Privacy Policy

Last updated: 1 June 2026 · Version 2.1

The short version: Lullagram stores the data you enter (your account info and what you log about your baby) on servers in the EU. We do not sell your data, do not show ads, and do not share it with anyone. You can export or delete all of it any time from inside the app.

1. Who we are

Lullagram is an independent baby tracking application operated by Christopher O'Callaghan, based in Ireland (the "Data Controller" under GDPR).

Contact for any privacy question, data access request, or deletion request: hello@lullagram.ie.

2. What data we collect

2.1 Account data

Your display name (e.g. "Christopher")
Your email address
Encrypted password hash (we never see your actual password)
Timestamps showing when you agreed to our Terms, Privacy Policy and medical disclaimer

2.2 Baby and tracking data (special category — health)

The following data is classified as "data concerning health" under GDPR Article 9. We collect and process it only with your explicit consent given at signup.

Your baby's name, date of birth, and (optionally) sex
Feeds (time, type, amount, side)
Sleeps (start and end time, duration)
Nappies (time, type)
Supplements and journal entries about what was given (time, notes)
Weights (date, value in grams, optional notes)
Milestones (date, category, description)
Solid foods (date, food, portion, reaction)
Vaccines (scheduled and given dates, optional notes)
Appointments (date, time, location, notes)
Free-text notes you write

2.3 Technical data

Authentication session tokens (kept in your device's local storage)
A queue of unsent writes if you log entries offline
Your display preferences (unit choice, dismissed banners)

2.4 Data received if you sign in with Google

If you choose "Continue with Google" instead of creating a password, Google shares the following with us so we can create or sign you into your Lullagram account:

Your name as it appears on your Google account
Your email address
A unique Google account identifier (used internally to match you to your existing Lullagram account on subsequent sign-ins)

We do not receive your Google password. We do not request access to your Gmail, Google Drive, Google Calendar, contacts, photos, or any other Google service or data. The OAuth scope we request is the minimum needed to identify you (openid, email, profile).

You can revoke Lullagram's access to your Google account at any time via myaccount.google.com/permissions. Revoking access does not delete your Lullagram account — to delete the account, use More → Delete account inside the app.

We do not collect: device location, contact lists, photos, microphone audio, advertising identifiers, or any behavioural analytics.

3. Why we process your data (legal basis)

Data type	Purpose	GDPR legal basis
Account data	Create and operate your account	Contract (Art. 6(1)(b))
Baby health data	Display your tracking history back to you	Explicit consent (Art. 9(2)(a))
Email address	Send transactional emails (verification, password reset, optional emailed reports you request)	Contract (Art. 6(1)(b))
Google sign-in data (name, email, Google ID)	Authenticate you when you choose Google sign-in	Contract (Art. 6(1)(b))
Technical data	Keep the app working (sessions, offline queue)	Legitimate interest (Art. 6(1)(f))

We do not use your data for any other purpose. We do not profile you, do not run analytics on what you log, and do not use it to train any AI model.

4. Where your data is stored

Your data is stored in an EU data centre operated by Supabase Inc., our database and authentication processor. Supabase uses Amazon Web Services (AWS) infrastructure in the EU as a sub-processor.

Transactional emails (verification, password reset, and any emailed report you request from the app) are sent via Resend (a US company with EU sending infrastructure). Email content contains only your email address and the email subject and body. Emailed reports include the baby tracking data you chose to include when requesting the report; standard transactional emails do not.

If you use "Continue with Google" to sign in, Google LLC processes the sign-in handshake. Google does not receive any of your Lullagram tracking data. Google's own privacy policy applies to their handling of your Google account: policies.google.com/privacy.

All three processors have signed Data Processing Agreements with us or operate under terms that meet GDPR processor requirements. They process data only on our instructions and may not use it for their own purposes.

5. International transfers

Your data stays in the EU at rest. Supabase's US-based staff may access EU servers for support and operational reasons under Standard Contractual Clauses (SCCs) approved by the European Commission. Resend and Google both operate under the EU-US Data Privacy Framework.

6. How long we keep your data

While your account is active: indefinitely (you can delete any time)
If you delete your account: all data is permanently erased within 30 days
If you stop using the app without deleting: data remains so you can return to it. We may contact you after 24 months of inactivity to ask if you'd like to delete it
Backups: encrypted and rotated on a 7-day cycle

7. Your rights under GDPR

You have the right to:

Access — request a copy of all data we hold about you (available instantly via the in-app "Export my data" button, which produces a JSON file)
Rectify — correct any inaccurate data (do this in-app, or email us)
Erase — request deletion of all your data (available in-app under "Delete account", or by emailing us)
Restrict — ask us to stop processing your data while a dispute is resolved
Object — object to any processing based on legitimate interest
Data portability — receive your data in a machine-readable format (the JSON export covers this)
Withdraw consent — you can withdraw consent for health data processing at any time, which means we must delete that data (this effectively means deleting your account, as the app cannot function without it)

To exercise any of these rights, email hello@lullagram.ie. We will respond within 30 days.

8. Right to complain

If you are unhappy with how we handle your data, you can lodge a complaint with the Irish Data Protection Commission:

Website: www.dataprotection.ie
Phone: +353 (0)761 104 800
Address: 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland

9. Children's data

Lullagram is a tool for parents and guardians, not for children. You must be 18 or over to register a Lullagram account.

The data Lullagram stores about your baby is provided by you, the parent or legal guardian, in exercise of your parental responsibility. You can delete this data at any time. When your child reaches an age where they have data protection rights of their own (generally 16 in Ireland), you should review what is stored and decide whether to retain it.

10. Security

All data is transmitted over HTTPS (TLS 1.2 or higher)
Data at rest is encrypted on Supabase / AWS infrastructure
Passwords are hashed using bcrypt — we never see or store the plain text
If you sign in with Google, we do not see or store any Google credential — only the identity information described in section 2.4
Database access is restricted by Row Level Security policies — you can only ever read or write data that belongs to your household
Service role keys (which can bypass these restrictions) are held only in secure server environments, never in the app

11. Cookies and tracking

Lullagram does not use cookies for tracking. We use your browser's localStorage only to keep you signed in and to hold a queue of offline entries until they sync. This is purely functional, not analytical.

We do not use Google Analytics, Facebook Pixel, or any other tracker.

12. Relationship with the HSE

Lullagram is an independent application and is not affiliated with, endorsed by, or partnered with the Health Service Executive (HSE) or any other Irish government body. We link to publicly available HSE content as an information source for users. Linking to HSE.ie does not imply HSE has reviewed or approved Lullagram.

13. Medical disclaimer

Lullagram is a logging tool, not a medical device. Information shown in the app, including content summarised from HSE.ie, is for general guidance only and does not replace advice from your GP, public health nurse, or other qualified healthcare provider.

In a medical emergency, call 112 or 999. For non-emergency health advice in Ireland, call HSE Live on 1800 700 700.

14. Changes to this policy

If we change this policy in a material way, we'll notify you by email and inside the app, and require you to accept the new policy before continuing. Minor updates (clarifications, formatting) will be posted here with the updated "Last updated" date.

15. Contact

For any privacy question or to exercise your rights, email hello@lullagram.ie. We respond within 30 days, usually much sooner.