Privacy Policy
Effective date: April 3, 2026 · Last updated: April 3, 2026 · Version: 1.0
Toddli ("we," "us," "our," or the "App") is a baby and child tracking mobile application developed by Matheus ("Developer"), an individual developer based in Brazil. This Privacy Policy explains how we collect, use, store, share, and protect your personal information and your children's information when you use our App.
We are committed to protecting your privacy and the privacy of your children. This policy is designed to comply with the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais — LGPD, Law No. 13.709/2018), the European Union General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), and Apple App Store privacy requirements.
By using Toddli, you acknowledge that you have read and understood, and that you agree to, the practices described in this Privacy Policy.
1. Data Controller
The data controller responsible for your personal data is:
Matheus
Location: Brazil
Contact: toddli@toddli.app
For any privacy-related inquiries, data access requests, or complaints, please contact us at the email address above.
2. Information We Collect
We collect the following categories of personal data:
2.1 Account Information
- Email address (provided directly or via Apple Sign-In / Google Sign-In)
- Name (as provided by you or your sign-in provider)
- Profile avatar/photo (optional)
- Authentication tokens (managed securely; never stored in plain text)
2.2 Child Information
- Name of the child
- Date of birth and/or due date (for pregnancies)
- Gender
- Photos of the child (optional, uploaded by the parent/guardian)
2.3 Health and Medical Records
- Growth measurements: weight (kg), height (cm), head circumference (cm)
- Vaccination records: vaccine name, date administered, notes
- Medical appointments: date, provider, reason, notes
- Fetal measurements (during pregnancy)
2.4 Activity Logs
- Feeding records: breastfeeding (side, duration), bottle feeding (amount, type), solid food entries
- Sleep records: start/end times, duration, sleep type (nap, night)
- Diaper changes: time, type, notes
- Medication administration: medicine name, dosage, time
- Temperature readings
- Bath times
- Tummy time sessions: duration, notes
2.5 Developmental Data
- Milestone achievements: developmental milestones reached and dates
- Play activity completions: activities performed and progress
2.6 Family and Caregiver Information
- Family member names, roles, and relationships (e.g., parent, grandparent, nanny)
- Push notification tokens (for delivering notifications to caregivers)
2.7 AI Conversation Data
- Full chat history with the AI parenting advisor feature
- Context data sent to the AI (such as child age, relevant activity data) to generate personalized advice
2.8 Financial and Subscription Information
- Subscription status (active, expired, plan type) managed via RevenueCat
- Task cost estimates (entered by the user for household/childcare budgeting)
- We do not collect or store credit card numbers, bank account details, or other payment instruments. All payment processing is handled by Apple (App Store) and RevenueCat.
2.9 Memories
- Photos with descriptions documenting family moments
- Dates and notes associated with memories
2.10 Shopping Lists
- Pregnancy and baby shopping items created by the user
2.11 Technical and Usage Data
- Device type and operating system version
- App version
- Crash reports and error logs (collected via Expo)
- We do not use cookies, advertising trackers, or analytics SDKs beyond what is essential for app functionality.
3. How We Collect Information
We collect information through:
- Direct input: Information you manually enter into the App (account details, child data, activity logs, etc.)
- Authentication providers: Basic profile information from Apple Sign-In or Google Sign-In when you create an account
- Automated collection: Technical data such as device type and crash reports collected by the Expo framework
- AI interactions: Conversations you have with the AI parenting advisor
- Subscription services: Subscription status information from RevenueCat
We do not collect data from third-party data brokers, social media scraping, or any passive surveillance methods.
4. Legal Basis for Processing (LGPD & GDPR)
We process your personal data based on the following legal grounds:
| Purpose | Legal Basis (LGPD Art. 7) | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Account creation and authentication | Consent / Contract performance | Contract performance (Art. 6(1)(b)) |
| Storing child and health data | Explicit consent | Explicit consent (Art. 9(2)(a)) |
| Providing activity tracking features | Contract performance | Contract performance (Art. 6(1)(b)) |
| AI parenting advice | Consent | Consent (Art. 6(1)(a)) |
| Subscription management | Contract performance | Contract performance (Art. 6(1)(b)) |
| Push notifications | Consent | Consent (Art. 6(1)(a)) |
| Crash reporting and app stability | Legitimate interest | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance | Legal obligation | Legal obligation (Art. 6(1)(c)) |
Special category data (health data of children): We process health-related data about your children solely based on your explicit consent as the parent or legal guardian. You may withdraw this consent at any time by deleting the relevant data or your account.
5. How We Use Your Information
We use the collected information for the following purposes:
- Core App Functionality: To provide baby/child tracking features including feeding, sleep, diaper, growth, vaccination, and milestone tracking.
- AI Parenting Advice: To generate personalized parenting guidance through the AI advisor feature, using your child's age, developmental stage, and activity data as context.
- Family Collaboration: To enable multiple caregivers within a family to share and access child data.
- Notifications: To send reminders and alerts related to your child's care (e.g., feeding reminders, vaccination schedules).
- Subscription Management: To manage your subscription plan and provide appropriate feature access.
- Data Export: To allow you to export your data in portable formats upon request.
- App Improvement: To identify and fix bugs, improve performance, and enhance the user experience.
- Legal Compliance: To comply with applicable laws and regulations.
We do not use your data for:
- Advertising or marketing to third parties
- Selling or renting personal data
- Profiling for purposes unrelated to the App's core features
- Training AI models (your data is used only for generating real-time responses)
6. AI Data Processing
6.1 How the AI Feature Works
The AI parenting advisor uses third-party AI services (currently Google Gemini via OpenRouter) to generate responses to your parenting questions. When you use this feature:
- Your message and relevant context (child's age, recent activities) are sent to the AI service provider.
- The AI generates a response that is streamed back to the App.
- Your conversation history is stored in our database (Supabase) so you can review past conversations.
6.2 AI Data Safeguards
- AI conversations are transmitted over encrypted connections (HTTPS/TLS).
- We do not share your AI conversations with any party other than the AI service provider for the sole purpose of generating responses.
- AI service providers process data according to their own privacy policies (see Section 9).
- You can delete individual AI conversations or all conversation history at any time.
- Your personal data is not used to train or fine-tune AI models.
6.3 AI Limitations Disclaimer
The AI parenting advisor provides general informational guidance only. It is not a substitute for professional medical, psychological, or childcare advice. Always consult qualified healthcare professionals for medical decisions regarding your child.
7. Data Storage and Security
7.1 Where Your Data Is Stored
Your data is stored on:
- Supabase (PostgreSQL database hosted on Amazon Web Services), with servers located in the United States and/or European Union.
- Local device storage: Only non-sensitive preferences (such as theme settings) are stored locally on your device via AsyncStorage. Sensitive authentication tokens are stored in the iOS Keychain via expo-secure-store.
7.2 Security Measures
We implement the following security measures to protect your data:
- Encryption in transit: All data transmitted between the App and our servers uses HTTPS/TLS encryption.
- Encryption at rest: All data stored in our database is encrypted using AES-256 encryption (provided by Supabase/AWS).
- Secure token storage: Authentication tokens are stored in the iOS Keychain using expo-secure-store, not in plain text or local storage.
- Row Level Security (RLS): Database access is restricted using Supabase Row Level Security policies, ensuring that users can only access data belonging to their own family.
- Family-scoped data isolation: All queries are scoped to the user's family, preventing cross-family data access.
- Private photo storage: Photos are stored in private Supabase Storage buckets. Access requires signed URLs with limited validity.
- EXIF metadata stripping: Location and camera metadata is removed from photos before upload to protect your location privacy.
- No sensitive data in local storage: Health data, activity logs, and personal information are never cached in unprotected local storage.
7.3 Data Breach Procedures
In the event of a personal data breach that poses a risk to your rights and freedoms:
- We will notify the Brazilian National Data Protection Authority (ANPD) and, where applicable, EU supervisory authorities within 72 hours of becoming aware of the breach.
- We will notify affected users without undue delay via email, describing the nature of the breach, the data affected, and the measures taken.
- We will document all breaches internally, including those that do not require notification, as required by law.
8. Data Retention
We retain your data according to the following schedule:
| Data Category | Retention Period |
|---|---|
| Active account data (all categories) | Retained while your account is active |
| AI conversation history | Retained while your account is active; you may delete individual conversations at any time |
| Export files (PDF, data exports) | Generated on-demand; not stored permanently on our servers |
| Deleted account data | Permanently purged within 30 days of account deletion |
| Inactive accounts | Notification sent after 24 months of inactivity; account deleted after 30 months of inactivity |
After account deletion, we may retain anonymized, aggregated data that cannot be used to identify you, for the purpose of improving our services.
9. Third-Party Services and Data Sharing
We share your data with the following third-party service providers, solely for the purposes described:
| Service Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase (database, auth, storage) | Backend infrastructure, authentication, file storage | All account and app data | US / EU |
| OpenRouter / Google Gemini | AI chat response generation | AI conversation messages, child age context | US |
| RevenueCat | Subscription and in-app purchase management | User ID, subscription status, purchase receipts | US |
| Expo (Expo Application Services) | App updates (OTA), push notifications, crash reporting | Device tokens, app version, crash data | US |
| Apple (Apple Sign-In, App Store) | Authentication, app distribution, payment processing | Apple ID token, purchase transactions | US |
| Google (Google Sign-In) | Authentication | Google account token | US |
We do not sell, rent, or trade your personal data to any third party.
Each third-party provider processes data according to their own privacy policies:
- Supabase: https://supabase.com/privacy
- Google: https://policies.google.com/privacy
- RevenueCat: https://www.revenuecat.com/privacy
- Expo: https://expo.dev/privacy
- Apple: https://www.apple.com/legal/privacy/
10. International Data Transfers
Your data may be transferred to and processed in countries outside of Brazil, including the United States and European Union member states. These transfers are necessary to provide the App's services through our third-party infrastructure providers.
For transfers from Brazil, we rely on:
- Compliance with LGPD Chapter V (International Transfer of Personal Data), ensuring that recipient countries provide an adequate level of data protection or that appropriate safeguards are in place.
For transfers from the EU/EEA, we rely on:
- Standard Contractual Clauses (SCCs) adopted by the European Commission.
- Adequacy decisions where applicable.
We ensure that all international transfers are subject to appropriate safeguards to protect your personal data.
11. Children's Data Protection
11.1 Our Commitment
Toddli is designed for parents and legal guardians to track their children's development. We take the protection of children's data extremely seriously.
11.2 Parental Consent
- Only parents or legal guardians may create accounts and enter children's data.
- By entering your child's information, you represent and warrant that you are the child's parent or legal guardian and that you consent to the processing of your child's personal data as described in this policy.
- Children cannot create accounts or use the App independently.
11.3 Minimum Data Collection
- We collect only the child data that is necessary to provide the App's tracking and developmental features.
- We do not collect children's data for advertising or marketing purposes.
- We do not create behavioral profiles of children for purposes unrelated to the App's core functionality.
11.4 Enhanced Protections
- All children's data is subject to the same security measures described in Section 7.
- Children's photos are stored in private storage buckets and are accessible only to authorized family members.
- EXIF metadata (including geolocation) is stripped from all uploaded photos.
- Children's health data is processed under the explicit consent of the parent/guardian and can be deleted at any time.
11.5 Compliance with Children's Privacy Laws
- LGPD (Brazil): We comply with Article 14 of the LGPD, which requires that the processing of children's personal data be carried out in their best interest and with the specific and prominent consent of a parent or legal guardian.
- GDPR (EU): We comply with Article 8 of the GDPR regarding conditions applicable to children's consent in relation to information society services.
- COPPA (US): While Toddli is not directed at children under 13 as users, we respect the principles of the Children's Online Privacy Protection Act by collecting children's data only through verified parental accounts.
12. Your Rights
Depending on your location, you have the following rights regarding your personal data:
12.1 Under LGPD (Brazilian Users)
In accordance with Articles 17–22 of the LGPD, you have the right to:
- Confirmation of processing: Confirm whether we process your personal data.
- Access: Access all personal data we hold about you.
- Correction: Request correction of incomplete, inaccurate, or outdated data.
- Anonymization, blocking, or deletion: Request anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in non-compliance with the LGPD.
- Portability: Request portability of your data to another service provider.
- Deletion: Request deletion of personal data processed with your consent.
- Information about sharing: Obtain information about public and private entities with which we share your data.
- Information about consent denial: Be informed about the consequences of denying consent.
- Consent withdrawal: Withdraw your consent at any time.
- Review of automated decisions: Request review of decisions made solely based on automated processing of personal data.
- Opposition: Object to processing that does not comply with the LGPD.
12.2 Under GDPR (EU/EEA Users)
In accordance with the GDPR, you have the right to:
- Access (Art. 15): Obtain a copy of your personal data.
- Rectification (Art. 16): Have inaccurate data corrected.
- Erasure / Right to be Forgotten (Art. 17): Request deletion of your data.
- Restriction of processing (Art. 18): Request limitation of data processing.
- Data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
- Object (Art. 21): Object to processing based on legitimate interests.
- Withdraw consent (Art. 7(3)): Withdraw consent at any time without affecting the lawfulness of prior processing.
- Lodge a complaint: File a complaint with a supervisory authority.
12.3 How to Exercise Your Rights
To exercise any of these rights, please contact us at: toddli@toddli.app
Within the App, you can also:
- Export your data: Use the built-in data export feature to download your information.
- Delete individual records: Delete specific activity logs, AI conversations, or other records.
- Delete your account: Use the account deletion option in Settings, which will trigger permanent deletion of all your data within 30 days.
We will respond to your request within:
- 15 days for LGPD requests (as required by the ANPD).
- 30 days for GDPR requests (extendable by an additional 60 days for complex requests, with prior notification).
13. Cookies and Tracking Technologies
Toddli is a mobile application and does not use cookies, web beacons, pixel tags, or similar tracking technologies. We do not use advertising identifiers (IDFA/GAID) or participate in advertising networks.
The only local storage used is:
- iOS Keychain (via expo-secure-store): For secure storage of authentication tokens.
- AsyncStorage: For non-sensitive app preferences (theme, language, selected baby).
14. Do Not Track
We do not track users across third-party websites or services. We do not respond to Do Not Track (DNT) signals because we do not engage in cross-site tracking.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:
- We will update the "Last Updated" date at the top of this policy.
- We will notify you via the App (in-app notification) and/or by email.
- For material changes that affect how we process your data, we will seek your renewed consent where required by law.
We encourage you to review this policy periodically.
16. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Toddli — Privacy Inquiries
Email: toddli@toddli.app
Website: https://toddli.app
For Brazilian users, you may also contact the Brazilian National Data Protection Authority (ANPD):
- Website: https://www.gov.br/anpd
- Email: encarregado@anpd.gov.br
For EU/EEA users, you have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities can be found at:
17. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of the Federative Republic of Brazil, including the LGPD (Law No. 13.709/2018). For users in the European Union, the GDPR also applies to the extent required.