SORA is a period tracking web application operated by Eric Wang, based in Guangzhou, China. Our primary domain is innersora.com.

For any privacy-related questions, you may contact us at: hello@innersora.com

If you use SORA without creating an account:

• All data (cycle logs, mood, flow records) is stored locally in your browser only
• Nothing is transmitted to our servers
• We collect no personal information whatsoever

If you create an account:

• Email address (for authentication)
• Cycle log data you choose to sync (dates, flow level, pain level, mood)
• Language and theme preferences
• Account creation timestamp

We do NOT collect:

• Your location or GPS data
• Contacts, photos, or camera access
• Browsing history or cross-site tracking data
• Advertising identifiers

• To provide the cycle tracking and prediction features
• To send account confirmation and essential service emails
• To remember your language and theme preferences
• To improve the accuracy of cycle predictions over time

We do not use your health data for advertising, profiling, or any purpose beyond providing the SORA service to you.

To operate SORA, we use the following trusted services:

• Supabase — Authentication and encrypted database storage (Tokyo data center, SOC 2 compliant)
• Vercel — Website hosting and content delivery
• Resend — Transactional email delivery (confirmation emails only)
• Google / Apple — Optional OAuth login (governed by their respective privacy policies)

Google Sign-In: When you sign in with Google, SORA only receives your email address for the purpose of creating and identifying your account. SORA's use and transfer to any other app of information received from Google APIs will adhere to Google API Service User Data Policy, including the Limited Use requirements. We do not access your Google contacts, calendar, Drive, or any other Google services.

• Account data is encrypted at rest and in transit (TLS 1.3)
• Supabase enforces Row Level Security — only you can access your own records
• Unregistered users: all data remains on-device in localStorage, never leaves your browser
• We do not store passwords in plain text — authentication uses industry-standard hashing
• Data retention: your account data is retained until you request deletion. Upon account deletion, all associated data is permanently removed within 30 days.

Regardless of where you live, you have the right to:

• Access — Request a copy of all data we hold about you
• Deletion — Request complete deletion of your account and all associated data
• Correction — Request correction of inaccurate information
• Portability — Export your cycle data in a standard format
• Withdraw consent — Stop using SORA and have your data deleted at any time

To exercise any of these rights, email us at hello@innersora.com.

SORA uses browser localStorage (not tracking cookies) to remember your preferences. This data never leaves your device and is not accessible to us or any third party.

We do not use advertising cookies, analytics cookies, or any cross-site tracking technology.

SORA is intended for users aged 18 and above. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, please contact us and we will delete it immediately.

If we make significant changes to this Privacy Policy, we will notify registered users by email and update the "Last updated" date at the top of this page.