Privacy Policy

Last updated: July 15, 2026

Introduction

BabyStamp ("we", "our", or "the Service") explains in this Privacy Policy how information is processed when users use our baby care tracking application ("Service"). This Privacy Policy applies to both the iOS and Android versions of BabyStamp. Where data processing differs by platform, this is indicated explicitly.

This Privacy Policy is provided in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Korean Personal Information Protection Act ("PIPA"), and other applicable data protection laws.

BabyStamp is designed to be fully usable without logging in, and data storage, synchronization, and sharing methods vary depending on whether the user is logged in, which platform the user is on, and which features the user chooses to use.

Data Controller

MoonshotWorks Team · Country: Republic of Korea · Email: support@moonshotworks.net

For inquiries related to data protection or privacy, please contact us at the email address above.

As the Republic of Korea has received an adequacy decision from the European Commission (as of December 2021), a separate EU representative under Article 27 GDPR is not required at this time. Should this status change, we will update this section accordingly.

Legal Bases for Processing

We process personal data based on the following legal grounds under Article 6(1) GDPR:

Processing ActivityLegal Basis
Account sign-in (Sign in with Apple / Google)Contract performance — necessary to create and identify the account used for synchronization
Baby care record sync (logged-in users)Contract performance — necessary to provide the core synchronization service the user has signed up for
Data sharing between usersConsent — initiated and controlled entirely by the user
Diary sync via iCloud (iOS)Contract performance — necessary to provide the diary feature; processed entirely by Apple
Diary cloud backup (Android, optional)Contract performance — necessary to provide the optional diary backup feature the user explicitly enables
Purchase and subscription management (RevenueCat)Contract performance — necessary to validate and manage Pro purchases and subscriptions
Personalized advertising (Google AdMob)Consent — collected via the platform consent mechanism (App Tracking Transparency on iOS; Google UMP consent dialog on both platforms)
Non-personalized advertising (Google AdMob)Legitimate interest — to sustain the free version of the Service, balanced against the minimal data processing involved
Crash reports (Firebase Crashlytics)Legitimate interest — to maintain app stability and fix critical errors
App analytics (Firebase Analytics; Amplitude on iOS)Legitimate interest — to understand usage patterns and improve the Service; mitigated by anonymization
Push notificationsConsent — enabled only when the user grants device-level permission
In-app inquiries (customer support)Contract performance — necessary to receive your support request and reply to you. Any health-related details you choose to include in the free-text message are provided voluntarily by you (Article 9(2)(a) GDPR — explicit consent through your own submission)

Information We Process

1. Account Information (Logged-in Users)

Types of Data

  • Account identifier (user ID) issued by our authentication service
  • The email address associated with your sign-in provider account (Sign in with Apple or Google Sign-In), stored by our authentication service solely to identify your account

Storage

  • Account information is processed through Supabase Auth, a third-party backend service
  • We do not use your email address for marketing or share it with third parties

Retention Period

Retained for the duration of the user's account. Deleted within 30 days of account deletion, except where retention is required by applicable law.

2. Baby Care Records (Logged-in Users · Account-Based Sync)

Types of Data

  • Baby care records such as feeding, sleep, diapers, growth, pumping, and solid food
  • Images attached to the above records

Storage and Synchronization

  • Only for logged-in users, these data are processed through Supabase, a third-party backend service
  • Data are stored under and associated with the user's account (ID) and synchronized across multiple devices logged in with the same account
  • For users who are not logged in, all baby care records are stored only on the device and are not transmitted to any server
  • Supabase is a third-party data processor engaged under a Data Processing Agreement (DPA) and is not permitted to use data for purposes other than providing the Service

Retention Period

Data are retained for the duration of the user's account. Upon account deletion, all associated data are deleted within 30 days, except where retention is required by applicable law.

3. Data Sharing Between Users (Supabase · Optional)

  • Logged-in users may invite other users (such as family members or caregivers) to share baby care records
  • Sharing occurs only upon the user's explicit request and consent
  • Shared data are accessible only to invited accounts
  • We do not arbitrarily determine sharing recipients or scopes
  • Users may revoke sharing at any time, and access permissions are removed immediately

This feature constitutes user-initiated data sharing, not third-party data disclosure.

4. Diary Records (Optional)

Types of Data

  • Baby diary entries created by the user
  • Images attached to diary entries

Storage and Synchronization — iOS

  • On iOS, diary data are synchronized only through the user's personal iCloud account, regardless of login status
  • Data are stored using Apple's CloudKit infrastructure
  • We cannot access, view, or modify diary data stored in iCloud
  • Users may disable synchronization or delete diary data at any time via iCloud settings
  • If Apple Family Sharing is enabled, diary data may be shared within Apple's supported scope
  • Diary data on iOS are not stored, synchronized, or shared via Supabase

Storage and Synchronization — Android

  • On Android, diary data are stored on the device by default
  • Logged-in users may optionally enable diary cloud backup; when enabled, diary entries and attached images are backed up to Supabase under the user's account
  • Diary backup on Android is off by default and activates only upon the user's explicit opt-in
  • Users may disable backup and delete the cloud copy at any time from within the app
  • Backed-up diary data are accessible only to the user's own account and are not included in family sharing

Retention Period

  • iOS: Diary data are retained in the user's iCloud account until the user deletes them. We have no control over iCloud data retention.
  • Android: Backed-up diary data are retained until the user deletes the cloud backup or deletes their account. Upon account deletion, backed-up diary data are deleted within 30 days.

5. Purchase and Subscription Information (RevenueCat)

We use RevenueCat, a third-party subscription management service, to validate and manage BabyStamp Pro purchases:

  • Processed data include purchase receipts/tokens issued by the App Store or Google Play, an app-generated user identifier, device type, and subscription status
  • RevenueCat does not receive your name, email address, or baby care records
  • Payment itself is processed by Apple (App Store) or Google (Google Play); we never receive your payment card details

Retention Period

Purchase records are retained as long as necessary to provide Pro entitlements and to comply with legal obligations regarding transaction records.

6. App Settings Information

The following information may be stored locally on the device or processed via backend services:

  • Selected baby profiles
  • Timer states and notification settings
  • Premium (Pro) purchase status

Retention Period

Stored locally on the device until the app is uninstalled or data is manually cleared by the user.

7. Advertising (Free Users)

For users on the free plan, advertisements are displayed via Google AdMob:

  • The device advertising identifier (IDFA on iOS; Google Advertising ID on Android) is used for personalized advertising only if the user provides consent through the applicable consent mechanism — App Tracking Transparency (ATT) and the Google UMP consent dialog on iOS, or the Google UMP consent dialog on Android
  • If consent is not provided, only non-personalized ads are shown
  • Ads are completely removed for BabyStamp Pro subscribers

Users may withdraw advertising consent at any time:

  • iOS: Settings > Privacy & Security > Tracking, or by resetting the advertising identifier
  • Android: Settings > Google > Ads (delete or reset the advertising ID), or via the privacy options form within the app

Retention Period

Advertising data is managed by Google AdMob in accordance with Google's privacy policy and retention schedules.

8. App Analytics and Crash Reports

We use the following services to improve app quality and stability:

Firebase Crashlytics (iOS and Android)

  • Collects technical information such as device model, OS version, app version, and crash stack traces
  • Does not include information that directly identifies users

Firebase Analytics (iOS and Android)

  • Collects anonymized usage statistics such as sessions, screen views, and DAU

Amplitude Analytics (iOS only)

  • Collects anonymized usage statistics such as feature usage patterns and screen views
  • For logged-in users, events are associated with an anonymous user ID (not linked to name or email)
  • Advertising personalization signals and advertising identifier collection are disabled for analytics purposes
  • The Android version of BabyStamp does not use Amplitude

Retention Period

  • Crashlytics data: retained for 90 days
  • Firebase Analytics data: retained for 14 months (default retention setting)
  • Amplitude data: retained in accordance with Amplitude's data retention policy

9. Device Permissions

We request the following permissions only when necessary:

  • Camera (iOS): To take photos for solid food or diary entries
  • Photos: To attach existing images — via Photo Library access on iOS, or the system photo picker on Android (the Android photo picker grants access only to the individual images you select, without any broad storage permission)
  • Notifications: To send feeding, sleep, or other reminders

10. Inquiries (In-App Customer Support)

When you send us an inquiry from within the app, we process the following. This feature is available whether or not you are logged in.

Types of Data

  • The reply-to email address you enter — required, so that we can answer you. This may be an address you type in and is not necessarily the email associated with a sign-in provider account
  • The category and free-text content of your message. You control what you write; if you describe a problem involving your child, the message may contain your child's name or health-related details
  • Screenshots you choose to attach (up to 3)
  • Technical diagnostics attached automatically and shown to you before you send: app version and build, OS version, device model, language, whether you are logged in, whether you have a Pro subscription, and the number of baby profiles registered
  • A one-way salted hash of your device identifier and of the network address the request came from, used solely to rate-limit abuse. The original values are not stored

Storage and Processing

  • Inquiries are stored in Supabase, and attached screenshots in Supabase Storage
  • A notification containing your message is sent to our support mailbox via Resend, an email delivery service, so that we can read and reply to it. Attached screenshots are included as links that expire after 7 days
  • Our support mailbox is hosted on Apple iCloud Mail
  • We reply to you by email. We do not use the address you provide for marketing, and we do not share it with third parties for their own purposes

Retention Period

  • Inquiries and attached screenshots are deleted automatically 1 year after submission, whether or not you are logged in
  • If you delete your account, inquiries linked to that account — and their attachments — are deleted along with it
  • Because an inquiry sent while logged out is not linked to any account, we cannot identify it from a device alone. To access or delete such an inquiry earlier, contact us from the reply-to email address you used, quoting the inquiry number shown when you sent it
  • A copy of the notification remains in our support mailbox and in Resend's delivery logs; these are retained for the same 1-year period and are then deleted

Please do not include information you would not want us to read. We only need enough detail to understand and fix your problem.

Information We Do NOT Collect

We do not collect:

  • Your name or phone number
  • Any email address other than (a) the sign-in provider email described in Section 1, stored only when you choose to log in and used only for account identification, and (b) the reply-to address you enter when you send us an inquiry, as described in Section 10
  • Location data
  • Device fingerprinting data
  • Sensitive personal profile information, except for any details you voluntarily include in the free-text message of an inquiry (Section 10)
  • Advertising identifiers without user consent

How We Use Information

Processed information is used solely for the following purposes:

  • Displaying and managing baby care records
  • Providing account-based data synchronization and user-to-user sharing features
  • Providing optional diary synchronization (iOS) or diary cloud backup (Android)
  • Validating and managing Pro purchases and subscriptions
  • Generating insights based on baby care patterns
  • Providing on-device AI-based features
  • Sending user-configured notifications
  • Displaying advertisements to free-tier users
  • Receiving and responding to inquiries you send us
  • Improving service stability and functionality

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on users.

International Data Transfers

BabyStamp is operated from the Republic of Korea. When you use our Service, your data may be transferred to and processed in the following jurisdictions:

ServiceProvider LocationTransfer Safeguard
SupabaseUnited StatesStandard Contractual Clauses (SCCs) under Supabase DPA
Google AdMob / FirebaseUnited StatesStandard Contractual Clauses (SCCs) under Google Data Processing Terms
RevenueCatUnited StatesStandard Contractual Clauses (SCCs) under RevenueCat DPA
Amplitude (iOS only)United StatesStandard Contractual Clauses (SCCs) under Amplitude DPA
ResendUnited StatesStandard Contractual Clauses (SCCs) under Resend DPA
Apple iCloud (iOS diary sync; support mailbox)Various (Apple data centers)Apple's compliance with SCCs and applicable data protection commitments

The Republic of Korea has received an adequacy decision from the European Commission, meaning transfers from the EU/EEA to Korea are permitted without additional safeguards.

For transfers to the United States and other jurisdictions, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission, as incorporated in our agreements with each data processor.

Data Storage and Security

Supabase (Logged-in Users)

  • Access restricted through authenticated user accounts
  • Encryption applied during transmission (TLS) and at rest
  • Data use limited strictly to service operation purposes under a Data Processing Agreement

iCloud (Diary Data · iOS)

  • Stored using Apple CloudKit infrastructure
  • Encrypted during transmission and at rest
  • Accessible only through Apple ID authentication
  • We do not have access to iCloud-stored data

Third-Party Services (Data Processors)

ServicePurposePlatformPrivacy Policy
Apple iCloudDiary synchronization; hosting of our support mailboxiOS · Androidhttps://www.apple.com/legal/privacy/
SupabaseLogin, sync, sharing, diary backup (Android), and inquiry storageiOS · Androidhttps://supabase.com/privacy
ResendDelivering inquiry notifications to our support mailboxiOS · Androidhttps://resend.com/legal/privacy-policy
RevenueCatPurchase and subscription managementiOS · Androidhttps://www.revenuecat.com/privacy
Google AdMobAdvertisingiOS · Androidhttps://policies.google.com/privacy
FirebaseCrashlytics & AnalyticsiOS · Androidhttps://firebase.google.com/support/privacy
AmplitudeAnalyticsiOShttps://amplitude.com/privacy

These third-party services act as data processors on our behalf and are bound by contractual obligations to process data only as instructed by us and in compliance with applicable data protection laws.

Children's Privacy

BabyStamp does not knowingly collect personal information directly from children under the age of 13 (or 16, where applicable under local law).

All baby-related information is entered and managed by parents or legal guardians. The baby care data recorded in the app relates to the child but is provided and controlled entirely by the parent or guardian.

Your Rights

Under the GDPR and other applicable data protection laws, you have the following rights regarding your personal data:

  • Right of Access — Request a copy of the personal data we hold about you
  • Right to Rectification — Request correction of inaccurate or incomplete data
  • Right to Erasure (“Right to be Forgotten”) — Request deletion of your personal data, subject to legal retention obligations
  • Right to Restriction of Processing — Request that we limit how we use your data in certain circumstances
  • Right to Data Portability — Receive your data in a structured, commonly used, machine-readable format, or request transfer to another controller
  • Right to Object — Object to processing based on legitimate interests, including for direct marketing purposes
  • Right to Withdraw Consent — Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing
  • Right to Lodge a Complaint — You have the right to lodge a complaint with a supervisory authority. If you are in the EU/EEA, you may contact your local Data Protection Authority. In the Republic of Korea, you may contact the Personal Information Protection Commission (PIPC).

To exercise any of these rights, please contact us at support@moonshotworks.net. We will respond to your request within 30 days.

Changes to This Policy

If this Privacy Policy is updated:

  • The “Last updated” date will be revised
  • Significant changes will be communicated through in-app notices
  • Where required by law, we will obtain your consent before applying material changes that affect how your data is processed

Contact Us

MoonshotWorks Team · Email: support@moonshotworks.net · Country: Republic of Korea

For data protection inquiries or to exercise your rights, please contact us at the email address above.