Privacy Policy (Milli – Baby Tracker)

Milli – Baby Tracker ("Milli," "we," "our," or "us") helps families track baby care activities. This Privacy Policy explains what information we collect, how we use it, the legal basis for processing it, and your rights. It applies to users worldwide, with additional provisions for EU/EEA, UK, and California residents where applicable.

1. Information We Collect

We collect the following categories of information when you use the app:

• Account information: email address and authentication data managed through Supabase Authentication.
• Family and collaboration data: family name, family member email, role, title, invite codes, and join requests.
• Baby care tracking data: logs you create as a parent or caregiver, such as feeding, diaper, sleep, shower, vitamin, growth, medicine, and symptom/activity entries (for example temperature, medication, and puke/diarrhea tracking when enabled). This data is about your baby and is stored securely in our database. See Section 10 for how we handle this sensitive data.
• Optional baby profile data: baby name, age (weeks/months), gender, and date of birth, if you choose to enter it.
• Notification data: device push token and platform (iOS/Android), plus reminder settings.
• Local app data: cached logs and settings stored on your device (AsyncStorage) to support offline use and faster performance.
• Analytics data: Google Firebase Analytics automatically collects data about the parent's or caregiver's device and app usage — specifically: a random app instance identifier, device model, OS version, app version, approximate location (country/region derived from IP address), session duration, and which app features are used. Firebase Analytics receives no baby data whatsoever — no names, no health records, no care log contents. See Section 8 for full details.
• Advertising data: Google AdMob may collect device identifiers (such as Android Advertising ID), IP address, and general usage signals for the purpose of serving ads. See Section 9 for details.

2. How We Use Information

We use your information to:

• provide core app features (tracking, history, insights, reminders);
• sync your data across devices and family members in the same family group;
• send family activity and reminder notifications;
• support account and family management;
• understand how parents and caregivers use the app so we can improve features (analytics — using only device and usage data, never baby data);
• display ads through Google AdMob to support the free app;
• maintain app reliability and security.

3. Legal Basis for Processing (GDPR)

If you are located in the EU, EEA, or UK, we process your personal data under the following legal bases as required by GDPR Article 6 and Article 9:

• Performance of a contract (Article 6(1)(b)): processing your account information, family data, and notification data is necessary to provide the Milli service you have registered for.
• Explicit consent (Article 6(1)(a) and Article 9(2)(a)): baby care tracking data — including feeding, sleep, growth, temperature, and medication records — constitutes health data under GDPR Article 9 (special category data). We process this data solely on the basis of your explicit consent as the parent or caregiver. You provide this consent when you create an account and begin using the tracking features. You may withdraw consent at any time by deleting your tracking data or your account from within the app. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
• Legitimate interests (Article 6(1)(f)): we process device and behavioral usage data through Firebase Analytics to understand how the app is used and to improve its features. We have assessed that this interest is not overridden by your fundamental rights, given that no baby data is included and the data is limited to device-level and feature-level signals. You have the right to object to this processing — see Section 7.
• Legal obligation (Article 6(1)(c)): we may process certain data where required to comply with applicable law.

4. How Information Is Shared

We do not sell personal information.

We may share data only as needed with:

• Your family group members (based on family membership and permissions in the app). When the last member of a family group deletes their account, all associated family tracking data is also permanently deleted.
• Service providers that power app functionality. Each acts as a data processor under a written agreement (Data Processing Agreement where required by GDPR):
  • Supabase (authentication and database — stores baby care tracking data and family data). Supabase provides a standard Data Processing Agreement covering GDPR obligations. Privacy policy: https://supabase.com/privacy.
  • Expo / Expo Push Notification Service (delivery of push notifications — receives device push tokens and notification content). Privacy policy: https://expo.dev/privacy.
  • Google Firebase Analytics (app usage analytics — receives device and behavioral data about the parent's app session only; baby names, health records, and care log contents are never shared with Firebase — see Section 8). Privacy policy: https://policies.google.com/privacy.
  • Google AdMob (advertising — see Section 9 for details and opt-out options). Privacy policy: https://policies.google.com/privacy.
• Legal/compliance recipients where required by law or to protect rights and safety.

5. Notifications

If enabled, Milli may send:

• local reminders on your device (feeding, diaper, sleep, bottle, medicine), and
• push notifications to family members for shared activity updates.

You can disable notifications in app settings or your device settings at any time.

6. Data Retention

• Cloud tracking and history data is retained until deleted by you (for example, deleting history or account-related data in settings).
• Local device cache and settings remain until you clear app data, uninstall, or use in-app deletion flows.
• When you delete your account and you are the last member of your family group, your account and all associated family tracking history are permanently and irreversibly deleted from our systems.
• When you delete your account and other members remain in your family group, your account and personal profile are deleted. Tracking entries you created remain visible to the remaining family members as shared family records, but are no longer attributed to a named account. If you wish to have those entries removed before deleting your account, please delete them individually from the History screen first, or contact us at the address in Section 14.
• Supabase authentication records (email, hashed credentials) may be retained for up to 30 days in automated backups before permanent deletion.
• Firebase Analytics data (device and usage data about the parent's session) is retained by Google for up to 14 months by default. You can reset your Analytics identifier at any time by resetting your Android Advertising ID (Settings > Google > Ads) or by opting out of analytics collection on your device.

7. Your Choices and Rights

You can at any time:

• update your account email and password;
• edit or delete individual tracking entries;
• delete all family tracking history (owner role);
• delete your account and associated data from within the app;
• leave a family group;
• disable notifications in app settings or device settings;
• opt out of analytics data collection by resetting or deleting your Android Advertising ID (Settings > Google > Ads > Delete advertising ID);
• opt out of personalized ads (see Section 9);
• withdraw consent for the processing of baby health and care data at any time by deleting your tracking entries or your account from within the app. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

EU/EEA and UK residents (GDPR): In addition to the above, you have the following rights under the GDPR:

• Right of access (Article 15): request a copy of the personal data we hold about you.
• Right to rectification (Article 16): request correction of inaccurate or incomplete data.
• Right to erasure (Article 17): request deletion of your personal data ("right to be forgotten").
• Right to restriction of processing (Article 18): request that we limit how we use your data in certain circumstances.
• Right to data portability (Article 20): receive your personal data in a structured, machine-readable format or request it be transferred to another controller where technically feasible.
• Right to object (Article 21): object to processing based on our legitimate interests (for example, Firebase Analytics). If you object, we will cease that processing unless we can demonstrate compelling legitimate grounds that override your interests. To object, contact us at the address in Section 14 or reset your Android Advertising ID to opt out of analytics tracking.
• Right not to be subject to solely automated decision-making (Article 22): Milli does not make automated decisions with legal or similarly significant effects on you.
• Right to lodge a complaint: if you believe we have not handled your personal data in compliance with the GDPR, you have the right to lodge a complaint with the data protection supervisory authority in your EU/EEA member state. For UK residents, you may contact the Information Commissioner's Office (ICO) at https://ico.org.uk. A list of EU supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en. We encourage you to contact us first so we can try to resolve your concern directly.

To exercise any of the rights above, contact us at the address in Section 14. We will respond within 30 days.

California residents (CCPA/CPRA): We do not sell or share personal information for cross-context behavioral advertising. You have the right to know what personal information we collect, to delete it, and to opt out of its sale (which we do not engage in). To make a request, contact us at the address in Section 14.

8. Analytics

Milli uses Google Firebase Analytics to understand how parents and caregivers interact with the app — for example, which features are used most and whether features like family sharing are adopted. This helps us prioritize improvements.

Firebase Analytics collects the following data about the parent's or caregiver's device and session:

• a random App Instance ID (a randomly generated identifier, not linked to your account, your baby's profile, or any care data);
• device model, OS version, and app version;
• approximate location (country/region only, derived from IP address — not precise GPS);
• session length and engagement time;
• which screens are visited and which feature categories are used.

We also log specific in-app events, for example:

• which tracking type was tapped (e.g., "feed", "sleep", "diaper") — the category label only, never the log contents;
• whether family sharing features were used;
• whether a session occurred before registration (to understand onboarding).

Firebase Analytics never receives: your baby's name, date of birth, gender, growth measurements, health records, care log contents, temperature readings, medication details, or any other data entered into tracking fields. We enforce this in our code — no baby data is ever passed as an analytics event parameter.

Because the app's users are adults (parents and caregivers) and not children, Firebase Analytics operates under standard data collection rules. The app is not classified as child-directed under COPPA or Google Play's Designed for Families program.

Firebase Analytics is operated by Google LLC and governed by Google's privacy policy: https://policies.google.com/privacy.

9. Advertising

Milli is free and supported by ads provided by Google AdMob. AdMob may collect and use:

• device advertising identifiers (Android Advertising ID),
• IP address and general location (country/region),
• app usage signals to serve and measure ads.

We do not pass baby care tracking data or family information to AdMob. AdMob operates under Google's privacy policy: https://policies.google.com/privacy.

Opt out of personalized ads:

• Android: go to Settings > Google > Ads > Delete advertising ID or toggle off ad personalization. You will still see ads, but they will not be personalized.
• iOS: go to Settings > Privacy & Security > Apple Advertising and turn off Personalized Ads. You can also limit ad tracking per-app via Settings > Privacy & Security > Tracking.

Because Milli is a parenting tool used by adults and is not directed at children as independent users, we do not serve child-directed ad requests.

10. Children's Privacy and Baby Data

Milli is used by parents and caregivers (adults) to track the care of their newborns and infants. The app's core function is to record health and care information — feeding amounts, sleep durations, diaper changes, growth measurements, temperature, and medication — that relates to babies.

Minimum age to register: You must be at least 16 years old to create a Milli account (or the minimum age required in your country to consent to data processing, if higher). In the United States, you must be at least 13. The app is designed for parents and caregivers and is intended to be used by adults.

Who uses the app: The account holder is always the parent or caregiver. Babies and children do not create accounts or interact with the app.

How consent is obtained: By creating an account and using the tracking features, you explicitly consent to the processing of baby care and health data as described in this policy. You can withdraw this consent at any time by deleting your tracking entries or your account from within the app.

Baby health and care data is sensitive data about a minor. We treat it with the highest level of care:

• Stored in our database (Supabase) with encrypted transmission (HTTPS/TLS) and row-level access controls so that only authenticated members of your family group can access your data.
• Shared only with family members you explicitly invite into your family group.
• Never shared with Firebase Analytics, AdMob, or any other third party. Analytics and advertising providers receive only device and usage data about the parent's session — zero baby data.
• Deleted when you delete your account or tracking history.

COPPA (US): We do not knowingly collect personal information directly from children under 13. All data is entered by the parent or caregiver on behalf of their baby. If you believe a child under 13 has independently registered an account, please contact us immediately and we will delete it promptly.

GDPR Article 9 (EU/EEA): Baby health data (feeding, growth, symptoms, temperature, medication) constitutes health data and is treated as a special category under GDPR. It is processed solely on the basis of your explicit consent as the parent or caregiver, for the purpose of providing the tracking features you have chosen to use. You may withdraw consent and delete this data at any time from within the app.

If you have concerns about how your baby's data is handled, contact us at mobileapplicationplaysystems@gmail.com.

11. Security and Data Breach Notification

We use reasonable technical and organizational measures to protect your information, including encrypted data transmission (HTTPS/TLS), row-level access controls on our database, and restricted access to production systems. No method of storage or transmission is 100% secure, and we cannot guarantee absolute security.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users directly without undue delay, as required by GDPR Article 34. Notification will be made via the email address associated with your account.

12. International Data Transfers

Milli uses third-party service providers (Supabase, Google Firebase, Google AdMob, Expo) that may process your data in countries outside your own, including the United States. When data is transferred from the EU/EEA or UK to countries without an adequacy decision by the European Commission, we rely on the following safeguards:

• Standard Contractual Clauses (SCCs): Supabase and Google both rely on EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as the legal mechanism for transferring personal data outside the EEA. Your data is protected by these contractual safeguards when transferred to and processed by these providers.
• UK International Data Transfer Agreements: For UK residents, transfers are covered by equivalent transfer mechanisms under UK GDPR and the UK International Data Transfer Agreement (IDTA) where applicable.

You may request a copy of the applicable transfer mechanism by contacting us at the address in Section 14.

13. Changes to This Policy

We may update this Privacy Policy from time to time. The "Effective Date" above shows the latest version date. For material changes, we will notify you via an in-app notice or email where reasonably possible. Continued use of Milli after updates means you accept the revised policy.

14. Contact

For privacy questions, data requests (access, deletion, export, portability), GDPR/CCPA inquiries, or to exercise any of the rights described in Section 7: