Privacy Policy
Last updated: April 2026
1. Who we are
Applulu ("we", "our", "us") operates Baby Tracker Lulu, a mobile app for tracking baby care activities. This Privacy Policy explains what personal data we collect, why, who we share it with, and the rights you have. Contact: info@applulu.com Representative in the EU (Art. 27 GDPR): info@applulu.com
2. Data we collect
2.1 Account data — email address, hashed password, date of account creation. 2.2 Baby profile data — child's first name (or nickname), date of birth, gender (optional), profile photo (optional), parent-entered notes. You enter this data; we store it. 2.3 Activity logs — feeding, sleep, diaper, skill, outing, tooth, vaccination, temperature, medicine, and growth records you enter. 2.4 Health data (special category — GDPR Art. 9) — medicine records, temperature readings, vaccination records, and growth measurements are health-related information about your child. We process this data only with your explicit consent captured at signup (Art. 9(2)(a)). 2.5 Caregiver sharing — if you invite another caregiver, we store their email (hashed) and role until they accept. 2.6 Subscription data — if you purchase a subscription, RevenueCat stores your pseudonymous Supabase user UUID alongside purchase state. We do not receive card details. 2.7 Device data — we do NOT collect device identifiers, advertising IDs, precise or approximate location, contacts, or analytics events. We do NOT use third-party analytics or advertising SDKs.
3. Legal basis for processing (GDPR)
• Contract (Art. 6(1)(b)) — to operate the App and provide the service you signed up for. • Consent (Art. 6(1)(a) + Art. 9(2)(a)) — for health-related data (medicines, temperature, vaccinations, growth) captured at signup. • Legitimate interest (Art. 6(1)(f)) — fraud prevention, security, debugging. • Legal obligation (Art. 6(1)(c)) — to respond to lawful requests from authorities. You can withdraw consent at any time by revoking health-data consent in Settings, deleting individual entries, or deleting your account. Withdrawal does not affect processing that already took place.
4. How we use your data
• Store, back up, and sync your entries across your devices and invited caregivers. • Generate personalised, non-medical tips based on the data you enter (Smart Advice system — runs on your device, no profiling exported). • Send operational emails (account verification, security notifications). • Send local push notifications on your device (reminders). We do NOT run remote marketing push campaigns. • Investigate abuse, comply with lawful requests, and enforce our Terms. We do NOT profile you for advertising. We do NOT sell your data. We do NOT use your baby's data to train machine-learning models.
5. Who we share data with
We share only the minimum necessary with: • Supabase (hosting database + authentication) — located in the EU / US depending on your region. Data is encrypted in transit (HTTPS) and at rest. • RevenueCat (subscription management) — receives your Supabase user UUID and purchase receipts only. No health or baby data. • Apple / Google — receive purchase receipts directly from the device during in-app purchases. • Caregivers YOU invite — gain read or read+write access to the babies you share with them, according to the role you assigned. We do NOT share data with advertisers, data brokers, or analytics companies.
6. International transfers
If you are in the EU / UK and your data is stored in a US-region Supabase cluster, transfers rely on Standard Contractual Clauses (SCCs) between us and Supabase, plus Supabase's technical measures (encryption, access control). You can request that your data be migrated to an EU-region cluster by contacting info@applulu.com.
7. How long we keep data
• Active accounts — we keep your data as long as the account is active. • Deleted entries (soft delete) — kept for 30 days in a "Recently Deleted" trash, then permanently removed. • Deleted accounts — we remove all personal data within 30 days of your delete request. Backups are purged within 90 days. • Subscription / billing records — retained as required by tax / accounting law (usually 7 years), purchase receipts only, no baby data.
8. Your rights
Under GDPR / UK GDPR / LGPD / CCPA / CPRA you have the right to: • Access the data we hold about you (Settings → Export data — generates a complete CSV / JSON archive). • Rectify inaccurate data (edit entries directly, or email info@applulu.com). • Delete your data ("right to be forgotten") — Settings → Delete account. • Restrict or object to processing. • Data portability — the export archive meets the portability requirement. • Withdraw consent at any time (revoke health-data consent in Settings, delete individual entries, or delete the account). • Lodge a complaint with your local data-protection authority (EU DPAs, UK ICO, Brazil ANPD, California AG). We respond to verified requests within 30 days (GDPR) or 45 days (CCPA).
9. Children's privacy
Baby Tracker Lulu is designed for PARENTS AND CAREGIVERS (adults) to log information about THEIR children. The App is NOT directed to children under 13 (US COPPA) / under 16 (EU GDPR). If you are a parent or caregiver, you are the data controller of your child's information stored in the App. We process this data as your processor, under your instructions. If you believe we have received data directly from a child under 13, please contact info@applulu.com and we will delete it.
10. Security
• All network traffic uses HTTPS with TLS 1.2+. • Passwords are hashed with bcrypt. We never see or store plaintext passwords. • Database access is restricted by Row-Level Security (RLS) — caregivers can only see babies they've been invited to. • Service access to your account is limited to a small number of engineers on a break-glass basis for production incident response, with audit logs. No system is 100% secure. If you suspect your account is compromised, change your password and email info@applulu.com immediately.
11. Cookies and tracking
The App does not use cookies, web beacons, pixels, or similar tracking technology. There are no third-party analytics or advertising SDKs in the App. The website (applulu.com) uses only strictly-necessary session storage; no marketing or analytics cookies.
12. Changes to this policy
We may update this Privacy Policy. Material changes will be notified in-app (a one-time dialog on next open) and by email. Continued use of the App after a change constitutes acceptance. The "last updated" date at the top of this document reflects the most recent change.
13. Contact
Privacy questions, rights requests, or complaints: info@applulu.com EU representative (Art. 27 GDPR): info@applulu.com