1. Data Controller
BUBBLE DOTS S.L. ("BabyPal", "we", "us", "our") is the data controller responsible for the processing of personal data collected through the BabyPal mobile application and the babypal.io website (together, the "Service").
- Legal name: BUBBLE DOTS S.L.
- Spanish Tax ID (NIF): B27657832
- Registered office: Calle del Bruc 149, 08037 Barcelona, Spain
- Contact: contact@bubbledots.co
2. Information We Collect
a) Account information
- Email address and password (the password is stored only as a salted hash by our authentication provider).
- Sign in with Apple: we receive an Apple relay email and a user identifier; we never receive your Apple ID password.
b) Baby profile and nutrition information
All information below is provided by you as the parent or legal guardian:
- Baby name, birthday, gender.
- Feeding context: weaning stage, dietary preferences, cultural or family food practices.
- Meal photos uploaded for analysis and the resulting nutrient estimates relevant to infants and toddlers (iron, protein, healthy fats, fruits and vegetables, etc.).
- Foods introduced log: which foods have been tried, when, and tolerance notes.
- Allergies and reactions: allergens flagged, reactions logged, severity and free-text notes.
- Daily balance scores and meal history.
c) Subscription information
Subscription status, plan and purchase history managed through Apple and RevenueCat. We never receive or store full payment card details.
d) Technical and usage information
- Device model, operating system version, app version, language, time zone.
- Product analytics events collected via Mixpanel (EU endpoint).
- Diagnostic data (crashes, errors, user id and optional email) collected via Sentry. Screenshots and view hierarchies are never attached to reports sent from production builds.
- Push notification tokens stored in our
device_tokens table so that we can send meal and feeding reminders.
3. How We Use Information
- Provide the core Service: photo analysis, nutrition tracking, foods introduced history, allergy logs and reminders.
- Personalise nutrition guidance based on your baby's age, foods introduced and logged data.
- Manage subscriptions, trials and restores with Apple and RevenueCat.
- Respond to support requests.
- Detect bugs and protect the Service from abuse.
- Comply with legal obligations (tax, accounting, legal claims).
4. Automated Photo Analysis (Not Medical Advice)
BabyPal uses computer vision and rule-based algorithms to identify foods in the photos you upload and to estimate baby-relevant nutrient content based on general pediatric nutrition references.
- Photos may be processed by third-party AI vision providers acting as data processors strictly to return a food recognition result. Photos are not used to train third-party models.
- Estimates are informational and may be inaccurate. You can always adjust results manually.
- BabyPal does not provide medical advice, diagnosis or treatment. Always consult a qualified pediatrician about your child's nutrition, allergies or health.
5. Legal Basis (GDPR)
We process your personal data under Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD) on the following bases:
- Performance of a contract (art. 6.1.b): to provide the Service you subscribed to.
- Consent (art. 6.1.a): for optional features such as push notifications, and for baby data that you provide as legal guardian (art. 8).
- Legitimate interests (art. 6.1.f): to secure the Service, prevent abuse, improve features through aggregate analytics, and defend legal claims.
- Legal obligation (art. 6.1.c): to keep accounting and tax records.
6. Service Providers and Data Sharing
We share the minimum amount of data required with the following providers (data processors):
- Apple Inc. — App Store purchases, Sign in with Apple, Apple Push Notification service.
- RevenueCat, Inc. (USA) — subscription lifecycle management.
- Supabase, Inc. — authentication, database, storage and Edge Functions.
- AI vision providers — image recognition for meal photos, used as data processors with no training on your data.
- Mixpanel, Inc. — product analytics (EU endpoint
api-eu.mixpanel.com). - Sentry (Functional Software, Inc.) — crash reporting (EU ingest
ingest.de.sentry.io). - Google Ireland Ltd. — Google Analytics 4 on the babypal.io website. Only loaded with your consent.
- Meta Platforms Ireland Ltd. — Meta Pixel on the babypal.io website. Only loaded with your consent.
We do not sell or rent your personal data. We may disclose data when required by law or to protect rights, property or safety.
7. International Transfers
Some providers (notably RevenueCat, AI vision providers and, depending on project region, Supabase) may process data outside the European Economic Area. Google (Google Analytics 4) and Meta (Meta Pixel) may also transfer data to the United States when you consent to analytics or marketing cookies on babypal.io. Where required, we rely on the European Commission's Standard Contractual Clauses (SCCs) and additional safeguards.
8. Data Retention
- Active accounts: we keep your data for as long as your account is active.
- Account deletion: when you delete your account from Settings, baby data, meal photos, foods introduced, allergy logs and notes are removed from our active database within 30 days. Encrypted backups are rotated and purged within 90 days.
- Billing records: invoices and subscription data are retained for up to 6 years to comply with Spanish tax and accounting law.
- Diagnostic data: crash reports up to 90 days; analytics events up to 24 months.
9. Your Rights
Under GDPR you can exercise the following rights by writing to contact@bubbledots.co:
- Access, rectification, erasure.
- Restriction and objection to processing.
- Data portability.
- Withdraw consent at any time (without affecting processing carried out before the withdrawal).
- Lodge a complaint with the Spanish Data Protection Authority — Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan 6, 28001 Madrid, www.aepd.es.
You can also delete your account directly from the app: Settings → Delete account.
10. Children's Privacy
BabyPal is designed for adults (18+) who are parents or legal guardians. We do not knowingly allow users under 18 to create accounts. All baby-related data is provided by the parent or legal guardian, who acts as the lawful basis for the processing of information about the minor (GDPR art. 8 and LOPDGDD art. 7).
11. Security
We apply technical and organisational measures that include encryption in transit (HTTPS/TLS), encryption at rest in our database and photo storage, salted password hashing, row-level security in Supabase, principle of least privilege, and disabled production screenshot/view-hierarchy capture in crash reports. No system can guarantee absolute security.
12. Cookies
The babypal.io website uses strictly necessary cookies (for example, the cookie that stores your consent preferences). With your prior, informed consent, we also use Google Analytics 4 (analytics) and Meta Pixel (marketing). You can accept, reject or manage your preferences at any time. The mobile application does not use cookies.
13. Changes to This Policy
We may update this Privacy Policy to reflect changes in our Service or legal obligations. Material changes will be notified in the app or by email. The "Last updated" date above always reflects the latest version.
14. Governing Law
This Privacy Policy is governed by Spanish law. Any dispute arising from it will be submitted to the Courts and Tribunals of Barcelona, Spain, unless mandatory consumer protection rules provide otherwise.