Privacy Policy

1. Introduction & scope

YourPottyPal (“we,” “us,” or “the Company”) is a Florida-registered company that operates the YourPottyPal mobile application (the “App”) and the website at yourpottypal.com (the “Website”). Together, the App and the Website are referred to as the “Service.”

This Privacy Policy describes how we collect, use, store, share, and protect information relating to you and your child when you use the Service. It applies globally and is designed to comply with applicable privacy laws, including but not limited to:

• •United States: COPPA (16 CFR Part 312), FTC Act Section 5, CCPA/CPRA (California), and comprehensive state privacy laws in Virginia, Colorado, Connecticut, Utah, Texas, Montana, Oregon, Iowa, Florida, Tennessee, and Indiana
• •European Union: General Data Protection Regulation (GDPR, Regulation 2016/679) and the ePrivacy Directive (2002/58/EC)
• •United Kingdom: UK GDPR, Data Protection Act 2018, and the Age Appropriate Design Code (Children's Code)
• •Canada: PIPEDA (federal), Québec Law 25 (Act Respecting the Protection of Personal Information in the Private Sector), and CASL
• •Australia: Privacy Act 1988 and the Australian Privacy Principles (APPs)
• •Brazil: LGPD (Lei Geral de Proteção de Dados)
• •South Korea: PIPA (Personal Information Protection Act)
• •Japan: APPI (Act on the Protection of Personal Information)

By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Service.

2. Data controller & contact information

For the purposes of data protection law, the data controller is:

If you are located in the European Economic Area (EEA) or the United Kingdom and wish to lodge a complaint, you have the right to contact your local supervisory authority in addition to contacting us directly.

3. Information we collect

3.1 Information you provide

• •Account information: Parent/caregiver email address used for account creation, authentication, and communication.
• •Child profile information: Child's first name (or nickname) and age, used to personalize the training experience. We do not collect the child's full legal name, date of birth, photos, or government identifiers.
• •Potty training data: Log entries including timestamps, event type (e.g., success, attempt, accident), caregiver notes, and self-initiated flags. This data may be classified as health-adjacent or sensitive information under certain privacy laws; we treat it accordingly.
• •Contact form submissions: Name, email address, and message when you contact us through the Website.
• •Waitlist/newsletter signup: Email address when you voluntarily sign up to receive updates.

3.2 Information stored on-device only

• •Voice recordings: If you use Voice Studio, audio recordings are stored exclusively on your device. They are never uploaded to our servers or any cloud service. We have zero access to these files.
• •Local preferences: App settings, theme preferences, and notification configurations stored in local device storage.

3.3 Information collected automatically

• •Usage analytics: De-identified, aggregated information about how the App is used (e.g., feature usage frequency, screen navigation patterns). This data cannot identify you or your child.
• •Device information: Device type, operating system version, and app version for compatibility and debugging purposes.
• •Website cookies: Our Website may use essential cookies for functionality. Non-essential cookies (analytics) require your consent where required by law. See Section 12 for details.

3.4 Information we do NOT collect

• •We do not collect precise geolocation data
• •We do not collect biometric identifiers
• •We do not collect financial information (payments are processed by Apple/Google)
• •We do not collect information directly from children — all data entry is performed by the parent/caregiver
• •We do not use cookies or tracking pixels for advertising

4. How we use your information

• •Provide the Service: Account management, potty training logging, reminders, progress tracking, celebrations, timer features, and widget functionality.
• •AI-powered features: Generating coaching tips, detecting patterns (e.g., regression alerts, stool withholding indicators, risk window analysis), and producing provider escalation alerts using automated processing both on-device and in the cloud. See Section 6 for AI-specific disclosures.
• •Data exports: Generating CSV and PDF reports at your request for sharing with pediatricians, therapists, or other providers. Export is always user-initiated.
• •Communication: Sending account-related notifications (e.g., password resets, subscription confirmations) and, with your consent, marketing emails about product updates.
• •Improve the Service: Using de-identified, aggregated data to understand feature usage, fix bugs, and improve the user experience.
• •Legal compliance: Fulfilling legal obligations, responding to lawful requests, and protecting our rights.

5. Legal bases for processing (EEA, UK, and similar jurisdictions)

Where data protection law requires a legal basis for processing, we rely on the following:

• •Performance of a contract: Processing necessary to provide the Service you signed up for (logging, reminders, coaching, exports).
• •Consent: Where we process sensitive data (health-adjacent potty training logs), send marketing communications, or use non-essential cookies. You can withdraw consent at any time.
• •Legitimate interests: Limited analytics for service improvement, fraud prevention, and security — balanced against your rights and expectations through regular assessment.
• •Legal obligation: Where we must process data to comply with applicable law (e.g., tax records, breach notification).

6. AI, automated processing & profiling

YourPottyPal uses automated processing to generate coaching tips, detect patterns (such as suggested potty times, regression indicators, and stool withholding), and produce “escalation alerts” when patterns may suggest you should consider contacting a healthcare provider.

Your rights regarding automated processing: Depending on your jurisdiction, you may have the right to:

• •Request an explanation of the logic, significance, and factors involved in automated processing (GDPR Articles 13–14, 22; Québec Law 25; LGPD Article 20)
• •Object to or opt out of profiling for decisions with legal or similarly significant effects (GDPR Article 21; U.S. state privacy laws)
• •Request human review of an automated decision that significantly affects you (GDPR Article 22; Québec Law 25 Section 12.1)
• •Submit observations or corrections regarding automated outputs

To exercise these rights, use Settings > Privacy in the App or email privacy@yourpottypal.com.

7. Children's privacy & parental controls

YourPottyPal is designed exclusively for use by parents and caregivers (adults aged 18+). We do not direct the Service to children and do not knowingly collect personal information directly from children.

7.1 COPPA compliance (United States)

We comply with the Children's Online Privacy Protection Act (COPPA, 16 CFR Part 312). Because our App stores information about children under 13 (name, age, training logs), we implement COPPA-grade protections:

• •Only the parent/caregiver account holder can create child profiles and enter child data
• •We collect only the minimum child information necessary (first name/nickname and age)
• •Child data is never used for advertising, never sold, and never shared with third parties for marketing purposes
• •Parents can review, export, correct, or delete all child data at any time through the App or by contacting us
• •Parents can withdraw consent for collection of their child's information, understanding that this may disable cloud-based features

7.2 International children's data protections

• •EU/UK (GDPR Article 8, UK Children's Code): We treat all child data with heightened safeguards. The App is designed for adults; children should not create accounts or directly interact with data entry features.
• •Canada (PIPEDA / Québec Law 25): Parental or guardian consent is required for processing data of children under 13 (PIPEDA guidance) or under 14 (Québec). Our parent-as-account-holder model satisfies this requirement.
• •Brazil (LGPD Article 14): Processing of children's personal data requires specific and prominent consent from at least one parent or legal guardian, made in the child's best interests.
• •South Korea (PIPA): Legal guardian consent is required for processing personal information of children under 14.
• •Australia: We follow the Australian Privacy Principles and monitor the draft Children's Online Privacy Code.

7.3 Parental rights

As a parent or legal guardian, you have the right to:

• •Review all personal information collected about your child
• •Request a copy (export) of your child's data in a portable format
• •Correct or update your child's information
• •Request deletion of your child's profile and all associated data
• •Refuse further collection, use, or storage of your child's information

8. Sharing & disclosure of information

8.1 We do NOT

• •Sell personal information to any third party (including under CCPA/CPRA definitions of "sale")
• •Share personal information for targeted advertising or cross-context behavioral advertising
• •Allow advertisers to access, view, or use any personal or child data
• •Trade, rent, or barter personal information

8.2 Limited sharing

• •Service providers: We use Supabase (cloud-hosted) for authentication and database services. Supabase processes data on our behalf under a data processing agreement with appropriate technical and organizational safeguards. We do not use any other third-party data processors.
• •User-initiated exports: When you generate and share CSV/PDF reports with a pediatrician or other provider, that sharing is initiated and controlled entirely by you. We are not responsible for how third parties handle information you choose to share outside the Service.
• •Legal requirements: We may disclose information if required by law, subpoena, court order, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
• •Business transfer: In the event of a merger, acquisition, or asset sale, personal information may be transferred. We will notify you before your information becomes subject to a different privacy policy.

9. Data storage, security & retention

9.1 Storage location

Account data and potty training logs are stored in Supabase-hosted cloud infrastructure. Some data (voice recordings, local preferences) is stored exclusively on your device and never transmitted to our servers.

9.2 Security measures

• •Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
• •Row-level security policies ensuring users can only access their own data
• •Authentication via Supabase Auth with secure token management
• •Regular security reviews and monitoring
• •Employee access to personal data restricted to essential personnel on a need-to-know basis

9.3 Data retention

We retain personal information only for as long as reasonably necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Specifically:

• •Active accounts: data retained while your account is active and the subscription is current
• •Deleted accounts: personal information is deleted or de-identified within 30 days, except for limited, time-bound encrypted backups (deleted within 90 days) and records we are legally required to retain
• •Individual log entries: can be deleted at any time through the App
• •Child profiles: can be fully deleted at any time, removing all associated training data

10. International data transfers

We may transfer, store, and process information in countries outside your country of residence, including the United States. When we transfer personal data internationally, we implement appropriate safeguards as required by applicable law:

• •EU transfers: Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914, with transfer impact assessments as required
• •UK transfers: UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs, as applicable
• •Canada: Contractual and organizational safeguards maintaining accountability under PIPEDA's organization-to-organization model
• •South Korea: Notification of data categories transferred, recipient identity, retention period, and your right to refuse
• •Japan: Contractual safeguards and due diligence on the recipient country's data protection system, with disclosures at registration

You may request a copy of the transfer safeguards we use by contacting privacy@yourpottypal.com.

11. Your privacy rights

Depending on where you live, you may have some or all of the following rights regarding your personal information and your child's personal information:

11.1 Rights available globally

• •Right to access: Request a copy of the personal information we hold about you and your child
• •Right to correction: Request correction of inaccurate or incomplete information
• •Right to deletion: Request deletion of your account and all associated personal data
• •Right to data portability: Receive your data in a structured, machine-readable format (CSV/PDF export)
• •Right to withdraw consent: Withdraw consent for non-essential processing at any time, without affecting the lawfulness of prior processing

11.2 Additional EEA/UK rights (GDPR)

• •Right to restrict processing in certain circumstances
• •Right to object to processing based on legitimate interests
• •Right not to be subject to solely automated decisions with legal or similarly significant effects (Article 22)
• •Right to lodge a complaint with your local supervisory authority

11.3 Additional California rights (CCPA/CPRA)

• •Right to know what personal information is collected, used, disclosed, or sold
• •Right to delete personal information held by us and by our service providers
• •Right to opt out of the sale or sharing of personal information — note: we do not sell or share personal information
• •Right to non-discrimination for exercising your privacy rights
• •Right to limit use of sensitive personal information to purposes necessary for the Service

11.4 Additional rights under other U.S. state laws

If you reside in Virginia, Colorado, Connecticut, Utah, Texas, Montana, Oregon, Iowa, Florida, Tennessee, or Indiana, you may have additional rights including the right to opt out of targeted advertising and certain profiling, and the right to appeal a decision regarding your privacy request. Contact us to exercise these rights or to submit an appeal.

11.5 How to exercise your rights

• •In-App: Settings > Privacy (access, export, deletion, and consent management)
• •Email: privacy@yourpottypal.com

We will verify your identity (and, for child data requests, your authority as a parent or legal guardian) before fulfilling any request. We will respond within 30 days (or within the timeframe required by your applicable law, typically 15–45 days depending on jurisdiction). If we need additional time, we will notify you of the extension and the reason.

12. Cookies & tracking on the Website

Our Website uses essential cookies required for basic functionality (e.g., theme preference). We do not use advertising cookies or cross-site tracking pixels.

If we implement non-essential analytics cookies in the future, we will obtain your prior consent where required by law (EU ePrivacy Directive, UK PECR, Québec Law 25) and provide a clear mechanism to accept, reject, and withdraw consent for each category of cookies.

13. Data breach notification

If we become aware of a security incident involving personal information, we will:

• •Investigate promptly and take reasonable steps to contain and mitigate harm
• •Notify the relevant supervisory authority within 72 hours of becoming aware (EU/UK GDPR, South Korea PIPA) or as soon as feasible/practicable (Canada PIPEDA, Australia NDB, Japan APPI), unless the breach is unlikely to result in a risk to rights and freedoms
• •Notify affected individuals without undue delay where the breach poses a high risk to their rights and freedoms, or as required by applicable law
• •Maintain an internal breach register documenting all incidents, their effects, and remedial actions
• •Comply with jurisdiction-specific notification requirements including those under U.S. state breach notification statutes (Florida Statute § 501.171 and others)

14. Email marketing & communications

We may send you service-related emails (account confirmations, security alerts, subscription notices) without separate opt-in, as these are necessary for the operation of the Service.

Marketing emails (product updates, newsletters) are sent only with your consent. Every marketing email includes:

• •A clear, one-click unsubscribe link (honored within 10 business days per CAN-SPAM; immediately where feasible)
• •Accurate sender identification and our physical mailing address
• •An option to manage your communication preferences

We comply with CAN-SPAM (United States), CASL (Canada), GDPR marketing consent requirements (EU/UK), and equivalent regulations in other jurisdictions.

15. Not medical advice

16. Third-party links & services

The Service may contain links to third-party websites or services (e.g., App Store, Google Play, social media profiles). We are not responsible for the privacy practices of third parties. We encourage you to read the privacy policies of any third-party service you interact with.

17. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

• •We will update the "Last updated" date at the top of this page
• •We will notify you by email and/or by prominent notice within the App at least 30 days before material changes take effect
• •Where required by law, we will obtain your renewed consent before processing data under materially different terms

Continued use of the Service after changes take effect constitutes acceptance of the updated policy, except where applicable law requires express consent.

18. Contact us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all inquiries within 15 business days. For data subject access requests, we will respond within the timeframe required by your applicable law (typically 15–45 days depending on jurisdiction).