Privacy Policy
Effective date: [EFFECTIVE_DATE]
Last updated: [LAST_UPDATED]
This Privacy Policy describes how [COMPANY_LEGAL_NAME] ("BabyHQ", "we", "us", or "our") collects, uses, shares, and protects personal information when you use our website, chat application, and related services (collectively, the "Service").
By using the Service, you acknowledge the practices described in this Privacy Policy. This Policy should be read alongside our Terms of Service and Medical Disclaimer.
1. Who we are
BabyHQ is operated by [COMPANY_LEGAL_NAME], a company organized under the laws of [JURISDICTION], with its registered address at [COMPANY_ADDRESS].
For privacy-related questions, including the exercise of your rights, contact us at [CONTACT_EMAIL_PRIVACY].
If we are required to designate a Data Protection Officer or EU/UK representative, their contact details are: [DATA_PROTECTION_OFFICER — remove this line if not applicable].
2. Information we collect
We collect the following categories of information:
2.1 Information you provide directly
- Account information (via our identity provider, Clerk): name, email address, password (hashed), profile photo if provided, authentication method (email/password, Google).
- Child profile information (provided by you about a child under your care): name or nickname, date of birth, gestational age at birth, birth weight, feeding method, sleep setup, notable health information you choose to share, and any other context you share through the conversational onboarding.
- Conversation content: the messages you send to and receive from the AI companion, including any information about you, your family, and your child contained in those messages.
- Preferences and settings: notification preferences, language, timezone.
- Payment information: limited payment data processed by Stripe; we do not store full credit card numbers.
- Communications: messages you send to our support team or feedback you submit.
2.2 Information we collect automatically
- Technical data: IP address, device type, operating system, browser type and version, language settings.
- Usage data: pages viewed, features used, actions taken (e.g. sending a message, opening a summary tab), timestamps, session duration, referring URLs.
- Diagnostic data: crash logs, performance metrics, error reports.
- Cookies and similar technologies: see our Cookie Policy.
2.3 Information from third parties
- Identity providers: if you sign in with Google or Apple, we receive basic profile information from them (name, email, profile photo) in accordance with your privacy settings with that provider.
- Payment processor: Stripe provides us with limited information about your transactions (success, failure, subscription status) but not full payment card details.
- Analytics providers: aggregated and anonymized insights about how the Service is used.
We do not purchase personal information from data brokers.
3. How we use information
We use your information for the following purposes:
| Purpose | Examples | Legal basis (GDPR) |
|---------|----------|--------------------|
| Provide the Service | Authenticate you, answer your chat messages, generate summary tabs, deliver notifications | Performance of contract (Art. 6(1)(b) GDPR) |
| Personalize the experience | Reference past conversations, adapt tone to your child's age | Performance of contract; Legitimate interests (Art. 6(1)(f)) |
| Process payments | Create and manage your subscription | Performance of contract |
| Communicate with you | Transactional emails (account confirmation, billing), support replies, product updates | Performance of contract; Legitimate interests |
| Improve the Service | Analyze usage patterns, fix bugs, evaluate new features | Legitimate interests; where required, consent |
| Ensure safety and security | Detect fraud, abuse, and policy violations | Legitimate interests; legal obligation |
| Comply with legal obligations | Tax, accounting, responding to lawful requests | Legal obligation (Art. 6(1)(c)) |
| Marketing (only with consent) | Newsletters, product announcements | Consent (Art. 6(1)(a)) |
We do not use your conversation content to train foundation AI models, either ours or our providers', unless you provide explicit, informed consent through an opt-in program. At the date of this Policy, no such opt-in program is active.
4. How we share information
We share information only as described below. We do not sell your personal information.
4.1 Service providers (processors)
We share information with vendors that help us operate the Service, under written contracts that require them to protect your data and use it only to provide services to us:
| Provider | Purpose | Data shared | Location |
|----------|---------|-------------|----------|
| Anthropic (Claude API) | Power the AI conversational companion | Chat messages sent to generate responses; child profile context included in prompts | United States |
| Clerk | Authentication, account management | Name, email, authentication data | United States |
| Stripe | Payment processing | Name, email, payment details, transaction history | United States (and others per Stripe's policies) |
| Neon (database) | Store application data | All application data, including profiles and conversations | [Neon region — to be confirmed: US East or EU] |
| Vercel | Host the frontend and serve the Service | Connection metadata (IP, headers), static assets | Global edge network |
| Resend | Send transactional emails | Email address, email content | United States / EU |
| LangSmith (optional, internal use) | Monitor LLM performance and debug | Anonymized prompt/response traces | United States |
We evaluate each provider for security and privacy practices, and we enter into Data Processing Agreements (DPAs) where required.
4.2 Legal and safety disclosures
We may disclose information when we believe in good faith that disclosure is necessary to:
- Comply with applicable law, regulation, or a legally binding request (such as a subpoena or court order).
- Enforce our Terms of Service or investigate suspected violations.
- Detect, prevent, or address fraud, security, or technical issues.
- Protect the rights, property, or safety of BabyHQ, our users, or others, including situations involving risk to the life or physical safety of a child.
4.3 Business transfers
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets, your information may be transferred as part of that transaction. We will notify you (and, where required, obtain your consent) before your information becomes subject to a different privacy policy.
4.4 With your consent
We may share information for other purposes with your explicit consent.
5. Children's privacy
BabyHQ is a service for parents and legal guardians, not for children. We do not knowingly create accounts for or solicit personal information directly from children under the age of 13.
However, BabyHQ necessarily processes information about children (name, date of birth, feeding and sleep patterns, health notes) as provided by you, the parent or guardian. You are responsible for:
- Ensuring that you have the legal authority to share this information about your child with us.
- Not providing information about any child other than your own or one for whom you are the authorized caregiver.
- Not sharing highly sensitive medical information unless necessary, and understanding that such information is processed under the safeguards described in this Policy.
We handle information about children with the same or greater care as adult information. We do not use children's information for advertising, profiling, or any commercial purpose unrelated to providing the Service.
If you believe a child under 13 has created an account without parental consent, please contact us immediately at [CONTACT_EMAIL_PRIVACY] so we can delete the account and associated information.
6. International data transfers
BabyHQ operates from [JURISDICTION] but uses service providers located primarily in the United States. When we transfer personal information outside of your country of residence (including to the United States), we rely on appropriate safeguards, including:
- Standard Contractual Clauses approved by the European Commission (for transfers from the EEA, UK, and Switzerland).
- Adequacy decisions where available.
- Your explicit consent where required and appropriate.
You may request a copy of the safeguards applicable to transfers of your personal information by contacting [CONTACT_EMAIL_PRIVACY].
7. Data retention
We retain personal information for as long as necessary to provide the Service and to comply with our legal obligations, resolve disputes, and enforce our agreements.
Specific retention periods:
- Account and profile data: for the duration of your account, plus up to 90 days after account closure to allow reactivation; thereafter, deleted or anonymized.
- Conversation history: for the duration of your account, to provide memory and continuity; deleted within 90 days after account closure.
- Payment records: retained as required by tax and accounting law (typically 5–10 years depending on jurisdiction).
- Analytics and diagnostic data: aggregated or anonymized after 13 months at most.
- Legal holds: we may retain information longer if required by law or necessary to protect rights.
You may request earlier deletion at any time through the Service or by contacting us (see "Your rights" below).
8. Security
We implement technical and organizational measures to protect personal information, including:
- Encryption in transit (TLS 1.2+) and at rest for sensitive data.
- Access controls, least-privilege permissions, and authentication for our team.
- Secure credentials handling via Clerk.
- PCI DSS compliance for payment processing (handled by Stripe).
- Regular security reviews of our infrastructure.
- Incident response procedures, including notification of affected users and regulators as required by law.
No system is perfectly secure. You can help protect your account by using a strong, unique password, enabling two-factor authentication, and keeping your credentials confidential.
9. Your rights
Depending on your location, you have some or all of the following rights regarding your personal information:
- Right of access: obtain a copy of the personal information we hold about you.
- Right to rectification: correct inaccurate or incomplete information.
- Right to erasure ("right to be forgotten"): request deletion of your information, subject to legal exceptions.
- Right to restriction of processing: limit how we process your information in certain circumstances.
- Right to data portability: receive your information in a structured, commonly used, machine-readable format.
- Right to object: object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent: where processing is based on consent, withdraw it at any time (without affecting prior lawful processing).
- Right to lodge a complaint: with a data protection authority (for EU/UK residents, your local supervisory authority; in Colombia, the Superintendencia de Industria y Comercio).
To exercise your rights, contact [CONTACT_EMAIL_PRIVACY]. We will respond within the time required by applicable law (typically 30 days under GDPR, extendable in complex cases). We may need to verify your identity before acting on your request.
California residents: you also have specific rights under the California Consumer Privacy Act (CCPA) as amended, including the right to know categories of information we collect, the right to delete, the right to correct, and the right to opt out of any sale or sharing. BabyHQ does not sell personal information.
Colombian residents: you have rights under Ley 1581 de 2012 (Habeas Data), including access, update, rectification, and cancellation of your personal information. You may file complaints with the Superintendencia de Industria y Comercio.
10. Cookies and tracking
We use cookies and similar technologies to provide and improve the Service. Our Cookie Policy describes these in detail, including how to exercise your choices.
11. Automated decision-making
BabyHQ uses AI to generate conversational responses and summary content. This is not automated decision-making in the legal sense (GDPR Art. 22) because these outputs do not produce legal effects or similarly significant effects on you — you are free to ignore, question, or override any suggestion. You can always reach out to support or request human review by contacting [CONTACT_EMAIL_SUPPORT].
12. Third-party links
The Service may link to third-party websites or services (e.g. cited sources, pediatric organizations). We are not responsible for the privacy practices of those third parties. Please review their privacy policies before providing them with any information.
13. Changes to this Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service before the changes take effect. Continued use of the Service after the effective date of the changes constitutes acknowledgment of the updated Policy.
14. Contact us
For questions about this Policy or your personal information:
- Email: [CONTACT_EMAIL_PRIVACY]
- Mail: [COMPANY_LEGAL_NAME], [COMPANY_ADDRESS]
If you are not satisfied with our response, you have the right to lodge a complaint with the competent data protection authority in your jurisdiction.
This Privacy Policy is provided in English. If a translation is provided, the English version prevails in case of conflict, except where applicable law requires otherwise.