MayaBaby - Privacy Policy

Privacy Statement

As MayaBaby, we publish this Privacy Statement to inform Users what information we collect and how we use it to personalize and continually improve User experience. This Privacy Statement applies to the App and its services which collect data from Users.

This Policy should be read together with our Terms & Conditions and Cookie Policy.

What MayaBaby Collects

MayaBaby collects data from User and User's use of the App and of the services available through the App ("Services"). We collect, store and process information that User provides or makes available to us when accessing or using our App and Services.

We collect both information you actively provide (for example when creating an account, entering baby tracking logs, or contacting support) and information that is collected automatically when you use the App (for example via cookies and similar technologies, device identifiers, and network metadata).

Account information: email address, user ID, authentication and session data and, if you choose to sign in with Apple or Google, limited profile information such as your display name and Apple/Google account identifier.
Baby tracking data: feeding, sleep, growth measurements, health logs, reminders, notes, appointments, and (if enabled) photos and videos you upload. This data relates to a minor and is treated as sensitive personal data.
Device information: device brand/model, operating system version, device language, app version, and APNs device token (used to deliver push notifications).
Network information: IP address used to connect to the internet. IP addresses are treated as personal data under applicable law and are used solely for security, fraud prevention, and service delivery. The legal basis for processing IP addresses is our legitimate interest in maintaining secure and reliable service.
Usage information: activity within the App, feature interactions, and subscription status.
Anonymous usage data: if you use the App without creating an account, we generate an anonymous user identifier linked to a device fingerprint. See the "Anonymous Users" section below for details on what is collected.
Passkey data: if you enable passkey sign-in, your passkey is stored securely on your device or in iCloud Keychain by Apple. We do not store your private key; we only store the associated public key credential identifier to verify your identity at sign-in.

How We Use Information

To provide core features (tracking, syncing, and secure sharing where available).
To send push notifications for reminders and appointments you have scheduled.
To maintain security, prevent abuse, and troubleshoot issues.
To personalize and improve the App experience.
To process subscription payments and manage your subscription status.
To monitor usage patterns and enforce reasonable usage limits to ensure service quality and prevent abuse.
To comply with applicable legal obligations.
Analytics opt-out: where analytics processing is based on your consent, you may opt out at any time by contacting us at [email protected] or, where available, through the in-app privacy settings. Opting out will not affect the core functionality of the App.

Legal Basis for Processing (GDPR)

For Users in the European Economic Area (EEA), we process personal data on the following legal bases:

Performance of a contract: processing necessary to provide the App and its features to you.
Legitimate interests: improving the App, preventing abuse, and ensuring security, where these interests are not overridden by your rights.
Consent: where you have given explicit consent, such as for sensitive data (children's health data) or optional analytics. You may withdraw consent at any time.
Legal obligation: where processing is required by applicable law.

Children's Privacy

MayaBaby is specifically designed to help parents and caregivers track the health and development of infants and young children. We take the privacy of children very seriously.

Who enters the data: All data about minors must be entered by a parent or legal guardian who has accepted our Terms. The App is intended for use by adults and is not directed to children under 16, and we do not knowingly collect personal information directly from children under 13.

What data is collected: Baby tracking data (growth, feeding, sleep, health logs, photos) constitutes sensitive personal data under applicable law.

Legal frameworks:

COPPA (USA): We do not collect personal information from children under 13 without verifiable parental consent. Parents may review, correct, or request deletion of their child's data by contacting us.
GDPR Article 8 (EU/EEA): Processing of children's health data is based on the explicit consent of the parent or guardian who creates the account.
KVKK Madde 6 (Turkey): Health data of minors is treated as a special category of personal data requiring explicit (açık rıza) consent.

Parents and guardians may request access to, correction of, or deletion of any data relating to a child in their care by emailing [email protected].

Anonymous Users

The App allows you to start tracking without creating an account. In this mode we assign you an anonymous user identifier derived from a SHA-256 one-way hash of certain non-personal device signals (device model, iOS version, device language, and screen resolution). This fingerprint is not reversible — it cannot be used to reconstruct your device information — and is used solely to keep your data accessible on the same device and to enable account recovery if you reinstall the App on the same device. No email address or real name is collected in anonymous mode. You can convert your anonymous account to a full account at any time from within the App; doing so retains all your existing tracking data.

Shared Baby Profiles (Multi-User Access)

The App supports sharing a baby profile with other users (e.g., co-parents, family members, caregivers). When you invite another person:

The invited person ("member") can view and add tracking logs for the shared baby. The scope of access is defined by the permissions you grant as the profile owner.
All members with access to a baby profile can see the tracking data entered by other members for that baby.
The baby profile owner (OWNER) can revoke a member's access at any time. Upon revocation, the member loses access to all data associated with that baby; their own account data is not affected.
Each invited member has their own account and is independently responsible for their use of the App and compliance with these policies.
Removing a member does not delete the tracking data they entered; that data remains associated with the baby profile and is accessible to the owner.

If you are an invited member and wish to have data you entered deleted, please contact [email protected].

Push Notifications

When you enable push notifications, Apple provides us with an APNs device token — a unique identifier that allows us to deliver reminders and alerts to your device. This token is stored securely on our servers and used exclusively to send you notifications that you have configured in the App. You can disable push notifications at any time through your iOS Settings. When a device token becomes invalid (e.g., after reinstalling the App), it is automatically removed from our servers.

Third-Party Services

MayaBaby uses the following third-party services to operate the App. Each acts as a data processor under our instructions and is bound by appropriate data processing agreements.

Service	Purpose	Data Shared
Adapty	Subscription management & in-app purchase validation	User ID, subscription events
Sign in with Apple	Social login and account authentication	Apple account identifier, email address (where provided by Apple), and display name
Google Sign-In	Social login and account authentication	Google account identifier, email address, and display name
Cloudflare R2	Cloud storage for photos & media you upload	Uploaded files (stored in EU/US data centres)
Apple APNs	Push notification delivery	Device token, notification payload
Analytics provider	App usage analytics to improve the product	Anonymised usage events, device type, app version
Better Auth	Secure user authentication & session management	Email, session tokens
Email provider (Gmail / Google Mail)	Customer support and account communications	Email address, message content and metadata for support requests

Some third-party services may transfer data outside your country of residence, including to the United States. Where required, we ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses for EEA transfers).

Data Retention

We retain your personal data for as long as your account is active or as necessary to provide the Service. Specifically:

Active account data (tracking logs, baby profiles, photos): retained while your account is active.
Account data after deletion: deleted within 30 days of a verified account deletion request, except where retention is required by law.
Push notification tokens: deleted automatically when invalidated by Apple or when you delete your account.
Analytics data: retained in anonymised form for up to 24 months.
Subscription transaction records: retained for up to 7 years as required for tax and accounting purposes.

You can request deletion of your account and associated data at any time through the App (Settings → Delete Account) or by emailing [email protected].

Data Security

We implement reasonable security measures to protect your personal data, including encrypted data transmission (TLS), secure credential storage, and row-level access controls on our database. However, no method of transmission over the internet or electronic storage is 100% secure.

Data Breach Notification: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

Notify the relevant supervisory authority (e.g., KVKK Kurumu; or the competent EU supervisory authority for EEA residents) within 72 hours of becoming aware of the breach, as required by GDPR Article 33 and KVKK;
Notify affected Users without undue delay if the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34);
Document all breaches internally, including those not required to be reported.

Data Privacy & Confidentiality

Users agree that information submitted through the App may be collected, used and disclosed by MayaBaby in accordance with this Privacy Statement and the App's Terms, as may be updated from time to time.

KVKK — Kişisel Verilerin Korunması

MayaBaby, Türkiye'den hizmet vermekte olup 6698 sayılı Kişisel Verilerin Korunması Kanunu'na (KVKK) tabi veri sorumlusu konumundadır. Kişisel verileriniz KVKK kapsamındaki haklarınız saklı kalmak kaydıyla işlenmektedir.

Bebeklere ait büyüme, beslenme, uyku ve sağlık verileri KVKK'nın 6. maddesi kapsamında özel nitelikli kişisel veri sayılmakta ve açık rızanıza dayalı olarak işlenmektedir. Açık rızanızı istediğiniz zaman geri alabilir; bunun için [email protected] adresine e-posta gönderebilirsiniz.

Kişisel verileriniz KVKK'nın 5. ve 6. maddelerinde sayılan işleme şartlarına dayanarak işlenmektedir (örneğin; açık rıza vermeniz, bir sözleşmenin kurulması veya ifası için zorunlu olması, hukuki yükümlülüklerimizin yerine getirilmesi, temel hak ve özgürlüklerinize zarar vermemek kaydıyla meşru menfaatlerimiz gibi).

KVKK'nın 11. maddesi uyarınca, veri sahibi olarak aşağıdaki haklara sahipsiniz:

kişisel verinizin işlenip işlenmediğini öğrenme,
kişisel verileriniz işlenmişse buna ilişkin bilgi talep etme,
kişisel verilerinizin işlenme amacını ve bunların amacına uygun kullanılıp kullanılmadığını öğrenme,
yurt içinde veya yurt dışında kişisel verilerinizin aktarıldığı üçüncü kişileri bilme,
kişisel verilerinizin eksik veya yanlış işlenmiş olması hâlinde bunların düzeltilmesini isteme,
KVKK'nın 7. maddesinde öngörülen şartlar çerçevesinde kişisel verilerinizin silinmesini veya yok edilmesini isteme,
bu işlemlerin, kişisel verilerinizin aktarıldığı üçüncü kişilere bildirilmesini isteme,
işlenen verilerin münhasıran otomatik sistemler vasıtasıyla analiz edilmesi suretiyle aleyhinize bir sonucun ortaya çıkmasına itiraz etme ve
kişisel verilerinizin kanuna aykırı olarak işlenmesi sebebiyle zarara uğramanız hâlinde zararınızın giderilmesini talep etme.

VERBİS Kaydı: MayaBaby, KVKK'nın 16. maddesi ve ilgili ikincil mevzuat uyarınca Veri Sorumluları Sicil Bilgi Sistemi'ne (VERBİS) kayıt yükümlülüğü kapsamında gerekli başvuruları yapmış veya yapma sürecindedir.

KVKK kapsamındaki haklarınız ve aydınlatma yükümlülüğümüz hakkında hazırlanan Türkçe Aydınlatma Metni'ne buradan ulaşabilirsiniz.

Fair Use and Reasonable Use Policy

Unlimited Features: While certain subscription plans may be marketed as offering "unlimited" or "sınırsız" features (such as baby profiles, family members, or logs), all usage is subject to our Fair Use Policy.

Definition of "Unlimited": "Unlimited" or "Sınırsız" means reasonable use for personal, non-commercial purposes within the normal scope of a family baby tracking application. It does not mean unlimited use without restrictions.

Our Rights: We reserve the right to:

Monitor usage patterns and implement reasonable technical limits to ensure service quality and prevent abuse;
Restrict or suspend accounts that exceed reasonable usage thresholds, as determined by us in our sole discretion;
Require additional verification or upgrade to a higher-tier plan for accounts with excessive usage;
Define and enforce maximum limits for baby profiles, family members, and other features to maintain system performance and security.

Abuse Prevention: To prevent abuse and ensure service quality, we reserve the right to implement reasonable technical limits and restrictions. These limits are designed to prevent misuse while allowing normal family use. We may monitor usage patterns and take action if we detect abusive behavior.

Examples of Unreasonable Use: Examples of unreasonable use or abuse include, but are not limited to:

Creating an excessive number of baby profiles beyond normal family use;
Inviting an excessive number of family members per baby beyond normal family needs;
Using the Service for commercial purposes, resale, or bulk data collection;
Any use that negatively impacts system performance, security, or other users' experience;
Automated or scripted creation of profiles, logs, or invitations;
Any activity that violates these terms or applicable laws.

Technical Limits: We may implement reasonable technical limits to prevent abuse and maintain service quality. These limits may include restrictions on the number of baby profiles, family members, logs, photos, API calls, or other features. Specific limits are determined at our sole discretion based on usage patterns and service requirements.

Actions We May Take: If we determine that your usage exceeds reasonable limits, we may:

Notify you and request that you reduce your usage;
Temporarily or permanently restrict certain features;
Require you to upgrade to a higher-tier subscription plan;
Suspend or terminate your account, with or without refund, at our sole discretion.

We will make reasonable efforts to notify you before taking action under this section, except in cases of clear abuse, fraud, or security threats.

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Access: request a copy of the personal data we hold about you.
Correction: request that we correct inaccurate or incomplete data.
Deletion: request that we delete your data (subject to legal retention requirements).
Data portability: request your data in a structured, machine-readable format (GDPR Article 20).
Objection / Restriction: object to or request restriction of certain processing activities.
Withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting prior processing.
Lodge a complaint: you have the right to lodge a complaint with your local data protection authority (e.g., KVKK Kurumu in Turkey, or your EU Member State supervisory authority).

To exercise any of these rights, please email [email protected]. We will respond within 30 days. We may require identity verification before fulfilling your request.

EU Representative (GDPR Article 27)

MayaBaby does not currently have an establishment within the European Economic Area (EEA). If and when our processing of EEA residents' personal data reaches a scale requiring the appointment of an EU representative under GDPR Article 27, we will appoint a representative and update this section with their contact details. In the meantime, EEA Users may direct all GDPR-related requests and complaints to [email protected]. You also retain the right to lodge a complaint with the supervisory authority in your EU Member State.

Personal Data

The way your personal data is stored may vary depending on features you use (e.g., account login, syncing). You can request deletion via the App (Settings → Delete Account) or by emailing [email protected]. We may require verification to protect your account.

Contact

Email (support): [email protected]
Email (feedback): [email protected]

You can use these addresses for any questions about this Policy, to exercise your data protection rights, or to report copyright or content-related complaints.

Türk kullanıcılar için KVKK kapsamında hazırlanan Türkçe Aydınlatma Metni'ne buradan ulaşabilirsiniz.