Privacy notice
The short version. When you join our waitlist or send us a message, we collect the details you give us so we can contact you about Fig. We keep that information secure, we don't sell it, we don't share it with advertisers, and we'll delete it whenever you ask. Full details below.
1. Who we are
This privacy notice applies to www.figureoutfertility.com and is issued by [Fig Ltd / your registered company name], a company registered in [England and Wales] under company number [XXXXXXXX], whose registered office is at [your registered address].
For the purposes of UK GDPR and the Data Protection Act 2018, we are the data controller for the personal information described in this notice.
You can reach us at privacy@figureoutfertility.com for any data-protection question.
2. What we collect and why
If you join our waitlist
When you fill in the early-access form on our website, we collect:
- Your first and last name — so we can address you properly when we contact you.
- Your email address — so we can contact you about early access to Fig.
- Your age range (a band, e.g. "30–34") — to understand who's interested in Fig and tailor early-access cohorts.
- Where you are in your IVF journey (e.g. "preparing for first cycle") — to prioritise people who'd most benefit from early access.
- Your country — to understand geographic interest and comply with any country-specific rules.
We also automatically record the date and time of your submission, your browser user-agent string, and the country Cloudflare's network identifies you in. These are used for basic abuse prevention (spotting bot signups) and for understanding our reach. We do not store your IP address.
If you send us a message via the contact form
When you contact us, we collect:
- Your name and email address — so we can reply.
- The topic and content of your message — to answer your question.
- The date and time of your submission and your browser user-agent string — for abuse prevention.
A note on health information. Telling us you're "preparing for first cycle" or "between cycles" is information that relates to your health, which under UK GDPR is "special category data" and gets extra protection. We collect this only with your explicit consent (by submitting the form), use it only to make Fig more useful to you, and you can withdraw consent at any time by emailing us.
3. Our lawful basis for processing
Under UK GDPR we need a lawful basis to process your personal data. Ours are:
- Waitlist signups: your consent (Article 6(1)(a)), and your explicit consent for any health-related information (Article 9(2)(a)).
- Contact form messages: our legitimate interest in responding to enquiries from people who get in touch (Article 6(1)(f)).
- Security and abuse prevention: our legitimate interest in protecting our service and users (Article 6(1)(f)).
4. How long we keep your data
- Waitlist details: until 24 months after your last interaction with us, or until you ask us to delete them — whichever is sooner. If we launch and you become a customer, retention will be governed by our customer terms (which we'll share at that point).
- Contact form messages: 12 months from the date you contact us, or until your matter is resolved — whichever is longer.
- Backups: deleted data may persist in encrypted backups for up to 30 days before being permanently overwritten.
5. Who we share your data with
We do not sell your personal data. We do not share it with advertisers. We do not share it with anyone for marketing purposes.
We use a single sub-processor to run our website and store submissions:
- Cloudflare, Inc. hosts our website, our form-processing service, and our database. Cloudflare acts as our data processor under a Data Processing Addendum. Your data is stored in Cloudflare's Western Europe data centres.
We will also share personal data if we are legally required to (e.g. a court order), to enforce our terms, or to protect the rights and safety of others — but we'll always question whether a request is properly authorised before responding.
6. Where your data is stored
Your data is stored on Cloudflare D1 in Cloudflare's Western Europe region (data centres in Ireland and the UK). Data is never transferred outside the European Economic Area or the UK for storage purposes.
Some operational metadata (e.g. logs, performance metrics) may be processed in other Cloudflare regions globally, but never the contents of your submissions.
7. How we protect your data
We take security seriously. The technical and organisational measures we have in place include:
- HTTPS everywhere. All traffic to and from our site is encrypted in transit.
- Encryption at rest. Cloudflare encrypts D1 data at rest using AES-256.
- Access controls. Our admin dashboard is password-protected and accessible only to authorised Fig personnel. Database access requires authentication and is logged.
- Network-level protection. Cloudflare provides DDoS protection, bot mitigation, and web application firewall coverage by default.
- Honeypot fields and rate limiting on submission forms to deter automated abuse.
- Minimum data principle. We collect only the fields we genuinely need.
- No third-party trackers or advertising pixels on our site.
- Regular review of our practices and dependencies.
No system is perfect, and we cannot guarantee absolute security. If we ever suffer a personal data breach that's likely to result in a risk to your rights and freedoms, we'll notify the Information Commissioner's Office within 72 hours and contact affected individuals where required.
8. Your rights
Under UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct anything inaccurate.
- Erasure ("the right to be forgotten") — ask us to delete your data.
- Restriction — ask us to limit how we use your data.
- Portability — receive your data in a structured, commonly used format (we use CSV).
- Objection — object to processing based on legitimate interests.
- Withdraw consent — for anything we process based on consent. Withdrawing consent doesn't affect processing that already happened.
- Not be subject to automated decision-making that has legal or similarly significant effects on you. We don't currently do this.
To exercise any of these rights, email privacy@figureoutfertility.com. We'll respond within one month. There's no charge for reasonable requests.
9. Cookies and tracking
Our website doesn't set any cookies. We don't use Google Analytics, Meta Pixel, or any other tracking technology. No third-party scripts load on our pages other than Google Fonts (which serves the fonts we use; Google may log basic information about font requests as described in Google's privacy policy).
If we add analytics in future, we'll choose a privacy-friendly option (such as Cloudflare Web Analytics or Plausible) that doesn't use cookies or track individuals across sites, and we'll update this notice before doing so.
10. Changes to this notice
We may update this notice from time to time — for example, when we add features or change how we work with sub-processors. The "Last updated" date at the top reflects the most recent change. For material changes, we'll contact people on our waitlist by email before the change takes effect.
Previous versions are available on request.
11. Contact and complaints
Any data-protection question, request, or concern:
privacy@figureoutfertility.com
[Fig Ltd / your company name]
[Your registered address]
If you're not happy with how we've handled your data or your request, you have the right to complain to the UK Information Commissioner's Office:
ico.org.uk/make-a-complaint
Helpline: 0303 123 1113
We'd appreciate the chance to address your concern before you do, but you can contact the ICO directly at any time.