Littles Baby Tracker Privacy Policy

Effective from 25/05/2026 / Last amended 25/05/2026

1. Who We Are

Littles Baby Tracker is operated by Dreams for Littles Ltd ("we", "us", "our"). Our registered address is 18 Tern Road, KY11 8GA, United Kingdom.

We are the data controller for personal data processed through the Littles Baby Tracker application. Our platform API is hosted by DigitalOcean LLC in London, United Kingdom. We also use Supabase for authentication, database, and file storage in the EU, currently Ireland.

For all data protection enquiries, please contact us at: hello@littlesbabytracker.com

2. About This Policy

This Privacy Policy explains how we collect, use, store, and share your personal data when you use the Littles Baby Tracker mobile application and any associated web services (together, "the App"). This policy applies to:

Family users - parents, guardians, and caregivers who use the App to track their baby or child.

Sleep Coach users - sleep coaches and other child health professionals who access the App to support their client families.

We are committed to processing your data lawfully, fairly, and transparently in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable data protection laws worldwide, including the EU GDPR where applicable to EU residents.

3. Data We Collect

3.1 Family Users

  • Account Information

  • Full name and email address

  • Password (stored in encrypted form - we never hold your password in plain text)

  • Country and timezone

  • Child Profile Data

  • Child's full name

  • Date of birth

  • Gender (optional)

  • Feeding method - breast, formula, or combination (optional)

  • Tracking Data (Special Category Data)

  • The tracking data listed below relates to child health and wellbeing. This data is classified as special category data under UK GDPR and is processed only with your explicit consent, given separately and clearly at the point of collection.

  • Sleep sessions: start and end times, duration, sleep location and type

  • Feeding records: type (breast, bottle, solid food), volume, duration, and side (breastfeeding)

  • Nappy and diaper changes: time, type, and any notes

  • Allergy and reaction logs: food or substance, reaction type and severity, date and time

  • Structured reintroduction protocol tracking: stages completed, dates, and outcome notes (for example, milk ladder or CMPA reintroduction protocols)

  • General notes and observations you choose to add

  • Photos attached to records (if you choose to add them)

  • Payment Information

  • Payment card details are not stored by us. In-app subscription payments are processed by Apple App Store or Google Play Billing, depending on where you subscribed. RevenueCat, Inc. is used to manage subscription status, receipt validation, and entitlement access. We retain only the subscription and billing information needed to administer your account, such as subscription status, entitlement status, receipt or transaction references, store identifiers, and billing dates.

  • Technical and Device Data

  • Device type, operating system, and version

  • App version

  • Approximate location derived from IP address (not GPS location)

  • Server logs and limited diagnostic information needed to investigate bugs, maintain security, and improve reliability

  • Store-provided crash reports and aggregated or anonymised statistics that cannot identify any individual or child

3.2 Sleep Coach Users

  • In addition to account information such as name, email address, and password, we collect:

  • Your business name and logo, if you choose to upload one

  • The client family profiles you are linked to, following the family's acceptance of your invite code, invitation link, or email invitation

  • Coach invitation, access, and activity logs in relation to linked client accounts, retained for security, support, and audit purposes

  • The date, time, and version of the Coach Terms of Use you accept before using coach features. Linked coaches can view and, where permitted, add, edit, or delete linked family baby and activity records for the purpose of providing support and helping correct records.

4. Legal Basis for Processing

  • Under UK GDPR, we rely on the following lawful bases for processing your personal data:

  • Contractual necessity (Article 6(1)(b)): To provide the core features of the App, including creating accounts, storing tracking records, managing subscriptions, and providing coach features where requested.

  • Legitimate interests (Article 6(1)(f)): To improve the App, prevent fraud, maintain security, investigate technical issues, and send service communications. We carefully balance these interests against your rights.

  • Legal obligation (Article 6(1)(c)): To comply with applicable laws including tax, financial record-keeping, and regulatory obligations.

  • Explicit consent for special category data (Article 6(1)(a) and Article 9(2)(a)): All child health tracking data is processed only on the basis of your explicit, freely given, separately obtained consent. You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

5. How We Use Your Data

  • To create and manage your account

  • To deliver core tracking features: logging, storing, and displaying records

  • To enable pattern analysis and insights screens, where available as a subscription feature

  • To enable sleep coach access where a family has actively accepted an invitation or entered a coach access code

  • To process in-app subscriptions through Apple App Store / Google Play Billing and manage subscription entitlements through RevenueCat

  • To send service communications, including account confirmation, password resets, subscription notices, and support messages

  • To send optional product updates and announcements, where you have opted in or where permitted by law; you can unsubscribe at any time

  • To investigate and resolve technical issues and support requests

  • To detect and prevent fraud, abuse, and security incidents

  • To produce anonymised, aggregated statistics that cannot identify any individual or child

  • To comply with legal obligations

6. Coach Access Provisions

The App includes an optional feature allowing families to link with a sleep coach for professional support. This works as follows:

  • A coach may invite a family by generating a unique access code, sending an invitation link, or sending an email invitation through the App.

  • The family must actively accept the invitation or enter the access code before any coach access is granted. Coach access is never automatic.

  • Linked coaches can view and, where permitted, add, edit, or delete a linked family’s baby and activity records for the purpose of providing sleep support, helping correct records, and delivering the agreed coaching service.

  • Families can revoke coach access at any time from within App settings. Revocation takes immediate effect within the App, meaning the coach will no longer be able to view or amend that family’s records through the App.

  • Revocation does not affect any lawful processing already carried out before access was revoked, or any information the coach already holds outside the App as part of their own coaching service.

  • Coach access changes and coach edits are logged with timestamps for security, support, and audit purposes.

  • Coaches are required to accept our Coach Terms of Use before using coach features. We record the date, time, and version of the Coach Terms accepted.

  • Coaches must handle family data in accordance with their professional obligations, our Coach Terms of Use, and applicable data protection law.

  • Where a sleep coach uses the App commercially as part of a service to clients, the coach may act as an independent data controller for information they process in connection with their own coaching service. Families should refer to their coach’s own privacy policy for information about how the coach handles data outside of the App.

7. How We Share Your Data

We do not sell, rent, or share your personal data with third parties for marketing purposes. We may share data in the following limited circumstances:

7.1 Subprocessors and Service Providers

We use the following third-party providers to deliver the App and associated services. We assess them for compliance with applicable data protection law and, where appropriate, use data processing agreements or equivalent contractual safeguards.

DigitalOcean LLC; Supabase - Platform API hosting and server logs; authentication, database, and file storage - United Kingdom (London); EU, currently Ireland

Apple App Store / Google Play Billing; RevenueCat, Inc.

In-app subscription payment processing; subscription management, receipt validation, and entitlement status

Global / relevant app store regions; United States

MailerLite- Website forms, mailing list, and email communications - EU / Netherlands

Firebase Cloud Messaging / Google; app store diagnostic services, where enabled by the user

Push notification delivery; store-provided crash and diagnostic reports

Global; Apple/Google processing locations

7.2 International Data Transfers

Our platform API is hosted in London, UK, and our authentication, database, and file storage are hosted in the EU, currently Ireland. Some providers we use are based in, or may process data from, the United States or other locations. Where we transfer personal data outside the UK or EEA, we ensure appropriate safeguards are in place where required, including:

The International Data Transfer Agreement (IDTA) or UK Addendum for UK to non-adequate country transfers, where applicable

Standard Contractual Clauses (SCCs), where applicable

Adequacy decisions, where the destination country has been deemed adequate by the UK or EU

If you are an EU resident, transfers to the UK are currently protected by the EU's adequacy decision for the UK. EU residents' rights under EU GDPR are fully respected.

7.3 Legal Disclosure

We may disclose your data where required by law, court order, or regulatory authority, or where necessary to protect the safety of any person or to prevent fraud or abuse.

7.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.

8. Children's Privacy

Littles Baby Tracker is designed exclusively for use by parents, guardians, and caregivers who are 18 years of age or older. The App is not intended to be used directly by children.

We collect data about babies and children only as provided by an adult account holder. We do not knowingly collect personal data directly from children.

Child health data- including sleep records, feeding logs, allergy and reaction records- is special category data under UK GDPR. We treat this data with the highest level of care and process it only on the basis of explicit adult consent.

If you believe we have inadvertently collected data about a child without appropriate parental authority, please contact us immediately at hello@littlesbabytracker.com. We will delete it promptly.

9. Data Retention

Account data: Retained while your account is active and for 6 years after closure to comply with UK tax and accounting obligations.

Child tracking data: Retained while your account is active. On account deletion, child data is deleted within 30 days, unless another authorised user (e.g. a co-parent) retains access to that child's profile.

Payment and subscription records: Retained for 7 years where required for HMRC, accounting, refund, or dispute purposes.

Coach access logs, coach edit logs, and Coach Terms acceptance records: Retained for 12 months after access is revoked, unless a longer period is required for legal, security, audit, or dispute purposes.

Anonymised aggregated data: May be retained indefinitely, as it cannot identify any individual.

You can request deletion of your account and all associated personal data at any time. See Section 10 for your full rights.

10. Your Rights Under UK GDPR

You have the following rights in relation to your personal data. These rights also apply to EU residents under EU GDPR:

Right of access: Request a copy of all personal data we hold about you (a Subject Access Request).

Right to rectification: Ask us to correct inaccurate or incomplete data.

Right to erasure: Ask us to delete your personal data, subject to certain legal exceptions.

Right to restrict processing: Ask us to limit how we use your data in certain circumstances.

Right to data portability: Request your data in a structured, machine-readable format (e.g. JSON).

Right to object: Object to processing based on legitimate interests.

Right to withdraw consent: Where processing is based on consent (including all special category data), you may withdraw it at any time.

Rights related to automated decision-making: We do not use automated decision-making or profiling that produces significant effects on you.

To exercise any of these rights, contact us at hello@littlesbabytracker.com. We will respond within one calendar month and may need to verify your identity first.

You have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: https://ico.org.uk/make-a-complaint

Helpline: 0303 123 1113

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

EU residents may also lodge a complaint with their local data protection supervisory authority.

11. Security

We implement appropriate technical and organisational security measures, including:

Encryption of data in transit using TLS 1.2 or higher

Provider-supported encryption at rest for databases, storage, backups, and infrastructure where available

Strict role-based access controls- staff access to personal data is limited to operational necessity

Audit logs for coach access changes and coach edits; regular security assessments

A 72-hour breach assessment and notification procedure to the ICO in the event of a reportable personal data breach

No method of transmission or storage is 100% secure. If you believe your account has been compromised, please contact us immediately and change your password.

12. Cookies and Tracking

The Littles Baby Tracker mobile app does not use advertising cookies or third-party behavioural analytics tools. We may use:

Session authentication tokens to keep you logged in

Push notification tokens if you enable notifications; server logs, limited technical diagnostics, and store-provided crash reports to investigate bugs, maintain security, and improve reliability

Any associated marketing website operates under a separate Cookie Policy, which will be made available on that site.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify you by in-app notification or email at least 14 days before they take effect. Continued use of the App after that date constitutes acceptance of the updated policy.

14. Contact Us

Email: hello@littlesbabytracker.com

ICO Registration Number: ICO:00013036106