Privacy Policy

Last updated: 2025

Our commitment: The privacy and security of your and your child's data is our highest priority. This policy explains how we collect, use and protect your personal data.

1. What Data We Collect

1.1 Account Data

Full name
Email address
Password (encrypted)
Security question and answer (encrypted)

1.2 Baby Data

Baby name
Date of birth
Gender
Baby photos and videos (protected and accessible only through the app)
Growth measurements (weight, height, head circumference)
Developmental milestones
Medical records and notes

1.3 Payment Data

Payment details are processed by Stripe (www.stripe.com)
Stripe complies with PCI-DSS Level 1 and protects your card data
We do NOT store card numbers on our servers
We only keep transaction history

1.4 Technical Data

IP address
Browser and device type
Date and time of access
Cookies (for functionality and security)

1.5 Session Data

Active session monitoring for security
IP address and User Agent for each session
Last activity time
Detection of suspicious session changes (e.g. session hijacking)

2. How We Use Data

We use your data exclusively for:

Service Provision: To allow you to track your baby's development
Account Functions: Creation, management and security of your account
Communication: Sending important notifications and updates
Service Improvement: Usage analysis to improve the application
Payment Processing: Managing subscriptions and payments
Security: Fraud prevention and platform protection

3. How We Protect Data

Security Measures:

Encryption: All data is encrypted in transit (HTTPS/TLS) and at rest (AES-256)
Secure Passwords: Passwords are stored with secure hashing (PBKDF2-SHA256)
Limited Access: Only authorized personnel have access
Regular Backups: Regular backups for protection against loss
Firewall Protection: Protection from malicious attacks
Rate Limiting: Protection from brute-force attacks with request limiting
Security Monitoring: 24/7 monitoring for suspicious activities

3.1 Security Monitoring

Recording failed login attempts
Detection of suspicious activities and brute-force attacks
Automatic logout after suspected session hijacking
Protection from CSRF and XSS attacks

4. Data Sharing

4.1 We Do NOT Sell Your Data

Important: We do not sell, rent or exchange your personal data with third parties for commercial purposes.

4.2 Limited Sharing

We share data only when:

You have given consent: e.g. when you invite family to view the profile
Payment Services: With Stripe for payment processing
Legal Obligation: If required by law or court order
Rights Protection: To protect our or our users' rights

4.3 Service Providers

We work with trusted providers who help us operate the service:

Stripe: Payment processing
Amazon Web Services (AWS): Data storage (photos/videos)

All providers are contractually committed to protecting your data.

4.4 Cloud Storage

Photos and videos are stored on Amazon Web Services (AWS) S3 with encryption and restricted access. Servers are located in the US East region with full compliance with AWS security standards.

5. Your Rights

In accordance with GDPR and legislation, you have the following rights:

Access

Right to see what data we have about you

Correction

Right to correct inaccurate data

Deletion

Right to delete your account and data

Portability

Right to export your data (Premium)

To exercise any of these rights, contact us at support@babyblo.com

6. Shared Access Monitoring

When you use the Shared Access feature to grant access to family members:

6.1 What Data We Collect

Login Date/Time: When the user logged in
Anonymized IP: Partial IP address (e.g. 192.168.xxx.xxx) for security
Device Type: Mobile or Desktop
Activities: What pages/content viewed (photos, milestones etc)
Downloads: What files downloaded

6.2 Why We Collect It

Legal Basis: Legitimate Interest (Article 6(1)(f) GDPR)

We record this information to:

Protect your account from unauthorized access
Show you who has viewed your child's data
Detect suspicious activities

6.3 IP Storage

For security reasons and detection of unauthorized access, we store the IP address of shared access sessions:

✅ Purpose: Detection of suspicious activity and protection of your account
🔒 Protection: Only you (the owner) can see IP addresses
⏱️ Retention: Automatically deleted after 6 months

Note: The full IP is necessary to detect if someone unauthorized has access to your data.

6.4 Data Retention

Sessions and Activities: Automatically deleted after 6 months
Aggregate Statistics: Retained (number of logins, total time) without IP/personal data
Active Sessions: Automatically close after 15 minutes of inactivity

6.5 Your Rights

Access: You can view all shared access history in the Analytics Dashboard
Revocation: You can revoke access at any time from Settings
Deletion: Deleting shared access immediately deletes all related analytics

Note: Shared Access Monitoring protects YOU, not the user you invited. Only YOU see the analytics - not the invited user.

7. Cookies and Tracking

7.1 What are Cookies

Cookies are small text files stored on your device when you visit our website.

7.2 How We Use Cookies

Essential Cookies: For your account functionality (session management)
Session Cookies: Expire after 1 day of inactivity
Remember Me Cookies: Retained for 30 days if you select "Remember me"
Security: We use HttpOnly and SameSite cookies for protection from XSS and CSRF attacks

7.3 Cookie Management

You can control cookies through your browser settings. Note that disabling cookies may affect functionality.

8. Minors Data

Child Protection:

The service is intended for people who care for or monitor a child's development
Baby/child data is protected in the same way as your own
Only you (and those you authorize) have access to your child's data
We do not use children's data for advertising or marketing

9. Data Retention

Active Accounts: We retain your data as long as your account is active
Account Deletion: When you delete your account, all data is permanently and immediately deleted. Nothing is retained
Backups: Backups are created only for active accounts

10. International Transfers

Your files (photos, videos) are stored on Amazon Web Services S3 in the US East region. To protect your data transferred outside the EU, we rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission
AWS security certifications (ISO 27001, SOC 2)
Data encryption in transit and at rest

11. Data Breaches

In case of a security breach affecting your personal data:

We will notify you within 72 hours
We will inform the competent data protection supervisory authorities, in accordance with applicable law
We will take immediate measures to limit the damage
We will inform you of the steps you need to take

12. Third Party Links

Our service may contain links to third-party websites. We are not responsible for the privacy practices of other websites. We encourage you to read the privacy policies of every website you visit.

13. Policy Changes

We may update this privacy policy occasionally. Significant changes will be announced:

With a message in the internal messaging system
On this page with an updated date

Continued use after changes constitutes acceptance of the new policy.

14. Legal Basis for Processing (GDPR)

We process your data based on:

Consent: When you register and use the service
Contract Performance: To provide the service you requested
Legitimate Interest: For improvement and security of the service
Legal Obligation: For compliance with the law (e.g. taxation)

15. Contact & Complaints

Contact for Privacy Issues

For questions about the privacy policy or to exercise your rights:

Email: info@babyblo.com
General Support: support@babyblo.com

Data Protection Authority

You have the right to file a complaint with the:

Competent data protection supervisory authorities, in accordance with applicable law

Our commitment: The security and privacy of your data is in our DNA. We work daily to ensure your and your child's data is protected with the highest standards.