← Back

Legal

Privacy Policy

Last updated: March 2026

What We Collect

We collect only what is necessary to provide the service:

  • Account data: email address and encrypted password
  • Baby care data: feeding times, sleep sessions, diaper changes, and growth measurements
  • Preferences: timezone, display units, and theme settings
  • Consent record: timestamp and IP address when you agreed to this policy

How We Use It

Your data is used solely to provide the tracking service to you. We do not use your data for advertising, profiling, analytics beyond what you see in the app, or any other purpose.

Data Sharing

We do not sell, rent, or share your personal data with third parties. Your data is stored on secure infrastructure providers (database and hosting) that process data only on our behalf.

Service Providers

We use a limited number of third-party service providers to operate NapAndNote. Each provider only receives the data strictly necessary for its specific function:

  • Push notification services (Google FCM, Apple APNs, Mozilla push services) — used to deliver push notifications to your devices. These services receive only the notification payload and your device's push endpoint.
  • Resend — used for transactional email delivery (e.g., password resets). Receives only your email address and the email content.
  • Railway — our hosting and data storage infrastructure provider. All application data is processed and stored on Railway's servers.
  • Stripe — used for payment processing for subscription billing. Receives only payment-related information (e.g., card details, billing address). We do not store your full payment card details.

These providers act as data processors on our behalf and are contractually obligated to protect your data and use it only for the purposes described above.

Data Security

All connections are encrypted via TLS. Passwords are hashed using bcrypt. Session tokens are cryptographically random. Cookies are secured with HttpOnly, Secure, and SameSite flags.

Data Retention

We retain your data for the following periods:

  • Account data: retained while your account is active
  • Baby care data: retained while your account is active
  • Sessions: automatically cleaned up (expired sessions are removed hourly)
  • Caregiver invites: expire and are deleted after 30 days if unclaimed

Upon account deletion, all your personal data — including account information, baby care data, preferences, push subscriptions, and feedback — is permanently removed.

Caregiver Invites

When you invite a caregiver to share access to your baby's data, their email address is stored to match the invite when they register. Unclaimed caregiver invites expire and are automatically deleted after 30 days. The invitee's email address is used solely for the purpose of matching the invite and is not used for marketing or any other purpose.

Withdrawing Consent

In accordance with GDPR Article 7(3), you have the right to withdraw your consent at any time. You can withdraw consent by deleting your account through the Account Settings page. When you delete your account, all personal data associated with it is permanently removed. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.

Your Rights

Under GDPR, CCPA, and similar regulations, you have the right to:

  • Access: View all data we hold about you
  • Export: Download a complete copy of your data in JSON format via Settings
  • Deletion: Permanently delete your account and all associated data via Settings
  • Rectification: Edit any of your tracked entries at any time
  • Portability: Export your data and take it to another service

Do Not Sell My Information

We do not sell personal information. We have never sold personal information. Under the California Consumer Privacy Act (CCPA), you have the right to opt out of the sale of your personal information. Since we do not sell data, no opt-out action is needed.

Cookies

We use only essential cookies required for the service to function: session authentication, CSRF protection, theme preference, and timezone. We do not use tracking cookies, analytics cookies, or advertising cookies.

Children's Privacy

This service is intended for parents and caregivers. The baby care data you enter is controlled by you. We do not knowingly collect information from children.

Changes to This Policy

We will notify registered users by email before making material changes to this policy.