DRAFT — pending legal review. This notice has not yet been finalised.

Privacy Notice

Last updated: 12 June 2026

Who we are

PocketPoppins is a UK-based service that helps parents capture and remember family moments. The data controller is:

[COMPANY DETAILS — TO BE COMPLETED]

This notice is provided under Articles 13 and 14 of the UK GDPR. If you have any questions about it, contact us at the details above.

What we collect

  • Account data — your name, email address, and password (stored as a secure hash).
  • Family data you log— children's names and birth dates, and the moments, notes, photos, and questions you record, which may include health-related information you choose to log.
  • Messages — messages and media you send via the app or a connected messaging channel (Telegram or WhatsApp), if you choose to connect one.
  • Connection identifiers — if you connect a messaging channel: your phone number (used for WhatsApp linking), your WhatsApp account identifier, or your Telegram chat ID.
  • Family context summary — an AI-maintained summary of your family, derived from the moments you log, which the service uses to personalise its responses to you.
  • Operational telemetry — error reports and basic technical logs needed to keep the service running.

Why we use it, and the lawful basis

  • Providing the service (storing your moments, AI processing, responding to your messages) — performance of a contract (UK GDPR Art. 6(1)(b)).
  • Health-related information you log — your explicit consent, given by choosing to record it (UK GDPR Art. 9(2)(a)).
  • Service emails (confirmations, password resets, notices) — performance of a contract (Art. 6(1)(b)).
  • Error monitoring and security — our legitimate interest in keeping the service working and secure (Art. 6(1)(f)).

Children's data

The service user is the parent (or guardian). Children do not have accounts and do not use the service directly. Children's data — names, birth dates, and the moments you log about them — is processed on the parent's behalf, at the parent's direction, solely to provide the service to the parent.

We design with the ICO's Age Appropriate Design Code in mind: we collect only what the parent chooses to log, we do not profile children for any purpose other than providing the service the parent asked for, we do not use children's data for advertising, and we never sell it.

Who processes data for us

We use a small number of service providers (processors) to run PocketPoppins:

  • SupabaseDatabase, authentication, and file storage. Hosted in the EU/UK region configured for the project.
  • Google Gemini APIAI processing of the moments you log, so the service can organise them and respond helpfully.
  • SentryError monitoring, so we can find and fix faults in the service.
  • MailjetTransactional email (sign-up confirmations, password resets, service notices) and the optional weekly summary email — an AI-generated recap of your family’s moments that may include things your children said. You can turn the weekly summary off at any time in Settings → Account → Email Preferences.
  • VercelHosting of the web application.
  • RailwayHosting of the background worker that processes messages.
  • Telegram / WhatsAppMessaging channels, used only if you choose to connect one. Messages you send via these channels pass through the provider you chose.

We do not sell your data, show you advertising, or use tracking by default. We use no third-party advertising or analytics trackers.

International transfers

Some of our processors are based in, or process data in, the United States: Google (AI processing), Sentry (error monitoring), and Mailjet (email). Where personal data is transferred outside the UK, those transfers are safeguarded by appropriate measures such as the UK International Data Transfer Agreement / standard contractual clauses, or an applicable adequacy decision (including the UK–US Data Bridge).

[TO BE CONFIRMED — legal review: verify each processor's transfer mechanism and data-processing location.]

How long we keep it

  • Account and family data— kept until you delete your account. Deleting your account removes your login identity and all data in families only you own. Content you contributed to a family shared with others remains part of that family's record for its remaining members.
  • Operational telemetry (error reports, technical logs) — kept for 90 days.
  • Transactional email records— kept for the email provider's standard retention window.

Your rights

  • Access — ask us for a copy of the personal data we hold about you and your family.
  • Erasure— delete your account via Settings → Delete account. This deletes your login identity and all data in families only you own. Content you contributed to a family shared with others remains part of that family's record; contact us if you need it removed too.
  • Portability — export your data using the in-app export.
  • Rectification— correct anything that's wrong, in the app or by contacting us.
  • Complaint— you can complain to the Information Commissioner's Office (ICO) at ico.org.uk.

Changes to this notice

We will update this notice as the service develops and will flag significant changes in the app or by email.

Back to PocketPoppins · Terms of Service