Privacy Policy — Baby Ledger AI

Last updated: June 4, 2026

The Baby Ledger AI mobile application (the "Service") is operated by Fong Shui Labs LLC, a New York limited liability company (referred to in this Privacy Policy as "we," "our," or "us"). Contact: [email protected] (general) and [email protected] (privacy inquiries). This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service.

1. Information We Collect

Account information

Email address
Password (stored as a salted hash — we cannot see your password)
Optional display name
If you sign in with Apple: Apple provides us with a private relay email address (or your real email if you choose) and, on first sign-in only, your first and last name. We never receive your Apple ID password.
If you sign in with Google: Google provides us with your email address, display name, and profile photo URL. We never receive your Google password.

Baby profile information

Baby's name, date of birth, gender (optional)
Birth measurements (weight, height) — optional
Whether the baby was born preterm and gestational age — optional, used to compute corrected age for percentiles
Baby photo and cover photo (optional, stored in Supabase Storage)

Tracking data

Feeding logs (type, duration, amount, time)
Sleep logs
Diaper logs
Growth measurements (weight, height, head circumference)
Health logs (temperature, medications, vaccines)
Milestones
Food scan results and photos
Appointments

AI improvement data — opt-in only

AI chat history (your questions and the AI's answers) is only stored when you turn on "Help improve our AI" in Settings → Privacy. This is off by default. When stored, we save the question text, the response text, and an anonymized snapshot of your baby's context (age in months, gender, preterm flag) — we do not store your baby's name, date of birth, or your email alongside this data.
AI scan corrections — when you tap "Not quite" after a food scan and tell us what the food actually was, we save the original AI guess + your correction text + the baby's age in months. We do not save the baby's name, date of birth, or any other PII alongside corrections.
This data is automatically purged after 180 days unless flagged for review.

Device and diagnostic information

Device type and OS version (for crash reporting)
App version
Time zone (for local-time display of logs)
Crash reports via Sentry: when the app crashes or hits an error, a stack trace is sent to Sentry for diagnosis. Personally identifiable information (email, baby name, date of birth, photos) is automatically scrubbed before upload. You can opt out of crash reports in Settings → Privacy.

What we do NOT collect

We do not collect your location
We do not collect your contacts
We do not track you across other apps or websites
We do not sell your data, ever
We do not use your data, photos, chat questions, or scan results to train AI models — neither ours nor any third party's. Per our agreements with our AI providers, prompts sent to Google Gemini and Anthropic Claude are not used by those providers to train their models. (See Section 2 for the one narrow exception: opted-in chat history may, in the future, be used to improve our own prompts and few-shot examples; this would never include identifying data.)

2. How We Use Your Information

To provide the Service — display your logs, generate charts, power AI features
To power AI features — food scan images and chat questions are sent to our AI providers (primarily Google Gemini; Anthropic Claude as fallback when the primary provider is unavailable) for analysis. Per our agreements with both providers, your prompts are NOT used to train their models. We discard the image at the AI provider after processing.
To personalize recommendations — age-appropriate nutrition portions, milestones, sleep windows, weight-adjusted calorie targets
To send notifications — feeding/sleep reminders and the daily summary, only if you enable them
To enforce usage limits — tracking daily scan and chat counts per user for subscription tiers
(Opt-in only) To improve our AI prompts and suggested-questions feature — if you turn on "Help improve our AI" in Settings → Privacy, we may use your anonymized chat questions (no name, no DOB, no email) as few-shot examples in our prompts and to identify question patterns. We do not fine-tune or train any third-party AI model on this data.

3. Data Storage and Security

Your data is stored in Supabase, a SOC 2 Type II certified cloud database. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Each user's data is isolated via Postgres Row Level Security — other users can never read your data.

4. Third-Party Services

We use the following third-party services. Each has its own privacy policy:

Supabase (database, auth, storage) — https://supabase.com/privacy
Google Gemini (primary AI provider for food scanning and chat) — https://policies.google.com/privacy
Anthropic (AI fallback provider for food scanning and chat when the primary provider is unavailable) — https://www.anthropic.com/legal/privacy
Apple StoreKit (subscriptions) — https://www.apple.com/legal/privacy/
Sentry (crash reporting, PII-scrubbed) — https://sentry.io/privacy/
Plausible Analytics (website only, babyledgerai.com) - https://plausible.io/privacy

When you subscribe, Apple processes your payment — we never see your credit card number. We only receive a verification receipt proving you subscribed.

Website analytics (babyledgerai.com)

Our marketing website uses Plausible Analytics, a privacy-friendly, cookieless web analytics service. Plausible does not use cookies, does not track you across sites, does not collect or store any personal data, and does not require a cookie banner under GDPR, CCPA, or PECR. It records only aggregated, anonymous metrics — page URL, referrer source, country (derived from IP address and immediately discarded), browser, operating system, device type, and aggregate event counts (such as how many visitors scrolled past 50% of a page or tapped an App Store link). Plausible derives unique-visit counts using a daily-rotating hash of IP + user-agent, then discards the IP — no individual identifiers are stored. Aggregate data is hosted in the EU (Frankfurt, Germany). No data is shared with advertisers, no profile is built about you, and no behavior is followed off our site. Plausible's data policy is available at https://plausible.io/data-policy. The Baby Ledger AI mobile app itself does not use Plausible or any other web-analytics tracker.

5. Your Rights

You have the right to:

Access — view all data we have about you and your baby in the app (Logs, Growth, Profile screens)
Export — download all your data in CSV or PDF format (Premium feature, available in Settings → Export Data)
Delete — permanently delete your account and all associated data via Settings → Account & Data → Delete Account. Deletion is immediate from the app and propagates to permanent removal within 30 days.
Correct — edit any log or profile information at any time (tap any entry to edit)
Withdraw consent — toggle off "Help improve our AI" or "Anonymous crash reports" in Settings → Privacy at any time. Going forward, no new data of that type will be collected. Already-collected anonymized data remains until you request its deletion.

To exercise any of these rights, use the in-app options above or email us at [email protected].

6. Children's Privacy

Baby Ledger AI is intended for use by parents and legal guardians, not by children. The account holder must be 18+ (per our Terms of Service, Section 1).

The baby is the SUBJECT of the tracking data, not a USER of the Service. Baby Ledger AI does not provide functionality that allows a child to interact with the Service directly.

In compliance with the Children's Online Privacy Protection Act (COPPA), we collect information ABOUT a child only via the parent or legal guardian, who is solely responsible for the accuracy of that information and for the decision to record it. We do not knowingly direct the Service to children under 13, and the Service is not designed for use by children. The Service is not directed to children under 13, we do not knowingly collect personal information from children under 13, and we have no actual knowledge that any child under 13 has directly interacted with or submitted information to the Service. If you believe we have inadvertently collected data directly from a child under 13, contact [email protected] and we will promptly delete it.

7. Data Retention

Active accounts: tracking data is retained indefinitely while the account is active
Deleted accounts: permanently deleted within 30 days of deletion request (cascade delete across all related tables)
Inactive accounts: we may delete accounts with no activity for 24 consecutive months after emailing a 30-day warning
Food scan images: retained for 90 days unless you explicitly save the scan
AI chat history (opt-in only): automatically purged after 180 days unless flagged for review
AI scan corrections (anonymized): retained while the account is active, deleted on account deletion
Crash reports (Sentry): retained per Sentry's standard 90-day retention

8. International Users

Baby Ledger AI is operated from the United States. If you use the Service from outside the US, your data will be transferred to, stored, and processed in the US. By using the Service, you consent to this transfer.

For EU/UK users: we rely on Standard Contractual Clauses for the US transfer. You have additional rights under GDPR including the right to lodge a complaint with your local data protection authority. To exercise GDPR rights (access, portability, erasure, restriction, objection, withdrawal of consent), email [email protected].

For California residents: under CCPA/CPRA, you have the right to know what personal information we collect, to delete it, to correct it, to opt out of the sale or sharing of it (we do neither), and to limit our use of sensitive personal information. We do not sell or share personal information.

For Washington State residents — Consumer Health Data (My Health My Data Act, RCW Ch. 19.373):

Categories of consumer health data we collect: baby health measurements (weight, height, head circumference), health logs (temperature, medications, vaccines), feeding records (type, amounts, duration), sleep records, and food allergy/intolerance records. This data is collected from you, the parent or legal guardian, and not directly from any child.
How we share consumer health data: We share health data only with our service providers — Supabase (for storage), Google Gemini (primary AI provider, for AI processing only; no retention or training, per our agreement with Google), and Anthropic (AI fallback provider for the same purpose, under the same no-retention/no-training contractual posture). We do not sell consumer health data. We do not share consumer health data with third parties for purposes unrelated to providing the Service.
Your rights: You have the right to (1) confirm whether we collect your consumer health data; (2) access it; (3) withdraw consent for collection; (4) delete it; and (5) appeal any denial of these rights. To exercise these rights, email [email protected]. We will respond within 45 days. You may appeal a denial by emailing the same address with "MHMDA Appeal" in the subject line; appeals will be resolved within 45 days.

For residents of Connecticut, Colorado, Nevada, Oregon, Texas, Utah, Virginia, and other states with consumer health/privacy laws: similar rights apply. Email [email protected].

9. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted here with an updated "Last updated" date. Material changes (changes that meaningfully affect what we collect or how we use it) will be communicated via in-app notification at least 30 days before they take effect. Continued use of the Service after material changes take effect constitutes acceptance.

10. Contact Us

Questions about this policy? Email us:

[email protected]

For general support: [email protected]

---

This privacy policy is licensed under CC-BY-SA 4.0. You may reuse it with attribution.