Privacy Policy

Effective Date: June 17, 2026

This Privacy Policy explains how Tiny FootPrints App LLC ("we," "us," or "our") collects, uses, discloses, and protects your information when you use the Tiny Footprints mobile application ("App" or "Service"). Tiny Footprints is a pregnancy and baby tracker that parents and guardians use to record information about themselves and about their child(ren).

Please read this policy together with our Terms of Service. If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, the section titled "Your EEA/UK Rights (GDPR)" and the sections it references apply to you.

Data Controller

The data controller responsible for your personal data is:

Tiny FootPrints App LLC
8735 Dunwoody Place STE N, Atlanta, GA 30350, USA
support@tinyfootprints.app

For any privacy question or to exercise your rights, contact us at support@tinyfootprints.app.

EU/UK Representative and Data Protection Officer

We are based in the United States and offer the App to users in the EEA and UK.

We have not appointed a Data Protection Officer (DPO), and we do not consider one to be required. Under Article 37 of the GDPR a DPO is mandatory only where an organisation's core activities involve large-scale, regular monitoring of individuals or large-scale processing of special-category data. The large majority of what you log is routine care information (for example, sleep and feeding times); the volume of genuinely clinical health data we process is limited, and we operate at a small scale. On that basis we have determined that a DPO is not required, and we keep this assessment under review as the App grows.

We are separately assessing, with legal counsel, whether we are required to appoint an EU and/or UK representative under Article 27. If we determine that a representative is required, we will appoint one and update this policy with their contact details. The responsible privacy contact in the meantime is support@tinyfootprints.app.

1. Information We Collect

We collect the following types of information when you use the App:

Account Information

Email address, name (optional), profile photo (optional), and your account identifier. If you sign in with Google, we receive your Google account email, name, and photo through Google Sign-In.

Subscription Information

Your subscription status, plan, trial and renewal dates, and a customer identifier used with our payments partner (RevenueCat). We do not collect or store your card or bank details; in-app purchases are processed by the Apple App Store or Google Play.

Baby Information

Baby name, date of birth, due date, gender, profile photo, birth measurements (weight, length, head circumference), delivery type, mother's name, and free-text notes.

Baby Health & Care Logs

Sleep sessions; feeding (including amounts, breast side, solids and any allergic reactions); diaper logs (including rash, color, consistency); pumping; growth measurements; and health events such as temperature/fever, symptoms, illness or injury, vaccinations (including reactions), medications, teething, milestones, activity and potty training; plus notes and photos.

Pregnancy & Postpartum Logs

Symptoms, mood, weight and belly measurements, appointments, bump photos, fetal movement and kick counts, contractions, temperature, spotting, postpartum recovery (lochia, pain, pad changes), pelvic-floor sessions, and exercise. On supported devices you may import steps, active energy, distance, and workouts from Apple Health (HealthKit) or Android Health Connect; this requires your separate device permission and is read into your exercise logs.

Birth Records

Birth date/time, birth measurements, delivery type, hospital and doctor name, Apgar scores, notes, and a first photo.

Photos / Media

Baby, log, bump, and birth photos you choose to add.

Sharing & Invitation Data

When you share a baby profile with a partner or caregiver, we process the invitee's email address and the inviter's name and email to deliver and manage the invitation, plus the sharing permissions you set.

Other People's Information

Some fields let you record information that identifies another individual — for example a mother's or partner's name on a profile, or the email address of a co-parent or caregiver you invite. By entering this information you confirm that you may lawfully provide it and, where required, that the other person is aware their information is processed in the App.

Device & Notification Data

A push-notification token and your platform, and your notification, reminder, and email-report preferences (including an unsubscribe token).

Usage / Analytics Data

App events (for example, sign-up method, creating a baby, logging an entry, viewing insights, exporting data), screen views, and Firebase-automatic information such as device type, OS and app version, IP-derived data, and device identifiers. Analytics is keyed to your account identifier and is subject to the in-app opt-out described below. Analytics events record that an action happened (for example, that a log was created) and are not intended to contain the content of your health logs.

Crash / Diagnostic Logs

Crash stack traces, error reports, and device/app state at the time of a crash (via Firebase Crashlytics). Crash reporting is enabled in released versions of the App and disabled in debug builds. There is currently no in-app toggle to disable crash reporting; if you are in the EEA/UK you can object as described in "Your EEA/UK Rights (GDPR)" and we will stop crash collection for your account on request. Crash diagnostics are kept minimal and are not intended to contain the content of your health logs.

App-Integrity Signal

A device/app-integrity attestation token (via Firebase App Check) used to block abusive traffic. This is not your content.

We do not collect precise geolocation, financial/card details, or health-insurance information.

Special-Category (Health) Data — Important

Much of the data above is health data. In particular, your child's growth measurements, temperature/fever, symptoms, illnesses, vaccinations, medications, allergic reactions, diaper details, teething, Apgar scores and delivery type — and, in aggregate, sleep and feeding patterns — reveal information about your child's health. Your own pregnancy and postpartum logs (symptoms, contractions, kicks, lochia, pain, measurements, temperature, and imported health/exercise metrics) are health data about you.

Under the EU/UK GDPR this is "special-category" data. The children whose data you record are the data subjects, even though they do not use the App; you, the parent or guardian, are the account holder who provides this data on the child's behalf. Where the GDPR applies, the condition we rely on to process this special-category data is your explicit consent given as the holder of parental responsibility (and, for your own pregnancy/postpartum data, your own explicit consent). See "Lawful Bases for Processing" and "Children's Data & Parental Consent" below.

2. How We Use Your Information

We use your information to:

3. Lawful Bases for Processing (EEA/UK)

Where the GDPR applies, we rely on the following lawful bases under Article 6, and — for health data — the additional condition under Article 9. Special-category data requires both an Article 6 basis and an Article 9 condition, and for your health logs we pair them on the same basis (consent) so that withdrawing consent genuinely stops the processing.

Special-category (health) data — Article 9: For all health data described above (your child's care/health/growth logs and your pregnancy/postpartum logs), the condition we rely on is Article 9(2)(a) — your explicit consent — and the Article 6 basis for that same data is Article 6(1)(a) consent. For a child's data, that consent is given by you as the holder of parental responsibility on the child's behalf. We obtain this explicit consent when you create your account: to sign up — by email or with Google — you must tick a separate, clearly distinguished box confirming that you are the parent or legal guardian and that you consent to our processing of this health data, and we record that consent together with the date and the version of this policy. You can withdraw this consent at any time, and because health data is processed on consent rather than contract, withdrawing it stops further processing — see "Your EEA/UK Rights (GDPR)."

Providing data: Account information is necessary to create an account; analytics, notifications, email reports, and the optional health-data import are not required and you can decline or disable them while still using the App. The App's core purpose is health tracking, so if you withdraw consent for health-data processing you should stop logging health data and delete the relevant data or your account.

4. Sharing Your Information

We do not sell your personal information. We share data with the service providers below, who act as our processors under data-processing terms and may only use the data to provide services to us. This list is intended to be complete; we will update it if it changes.

We may also disclose information if required by law, subpoena, or to protect rights and safety, or in connection with a merger, acquisition, or sale of assets (with notice where required).

When you share a baby profile, the co-parent or caregiver you invite can view, and depending on the permissions you grant, edit or delete that child's data.

5. International Data Transfers

We are based in the United States, and our processors (including Google/Firebase, RevenueCat, and SendGrid/Twilio for email delivery) store and process personal data — including child special-category health data and photos — on servers in the United States. If you are in the EEA, UK, or Switzerland, using the App involves transferring your data to a country outside your own.

Where we make such transfers, we rely on appropriate safeguards under Chapter V of the GDPR. We understand that Google, RevenueCat, and Twilio/SendGrid make their services available under data-processing terms that incorporate the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), and that some providers are certified under the EU-US Data Privacy Framework. These are the mechanisms we intend to rely upon for international transfers, and we are confirming each provider's current terms. You can request more information about these safeguards by contacting us at support@tinyfootprints.app.

6. Data Retention

We retain your personal data for as long as your account is active, or as needed to provide the Service, and then delete it as described below. We do not currently apply fixed time-based retention periods for the data we hold directly; instead, retention is tied to your use of the App and your deletion choices:

Some data is retained outside this in-app deletion: invitations you received (keyed to your email) are cleaned up by the inviter or server-side rather than by you; isolated remnants can occasionally remain if a delete operation fails, which we address on request; and analytics, crash, and subscription records held by our processors are subject to those providers' own retention periods and are not erased by in-app account deletion. As an indication, Firebase Analytics event data is retained for a limited period set in our Firebase configuration (commonly up to 14 months by default), Crashlytics crash records are retained for a limited period under Google's defaults, and RevenueCat retains subscription records for as long as needed for billing and tax purposes under its terms. Contact support@tinyfootprints.app if you need help removing residual data.

7. Data Storage & Security

Data is stored on Firebase servers in the United States. We use measures such as encryption in transit, encryption at rest provided by our hosting infrastructure (Firebase), authentication, and server-side access controls, and we use App Check to limit abusive access. We are actively hardening our server-side security rules to enforce strict separation between accounts; until that work is fully verified in production, we do not guarantee that these controls are complete, and no method of storage or transmission is ever completely secure.

8. Automated Decision-Making

The App provides rule-based sleep and feeding guidance (for example, an estimated next nap, bedtime, or next feed). This guidance is calculated on your device using simple, deterministic rules applied to your own recent logs. It is informational only, you decide whether to act on it, and it is not medical advice. It does not make any decision that produces legal or similarly significant effects, so it is not "automated decision-making" within the meaning of Article 22 of the GDPR.

9. Children's Data & Parental Consent

The App is designed for adult parents and guardians to record data about their own child(ren), including newborns and infants. Collecting data about your child is the App's core purpose. The child is the data subject but does not use the App; you provide the child's data and, where the GDPR applies, give explicit consent for processing the child's special-category health data on the child's behalf (Article 9(2)(a)). You are responsible for ensuring you have the authority to provide this data and that doing so is lawful, including where you share a child's profile with a co-parent or caregiver.

The Service is intended for use by adults. Our Terms of Service require the account holder to be at least 13 years old (or the minimum age in your jurisdiction). The age limit applies to the account holder, never to the child whose data is recorded. Separately, the GDPR sets a "digital consent" age for consent-based processing — 16 under the EU GDPR by default, lowered to 13 in the UK and in some EU member states, with variation between 13 and 16. This means that even though our Terms permit account holders aged 13 and over, an account holder who is aged 13 to 15 and located in an EEA/UK jurisdiction whose digital-consent age is higher must have a parent or guardian provide consent before consent-based processing can take place; the 13+ Terms floor does not override the higher GDPR age. We do not knowingly allow under-age account holders to use consent-based features of the App without the required parental consent, and we will delete any such account on request.

You can delete a child's data at any time through the in-app deletion controls described in "Data Retention," and deleting your account is designed to remove the children's data you have stored.

10. Source of Data

Most data we hold about a child is provided by you, the parent or guardian, rather than by the child. If a baby profile is shared with you by another account holder, that child's data originates from that other person's account. Information you import from Apple Health or Health Connect originates from your device with your permission.

11. Your Rights & Choices

All users:

Your EEA/UK Rights (GDPR)

If you are in the EEA, UK, or Switzerland, you have the right to:

We aim to respond to rights requests without undue delay and within one month, which we may extend by up to two further months for complex or numerous requests, in which case we will tell you. (For California requests we respond within the CCPA timeframe.) Access and portability requests made under the GDPR are handled free of charge and are not subject to any in-app paywall; if a feature you need is normally paid, we will fulfil a verified rights request without charge through the support channel.

12. Changes to This Policy

We may update this Privacy Policy. We will post changes in the App and on our website and note the new effective date. We will notify you of significant changes (for example, via an in-app banner).

13. Contact Us

For privacy questions or requests, email support@tinyfootprints.app or write to:

Tiny FootPrints App LLC
Atlanta, GA