nature of the request;
prevent unauthorized access to third-party data;
properly review the request.
Eshe seeks to review requests within a reasonable period, taking into account the nature of the request, applicable law, and the need to verify the circumstances of the inquiry.
If the user believes that the matter has not been resolved properly, the user may also contact the competent data protection authority in the relevant jurisdiction.
© 2026 FEM HEALTH LIFE LTD. All rights reserved.