Your data, in plain English.

1. Who we are

HeyBabyOnline Limited ("HeyBabyOnline", "HBO", "we", "us", or "our") is the data controller for personal data collected through our website (www.heybabyonline.com) and our mobile applications (collectively, the "Products").

• HeyBabyOnline Limited, registered in England & Wales
• Company Number: 16572163
• Contact: hey@heybabyonline.com

For the purposes of UK GDPR, we are the Data Controller — we determine the purposes and means of processing your personal data.

2. Data we collect — parents

The table below sets out the parent data we collect, where it's stored, and why.

Data	Where stored	Purpose
Email address	Supabase Auth	Account login and identity
Password (hashed)	Supabase Auth	Authentication — we never see your raw password
Display name	Supabase database	In-app display
Location (town / city)	Supabase database	Directory filtering, anonymised analytics
Baby name	Supabase database	Log organisation and personalisation
Baby date of birth	Supabase database	Age-based sleep guidance, milestone triggers
Prematurity flag	Supabase database	Adjusted sleep recommendations
Unit preferences	Supabase database	Display formatting (ml, oz, °C, °F etc.)
Sleep, feed, nappy, solids logs	Supabase database	Core app function, optional sharing with professionals
Onboarding answers (sleep confidence, parenting style, support network, comms preferences)	Supabase database	Sleep recommendations; anonymised aggregate analytics only
Push notification token	Supabase database	Scheduled sleep and nap reminders via Expo
Questions submitted to Ask the Expert	Supabase database	Published forum content
Replies in Ask the Expert	Supabase database	Published community content
Reviews of professionals (text, rating, first name, location)	Supabase database	Displayed publicly on professional profiles
Messages sent to professionals	Supabase database	Communication with professionals you've contacted
Data sharing connection scope and date range	Supabase database	Controls professional access to logs (you set this)
Profile views of professionals	Supabase database (anonymous count)	Anonymous stat for the professional
Subscription status & purchase history	RevenueCat	Access control, billing
Favourited professionals, seen review IDs, sleep signal preferences, partnership cache, nudge dismissals	Device only (AsyncStorage)	Local app state — not transmitted to servers
Exported CSV file	Device only	User-initiated export; not retained server-side

3. Data we collect — professionals

Data	Where stored	Purpose
Email address	Supabase Auth	Account login and identity
Password (hashed)	Supabase Auth	Authentication
Full name & business name	Supabase database	Public profile display
Specialty	Supabase database	Directory search, question routing
Biography (short and full)	Supabase database	Public profile display
Profile photo	Supabase Storage	Public profile display
County, city / town, work style	Supabase database	Directory filtering, public profile
Phone, email, website	Supabase database	Shown to subscribed parents (Partner-tier)
Weekly availability (28 slots)	Supabase database	Public profile display
External review links (Google, Facebook, Trustpilot)	Supabase database	Public profile display
Verification level & date	Supabase database	Badge display, admin workflow
Subscription tier, Stripe customer & subscription IDs	Supabase database / Stripe	Billing management, access control
Message replies to parents	Supabase database	Communication
Forum answers	Supabase database	Published forum content
Profile view aggregate count	Supabase database	Professional stats dashboard
Verification metadata, signed Code of Conduct, training certificates, interview recordings, score sheets, decisions	Restricted Google Workspace folders (not in main app database)	Practitioner verification — see section 8 for full handling

4. How we use your data

We use your personal data only for the purposes set out below:

• To provide the Products — running the tracker, generating sleep recommendations, displaying the directory, processing messages between parents and professionals, and personalising your experience.
• To manage your account — authentication, subscription status, profile management.
• To process payments — through Apple, Google, Stripe and RevenueCat. We never see or store your card number — we receive only tokenised references and renewal status.
• To communicate with you — service notifications, security alerts, and (where you've opted in) email updates from us.
• To improve the Products — anonymised, aggregated analysis of how features are used.
• To verify professionals — confirming qualifications and scope for verification levels.
• To protect users — investigating policy violations or suspected misuse of the platform.
• To meet legal obligations — accounting, tax, lawful regulator requests.

We do not sell your personal data. We do not share it with advertisers for behavioural targeting. We do not embed advertising SDKs in the app.

5. Legal bases (UK GDPR)

• Performance of a contract — providing the Products you've subscribed to or registered for.
• Consent — for marketing emails, optional analytics, and any sensitive data processing (including data sharing with a professional). You can withdraw consent at any time.
• Legitimate interests — keeping the Products secure, preventing fraud, improving features, and running the business — always balanced against your rights.
• Legal obligation — UK tax, accounting, and other statutory requirements.

6. Who can see what

Some data becomes visible to other users in specific, controlled ways. Here's the full picture:

• Parent → Professional (data sharing connection): When you accept a data sharing connection, the professional can view the baby logs you've explicitly chosen, for the date range you've explicitly chosen. Access is governed by Supabase Row Level Security and revocable any time. See section 7.
• Parent → Professional (messaging): When you message a professional, that professional sees your first name, your baby's name, and your baby's age — alongside the message you send.
• Parent → Public: Reviews you write are displayed publicly on the professional's profile, attributed to your first name and location (as you provide them at review time).
• Parent → Public (forum): Questions you submit and community replies you write are visible to all subscribed users in Ask the Expert, attributed to your first name.
• Professional → Parent: Full profile (name, photo, bio, specialty, location, availability, contact details for Partner-tier) is visible to subscribed parents browsing the directory.
• Professional → Forum: Expert answers in Ask the Expert are attributed to the professional with their profile card and verification badge.
• Service providers (data processors): Third-party companies who process data on our instructions and to our security standards (see section 9).
• Legal requirements: Where compelled by law, court order, or to protect our or others' rights.
• Business transfers: If HeyBabyOnline is acquired, merged, or restructured, your data may be part of the transfer; we'll notify you and your data will continue to be protected by an equivalent privacy notice.

7. Data sharing with professionals

One of HeyBabyOnline's key features is letting parents share baby logs directly with a professional they're working with — for example, a sleep consultant. Because this involves health-adjacent data about your child, we want you to be clear on exactly how it works:

• You initiate it. A connection is only created when you, the parent, send an invitation. Professionals cannot request access to your data without you starting the process.
• You set the scope. You choose which data types are shared (any combination of sleep, bottle, breastfeeding, nappy, solids) and the date range (last 7 days, 30 days, 3 months, all time, or from today).
• Read-only. Professionals can view the data you've shared, but cannot edit or delete your logs.
• Revocable any time. You can edit the scope or cancel the connection at any time from the app — access stops immediately.
• Database-enforced. Access controls are enforced at the database layer using Supabase Row Level Security — not just in app code. A professional's view is technically restricted to the exact data you've authorised.
• Independent professional records. A professional may take their own notes about your work together inside their own systems. Those notes are subject to that professional's privacy policy, not ours. We're responsible for the data inside HeyBabyOnline; professionals are responsible for what they record about you elsewhere.

8. Practitioner verification data

HeyBabyOnline runs a structured verification process for postnatal practitioners listed in the directory. The full process is set out in our internal Verification Standard Operating Procedure, which is the source document for the public-facing summary on our For Professionals page. This section describes what we collect, how we handle it, and what your rights are if you are a practitioner whose data is being processed.

What we sight without retaining the original

HeyBabyOnline operates on a sight-and-record principle for the most sensitive verification documents. Our verifier sights the original document during the verification video interview, records the metadata necessary to evidence that the check was performed, and the original is not retained by HeyBabyOnline. The metadata record is the audit trail.

The following are sighted live and not retained:

• Government-issued photo ID (passport, driving licence)
• DBS certificate (or Disclosure Scotland / AccessNI equivalent)
• Insurance certificate (professional indemnity and public liability)
• Clinical registration documents (for example, NMC, HCPC, IBCLC) — supplemented by direct lookup on the regulator's public register, which is the source of truth

For each document, the verifier records key reference numbers, names, dates, issuers, and the date and method of sighting in the practitioner's verification file. Where copies are received in advance by email (for example, attached for asynchronous review), the email and attachments are deleted from the inbox and from Trash within 7 days of sighting.

What we do retain

• Sighting metadata records for each document above (no images of the originals).
• Training certificates, retained as evidence where there is no external source of truth (for example, where the awarding body is small or may cease to operate).
• Signed Code of Conduct and conflict-of-interest declaration.
• Verification interview recording, with explicit verbal consent at the start of the call.
• Score sheet and decision record, including the reasoning for any pass, fail, or tier assignment.
• Renewal log (insurance, DBS, CPD, annual review).
• Complaint files and outcomes, where applicable.

Where verification data is stored

Verification data is held in a dedicated, restricted Google Workspace environment — not in the main HeyBabyOnline application database. Each practitioner has a private Google Drive folder (named "Verification — [Practitioner Name] — [HBO ID]") containing their verification file (a structured Google Doc), supporting documents where retained, and the interview recording. Folder permissions are restricted to named verifiers only. Sharing settings are audited quarterly.

Lawful basis

We process verification data on the following lawful bases under UK GDPR and the Data Protection Act 2018:

• Article 6(1)(f) — legitimate interests. Verifying that practitioners listed on the platform meet a documented standard of competence and safeguarding is a legitimate interest of HeyBabyOnline and of the parents who use the platform.
• Article 6(1)(b) — performance of a contract. Verification is a contractual requirement of HeyBabyOnline Partner membership where a practitioner has applied for verification.
• Article 9(2)(g) — substantial public interest. Where verification involves special category data (for example, health-related information disclosed during the interview), processing is necessary in the substantial public interest of safeguarding children and vulnerable parents using the platform.
• Data Protection Act 2018, Schedule 1, Part 2, paragraph 18 (safeguarding of children and of individuals at risk). Provides the substantial public interest condition for processing DBS-derived data, which falls within Article 10 of the UK GDPR (data relating to criminal convictions and offences). HeyBabyOnline maintains an Appropriate Policy Document for this processing, reviewed at least every two years.

Retention

Retention periods for verification data are set out in section 11. In summary: sight-and-destroy originals are not retained at all; metadata records and decision documents are held for the duration of the practitioner's listing plus 6 years; interview recordings are held for 24 months from the interview date and then permanently deleted.

Practitioner rights

Practitioners have the same UK GDPR rights as any other data subject (see section 12), with these specific provisions for verification data:

• Right of access. A practitioner may request a copy of their verification file at any time. We aim to provide it within 30 calendar days.
• Right to rectification. If a metadata record is factually incorrect (for example, an incorrectly transcribed certificate number), the practitioner may ask us to correct it.
• Right to erasure. Once a practitioner is no longer listed, they may request earlier deletion of retained verification records, subject to our legitimate interest in retaining the evidence base for the standard listing-plus-6-years period to address any retrospective complaints, regulatory queries, or insurance claims.
• Right to challenge a verification decision. Practitioners may appeal a verification decision in writing within 14 days. Appeals against decisions made by the founder are reviewed by an independent advisor.

Verification-related requests should be sent to hey@heybabyonline.com.

9. Our data processors

We work with the following service providers. Each is bound by contract to process data only on our instructions and in accordance with applicable data protection law.

Processor	Purpose	Region
Supabase	Database, authentication, file storage, realtime	EU / US
Stripe	Professional subscription billing & invoicing	UK / US
RevenueCat	Parent in-app subscription management (no card storage)	US
Apple App Store / Google Play	In-app purchase processing for parents	Global
Expo Push Notifications	Delivery of push notifications (token only)	US
Google Workspace (Drive, Docs, Meet)	Practitioner verification files, interview recordings, internal record-keeping	EU / US
WordPress API (heybabyonline.com)	Fetching member discount / partnership content (no PII sent)	UK
Apple / Google App Store Review API	Triggering in-app review prompt (no PII sent)	Global
Hosting providers	Website hosting infrastructure	UK / EU

Each processor publishes its own privacy policy. Where we transfer data outside the UK, we rely on UK adequacy regulations or appropriate safeguards (Standard Contractual Clauses or the UK International Data Transfer Addendum).

10. Cookies & local storage

The HeyBabyOnline mobile app does not use traditional browser cookies. Instead, the app uses AsyncStorage (device-local storage on your phone) for app state that doesn't need to be synced to a server. This includes:

• IDs of Snooze Clues you've already seen (so we don't show them twice)
• Sleep signal preferences
• Partnership / member discount content cache (so the page works offline)
• Nudge dismissal flags (so we don't keep nudging you)
• Favourited professionals (your saved heart-icon list)

This local data is held only on your device and is not transmitted to our servers. It is removed when you uninstall the app or clear app data.

Our marketing website (heybabyonline.com) uses essential cookies and may use analytics cookies as described in any cookie banner shown on first visit.

11. Data retention & deletion

We retain personal data only for as long as necessary for the purposes set out in this policy.

• Active accounts: Account data, baby profiles, logs, messages, sharing connections, reviews, and forum content are retained while your account is active.
• Account deletion: When you delete your account in-app, deletion is processed via a database function (delete_own_account) and an Edge Function (delete-auth-user) that together cascade through and permanently remove your account, baby profiles, all logs, messages, data sharing connections, reviews, forum questions and answers, profile view records, and your authentication record. This is immediate and irreversible.
• Anonymised aggregate data: Aggregated and anonymised analytics (e.g. distribution of sleep confidence scores at onboarding) may be retained beyond account deletion, since this data cannot be re-identified.
• Financial records: Where we are legally required to retain payment-related records (e.g. for UK tax purposes), we keep these for the statutory period — currently 6 years.
• Exported CSVs: CSV files exported by you are not retained on our servers; they exist only on the device you exported them to.
• Verification data — sight-and-destroy: Government photo ID, DBS certificates, insurance certificates, and clinical registration documents are sighted but never stored. Originals are not retained.
• Verification data — retained records: Sighting metadata records, training certificates, signed Code of Conduct, conflict-of-interest declarations, score sheets, decisions and reasoning, renewal logs, and complaint files are retained for the duration of the practitioner's listing plus 6 years.
• Verification interview recordings: Retained for 24 months from the interview date, then permanently deleted from both the active folder and the Drive bin via a quarterly review process.

12. Your rights

Under UK GDPR you have the following rights in relation to your personal data:

• Right of access — request a copy of the personal data we hold about you.
• Right to rectification — ask us to correct inaccurate or incomplete data. Most fields are editable directly from your profile.
• Right to erasure ("right to be forgotten") — delete your account from inside the app at any time. See section 11.
• Right to data portability — export your baby's logs as a CSV file at any time directly from the app. This is our Article 20 data portability mechanism.
• Right to restrict processing — ask us to stop using your data for specific purposes.
• Right to object — object to processing based on legitimate interests, including direct marketing.
• Right to withdraw consent — where we rely on consent, you can withdraw it at any time.
• Right to complain — to the UK Information Commissioner's Office (ico.org.uk) if you believe we've mishandled your data. We'd appreciate the chance to address concerns first — please email hey@heybabyonline.com.

To exercise any of these rights, email hey@heybabyonline.com. We aim to respond within 30 days.

13. Children's data

HeyBabyOnline is designed for parents to use for their own children. The app collects names, dates of birth, sleep and feeding logs, and other information about babies and young children. This constitutes children's personal data under UK GDPR (and equivalent provisions in other jurisdictions, including COPPA in the US).

• The account holder (parent or legal guardian) provides consent on the child's behalf.
• Children's data is used only to provide the service to the parent (e.g. age-appropriate sleep guidance, log organisation).
• Children's data is never sold, never used for advertising, and never shared except as you explicitly authorise via the data sharing feature.
• When a parent account is deleted, all associated children's data is permanently deleted in the same cascade.
• HeyBabyOnline is not intended for direct use by children. Accounts are held by adults.

14. Sensitive health-adjacent data

Sleep, feeding and nappy logs are not formal medical records, but they are health-adjacent — they reveal information about your baby's wellbeing and routines, particularly when shared with healthcare-adjacent professionals such as health visitors or lactation consultants.

We treat this data with appropriate care. The lawful bases for processing this category of data are:

• Performance of contract — to provide the tracking and guidance features you've subscribed to.
• Explicit consent — when you choose to share baby logs with a specific professional via the data sharing feature.

We do not currently use this data for any other purpose, and we do not enrich it with data from external sources.

For practitioners going through verification, additional categories of sensitive data are processed: special category health-related information may be disclosed during the verification interview, and DBS-derived information falls within Article 10 of the UK GDPR (data relating to criminal convictions and offences). The lawful bases for this additional processing are described in section 8, including reliance on the safeguarding-of-children condition under Schedule 1 Part 2 of the Data Protection Act 2018. We hold an Appropriate Policy Document covering this processing, reviewed at least every two years.

15. User-generated content

If you submit content to public or semi-public parts of the Products — for example, questions or replies in Ask the Expert, or reviews of professionals — the following applies:

• Licence: By submitting, you grant HeyBabyOnline a non-exclusive, royalty-free licence to display, host, and distribute that content within the Products.
• Moderation: Submitted questions and reviews are reviewed by our team before being published. We may decline to publish content that breaches our community guidelines.
• Attribution: Public reviews are attributed to your first name and location. Forum questions and replies are attributed to your first name.
• Removal on account deletion: When you delete your account, your questions, replies and reviews are removed, except where doing so would render a remaining conversation incoherent — in those rare cases the content may be anonymised rather than deleted.
• Professional public content: Approved professional profiles (name, photo, bio, specialty, location, availability) are visible to all subscribed parents. Professionals consent to this at registration.

16. Security

We use technical and organisational measures to protect your personal data, including:

• TLS 1.2+ encryption for all data in transit
• Hashed passwords (we never see your raw password)
• Database-level access controls via Supabase Row Level Security
• Restricted admin access on a least-privilege basis
• Regular review of third-party processors and their security postures

No system is completely secure. If we ever become aware of a personal data breach that's likely to result in risk to your rights, we'll notify you and the ICO as required by UK GDPR.

17. International transfers

Some of our processors are based outside the UK, including in the United States and the European Union. Where personal data is transferred outside the UK, we rely on:

• UK adequacy regulations for transfers to the EU and other adequate jurisdictions.
• The UK International Data Transfer Addendum or Standard Contractual Clauses for transfers to other countries.

This ensures your data has equivalent protection wherever it's processed.

18. Changes to this policy

We may update this Privacy Policy from time to time — for example, when we add a new feature, change a processor, or in response to legal developments. The "Last updated" date at the top of the policy will always show when changes were made.

For material changes that affect how your data is processed, we'll give at least 14 days' notice via email or in-app notification before the change takes effect.