Privacy Policy

Last updated: August 2025

1. Information We Collect

We collect information you provide directly to us, such as when you create an account, subscribe to our service, or contact us for support.

Personal Information

  • Email address (required for account creation)
  • Password (encrypted and securely stored)
  • Family preferences (family size, dietary restrictions)
  • Meal plan selections and preferences
  • Payment information (processed securely through Stripe)

Usage Information

  • Pages visited and features used
  • Time spent on the service
  • Device and browser information
  • IP address and general location data

2. How We Use Your Information

Legal Basis for Processing (EU Users)

We process your personal data based on the following legal grounds:

  • Contract Performance: To provide our meal planning service and process payments
  • Legitimate Interest: To improve our service, prevent fraud, and ensure security
  • Consent: For marketing communications (you may withdraw consent anytime)
  • Legal Obligation: To comply with tax, accounting, and regulatory requirements

We use the information we collect to:

  • Provide and maintain our meal planning service
  • Personalize meal plans based on your preferences
  • Process payments and manage subscriptions
  • Send you weekly meal plans and service updates
  • Respond to your comments, questions, and support requests
  • Improve our service and develop new features
  • Comply with legal obligations
  • Conduct food safety validation and analysis (detailed below)

Food Safety Data Processing

Legal Basis: Processing is necessary for our legitimate interests in providing safe meal recommendations and complying with food safety regulations, balanced against your privacy rights.

We process the following information for food safety validation:

  • Recipe Generation Data: AI-generated recipes are analyzed for food safety risks using automated systems
  • Safety Validation Records: Results of automated safety analysis and professional review decisions
  • User Safety Interactions: Your viewing and acknowledgment of food safety disclaimers and warnings
  • Professional Review Access: Certified food safety experts may review recipes and validation results for quality assurance
  • Audit Trail Information: Comprehensive logs of all safety validation activities for regulatory compliance

Professional Food Safety Review

Important: Our certified food safety professionals may review:

  • AI-generated recipes flagged by our safety systems
  • Validation system performance and accuracy
  • User-reported safety concerns or incidents
  • Anonymized usage patterns to improve safety systems

Professional reviewers are bound by strict confidentiality agreements and have access only to information necessary for food safety validation. Personal information is pseudonymized where possible to protect your privacy.

3. Information Sharing and Disclosure

We do not sell, trade, or otherwise transfer your personal information to third parties, except in the following circumstances:

Service Providers

We work with trusted third-party service providers who assist us in operating our service:

  • Supabase: Database hosting and user authentication
  • Stripe: Payment processing and subscription management
  • Resend: Email delivery service
  • Vercel: Web hosting and content delivery

International Data Transfers

For EU users: When we transfer your personal data to service providers located outside the European Economic Area (EEA), including the United States, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs): We use EU Commission-approved Standard Contractual Clauses with all non-EEA service providers
  • Adequacy Decisions: We rely on European Commission adequacy decisions where applicable
  • Additional Safeguards: Technical and organizational measures including encryption, access controls, and regular security assessments

Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities.

4. Data Security

We implement appropriate security measures to protect your personal information:

  • All data transmission is encrypted using SSL/TLS
  • Passwords are hashed and securely stored
  • Database access is restricted with row-level security
  • Regular security updates and monitoring
  • Payment information is handled by PCI-compliant Stripe

5. Your Privacy Rights

General Rights

  • Access: Request a copy of your personal data within 30 days
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data (subject to legal retention requirements)
  • Portability: Receive your data in a structured, machine-readable format
  • Restriction: Limit how we process your data in certain circumstances
  • Objection: Object to processing based on legitimate interests

GDPR Rights (EU Residents)

  • Right to withdraw consent for marketing communications
  • Right to lodge a complaint with your local data protection authority
  • Right to object to automated decision-making (if applicable)

Supervisory Authority (EU Users)

If you are located in the European Union and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local supervisory authority. You can find your local data protection authority contact information at:

California Privacy Rights (CCPA)

  • Right to know what personal information is collected and how it's used
  • Right to delete personal information (subject to exceptions)
  • Right to opt out of the sale of personal information (we do not sell data)
  • Right to non-discrimination for exercising privacy rights

To Exercise Your Rights: Contact us at privacy@babywhatnow.com with your request and account information.

6. Cookies and Tracking Technologies

Types of Cookies We Use

  • Essential Cookies: Required for login, security, and basic functionality (cannot be disabled)
  • Analytics Cookies: Vercel Analytics for usage patterns (privacy-focused, no personal identification)
  • Preference Cookies: Remember your meal plan settings and dashboard preferences
  • Local Storage: Shopping list checkboxes and user interface preferences

Third-Party Cookies

  • Stripe: Payment processing and fraud prevention
  • Supabase: Authentication and session management
  • Vercel: Performance monitoring and analytics

Managing Cookies: You can control cookies through browser settings, but disabling essential cookies may impair service functionality. Analytics cookies can be disabled without affecting core features.

7. Children's Privacy

While our service provides meal plans for families with toddlers, we do not knowingly collect personal information from children under 13. Our service is designed for use by parents and caregivers who are 18 years or older.

8. International Users and Cross-Border Data Transfers

Data Processing Locations

Our service is hosted in the United States. If you are accessing our service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located.

EU Users - Cross-Border Transfer Protections

For users located in the European Economic Area (EEA), United Kingdom, or Switzerland:

  • Legal Framework: We transfer your personal data to the United States based on Standard Contractual Clauses approved by the European Commission
  • Additional Safeguards: We implement supplementary measures including strong encryption, access controls, and regular security assessments
  • Data Controller Status: We act as the data controller for your personal information under GDPR
  • Processor Agreements: All our US-based service providers have executed Data Processing Agreements with appropriate safeguards

Canadian Users (PIPEDA)

For Canadian users, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and ensure that cross-border data transfers maintain equivalent protection standards.

9. Data Retention

We retain your personal information according to the following schedule:

Account Data

  • Active accounts: Retained while account is active plus 90 days after cancellation
  • Cancelled accounts: Personal data deleted within 30 days of cancellation request
  • Legal compliance data: Retained for 7 years as required by tax and financial regulations

Specific Data Types

  • Email preferences: Until you unsubscribe or account deletion
  • Usage analytics: Anonymized after 24 months
  • Payment records: 7 years for tax compliance
  • Support communications: 3 years for service improvement
  • Food safety validation records: 7 years for regulatory compliance
  • Professional safety reviews: 10 years for professional liability requirements
  • Safety interaction records: 7 years (anonymized after 3 years)

Deletion Process

Account deletion permanently removes your personal data within 30 days, except for:

  • Legal compliance requirements (tax records, fraud prevention)
  • Anonymized analytics data (personally identifiable information removed)
  • Data stored by third-party processors (deleted according to their retention policies)
  • Food safety compliance records (anonymized to remove personal identification while preserving regulatory compliance)

Right to Erasure and Food Safety Records

Special Notice for EU and California Residents: While we honor your right to erasure (GDPR Article 17) and deletion (CCPA), food safety validation records must be retained for regulatory compliance. When you request deletion:

  • Your personal information is immediately deleted from active systems
  • Food safety audit trails are anonymized using irreversible pseudonymization
  • No personal identification remains possible in the anonymized safety records
  • This approach satisfies both privacy rights and food safety regulatory requirements

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

11. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us at:

General Privacy Inquiries

Email: privacy@babywhatnow.com

Support: support@babywhatnow.com

Data Protection Officer (DPO)

For matters specifically related to data protection and GDPR compliance, you may contact our Data Protection Officer:

Email: dpo@babywhatnow.com

Response Time: We will respond to privacy-related inquiries within 30 days, and data subject requests within 30 days as required by GDPR.

Company Information

We Had a Baby, What Now? LLC
Data Controller for EU users
United States

© 2025 Baby What Now? / Kaizen Innovations LLC All rights reserved.