Privacy Policy

Babylytics is a personal, non-commercial project operated by the app owner (contact below). It is not a medical device, clinic, or licensed healthcare provider. See the Medical Disclaimer.

When you create an account and use the app, the following information is stored:

• Account data: email, display name, hashed password (managed by Supabase Auth).
• Baby profile: name, date of birth, gender, birth weight/height, optional photo, blood type, notes.
• Care logs: feedings, diaper changes, medications and dose logs, measurements, temperature readings, sleep sessions, vaccination schedule.
• Doctor information: doctor names, clinics, phone numbers, email, addresses, appointments (visible only to owners and parents).
• Caregiver access: the emails you invite and the role you grant them.
• Uploaded files: prescriptions, reports, handwritten notes, photos you upload for OCR or archiving.
• OCR output: extracted text and structured data from files you submit for scanning.
• Comments: notes you leave on any log entry.
• Technical logs: standard web-server logs (IP, user-agent, request time) collected by our hosting providers.

We do not use cookies for advertising. We do not sell your data. We do not share it with third parties other than the processors listed in section 6.

For users subject to the EU GDPR, our legal basis for processing health data is your explicit consent, given when you create an account and check the consent box on signup. You can withdraw consent at any time by deleting your account (section 7).

Because the data concerns children, we rely on the consent of the parent or legal guardian creating the account. You must be 18+ to register.

• To display your logs, charts, reports and reminders.
• To send in-app notifications (e.g. medication due, OCR confidence).
• To let caregivers you invite see the data according to their role.
• To operate OCR on files you submit — the image or PDF is sent to Anthropic's Claude API for text extraction, then stored in our database.
• To maintain an audit log of every change (for medical traceability).
• To back up the database and storage for recovery.

Data is stored on Supabase (Postgres + Storage) in their managed cloud, and the app is hosted on Vercel. Backups are maintained by Supabase. Both are US-headquartered companies with global infrastructure.

If you are in the EU, your data may be transferred outside the EU. We rely on the standard contractual clauses (SCCs) in place between these providers and their customers.

• Supabase — database, authentication, storage, backups.
• Vercel — application hosting and CDN.
• Anthropic — Claude AI model used only for OCR of files you submit. Files uploaded for OCR are processed by Anthropic under its zero-retention policy for API requests; no training happens on your data.

You can, at any time:

• Access — view and export your baby's data via the Reports screen (PDF / image).
• Correct — edit any log, profile field, or comment directly in the app.
• Delete — soft-delete individual entries from any log page, or delete your entire baby profile from Settings → Profile.
• Revoke access — remove any caregiver from the Caregivers page.
• Export — use the Full Report to download every entry.
• Full account erasure — email us (section 10). We will permanently delete your account, all babies under your ownership, all logs, storage objects, and audit history within 30 days.

Every table is protected by row-level security — no data is readable or writable without an authenticated session that belongs to the baby's caregivers. Passwords are bcrypt-hashed by Supabase Auth. Traffic is encrypted with TLS. Storage buckets are private; files are only accessible through short-lived signed URLs.

Despite best effort, no system is 100% secure. If you suspect a breach, contact us immediately (section 10).

Active account data is retained for as long as your account exists. Soft-deleted entries are preserved for auditing for up to 2 years, then purged. Server access logs are kept for 30 days. If you delete your account, all rows are hard-deleted within 30 days.

For any privacy question, correction request, or account deletion, email us at ahmedtarekmostafaali@gmail.com. We aim to respond within 5 business days.

We may update this policy occasionally. Material changes will be announced on the app's login page or by email.